libsemanage-2.7-3

* Tue Jun 26 2018 Paul Moore <pmoore@redhat.com> - 2.7-3
- Disable expand-check (#1595316)

.gitignore

@@ -136,13 +136,3 @@ libsemanage-2.0.45.tgz
 /libsemanage-2.5.tar.gz
 /libsemanage-2.6.tar.gz
 /libsemanage-2.7.tar.gz
-/libsemanage-2.8-rc1.tar.gz
-/libsemanage-2.8-rc2.tar.gz
-/libsemanage-2.8-rc3.tar.gz
-/libsemanage-2.8.tar.gz
-/libsemanage-2.9-rc1.tar.gz
-/libsemanage-2.9-rc2.tar.gz
-/libsemanage-2.9.tar.gz
-/libsemanage-3.0-rc1.tar.gz
-/libsemanage-3.0.tar.gz
-/libsemanage-3.1.tar.gz

0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch

@@ -1,233 +0,0 @@
-From b46406de8a93abe10e685c422597516517c0bff3 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:50 +0200
-Subject: [PATCH] libsemanage: Remove legacy and duplicate symbols
-
-Versioned duplicate symbols cause problems for LTO. These symbols were
-introduced during the CIL integration several releases ago and were only
-consumed by other SELinux userspace components.
-
-Related: https://github.com/SELinuxProject/selinux/issues/245
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsemanage/include/semanage/modules.h |   2 +-
- libsemanage/src/libsemanage.map        |   5 --
- libsemanage/src/modules.c              | 100 +------------------------
- libsemanage/src/modules.h              |   9 +--
- libsemanage/src/semanageswig_python.i  |   2 -
- 5 files changed, 4 insertions(+), 114 deletions(-)
-
-diff --git a/libsemanage/include/semanage/modules.h b/libsemanage/include/semanage/modules.h
-index ac4039314857..b51f61f033d5 100644
---- a/libsemanage/include/semanage/modules.h
-+++ b/libsemanage/include/semanage/modules.h
-@@ -33,7 +33,7 @@ typedef struct semanage_module_key semanage_module_key_t;
-  */
- 
- extern int semanage_module_install(semanage_handle_t *,
--				   char *module_data, size_t data_len, char *name, char *ext_lang);
-+				   char *module_data, size_t data_len, const char *name, const char *ext_lang);
- extern int semanage_module_install_file(semanage_handle_t *,
- 					const char *module_name);
- extern int semanage_module_remove(semanage_handle_t *, char *module_name);
-diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
-index 1375a8ca0ea7..4bec06aaae27 100644
---- a/libsemanage/src/libsemanage.map
-+++ b/libsemanage/src/libsemanage.map
-@@ -167,18 +167,13 @@ LIBSEMANAGE_1.0 {
-     semanage_mls_enabled;
-     semanage_module_disable;
-     semanage_module_enable;
--    semanage_module_get_enabled;
-     semanage_module_get_name;
-     semanage_module_get_version;
-     semanage_module_info_datum_destroy;
--    semanage_module_install;
--    semanage_module_install_base;
--    semanage_module_install_base_file;
-     semanage_module_install_file;
-     semanage_module_list;
-     semanage_module_list_nth;
-     semanage_module_remove;
--    semanage_module_upgrade;
-     semanage_module_upgrade_file;
-     semanage_msg_get_channel;
-     semanage_msg_get_fname;
-diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
-index 6d3eb60ae462..8b36801038df 100644
---- a/libsemanage/src/modules.c
-+++ b/libsemanage/src/modules.c
-@@ -42,70 +42,7 @@
- #include "modules.h"
- #include "debug.h"
- 
--asm(".symver semanage_module_get_enabled_1_1,semanage_module_get_enabled@@LIBSEMANAGE_1.1");
--asm(".symver semanage_module_get_enabled_1_0,semanage_module_get_enabled@LIBSEMANAGE_1.0");
--asm(".symver semanage_module_install_pp,semanage_module_install@LIBSEMANAGE_1.0");
--asm(".symver semanage_module_install_hll,semanage_module_install@@LIBSEMANAGE_1.1");
--
--/* Takes a module stored in 'module_data' and parses its headers.
-- * Sets reference variables 'module_name' to module's name and
-- * 'version' to module's version. The caller is responsible for
-- * free()ing 'module_name' and 'version'; they will be
-- * set to NULL upon entering this function.  Returns 0 on success, -1
-- * if out of memory, or -2 if data did not represent a module.
-- */
--static int parse_module_headers(semanage_handle_t * sh, char *module_data,
--				size_t data_len, char **module_name, char **version)
--{
--	struct sepol_policy_file *pf;
--	int file_type;
--	*version = NULL;
--
--	if (sepol_policy_file_create(&pf)) {
--		ERR(sh, "Out of memory!");
--		return -1;
--	}
--	sepol_policy_file_set_mem(pf, module_data, data_len);
--	sepol_policy_file_set_handle(pf, sh->sepolh);
--	if (module_data == NULL ||
--	    data_len == 0 ||
--	    sepol_module_package_info(pf, &file_type, module_name, version) == -1) {
--		sepol_policy_file_free(pf);
--		ERR(sh, "Could not parse module data.");
--		return -2;
--	}
--	sepol_policy_file_free(pf);
--	if (file_type != SEPOL_POLICY_MOD) {
--		ERR(sh, "Data did not represent a pp module. Please upgrade to the latest version of libsemanage to support hll modules.");
--		return -2;
--	}
--
--	return 0;
--}
--
--/* This function is used to preserve ABI compatibility with
-- * versions of semodule using LIBSEMANAGE_1.0
-- */
--int semanage_module_install_pp(semanage_handle_t * sh,
--			    char *module_data, size_t data_len)
--{
--	char *name = NULL;
--	char *version = NULL;
--	int status;
--
--	if ((status = parse_module_headers(sh, module_data, data_len, &name, &version)) != 0) {
--		goto cleanup;
--	}
--
--	status = semanage_module_install_hll(sh, module_data, data_len, name, "pp");
--
--cleanup:
--	free(name);
--	free(version);
--	return status;
--}
--
--int semanage_module_install_hll(semanage_handle_t * sh,
-+int semanage_module_install(semanage_handle_t * sh,
- 			    char *module_data, size_t data_len, const char *name, const char *ext_lang)
- {
- 	if (sh->funcs->install == NULL) {
-@@ -160,16 +97,6 @@ int semanage_module_extract(semanage_handle_t * sh,
- 	return sh->funcs->extract(sh, modkey, extract_cil, mapped_data, data_len, modinfo);
- }
- 
--/* Legacy function that remains to preserve ABI
-- * compatibility. Please use semanage_module_install instead.
-- */
--int semanage_module_upgrade(semanage_handle_t * sh,
--			    char *module_data, size_t data_len)
--{
--	return semanage_module_install_pp(sh, module_data, data_len);
--	
--}
--
- /* Legacy function that remains to preserve ABI
-  * compatibility. Please use semanage_module_install_file instead.
-  */
-@@ -179,24 +106,6 @@ int semanage_module_upgrade_file(semanage_handle_t * sh,
- 	return semanage_module_install_file(sh, module_name);
- }
- 
--/* Legacy function that remains to preserve ABI
-- * compatibility. Please use semanage_module_install instead.
-- */
--int semanage_module_install_base(semanage_handle_t * sh,
--				 char *module_data, size_t data_len)
--{
--	return semanage_module_install_pp(sh, module_data, data_len);
--}
--
--/* Legacy function that remains to preserve ABI
-- * compatibility. Please use semanage_module_install_file instead.
-- */
--int semanage_module_install_base_file(semanage_handle_t * sh,
--				 const char *module_name)
--{
--	return semanage_module_install_file(sh, module_name);
--}
--
- int semanage_module_remove(semanage_handle_t * sh, char *module_name)
- {
- 	if (sh->funcs->remove == NULL) {
-@@ -780,7 +689,7 @@ int semanage_module_key_set_priority(semanage_handle_t *sh,
- }
- 
- 
--int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
-+int semanage_module_get_enabled(semanage_handle_t *sh,
- 				const semanage_module_key_t *modkey,
- 				int *enabled)
- {
-@@ -800,11 +709,6 @@ int semanage_module_get_enabled_1_1(semanage_handle_t *sh,
- 	return sh->funcs->get_enabled(sh, modkey, enabled);
- }
- 
--int semanage_module_get_enabled_1_0(semanage_module_info_t *modinfo)
--{
--	return modinfo->enabled;
--}
--
- int semanage_module_set_enabled(semanage_handle_t *sh,
- 				const semanage_module_key_t *modkey,
- 				int enabled)
-diff --git a/libsemanage/src/modules.h b/libsemanage/src/modules.h
-index 2d3576fb15df..64d4a157f5ca 100644
---- a/libsemanage/src/modules.h
-+++ b/libsemanage/src/modules.h
-@@ -26,16 +26,9 @@
- 
- #include "semanage/modules.h"
- 
--int semanage_module_install_pp(semanage_handle_t * sh,
--			    char *module_data, size_t data_len);
--int semanage_module_install_hll(semanage_handle_t * sh,
--			    char *module_data, size_t data_len, const char *name, const char *ext_lang);
--int semanage_module_upgrade(semanage_handle_t * sh,
--			    char *module_data, size_t data_len);
-+
- int semanage_module_upgrade_file(semanage_handle_t * sh,
- 				 const char *module_name);
--int semanage_module_install_base(semanage_handle_t * sh,
--				 char *module_data, size_t data_len);
- int semanage_module_install_base_file(semanage_handle_t * sh,
- 				 const char *module_name);
- 
-diff --git a/libsemanage/src/semanageswig_python.i b/libsemanage/src/semanageswig_python.i
-index 8dd79fc24213..5f0113966962 100644
---- a/libsemanage/src/semanageswig_python.i
-+++ b/libsemanage/src/semanageswig_python.i
-@@ -30,8 +30,6 @@
- %}
- 
- %include "stdint.i"
--%ignore semanage_module_install_pp;
--%ignore semanage_module_install_hll;
- 
- %wrapper %{
- 
--- 
-2.29.0
-

0002-libsemanage-Drop-deprecated-functions.patch

@@ -1,100 +0,0 @@
-From c08b73d7183e2dbab0ba43c3df32f4214abbc9c6 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:51 +0200
-Subject: [PATCH] libsemanage: Drop deprecated functions
-
-semanage_module_enable() and semanage_module_disable() were deprecated
-by commit 9fbc6d14418f ("libsemanage: add back original module
-enable/disable functions for ABI compatability") in 2014 in order to
-preserve ABI compatibility. As we the libsemanage ABI is changed by the
-previous commit, it makes sense to drop them completely.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsemanage/src/libsemanage.map |  2 --
- libsemanage/src/modules.c       | 56 ---------------------------------
- 2 files changed, 58 deletions(-)
-
-diff --git a/libsemanage/src/libsemanage.map b/libsemanage/src/libsemanage.map
-index 4bec06aaae27..3ea7b60f97bb 100644
---- a/libsemanage/src/libsemanage.map
-+++ b/libsemanage/src/libsemanage.map
-@@ -165,8 +165,6 @@ LIBSEMANAGE_1.0 {
-     semanage_is_connected;
-     semanage_is_managed;
-     semanage_mls_enabled;
--    semanage_module_disable;
--    semanage_module_enable;
-     semanage_module_get_name;
-     semanage_module_get_version;
-     semanage_module_info_datum_destroy;
-diff --git a/libsemanage/src/modules.c b/libsemanage/src/modules.c
-index 8b36801038df..b6dd456cac32 100644
---- a/libsemanage/src/modules.c
-+++ b/libsemanage/src/modules.c
-@@ -734,62 +734,6 @@ int semanage_module_set_enabled(semanage_handle_t *sh,
- }
- 
- 
--/* This function exists only for ABI compatibility. It has been deprecated and
-- * should not be used. Instead, use semanage_module_set_enabled() */
--int semanage_module_enable(semanage_handle_t *sh, char *module_name)
--{
--	int rc = -1;
--	semanage_module_key_t *modkey = NULL;
--
--	rc = semanage_module_key_create(sh, &modkey);
--	if (rc != 0)
--		goto exit;
--
--	rc = semanage_module_key_set_name(sh, modkey, module_name);
--	if (rc != 0)
--		goto exit;
--
--	rc = semanage_module_set_enabled(sh, modkey, 1);
--	if (rc != 0)
--		goto exit;
--
--	rc = 0;
--
--exit:
--	semanage_module_key_destroy(sh, modkey);
--	free(modkey);
--
--	return rc;
--}
--
--/* This function exists only for ABI compatibility. It has been deprecated and
-- * should not be used. Instead, use semanage_module_set_enabled() */
--int semanage_module_disable(semanage_handle_t *sh, char *module_name)
--{
--	int rc = -1;
--	semanage_module_key_t *modkey = NULL;
--
--	rc = semanage_module_key_create(sh, &modkey);
--	if (rc != 0)
--		goto exit;
--
--	rc = semanage_module_key_set_name(sh, modkey, module_name);
--	if (rc != 0)
--		goto exit;
--
--	rc = semanage_module_set_enabled(sh, modkey, 0);
--	if (rc != 0)
--		goto exit;
--
--	rc = 0;
--
--exit:
--	semanage_module_key_destroy(sh, modkey);
--	free(modkey);
--
--	return rc;
--}
--
- /* Converts a string to a priority
-  *
-  * returns -1 if str is not a valid priority.
--- 
-2.29.0
-

0003-libsemanage-Bump-libsemanage.so-version.patch

@@ -1,45 +0,0 @@
-From 6ebb35d261eaa8701b53b9f68184b05de8dfd868 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 9 Oct 2020 15:00:52 +0200
-Subject: [PATCH] libsemanage: Bump libsemanage.so version
-
-Previous commits removed some symbols and broke ABI, therefore we need to change
-SONAME.
-
-See the following quotes from distribution guidelines:
-
-https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
-
-Every time the shared library ABI changes in a way that may break
-binaries linked against older versions of the shared library, the SONAME
-of the library and the corresponding name for the binary package
-containing the runtime shared library should change.
-
-https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
-
-When new versions of the library are released, you should use an ABI
-comparison tool to check for ABI differences in the built shared
-libraries. If it detects any incompatibilities, bump the n number by
-one.
-
-Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
----
- libsemanage/src/Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
-index a0eb3747d74b..ab6cae51f5c3 100644
---- a/libsemanage/src/Makefile
-+++ b/libsemanage/src/Makefile
-@@ -32,7 +32,7 @@ YACC = bison
- YFLAGS = -d
- 
- VERSION = $(shell cat ../VERSION)
--LIBVERSION = 1
-+LIBVERSION = 2
- 
- LIBA=libsemanage.a
- TARGET=libsemanage.so
--- 
-2.29.0
-

0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch

@@ -1,66 +0,0 @@
-From fc966a746653cc15a14d1e1a80f01fc2f567ee08 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Wed, 7 Nov 2018 18:17:34 +0100
-Subject: [PATCH] libsemanage: Fix RESOURCE_LEAK and USE_AFTER_FREE coverity
- scan defects
-
----
- libsemanage/src/direct_api.c | 21 ++++++++-------------
- 1 file changed, 8 insertions(+), 13 deletions(-)
-
-diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
-index d2b91fb24292..f445cd4d6fb5 100644
---- a/libsemanage/src/direct_api.c
-+++ b/libsemanage/src/direct_api.c
-@@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh,
- 
- 	fp = NULL;
- 
--	ret = 0;
-+	return 0;
- 
- cleanup:
- 	if (fp != NULL) fclose(fp);
-@@ -2184,7 +2184,6 @@ cleanup:
- 	semanage_module_info_destroy(sh, modinfo);
- 	free(modinfo);
- 
--	if (fp != NULL) fclose(fp);
- 	return status;
- }
- 
-@@ -2349,16 +2348,6 @@ static int semanage_direct_get_module_info(semanage_handle_t *sh,
- 	free(tmp);
- 	tmp = NULL;
- 
--	if (fclose(fp) != 0) {
--		ERR(sh,
--		    "Unable to close %s module lang ext file.",
--		    (*modinfo)->name);
--		status = -1;
--		goto cleanup;
--	}
--
--	fp = NULL;
--
- 	/* lookup enabled/disabled status */
- 	ret = semanage_module_get_path(sh,
- 				       *modinfo,
-@@ -2402,7 +2391,13 @@ cleanup:
- 		free(modinfos);
- 	}
- 
--	if (fp != NULL) fclose(fp);
-+	if (fp != NULL && fclose(fp) != 0) {
-+		ERR(sh,
-+		    "Unable to close %s module lang ext file.",
-+		    (*modinfo)->name);
-+		status = -1;
-+	}
-+
- 	return status;
- }
- 
--- 
-2.29.0
-

0005-libsemanage-genhomedircon-check-usepasswd.patch

@@ -1,35 +0,0 @@
-From 511f8bbf779e10152d5af491e8b6a408b8ad666c Mon Sep 17 00:00:00 2001
-From: Vit Mojzis <vmojzis@redhat.com>
-Date: Fri, 30 Oct 2020 17:42:17 +0100
-Subject: [PATCH] libsemanage/genhomedircon: check usepasswd
-
-Only add user homedir contexts when usepasswd = True
-
-Resolves:
-   # grep usepasswd /etc/selinux/semanage.conf
-   usepasswd=False
-   # useradd -Z unconfined_u -d /tmp test
-   # matchpathcon /tmp
-   /tmp	unconfined_u:object_r:user_home_dir_t:s0
-
-Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
----
- libsemanage/src/genhomedircon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
-index d08c88de99a7..18d3d99a1254 100644
---- a/libsemanage/src/genhomedircon.c
-+++ b/libsemanage/src/genhomedircon.c
-@@ -1332,7 +1332,7 @@ static int write_context_file(genhomedircon_settings_t * s, FILE * out)
- 			s->fallback->home = NULL;
- 		}
- 	}
--	if (user_context_tpl || username_context_tpl) {
-+	if ((s->usepasswd) && (user_context_tpl || username_context_tpl)) {
- 		if (write_username_context(s, out, username_context_tpl,
- 					   s->fallback) != STATUS_SUCCESS) {
- 			retval = STATUS_ERR;
--- 
-2.29.2
-

gating.yaml

@@ -1,16 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-

libsemanage-fedora.patch

@@ -0,0 +1,299 @@
+diff --git libsemanage-2.7/include/semanage/fcontexts_policy.h libsemanage-2.7/include/semanage/fcontexts_policy.h
+index a50db2b..199a1e1 100644
+--- libsemanage-2.7/include/semanage/fcontexts_policy.h
++++ libsemanage-2.7/include/semanage/fcontexts_policy.h
+@@ -26,4 +26,8 @@ extern int semanage_fcontext_list(semanage_handle_t * handle,
+ 				  semanage_fcontext_t *** records,
+ 				  unsigned int *count);
+ 
++extern int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
++				  semanage_fcontext_t *** records,
++				  unsigned int *count);
++
+ #endif
+diff --git libsemanage-2.7/src/direct_api.c libsemanage-2.7/src/direct_api.c
+index 65842df..31fcada 100644
+--- libsemanage-2.7/src/direct_api.c
++++ libsemanage-2.7/src/direct_api.c
+@@ -148,9 +148,6 @@ int semanage_direct_connect(semanage_handle_t * sh)
+ 		if (semanage_create_store(sh, 1))
+ 			goto err;
+ 
+-	if (semanage_access_check(sh) < SEMANAGE_CAN_READ)
+-		goto err;
+-
+ 	sh->u.direct.translock_file_fd = -1;
+ 	sh->u.direct.activelock_file_fd = -1;
+ 
+@@ -210,6 +207,12 @@ int semanage_direct_connect(semanage_handle_t * sh)
+ 				     semanage_fcontext_dbase_local(sh)) < 0)
+ 		goto err;
+ 
++	if (fcontext_file_dbase_init(sh,
++				     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_STORE_FC_HOMEDIRS),
++				     semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
++				     semanage_fcontext_dbase_homedirs(sh)) < 0)
++		goto err;
++
+ 	if (seuser_file_dbase_init(sh,
+ 				   semanage_path(SEMANAGE_ACTIVE,
+ 						 SEMANAGE_SEUSERS_LOCAL),
+@@ -349,6 +352,7 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
+ 	iface_file_dbase_release(semanage_iface_dbase_local(sh));
+ 	bool_file_dbase_release(semanage_bool_dbase_local(sh));
+ 	fcontext_file_dbase_release(semanage_fcontext_dbase_local(sh));
++	fcontext_file_dbase_release(semanage_fcontext_dbase_homedirs(sh));
+ 	seuser_file_dbase_release(semanage_seuser_dbase_local(sh));
+ 	node_file_dbase_release(semanage_node_dbase_local(sh));
+ 
+@@ -373,10 +377,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh)
+ 
+ static int semanage_direct_begintrans(semanage_handle_t * sh)
+ {
+-
+-	if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) {
+-		return -1;
+-	}
+ 	if (semanage_get_trans_lock(sh) < 0) {
+ 		return -1;
+ 	}
+@@ -1545,43 +1545,46 @@ rebuild:
+ 	}
+ 
+ 	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL);
+-	if (access(path, F_OK) == 0) {
+-		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
+-							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
+-							sh->conf->file_mode);
+-		if (retval < 0) {
+-			goto cleanup;
+-		}
++	retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL),
++						semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL),
++						sh->conf->file_mode);
++	if (retval < 0 && errno != ENOENT) {
++		goto cleanup;
+ 	}
+ 
+ 	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC);
+-	if (access(path, F_OK) == 0) {
+-		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
+-							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
+-							sh->conf->file_mode);
+-		if (retval < 0) {
+-			goto cleanup;
+-		}
++	retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC),
++						semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC),
++						sh->conf->file_mode);
++	if (retval < 0 && errno != ENOENT) {
++		goto cleanup;
+ 	}
+ 
+ 	path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS);
+-	if (access(path, F_OK) == 0) {
+-		retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
+-							semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
+-							sh->conf->file_mode);
+-		if (retval < 0) {
+-			goto cleanup;
+-		}
++	retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS),
++						semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS),
++						sh->conf->file_mode);
++	if (retval < 0 && errno != ENOENT) {
++		goto cleanup;
+ 	}
+ 
+ 	/* run genhomedircon if its enabled, this should be the last operation
+ 	 * which requires the out policydb */
+ 	if (!sh->conf->disable_genhomedircon) {
+-		if (out && (retval =
+-			semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
+-			ERR(sh, "semanage_genhomedircon returned error code %d.",
+-			    retval);
+-			goto cleanup;
++		if (out){
++			if ((retval = semanage_genhomedircon(sh, out, sh->conf->usepasswd,
++								sh->conf->ignoredirs)) != 0) {
++				ERR(sh, "semanage_genhomedircon returned error code %d.", retval);
++				goto cleanup;
++			}
++			/* file_contexts.homedirs was created in SEMANAGE_TMP store */
++			retval = semanage_copy_file(
++						semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS),
++						semanage_final_path(SEMANAGE_FINAL_TMP,	SEMANAGE_FC_HOMEDIRS),
++						sh->conf->file_mode);
++			if (retval < 0) {
++				goto cleanup;
++			}
+ 		}
+ 	} else {
+ 		WARN(sh, "WARNING: genhomedircon is disabled. \
+diff --git libsemanage-2.7/src/fcontexts_policy.c libsemanage-2.7/src/fcontexts_policy.c
+index 0b063b1..98490ab 100644
+--- libsemanage-2.7/src/fcontexts_policy.c
++++ libsemanage-2.7/src/fcontexts_policy.c
+@@ -51,3 +51,11 @@ int semanage_fcontext_list(semanage_handle_t * handle,
+ 	dbase_config_t *dconfig = semanage_fcontext_dbase_policy(handle);
+ 	return dbase_list(handle, dconfig, records, count);
+ }
++
++int semanage_fcontext_list_homedirs(semanage_handle_t * handle,
++			   semanage_fcontext_t *** records, unsigned int *count)
++{
++
++	dbase_config_t *dconfig = semanage_fcontext_dbase_homedirs(handle);
++	return dbase_list(handle, dconfig, records, count);
++}
+diff --git libsemanage-2.7/src/genhomedircon.c libsemanage-2.7/src/genhomedircon.c
+index b9a74b7..d09d82f 100644
+--- libsemanage-2.7/src/genhomedircon.c
++++ libsemanage-2.7/src/genhomedircon.c
+@@ -1345,8 +1345,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
+ 
+ 	s.homedir_template_path =
+ 	    semanage_path(SEMANAGE_TMP, SEMANAGE_HOMEDIR_TMPL);
+-	s.fcfilepath = semanage_final_path(SEMANAGE_FINAL_TMP,
+-					   SEMANAGE_FC_HOMEDIRS);
++	s.fcfilepath =
++		semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_HOMEDIRS);
+ 
+ 	s.fallback = calloc(1, sizeof(genhomedircon_user_entry_t));
+ 	if (s.fallback == NULL) {
+@@ -1385,7 +1385,9 @@ done:
+ 	if (out != NULL)
+ 		fclose(out);
+ 
+-	pop_user_entry(&(s.fallback));
++	while (s.fallback)
++		pop_user_entry(&(s.fallback));
++
+ 	ignore_free();
+ 
+ 	return retval;
+diff --git libsemanage-2.7/src/handle.h libsemanage-2.7/src/handle.h
+index 889871d..1780ac8 100644
+--- libsemanage-2.7/src/handle.h
++++ libsemanage-2.7/src/handle.h
+@@ -79,7 +79,7 @@ struct semanage_handle {
+ 	struct semanage_policy_table *funcs;
+ 
+ 	/* Object databases */
+-#define DBASE_COUNT      23
++#define DBASE_COUNT      24
+ 
+ /* Local modifications */
+ #define DBASE_LOCAL_USERS_BASE  0
+@@ -102,13 +102,14 @@ struct semanage_handle {
+ #define DBASE_POLICY_INTERFACES  15
+ #define DBASE_POLICY_BOOLEANS    16
+ #define DBASE_POLICY_FCONTEXTS   17
+-#define DBASE_POLICY_SEUSERS     18
+-#define DBASE_POLICY_NODES       19
+-#define DBASE_POLICY_IBPKEYS     20
+-#define DBASE_POLICY_IBENDPORTS  21
++#define DBASE_POLICY_FCONTEXTS_H 18
++#define DBASE_POLICY_SEUSERS     19
++#define DBASE_POLICY_NODES       20
++#define DBASE_POLICY_IBPKEYS     21
++#define DBASE_POLICY_IBENDPORTS  22
+ 
+ /* Active kernel policy */
+-#define DBASE_ACTIVE_BOOLEANS    22
++#define DBASE_ACTIVE_BOOLEANS    23
+ 	dbase_config_t dbase[DBASE_COUNT];
+ };
+ 
+@@ -236,6 +237,12 @@ static inline
+ }
+ 
+ static inline
++    dbase_config_t * semanage_fcontext_dbase_homedirs(semanage_handle_t * handle)
++{
++	return &handle->dbase[DBASE_POLICY_FCONTEXTS_H];
++}
++
++static inline
+     dbase_config_t * semanage_seuser_dbase_policy(semanage_handle_t * handle)
+ {
+ 	return &handle->dbase[DBASE_POLICY_SEUSERS];
+diff --git libsemanage-2.7/src/semanage_store.c libsemanage-2.7/src/semanage_store.c
+index 6158d08..320fa7b 100644
+--- libsemanage-2.7/src/semanage_store.c
++++ libsemanage-2.7/src/semanage_store.c
+@@ -116,6 +116,7 @@ static const char *semanage_sandbox_paths[SEMANAGE_STORE_NUM_PATHS] = {
+ 	"/modules/disabled",
+ 	"/policy.kern",
+ 	"/file_contexts.local",
++	"/file_contexts.homedirs",
+ 	"/file_contexts",
+ 	"/seusers"
+ };
+@@ -537,7 +538,6 @@ char *semanage_conf_path(void)
+ int semanage_create_store(semanage_handle_t * sh, int create)
+ {
+ 	struct stat sb;
+-	int mode_mask = R_OK | W_OK | X_OK;
+ 	const char *path = semanage_files[SEMANAGE_ROOT];
+ 	int fd;
+ 
+@@ -556,9 +556,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ 			return -1;
+ 		}
+ 	} else {
+-		if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
++		if (!S_ISDIR(sb.st_mode)) {
+ 			ERR(sh,
+-			    "Could not access module store at %s, or it is not a directory.",
++			    "Module store at %s is not a directory.",
+ 			    path);
+ 			return -1;
+ 		}
+@@ -579,9 +579,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ 			return -1;
+ 		}
+ 	} else {
+-		if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
++		if (!S_ISDIR(sb.st_mode)) {
+ 			ERR(sh,
+-			    "Could not access module store active subdirectory at %s, or it is not a directory.",
++			    "Module store active subdirectory at %s is not a directory.",
+ 			    path);
+ 			return -1;
+ 		}
+@@ -602,9 +602,9 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ 			return -1;
+ 		}
+ 	} else {
+-		if (!S_ISDIR(sb.st_mode) || access(path, mode_mask) == -1) {
++		if (!S_ISDIR(sb.st_mode)) {
+ 			ERR(sh,
+-			    "Could not access module store active modules subdirectory at %s, or it is not a directory.",
++			    "Module store active modules subdirectory at %s is not a directory.",
+ 			    path);
+ 			return -1;
+ 		}
+@@ -623,8 +623,8 @@ int semanage_create_store(semanage_handle_t * sh, int create)
+ 			return -1;
+ 		}
+ 	} else {
+-		if (!S_ISREG(sb.st_mode) || access(path, R_OK | W_OK) == -1) {
+-			ERR(sh, "Could not access lock file at %s.", path);
++		if (!S_ISREG(sb.st_mode)) {
++			ERR(sh, "Lock file at %s missing.", path);
+ 			return -1;
+ 		}
+ 	}
+diff --git libsemanage-2.7/src/semanage_store.h libsemanage-2.7/src/semanage_store.h
+index fcaa505..34bf852 100644
+--- libsemanage-2.7/src/semanage_store.h
++++ libsemanage-2.7/src/semanage_store.h
+@@ -61,6 +61,7 @@ enum semanage_sandbox_defs {
+ 	SEMANAGE_MODULES_DISABLED,
+ 	SEMANAGE_STORE_KERNEL,
+ 	SEMANAGE_STORE_FC_LOCAL,
++	SEMANAGE_STORE_FC_HOMEDIRS,
+ 	SEMANAGE_STORE_FC,
+ 	SEMANAGE_STORE_SEUSERS,
+ 	SEMANAGE_STORE_NUM_PATHS

libsemanage-genhomedircon.patch

@@ -0,0 +1,32 @@
+Index: libsemanage/src/semanage_store.c
+===================================================================
+RCS file: /cvsroot/selinux/nsa/selinux-usr/libsemanage/src/semanage_store.c,v
+retrieving revision 1.21
+diff -u -r1.21 semanage_store.c
+--- libsemanage/src/semanage_store.c	9 Nov 2005 14:52:55 -0000	1.21
++++ libsemanage/src/semanage_store.c	14 Nov 2005 21:43:09 -0000
+@@ -950,11 +950,6 @@
+ 		goto cleanup;
+ 	}
+ 
+-	if ((r = semanage_exec_prog(sh, sh->conf->genhomedircon, sh->conf->store_path, "")) != 0) {
+-		ERR(sh, "genhomedircon returned error code %d.", r);
+-		goto cleanup;
+-	}
+-
+ 	retval = 0;
+ cleanup:
+ 	free(storepath);
+@@ -1070,6 +1065,12 @@
+ 		goto cleanup;
+ 	}
+ 
++	if ((retval = semanage_exec_prog(sh, sh->conf->genhomedircon, sh->conf->store_path, "")) != 0) {
++		ERR(sh, "genhomedircon returned error code %d.", retval);
++		goto cleanup;
++	}
++
++
+ cleanup:
+ 	return retval;
+ 

libsemanage.spec

@@ -1,36 +1,35 @@
-%define libsepolver 3.1-5
-%define libselinuxver 3.1-5
+%global with_python3 1
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print (get_python_lib(1))")}
 
-Summary: SELinux binary policy manipulation library
+%define libsepolver 2.7-2
+%define libselinuxver 2.7-3
+
+Summary: SELinux binary policy manipulation library 
 Name: libsemanage
-Version: 3.1
-Release: 5%{?dist}
+Version: 2.7
+Release: 3%{?dist}
 License: LGPLv2+
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsemanage-3.1.tar.gz
-# fedora-selinux/selinux: git format-patch -N libsemanage-3.1 -- libsemanage
-# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
-# Patch list start
-Patch0001: 0001-libsemanage-Remove-legacy-and-duplicate-symbols.patch
-Patch0002: 0002-libsemanage-Drop-deprecated-functions.patch
-Patch0003: 0003-libsemanage-Bump-libsemanage.so-version.patch
-Patch0004: 0004-libsemanage-Fix-RESOURCE_LEAK-and-USE_AFTER_FREE-cov.patch
-Patch0005: 0005-libsemanage-genhomedircon-check-usepasswd.patch
-# Patch list end
+Group: System Environment/Libraries
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804/libsemanage-2.7.tar.gz
+# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
+# run:
+# $ VERSION=2.7 BRANCH=f27 ./make-fedora-selinux-patch.sh libsemanage
+# HEAD https://github.com/fedora-selinux/selinux/commit/e5a6540888e254b245d42b7cecf0b895d64ddc43
+
+Patch1: libsemanage-fedora.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 Source1: semanage.conf
 
-BuildRequires: gcc make
-BuildRequires: libselinux-devel >= %{libselinuxver} swig
+BuildRequires: libselinux-devel >= %{libselinuxver} swig ustr-devel
 BuildRequires: libsepol-devel >= %{libsepolver} 
 BuildRequires: audit-libs-devel
-BuildRequires: bison flex bzip2-devel
+BuildRequires: python python-devel bison flex bzip2-devel
 
-BuildRequires: python3
-BuildRequires: python3-devel
+%if 0%{?with_python3}
+BuildRequires: python3 python3-devel
+%endif # if with_python3
 
 Requires: bzip2-libs audit-libs
-Requires: libselinux%{?_isa} >= %{libselinuxver}
-Obsoletes: libsemanage-compat = 3.1-4
 
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -50,6 +49,7 @@ on binary policies such as customizing policy boolean settings.
 
 %package static
 Summary: Static library used to build policy manipulation tools
+Group: Development/Libraries
 Requires: libsemanage-devel%{_isa} = %{version}-%{release}
 
 %description static
@@ -58,33 +58,40 @@ needed for developing applications that manipulate binary policies.
 
 %package devel
 Summary: Header files and libraries used to build policy manipulation tools
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release} ustr
 
 %description devel
 The semanage-devel package contains the libraries and header files
 needed for developing applications that manipulate binary policies. 
 
-%package -n python3-libsemanage
+%package python
+Summary: semanage python bindings for libsemanage
+Group: Development/Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description python
+The libsemanage-python package contains the python bindings for developing 
+SELinux management applications. 
+
+%if 0%{?with_python3}
+%package python3
 Summary: semanage python 3 bindings for libsemanage
+Group: Development/Libraries
 Requires: %{name}%{?_isa} = %{version}-%{release}
 Requires: libselinux-python3
-%{?python_provide:%python_provide python3-libsemanage}
-# Remove before F30
-Provides: %{name}-python3 = %{version}-%{release}
-Provides: %{name}-python3%{?_isa} = %{version}-%{release}
-Obsoletes: %{name}-python3 < %{version}-%{release}
 
-%description -n python3-libsemanage
+%description python3
 The libsemanage-python3 package contains the python 3 bindings for developing
 SELinux management applications.
+%endif # if with_python3
 
 %prep
-%autosetup -n libsemanage-%{version} -p 2
+%autosetup -n libsemanage-%{version} -p 1
 
 
 %build
-%set_build_flags
-CFLAGS="$CFLAGS -fno-semantic-interposition"
+export LDFLAGS="%{?__global_ldflags}"
 
 # To support building the Python wrapper against multiple Python runtimes
 # Define a function, for how to perform a "build" of the python wrapper against
@@ -95,16 +102,21 @@ BuildPythonWrapper() {
   # Perform the build from the upstream Makefile:
   make \
     PYTHON=$BinaryName \
-    LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" \
+    CFLAGS="%{optflags}" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" \
     pywrap
 }
 
 make clean
-make swigify
-%make_build LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all
+make CFLAGS="%{optflags}" swigify
+make CFLAGS="%{optflags}" LIBDIR="%{_libdir}" SHLIBDIR="%{_lib}" all
 
+BuildPythonWrapper \
+  %{__python}
+  
+%if 0%{?with_python3}
 BuildPythonWrapper \
   %{__python3}
+%endif # with_python3
 
 %install
 InstallPythonWrapper() {
@@ -112,189 +124,85 @@ InstallPythonWrapper() {
 
   make \
     PYTHON=$BinaryName \
-    DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" \
+    DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_libdir}" \
     install-pywrap
 }
 
+rm -rf ${RPM_BUILD_ROOT}
 mkdir -p ${RPM_BUILD_ROOT}%{_libdir}
 mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux
 mkdir -p ${RPM_BUILD_ROOT}%{_sharedstatedir}/selinux/tmp
-%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
+make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_libdir}" install
 
+InstallPythonWrapper \
+  %{__python} \
+  .so
+
+%if 0%{?with_python3}
 InstallPythonWrapper \
   %{__python3} \
   $(python3-config --extension-suffix)
+%endif # with_python3
   
 cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf
+ln -sf  %{_libdir}/libsemanage.so.1 ${RPM_BUILD_ROOT}/%{_libdir}/libsemanage.so
+
+sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%' %{buildroot}%{_libexecdir}/selinux/semanage_migrate_store
+
+%clean
+rm -rf ${RPM_BUILD_ROOT}
 
 %files
+%defattr(-,root,root)
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 %dir %{_sysconfdir}/selinux
 %config(noreplace) %{_sysconfdir}/selinux/semanage.conf
-%{_libdir}/libsemanage.so.2
+%{_libdir}/libsemanage.so.1
 %{_mandir}/man5/*
-%{_mandir}/ru/man5/*
 %dir %{_libexecdir}/selinux
 %dir %{_sharedstatedir}/selinux
 %dir %{_sharedstatedir}/selinux/tmp
 
-%ldconfig_scriptlets
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
 
 %files static
+%defattr(-,root,root)
 %{_libdir}/libsemanage.a
 
 %files devel
+%defattr(-,root,root)
 %{_libdir}/libsemanage.so
 %{_libdir}/pkgconfig/libsemanage.pc
 %dir %{_includedir}/semanage
 %{_includedir}/semanage/*.h
 %{_mandir}/man3/*
 
-%files -n python3-libsemanage
+%files python
+%defattr(-,root,root)
+%{python_sitearch}/_semanage.so
+%{python_sitearch}/semanage.py*
+
+%if 0%{?with_python3}
+%files python3
+%defattr(-,root,root)
 %{python3_sitearch}/*.so
 %{python3_sitearch}/semanage.py*
 %{python3_sitearch}/__pycache__/semanage*
 %{_libexecdir}/selinux/semanage_migrate_store
+%endif # if with_python3
 
 %changelog
-* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
-- Drop and obsolete libsemanage-compat
-- genhomedircon: check usepasswd
+* Tue Jun 26 2018 Paul Moore <pmoore@redhat.com> - 2.7-3
+- Disable expand-check (#1595316)
 
-* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
-- Drop deprecated functions and duplicated symbols
-- Change library version to libsemanage.so.2
-- Temporary ship -compat with libsemanage.so.1
-- Based on upstream db0f2f382e31
-- Re-enable lto flags
-
-* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
-- Use make macros
-- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-- Use -fno-semantic-interposition and more make macros
-
-* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
-- SELinux userspace 3.1 release
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-4
-- Rebuilt for Python 3.9
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jan 22 2020 Ondrej Mosnacek <omosnace@redhat.com> - 3.0-2
-- Enable policy optimization
-
-* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
-- SELinux userspace 3.0 release
-
-* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc1.1
-- SELinux userspace 3.0-rc1 release candidate
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-5
-- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Sun Aug 18 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.9-4
-- Rebuilt for Python 3.8
-
-* Tue Aug 13 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
-- Drop python2-libsemanage (#1738466)
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
-- SELinux userspace 2.9 release
-
-* Mon Mar 11 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
-- SELinux userspace 2.9-rc2 release
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
-- SELinux userspace 2.9-rc1 release
-
-* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-8
-- Always set errno to 0 before calling getpwent()
-- Set selinux policy root around calls to selinux_boolean_sub
-
-* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
-- genhomedircon - improve handling large groups
-
-* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
-- Fix RESOURCE_LEAK and USE_AFTER_FREE coverity scan defects
-
-* Mon Sep 17 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
-- Include user name in ROLE_REMOVE audit events
-
-* Tue Sep  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
-- Reset umask before creating directories (#1186422)
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
-- Rebuilt for Python 3.7
-
-* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
-- SELinux userspace 2.8 release
-
-* Mon May 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
-- SELinux userspace 2.8-rc3 release candidate
-
-* Fri May  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
-- SELinux userspace 2.8-rc2 release candidate
-
-* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
-- SELinux userspace 2.8-rc1 release candidate
-
-* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-12
-- build: Replace PYSITEDIR with PYTHONLIBDIR
-- direct_api.c: Fix iterating over array (#1557468)
-
-* Fri Mar 16 2018 Petr Lautrbach <plautrba@workstation> - 2.7-11
-- Revert "remove access() check to make setuid programs work" (#1557468)
-
-* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-10
-- properly check return value of iterate function
-- Use umask(0077) for fopen() write operations
-- Return commit number if save-previous false
-- Allow tmp files to be kept if a compile fails
-- build: follow standard semantics for DESTDIR and PREFIX
-- Improve warning for installing disabled module
-- silence clang static analyzer report
-- remove access() check to make setuid programs work
-
-* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-9
-- Escape macros in %%changelog
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-8
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-7
-- Switch to %%ldconfig_scriptlets
-
-* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.7-6
-- Update Python 2 dependency declarations to new packaging standards
-  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
-
-* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
+* Fri Nov 24 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
 - free genhomedircon fallback user
-- Rebuild with libsepol-2.7-3 and libselinux-2.7-6
-
-* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-4
-- Add support for listing fcontext.homedirs file (#1409813)
-
-* Sun Aug 20 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-3
-- Add Provides for the old names without %%_isa
-
-* Thu Aug 10 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-2
-- Python 2 binary package renamed to python2-libsemanage
-  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
-- Python 3 binary package renamed to python3-libsemanage
+- Add support for listing fcontext.homedirs file
+- Keep copy of file_contexts.homedirs in policy store
 
 * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
 - Update to upstream release 2017-08-04
@@ -331,7 +239,7 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf
 - Use pp module name instead of filename when installing module
 - tests: Do not force using gcc
 - genhomedircon: remove hardcoded refpolicy strings
-- genhomedircon: add support for %%group syntax
+- genhomedircon: add support for %group syntax
 - genhomedircon: generate contexts for logins mapped to the default user
 - Validate and compile file contexts before installing
 - Swap tcp and udp protocol numbers
@@ -349,7 +257,7 @@ cp %{SOURCE1} ${RPM_BUILD_ROOT}/etc/selinux/semanage.conf
 
 * Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
 - Fix multiple spelling errors
-- genhomedircon: %%{USERID} and %%{USERNAME} support and code cleanup
+- genhomedircon: %{USERID} and %{USERNAME} support and code cleanup
 
 * Mon Mar 21 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
 - Enable expand-check by default (#1319652)

make-rhat-patches.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+LIBSEMANAGE_VERSION=2.4
+BRANCH=master
+
+REBASEDIR=`mktemp -d rebase.XXXXXX`
+pushd $REBASEDIR
+
+git clone git@github.com:fedora-selinux/selinux.git
+pushd selinux; git checkout $BRANCH; COMMIT=`git rev-parse --verify HEAD`; popd
+
+# prepare libsemanage-rhat.patch
+tar xfz ../libsemanage-$LIBSEMANAGE_VERSION.tar.gz
+pushd libsemanage-$LIBSEMANAGE_VERSION
+
+git init; git add .; git commit -m "init"
+cp -r ../selinux/libsemanage/* .
+git add -A .
+
+git diff --cached --src-prefix=libsemanage-$LIBSEMANAGE_VERSION/ --dst-prefix=libsemanage-$LIBSEMANAGE_VERSION/ > ../../libsemanage-rhat.patch
+
+popd
+
+popd
+# echo rm -rf $REBASEDIR
+
+echo libsemanage-rhat.patch created from https://github.com/fedora-selinux/selinux/commit/$COMMIT

semanage.conf

@@ -50,7 +50,6 @@ usepasswd=False
 bzip-small=true
 bzip-blocksize=5
 ignoredirs=/root
-optimize-policy=true
 
 [sefcontext_compile]
 path = /usr/sbin/sefcontext_compile

sources

@@ -1 +1 @@
-SHA512 (libsemanage-3.1.tar.gz) = 8609ca7d13b5c603677740f2b14558fea3922624af182d20d618237ba11fcf2559fab82fc68d1efa6ff118f064d426f005138521652c761de92cd66150102197
+SHA512 (libsemanage-2.7.tar.gz) = 6b30ea87f1ab3944935188539bbf869c8e287e05c174ea61cd19722a89cf8156518f336476e23b4117a5a05aec9a99a4db679b58a6952bf0c31ad809e9ab91d9

tests/tests.yml

@@ -8,18 +8,18 @@
     repositories:
       - repo: "https://src.fedoraproject.org/tests/selinux.git"
         dest: "selinux"
-        fmf_filter: "tier: 1 | component: libsemanage & tags: generic"
+    tests:
+    - selinux/libsemanage/semanage-handle-functions
+    - selinux/libsemanage/semanage-seuser-functions
+    - selinux/libsemanage/verify-options-in-semanage-conf
     required_packages:
-    - libsemanage             # Required for sanity-tests
-    - libsemanage-devel       # Required for sanity-tests
-    - glibc                   # Required for sanity-tests
-    - gcc                     # Required for sanity-tests
-    - CUnit-devel             # Required for sanity-tests
+    - libsemanage             # Required for semanage-*-functions tests
+    - libsemanage-devel       # Required for semanage-*-functions tests
+    - glibc                   # Required for semanage-*-functions tests
+    - gcc                     # Required for semanage-*-functions tests
     - libselinux              # Required for verify-options-in-semanage-conf
     - libselinux-utils        # Required for verify-options-in-semanage-conf
     - policycoreutils         # Required for verify-options-in-semanage-conf
-    - policycoreutils-python-utils  # Required for verify-options-in-semanage-conf
+    - policycoreutils-python  # Required for verify-options-in-semanage-conf when running on RHEL
     - selinux-policy          # Required for verify-options-in-semanage-conf
     - selinux-policy-devel    # Required for verify-options-in-semanage-conf
-    - lksctp-tools            # sctp_test
-    - psmisc                  # sctp_test