* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2

- Fix auditing to semanage - Change genhomedircon to use new prefix interface in libselinux
2006-02-10 17:04:04 +00:00 · 2006-02-10 17:04:04 +00:00 · 4c107ae3b8
parent 49470329fc
commit 4c107ae3b8
2 changed files with 211 additions and 77 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,7 +1,27 @@
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
 --- nsapolicycoreutils/scripts/genhomedircon	2006-01-30 18:32:39.000000000 -0500
-+++ policycoreutils-1.29.20/scripts/genhomedircon	2006-02-07 10:36:38.000000000 -0500
-@@ -170,7 +170,7 @@
+++ policycoreutils-1.29.20/scripts/genhomedircon	2006-02-09 10:27:15.000000000 -0500
+@@ -4,7 +4,7 @@
+ #
+ # genhomedircon - this script is used to generate file context
+ # configuration entries for user home directories based on their
+-# default roles and is run when building the policy. Specifically, we
+# default prefixes and is run when building the policy. Specifically, we
+ # replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+ # generic and user-specific values.
+ #
+@@ -15,9 +15,7 @@
+ # The file CONTEXTDIR/files/homedir_template exists.  This file is used to
+ # set up the home directory context for each real user.
+ # 
+-# If a user has more than one role, genhomedircon uses the first role in the list.
+-#
+-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
+ #
+ # "Real" users (as opposed to system users) are those whose UID is greater than
+ #  or equal STARTING_UID (usually 500) and whose login is not a member of
+@@ -170,37 +168,34 @@
 	def heading(self):
 		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
 		if self.semanaged:
@ -10,18 +30,130 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
 		else:
 			ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
 		return ret
-@@ -196,7 +196,7 @@
- 		return role
+ 
+-	def defaultrole(self, name):
+	def get_default_prefix(self, name):
+ 		for idx in range(self.usize):
+ 			user = semanage_user_by_idx(self.ulist, idx)
+ 			if semanage_user_get_name(user) == name:
+-				if name == "staff_u" or name == "root" and self.type != "targeted":
+-					return "staff_r"
+-				else:
+-					return "user_r"
+				return semanage_user_get_prefix(user)
+ 		return name
+-	def getOldRole(self, role):
+-		rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role)
+	def get_old_prefix(self, user):
+		rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
+ 		if rc == "":					    
+-			rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role)
+			rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
+ 		if rc != "":
+ 			user=rc.split()
+-			role = user[3]
+-			if role == "{":
+-				role = user[4]
+-		return role
+			prefix = user[3]
+			if prefix == "{":
+				prefix = user[4]
+		if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
+			prefix = prefix[:-2]
+		return prefix
 		
- 	def adduser(self, udict, user, seuser, role):
+-	def adduser(self, udict, user, seuser, role):
 -		if seuser == "user_u" or user == "__default__":
+	def adduser(self, udict, user, seuser, prefix):
 +		if seuser == "user_u" or user == "__default__" or user == "system_u":
 			return
- 		# !!! chooses first role in the list to use in the file context !!!
- 		if role[-2:] == "_r" or role[-2:] == "_u":
+-		# !!! chooses first role in the list to use in the file context !!!
+-		if role[-2:] == "_r" or role[-2:] == "_u":
+-			role = role[:-2]
+		# !!! chooses first prefix in the list to use in the file context !!!
+ 		try:
+ 			home = pwd.getpwnam(user)[5]
+ 			if home == "/":
+@@ -217,7 +212,7 @@
+ 				return
+ 		prefs = {}
+ 		prefs["seuser"] = seuser
+-		prefs["role"] = role
+		prefs["prefix"] = prefix
+ 		prefs["home"] = home
+ 		udict[user] = prefs
+ 		
+@@ -229,7 +224,7 @@
+ 				user=[]
+ 				seuser = semanage_seuser_by_idx(list, idx)
+ 				seusername=semanage_seuser_get_sename(seuser)
+-				self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
+				self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
+ 				
+ 		else:
+ 			try:
+@@ -242,8 +237,8 @@
+ 					if len(user) < 2:
+ 						continue
+ 					
+-					role=self.getOldRole(user[1])
+-					self.adduser(udict, user[0], user[1], role)
+					prefix=self.get_old_prefix(user[1])
+					self.adduser(udict, user[0], user[1], prefix)
+ 				fd.close()
+ 			except IOError, error:
+ 				# Must be install so force add of root
+@@ -251,40 +246,37 @@
+ 
+ 		return udict
+ 
+-	def getHomeDirContext(self, user, seuser, home, role):
+	def getHomeDirContext(self, user, seuser, home, prefix):
+ 		ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
+ 		fd=open(self.getHomeDirTemplate(), 'r')
+ 		for i in  fd.read().split('\n'):
+ 			if i.startswith("HOME_DIR") == 1:
+ 				i=i.replace("HOME_DIR", home)
+-				i=i.replace("ROLE", role)
+				i=i.replace("ROLE", prefix)
+ 				i=i.replace("system_u", seuser)
+ 				ret = ret+i+"\n"
+ 		fd.close()
+ 		return ret
+ 
+-	def getUserContext(self, user, sel_user, role):
+	def getUserContext(self, user, sel_user, prefix):
+ 		ret=""
+ 		fd=open(self.getHomeDirTemplate(), 'r')
+ 		for i in  fd.read().split('\n'):
+ 			if i.find("USER") == 1:
+ 				i=i.replace("USER", user)
+-				i=i.replace("ROLE", role)
+				i=i.replace("ROLE", prefix)
+ 				i=i.replace("system_u", sel_user)
+ 				ret=ret+i+"\n"
+ 		fd.close()
+ 		return ret
+ 
+ 	def genHomeDirContext(self):
+-		if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "":
+-			warning("genhomedircon:  Warning!  No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
+-			warning("genhomedircon:  You must manually update file_contexts.homedirs for any non-user_r users (including root).");
+ 		users = self.getUsers()
+ 		ret=""
+-		# Fill in HOME and ROLE for users that are defined
+		# Fill in HOME and prefix for users that are defined
+ 		for u in users.keys():
+-			ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
+-			ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
+			ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
+			ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
+ 		return ret+"\n"
+ 
+ 	def checkExists(self, home):
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2006-02-02 12:08:04.000000000 -0500
-+++ policycoreutils-1.29.20/semanage/seobject.py	2006-02-07 10:35:46.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py	2006-02-10 11:48:59.000000000 -0500
@@ -21,8 +21,11 @@
 #
 #  
@ -35,7 +167,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 
 def validate_level(raw):
 	sensitivity="s([0-9]|1[0-5])"
-@@ -170,119 +173,143 @@
+@@ -170,119 +173,145 @@
 		if sename == "":
 			sename = "user_u"
 			
@ -117,18 +249,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not add login mapping for %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
 +			raise error
 +		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
-+					     name, 0, "", "", "", 1);
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
 	def modify(self, name, sename = "", serange = ""):
 -		if sename == "" and serange == "":
 -			raise ValueError("Requires seuser or serange")
+		oldsename=""
+		oldserange=""
 +		try:
 +			if sename == "" and serange == "":
 +				raise ValueError("Requires seuser or serange")
@ -162,10 +294,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 -			semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
 -		if sename != "":
 -			semanage_seuser_set_sename(self.sh, u, sename)
+			oldserange=semanage_seuser_get_mlsrange(u)
+			oldsename=semanage_seuser_get_sename(u)
 +			if serange != "":
 +				semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+			else:
+				serange=oldserange
 +			if sename != "":
 +				semanage_seuser_set_sename(self.sh, u, sename)
+			else:
+				sename=oldsename
 
 -		rc = semanage_begin_transaction(self.sh)
 -		if rc < 0:
@ -184,18 +322,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +			rc = semanage_seuser_modify_local(self.sh, k, u)
 +			if rc < 0:
 +				raise ValueError("Could not modify login mapping for %s" % name)
- 
+
 +			rc = semanage_commit(self.sh)
 +			if rc < 0:
 +				raise ValueError("Could not modify login mapping for %s" % name)
-+
+ 
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
 +			raise error
-+
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
-+					     name, 0, "", "", "", 1);
+		
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
 		semanage_seuser_key_free(k)
 		semanage_seuser_free(u)
 
@ -254,109 +390,107 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not delete login mapping for %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
 +			raise error
-+
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
-+					     name, 0, "", "", "", 1);
+		
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
 		semanage_seuser_key_free(k)
 
 		
-@@ -322,127 +349,150 @@
+@@ -322,127 +351,145 @@
 		else:
 			selevel = untranslate(selevel)
 
 -		(rc,k) = semanage_user_key_create(self.sh, name)
 -		if rc < 0:
 -			raise ValueError("Could not create a key for %s" % name)
-+		try:
-+			(rc,k) = semanage_user_key_create(self.sh, name)
-+			if rc < 0:
-+				raise ValueError("Could not create a key for %s" % name)
- 
+-
 -		(rc,exists) = semanage_user_exists(self.sh, k)
 -		if rc < 0:
 -			raise ValueError("Could not check if SELinux user %s is defined" % name)
 -		if exists:
 -			raise ValueError("SELinux user %s is already defined" % name)
+		seroles=" ".join(roles)
+		try:
+			(rc,k) = semanage_user_key_create(self.sh, name)
+			if rc < 0:
+				raise ValueError("Could not create a key for %s" % name)
+ 
+-		(rc,u) = semanage_user_create(self.sh)
+-		if rc < 0:
+-			raise ValueError("Could not create SELinux user for %s" % name)
 +			(rc,exists) = semanage_user_exists(self.sh, k)
 +			if rc < 0:
 +				raise ValueError("Could not check if SELinux user %s is defined" % name)
 +			if exists:
 +				raise ValueError("SELinux user %s is already defined" % name)
 
-		(rc,u) = semanage_user_create(self.sh)
+-		rc = semanage_user_set_name(self.sh, u, name)
 -		if rc < 0:
-			raise ValueError("Could not create SELinux user for %s" % name)
+-			raise ValueError("Could not set name for %s" % name)
 +			(rc,u) = semanage_user_create(self.sh)
 +			if rc < 0:
 +				raise ValueError("Could not create SELinux user for %s" % name)
 
-		rc = semanage_user_set_name(self.sh, u, name)
-		if rc < 0:
-			raise ValueError("Could not set name for %s" % name)
-+			rc = semanage_user_set_name(self.sh, u, name)
-+			if rc < 0:
-+				raise ValueError("Could not set name for %s" % name)
- 
 -		for r in roles:
 -			rc = semanage_user_add_role(self.sh, u, r)
-+			for r in roles:
-+				rc = semanage_user_add_role(self.sh, u, r)
-+				if rc < 0:
-+					raise ValueError("Could not add role %s for %s" % (r, name))
-+
-+			rc = semanage_user_set_mlsrange(self.sh, u, serange)
+			rc = semanage_user_set_name(self.sh, u, name)
 			if rc < 0:
 -				raise ValueError("Could not add role %s for %s" % (r, name))
-+				raise ValueError("Could not set MLS range for %s" % name)
+				raise ValueError("Could not set name for %s" % name)
 
 -		rc = semanage_user_set_mlsrange(self.sh, u, serange)
 -		if rc < 0:
 -			raise ValueError("Could not set MLS range for %s" % name)
-+			rc = semanage_user_set_mlslevel(self.sh, u, selevel)
-+			if rc < 0:
-+				raise ValueError("Could not set MLS level for %s" % name)
+			for r in roles:
+				rc = semanage_user_add_role(self.sh, u, r)
+				if rc < 0:
+					raise ValueError("Could not add role %s for %s" % (r, name))
 
 -		rc = semanage_user_set_mlslevel(self.sh, u, selevel)
 -		if rc < 0:
 -			raise ValueError("Could not set MLS level for %s" % name)
-+			(rc,key) = semanage_user_key_extract(self.sh,u)
+			rc = semanage_user_set_mlsrange(self.sh, u, serange)
 +			if rc < 0:
-+				raise ValueError("Could not extract key for %s" % name)
+				raise ValueError("Could not set MLS range for %s" % name)
 
 -		(rc,key) = semanage_user_key_extract(self.sh,u)
 -		if rc < 0:
 -			raise ValueError("Could not extract key for %s" % name)
-+			rc = semanage_begin_transaction(self.sh)
+			rc = semanage_user_set_mlslevel(self.sh, u, selevel)
 +			if rc < 0:
-+				raise ValueError("Could not start semanage transaction")
+				raise ValueError("Could not set MLS level for %s" % name)
 
 -		rc = semanage_begin_transaction(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not start semanage transaction")
-+			rc = semanage_user_modify_local(self.sh, k, u)
+			(rc,key) = semanage_user_key_extract(self.sh,u)
 +			if rc < 0:
-+				raise ValueError("Could not add SELinux user %s" % name)
+				raise ValueError("Could not extract key for %s" % name)
 
 -		rc = semanage_user_modify_local(self.sh, k, u)
 -		if rc < 0:
 -			raise ValueError("Could not add SELinux user %s" % name)
-+			rc = semanage_commit(self.sh)
+			rc = semanage_begin_transaction(self.sh)
 +			if rc < 0:
-+				raise ValueError("Could not add SELinux user %s" % name)
+				raise ValueError("Could not start semanage transaction")
 
 -		rc = semanage_commit(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not add SELinux user %s" % name)
-+		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
-+			raise error
+			rc = semanage_user_modify_local(self.sh, k, u)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
+
+			rc = semanage_commit(self.sh)
+			if rc < 0:
+				raise ValueError("Could not add SELinux user %s" % name)
 
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
-+					     name, 0, "", "", "", 1);
+		except ValueError, error:
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
+			raise error
+		
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
@ -423,7 +557,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 -		rc = semanage_commit(self.sh)
 -		if rc < 0:
 -			raise ValueError("Could not modify SELinux user %s" % name)
-		
 +			rc = semanage_user_modify_local(self.sh, k, u)
 +			if rc < 0:
 +				raise ValueError("Could not modify SELinux user %s" % name)
@ -433,12 +566,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +				raise ValueError("Could not modify SELinux user %s" % name)
 +
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
 +			raise error
-+
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
-+					     name, 0, "", "", "", 1);
+ 		
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
 		semanage_user_key_free(k)
 		semanage_user_free(u)
 
@ -495,12 +626,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
 +			if rc < 0:
 +				raise ValueError("Could not delete SELinux user %s" % name)
 +		except ValueError, error:
-+			audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
-+						     name, 0, "", "", "", 0);
+			audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
 +			raise error
 		
-+		audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
-+					     name, 0, "", "", "", 1);
+		audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
 		semanage_user_key_free(k)		
 
 	def get_all(self):
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -1,10 +1,11 @@
+%define libauditver 1.1.4-3
 %define libsepolver 1.11.13-1
-%define libsemanagever 1.5.21-1
+%define libsemanagever 1.5.21-2
 %define libselinuxver 1.29.7-1
 Summary: SELinux policy core utilities.
 Name: policycoreutils
 Version: 1.29.20
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -12,7 +13,7 @@ Patch: policycoreutils-rhat.patch

 BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver} 
 PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
-Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python
+Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python >=  %{libauditver} 
 BuildRoot: %{_tmppath}/%{name}-buildroot

 %description
@ -97,6 +98,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_libdir}/python2.4/site-packages/seobject.py*

 %changelog
+* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2
+- Fix auditing to semanage
+- Change genhomedircon to use new prefix interface in libselinux
+
 * Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-1
 - Update from upstream
 	* Merged seuser/user_extra support patch to semodule_package