* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.37-1

- Update to upstream
  * Merged replacement for audit2why from Dan Walsh.

.cvsignore

@@ -168,3 +168,5 @@ policycoreutils-2.0.33.tgz
 policycoreutils-2.0.34.tgz
 policycoreutils-2.0.35.tgz
 policycoreutils-2.0.36.tgz
+policycoreutils-2.0.37.tgz
+sepolgen-1.0.11.tgz

policycoreutils-rhat.patch

@@ -1,6 +1,6 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.35/audit2allow/audit2allow
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.36/audit2allow/audit2allow
---- nsapolicycoreutils/audit2allow/audit2allow	2007-07-16 14:20:41.000000000 -0400
+--- nsapolicycoreutils/audit2allow/audit2allow	2008-01-23 16:47:07.000000000 -0500
-+++ policycoreutils-2.0.35/audit2allow/audit2allow	2008-01-15 11:32:58.000000000 -0500
++++ policycoreutils-2.0.36/audit2allow/audit2allow	2008-01-23 15:47:45.000000000 -0500
 @@ -19,7 +19,6 @@
  #
  
@@ -9,627 +9,84 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  
  import sepolgen.audit as audit
  import sepolgen.policygen as policygen
-@@ -60,7 +59,10 @@
+@@ -153,9 +152,9 @@
-         parser.add_option("-o", "--output", dest="output",
-                           help="append output to <filename>, conflicts with -M")
-         parser.add_option("-R", "--reference", action="store_true", dest="refpolicy",
--                          default=False, help="generate refpolicy style output")
-+                          default=True, help="generate refpolicy style output")
-+
-+        parser.add_option("-N", "--noreference", action="store_false", dest="refpolicy",
-+                          default=False, help="do not generate refpolicy style output")
-         parser.add_option("-v", "--verbose", action="store_true", dest="verbose",
-                           default=False, help="explain generated output")
-         parser.add_option("-e", "--explain", action="store_true", dest="explain_long",
-@@ -72,6 +74,9 @@
-         parser.add_option("--debug", dest="debug", action="store_true", default=False,
-                           help="leave generated modules for -M")
- 
-+        parser.add_option("-w", "--why", dest="audit2why",  action="store_true", default=False,
-+                          help="Translates SELinux audit messages into a description of why the access was denied")
-+
-         options, args = parser.parse_args()
- 
-         # Make -d, -a, and -i conflict
-@@ -147,10 +152,12 @@
  
      def __process_input(self):
          if self.__options.type:
 -            filter = audit.TypeFilter(self.__options.type)
 -            self.__avs = self.__parser.to_access(filter)
+-            self.__selinux_errs = self.__parser.to_role(filter)
 +            avcfilter = audit.TypeFilter(self.__options.type)
 +            self.__avs = self.__parser.to_access(avcfilter)
 +            self.__selinux_errs = self.__parser.to_role(avcfilter)
          else:
              self.__avs = self.__parser.to_access()
-+            self.__selinux_errs = self.__parser.to_role()
+             self.__selinux_errs = self.__parser.to_role()
- 
+@@ -221,13 +220,14 @@
-     def __load_interface_info(self):
+     def __output_audit2why(self):
-         # Load interface info file
+             import selinux
-@@ -210,7 +217,74 @@
+             import selinux.audit2why as audit2why
-         sys.stdout.write((_("To make this policy package active, execute:" +\
-                                 "\n\nsemodule -i %s\n\n") % packagename))
- 
-+    def __output_audit2why(self):
-+            import selinux
-+            import selinux.audit2why as audit2why
 +            import seobject
-+            audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
+             audit2why.init("%s.%s" % (selinux.selinux_binary_policy_path(), selinux.security_policyvers()))
-+            for i in self.__parser.avc_msgs:
+             for i in self.__parser.avc_msgs:
-+                rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
+                 rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
-+                if rc >= 0:
+                 if rc >= 0:
-+                    print "%s\n\tWas caused by:" % i.message
+                     print "%s\n\tWas caused by:" % i.message
-+                if rc == audit2why.NOPOLICY:
+                 if rc == audit2why.NOPOLICY:
+-                    raise "Must call policy_init first"
 +                    raise RuntimeError("Must call policy_init first")
-+                if rc == audit2why.BADTCON:
+                 if rc == audit2why.BADTCON:
-+                    print "Invalid Target Context %s\n" % i.tcontext
+                     print "Invalid Target Context %s\n" % i.tcontext
-+                    continue
+                     continue
-+                if rc == audit2why.BADSCON:
+@@ -241,7 +241,7 @@
-+                    print "Invalid Source Context %s\n" % i.scontext
+                     print "Invalid permission %s\n" % i.accesses
-+                    continue
+                     continue
-+                if rc == audit2why.BADSCON:
+                 if rc == audit2why. BADCOMPUTE:
-+                    print "Invalid Type Class %s\n" % i.tclass
+-                    raise "Error during access vector computation"
-+                    continue
-+                if rc == audit2why.BADPERM:
-+                    print "Invalid permission %s\n" % i.accesses
-+                    continue
-+                if rc == audit2why. BADCOMPUTE:
 +                    raise RuntimeError("Error during access vector computation")
-+                if rc == audit2why.ALLOW:
+                 if rc == audit2why.ALLOW:
-+                    print "\t\tUnknown - would be allowed by active policy\n",
+                     print "\t\tUnknown - would be allowed by active policy\n",
-+                    print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
+                     print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
-+                    print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
+@@ -249,18 +249,20 @@
-+                    continue
+                     continue
-+                if rc == audit2why.BOOLEAN:
+                 if rc == audit2why.BOOLEAN:
-+                    if len(bools) > 1:
+                     if len(bools) > 1:
+-                        print "\tOne of the following booleans was set incorrectly."
 +                        print "\tOne of the following booleans being set incorrectly."
-+                        for b in bools:
+                         for b in bools:
+-                            print "\n\tBoolean %s is %d. Allow access by executing:" % (b[0], not b[1])
+-                            print "\t# setsebool -P %s %d"  % (b[0], b[1])
 +                            print "\n\tBoolean %s is %d." % (b[0], not b[1])
 +                            print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(b[0])
 +                            print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (b[0], b[1])
-+                    else:
+                     else:
+-                        print "\tThe boolean %s was set incorrectly.  Allow access by executing:" % bools[0][0]
+-                        print "\t# setsebool -P %s %d\n"  % (bools[0][0], bools[0][1])
+-
 +                        print "\tThe boolean %s set incorrectly. " % (bools[0][0])
 +                        print "\n\tBoolean %s is %d." % (bools[0][0], bools[0][1])
 +                        print "\tDescription:\n\t%s\n"  % seobject.boolean_desc(bools[0][0])
 +                        print "\tAllow access by executing:\n\t# setsebool -P %s %d"  % (bools[0][0], bools[0][1])
-+                    continue
+                     continue
-+
+ 
-+                if rc == audit2why.TERULE:
+                 if rc == audit2why.TERULE:
+-                    print "\t\tMissing or disabled type enforcing (TE) allow rule.\n"
 +                    print "\t\tMissing or disabled type enforcingment (TE) allow rule.\n"
-+                    print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n"
+                     print "\t\tYou can use audit2allow to generate the missing allow rules and/or load policy to allow this access.\n"
-+                    continue
+                     continue
-+
-+                if rc == audit2why.CONSTRAINT:
-+                    print "\t\tConstraint violation.\n"
-+                    print "\t\tCheck policy/constraints.\n"
-+                    print "\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n"
-+                    continue
-+
-+                if rc == audit2why.RBAC:
-+                    print "\t\tMissing role allow rule.\n"
-+                    print "\t\tAdd allow rule for the role pair.\n"
-+                    continue
-+
-+            audit2why.finish()
-+            return
-+
-     def __output(self):
-+        
-+        if self.__options.audit2why:
-+            return self.__output_audit2why()
-+
-         g = policygen.PolicyGenerator()
  
-         if self.__options.module:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.36/Makefile
-@@ -251,6 +325,12 @@
-                 fd = sys.stdout
-             writer.write(g.get_module(), fd)
- 
-+            if len(self.__selinux_errs) > 0:
-+                fd.write("\n=========== ROLES ===============\n")
-+
-+            for role in self.__selinux_errs:
-+                fd.write(role.output())
-+
-     def main(self):
-         try:
-             self.__parse_options()
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.35/audit2allow/audit2allow.1
---- nsapolicycoreutils/audit2allow/audit2allow.1	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.35/audit2allow/audit2allow.1	2008-01-11 11:25:54.000000000 -0500
-@@ -24,7 +24,12 @@
- .\"
- .TH AUDIT2ALLOW "1" "January 2005" "Security Enhanced Linux" NSA
- .SH NAME
--audit2allow \- generate SELinux policy allow rules from logs of denied operations
-+.BR audit2allow
-+	\- generate SELinux policy allow rules from logs of denied operations
-+
-+.BR audit2why  
-+	\- translates SELinux audit messages into a description of why the access was denied (audit2allow -w)
-+
- .SH SYNOPSIS
- .B audit2allow
- .RI [ options "] "
-@@ -65,12 +70,19 @@
- .B "\-r" | "\-\-requires"
- Generate require output syntax for loadable modules.
- .TP
-+.B "\-N" | "\-\-noreference"
-+Do not generate reference policy, traditional style allow rules.
-+.TP
- .B "\-R" | "\-\-reference"
--Generate reference policy using installed macros.  Requires the selinux-policy-devel package.
-+Generate reference policy using installed macros.Default
- .TP
- .B "\-t "  | "\-\-tefile"
- Indicates input file is a te (type enforcement) file.  This can be used to translate old te format to new policy format.
- .TP
-+.B "\-w" | "\-\-why"
-+Translates SELinux audit messages into a description of why the access wasn denied
-+
-+.TP
- .B "\-v" | "\-\-verbose"
- Turn on verbose output
- 
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why policycoreutils-2.0.35/audit2why/audit2why
---- nsapolicycoreutils/audit2why/audit2why	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.35/audit2why/audit2why	2008-01-11 11:26:34.000000000 -0500
-@@ -0,0 +1,2 @@
-+#!/bin/sh
-+/usr/bin/audit2allow -w $*
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.1 policycoreutils-2.0.35/audit2why/audit2why.1
---- nsapolicycoreutils/audit2why/audit2why.1	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.35/audit2why/audit2why.1	2008-01-11 11:30:41.000000000 -0500
-@@ -0,0 +1 @@
-+.so man1/audit2allow.1
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.8 policycoreutils-2.0.35/audit2why/audit2why.8
---- nsapolicycoreutils/audit2why/audit2why.8	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.35/audit2why/audit2why.8	1969-12-31 19:00:00.000000000 -0500
-@@ -1,79 +0,0 @@
--.\" Hey, Emacs! This is an -*- nroff -*- source file.
--.\" Copyright (c) 2005 Dan Walsh <dwalsh@redhat.com>
--.\"
--.\" This is free documentation; you can redistribute it and/or
--.\" modify it under the terms of the GNU General Public License as
--.\" published by the Free Software Foundation; either version 2 of
--.\" the License, or (at your option) any later version.
--.\"
--.\" The GNU General Public License's references to "object code"
--.\" and "executables" are to be interpreted as the output of any
--.\" document formatting or typesetting system, including
--.\" intermediate and printed output.
--.\"
--.\" This manual is distributed in the hope that it will be useful,
--.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
--.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--.\" GNU General Public License for more details.
--.\"
--.\" You should have received a copy of the GNU General Public
--.\" License along with this manual; if not, write to the Free
--.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
--.\" USA.
--.\"
--.\"
--.TH AUDIT2WHY "8" "May 2005" "Security Enhanced Linux" NSA
--.SH NAME
--audit2why \- Translates SELinux audit messages into a description of why the access was denied
--.SH SYNOPSIS
--.B audit2why
--.RI [ options "] "
--.SH OPTIONS
--.TP
--
--.B "\-\-help"
--Print a short usage message
--.TP
--.B "\-p <policyfile>"
--Specify an alternate policy file.
--.SH DESCRIPTION
--.PP
--This utility processes SELinux audit messages from standard
--input and and reports which component of the policy caused each
--permission denial based on the specified policy file if the -p option
--was used or the active policy otherwise.  There are three possible
--causes: 1) a missing or disabled TE allow rule, 2) a constraint violation, 
--or 3) a missing role allow rule.   In the first case, the TE allow
--rule may exist in the policy but may be disabled due to boolean settings.
--See 
--.BR booleans (8).
--If the allow rule is not present at all, it can be generated via
--.BR audit2allow (1).
--In the second case, a constraint is being violated; see policy/constraints
--or policy/mls to identify the particular constraint.  Typically, this can
--be resolved by adding a type attribute to the domain.  In the third case,
--a role transition was attempted but no allow rule existed for the role pair.
--This can be resolved by adding an allow rule for the role pair to the policy.
--.PP
--.SH EXAMPLE
--.nf
--$ /usr/sbin/audit2why < /var/log/audit/audit.log
--
--type=KERNEL msg=audit(1115316408.926:336418): avc:  denied  { getattr } for  path=/home/sds dev=hda5 ino=1175041 scontext=root:secadm_r:secadm_t:s0-s9:c0.c127 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
--        Was caused by:
--                Missing or disabled TE allow rule.
--                Allow rules may exist but be disabled by boolean settings; check boolean settings.
--                You can see the necessary allow rules by running audit2allow with this audit message as input.
--
--type=KERNEL msg=audit(1115320071.648:606858): avc:  denied  { append } for  name=.bash_history dev=hda5 ino=1175047 scontext=user_u:user_r:user_t:s1-s9:c0.c127 tcontext=user_u:object_r:user_home_t:s0 tclass=file
--        Was caused by:
--                Constraint violation.
--                Check policy/constraints.
--                Typically, you just need to add a type attribute to the domain to satisfy the constraint.
--.fi
--.PP
--.SH AUTHOR
--This manual page was written by 
--.I Dan Walsh <dwalsh@redhat.com>,
--.B audit2why
--utility was written by Stephen Smalley <sds@tycho.nsa.gov>.
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/audit2why.c policycoreutils-2.0.35/audit2why/audit2why.c
---- nsapolicycoreutils/audit2why/audit2why.c	2008-01-11 10:52:37.000000000 -0500
-+++ policycoreutils-2.0.35/audit2why/audit2why.c	1969-12-31 19:00:00.000000000 -0500
-@@ -1,313 +0,0 @@
--#define _GNU_SOURCE
--#include <unistd.h>
--#include <stdio.h>
--#include <stdlib.h>
--#include <ctype.h>
--#include <errno.h>
--#include <getopt.h>
--#include <limits.h>
--#include <sepol/sepol.h>
--#include <sepol/policydb/services.h>
--#include <selinux/selinux.h>
--
--#define AVCPREFIX "avc:  denied  { "
--#define SCONTEXT "scontext="
--#define TCONTEXT "tcontext="
--#define TCLASS "tclass="
--
--void usage(char *progname, int rc)
--{
--	fprintf(stderr, "usage:  %s [-p policy] < /var/log/audit/audit.log\n",
--		progname);
--	exit(rc);
--}
--
--int main(int argc, char **argv)
--{
--	char path[PATH_MAX];
--	char *buffer = NULL, *bufcopy = NULL;
--	unsigned int lineno = 0;
--	size_t len = 0, bufcopy_len = 0;
--	FILE *fp = NULL;
--	int opt, rc, set_path = 0;
--	char *p, *scon, *tcon, *tclassstr, *permstr;
--	sepol_security_id_t ssid, tsid;
--	sepol_security_class_t tclass;
--	sepol_access_vector_t perm, av;
--	struct sepol_av_decision avd;
--	unsigned int reason;
--	int vers = 0;
--	sidtab_t sidtab;
--	policydb_t policydb;
--	struct policy_file pf;
--
--	while ((opt = getopt(argc, argv, "p:?h")) > 0) {
--		switch (opt) {
--		case 'p':
--			set_path = 1;
--			strncpy(path, optarg, PATH_MAX);
--			fp = fopen(path, "r");
--			if (!fp) {
--				fprintf(stderr, "%s:  unable to open %s:  %s\n",
--					argv[0], path, strerror(errno));
--				exit(1);
--			}
--			break;
--		default:
--			usage(argv[0], 0);
--		}
--	}
--
--	if (argc - optind)
--		usage(argv[0], 1);
--
--	if (!set_path) {
--		if (!is_selinux_enabled()) {
--			fprintf(stderr,
--				"%s:  Must specify -p policy on non-SELinux systems\n",
--				argv[0]);
--			exit(1);
--		}
--		vers = security_policyvers();
--		if (vers < 0) {
--			fprintf(stderr,
--				"%s:  Could not get policy version:  %s\n",
--				argv[0], strerror(errno));
--			exit(1);
--		}
--		snprintf(path, PATH_MAX, "%s.%d",
--			 selinux_binary_policy_path(), vers);
--		fp = fopen(path, "r");
--		while (!fp && errno == ENOENT && --vers) {
--			snprintf(path, PATH_MAX, "%s.%d",
--				 selinux_binary_policy_path(), vers);
--			fp = fopen(path, "r");
--		}
--		if (!fp) {
--			snprintf(path, PATH_MAX, "%s.%d",
--				 selinux_binary_policy_path(),
--				 security_policyvers());
--			fprintf(stderr, "%s:  unable to open %s:  %s\n",
--				argv[0], path, strerror(errno));
--			exit(1);
--		}
--	}
--
--	/* Set up a policydb directly so that we can mutate it later
--	   for booleans and user settings.  Otherwise we would just use
--	   sepol_set_policydb_from_file() here. */
--	pf.fp = fp;
--	pf.type = PF_USE_STDIO;
--	if (policydb_init(&policydb)) {
--		fprintf(stderr, "%s:  policydb_init failed: %s\n",
--			argv[0], strerror(errno));
--		exit(1);
--	}
--	if (policydb_read(&policydb, &pf, 0)) {
--		fprintf(stderr, "%s:  invalid binary policy %s\n",
--			argv[0], path);
--		exit(1);
--	}
--	fclose(fp);
--	sepol_set_policydb(&policydb);
--
--	if (!set_path) {
--		/* If they didn't specify a full path of a binary policy file,
--		   then also try loading any boolean settings and user
--		   definitions from the active locations.  Otherwise,
--		   they can use genpolbools and genpolusers to build a
--		   binary policy file that includes any desired settings
--		   and then apply audit2why -p to the resulting file. 
--		   Errors are non-fatal as such settings are optional. */
--		sepol_debug(0);
--		(void)sepol_genbools_policydb(&policydb,
--					      selinux_booleans_path());
--		(void)sepol_genusers_policydb(&policydb, selinux_users_path());
--	}
--
--	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
--	   and sepol_compute_av_reason. */
--	rc = sepol_sidtab_init(&sidtab);
--	if (rc < 0) {
--		fprintf(stderr, "%s:  unable to init sidtab\n", argv[0]);
--		exit(1);
--	}
--	sepol_set_sidtab(&sidtab);
--
--	/* Process the audit messages. */
--	while (getline(&buffer, &len, stdin) > 0) {
--		size_t len2 = strlen(buffer);
--
--		if (buffer[len2 - 1] == '\n')
--			buffer[len2 - 1] = 0;
--		lineno++;
--
--		p = buffer;
--		while (*p && strncmp(p, AVCPREFIX, sizeof(AVCPREFIX) - 1))
--			p++;
--		if (!(*p))
--			continue;	/* not an avc denial */
--
--		p += sizeof(AVCPREFIX) - 1;
--
--		/* Save a copy of the original unmodified buffer. */
--		if (!bufcopy) {
--			/* Initial allocation */
--			bufcopy_len = len;
--			bufcopy = malloc(len);
--		} else if (bufcopy_len < len) {
--			/* Grow */
--			bufcopy_len = len;
--			bufcopy = realloc(bufcopy, len);
--		}
--		if (!bufcopy) {
--			fprintf(stderr, "%s:  OOM on buffer copy\n", argv[0]);
--			exit(2);
--		}
--		memcpy(bufcopy, buffer, len);
--
--		/* Remember where the permission list begins,
--		   and terminate the list. */
--		permstr = p;
--		while (*p && *p != '}')
--			p++;
--		if (!(*p)) {
--			fprintf(stderr,
--				"Missing closing bracket on line %u, skipping...\n",
--				lineno);
--			continue;
--		}
--		*p++ = 0;
--
--		/* Get scontext and convert to SID. */
--		while (*p && strncmp(p, SCONTEXT, sizeof(SCONTEXT) - 1))
--			p++;
--		if (!(*p)) {
--			fprintf(stderr, "Missing %s on line %u, skipping...\n",
--				SCONTEXT, lineno);
--			continue;
--		}
--		p += sizeof(SCONTEXT) - 1;
--		scon = p;
--		while (*p && !isspace(*p))
--			p++;
--		if (*p)
--			*p++ = 0;
--		rc = sepol_context_to_sid(scon, strlen(scon) + 1, &ssid);
--		if (rc < 0) {
--			fprintf(stderr,
--				"Invalid %s%s on line %u, skipping...\n",
--				SCONTEXT, scon, lineno);
--			continue;
--		}
--
--		/* Get tcontext and convert to SID. */
--		while (*p && strncmp(p, TCONTEXT, sizeof(TCONTEXT) - 1))
--			p++;
--		if (!(*p)) {
--			fprintf(stderr, "Missing %s on line %u, skipping...\n",
--				TCONTEXT, lineno);
--			continue;
--		}
--		p += sizeof(TCONTEXT) - 1;
--		tcon = p;
--		while (*p && !isspace(*p))
--			p++;
--		if (*p)
--			*p++ = 0;
--		rc = sepol_context_to_sid(tcon, strlen(tcon) + 1, &tsid);
--		if (rc < 0) {
--			fprintf(stderr,
--				"Invalid %s%s on line %u, skipping...\n",
--				TCONTEXT, tcon, lineno);
--			continue;
--		}
--
--		/* Get tclass= and convert to value. */
--		while (*p && strncmp(p, TCLASS, sizeof(TCLASS) - 1))
--			p++;
--		if (!(*p)) {
--			fprintf(stderr, "Missing %s on line %u, skipping...\n",
--				TCLASS, lineno);
--			continue;
--		}
--		p += sizeof(TCLASS) - 1;
--		tclassstr = p;
--		while (*p && !isspace(*p))
--			p++;
--		if (*p)
--			*p = 0;
--		tclass = string_to_security_class(tclassstr);
--		if (!tclass) {
--			fprintf(stderr,
--				"Invalid %s%s on line %u, skipping...\n",
--				TCLASS, tclassstr, lineno);
--			continue;
--		}
--
--		/* Convert the permission list to an AV. */
--		p = permstr;
--		av = 0;
--		while (*p) {
--			while (*p && !isspace(*p))
--				p++;
--			if (*p)
--				*p++ = 0;
--			perm = string_to_av_perm(tclass, permstr);
--			if (!perm) {
--				fprintf(stderr,
--					"Invalid permission %s on line %u, skipping...\n",
--					permstr, lineno);
--				continue;
--			}
--			av |= perm;
--			permstr = p;
--		}
--
--		/* Reproduce the computation. */
--		rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd,
--					     &reason);
--		if (rc < 0) {
--			fprintf(stderr,
--				"Error during access vector computation on line %u, skipping...\n",
--				lineno);
--			continue;
--		}
--
--		printf("%s\n\tWas caused by:\n", bufcopy);
--
--		if (!reason) {
--			printf("\t\tUnknown - would be allowed by %s policy\n",
--			       set_path ? "specified" : "active");
--			printf
--			    ("\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n");
--			printf
--			    ("\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n");
--		}
--
--		if (reason & SEPOL_COMPUTEAV_TE) {
--			printf("\t\tMissing or disabled TE allow rule.\n");
--			printf
--			    ("\t\tAllow rules may exist but be disabled by boolean settings; check boolean settings.\n");
--			printf
--			    ("\t\tYou can see the necessary allow rules by running audit2allow with this audit message as input.\n");
--		}
--
--		if (reason & SEPOL_COMPUTEAV_CONS) {
--			printf("\t\tConstraint violation.\n");
--			printf("\t\tCheck policy/constraints.\n");
--			printf
--			    ("\t\tTypically, you just need to add a type attribute to the domain to satisfy the constraint.\n");
--		}
--
--		if (reason & SEPOL_COMPUTEAV_RBAC) {
--			printf("\t\tMissing role allow rule.\n");
--			printf("\t\tAdd allow rule for the role pair.\n");
--		}
--
--		printf("\n");
--	}
--	free(buffer);
--	free(bufcopy);
--	exit(0);
--}
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2why/Makefile policycoreutils-2.0.35/audit2why/Makefile
---- nsapolicycoreutils/audit2why/Makefile	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.35/audit2why/Makefile	2008-01-11 11:39:04.000000000 -0500
-@@ -1,15 +1,7 @@
- # Installation directories.
- PREFIX ?= ${DESTDIR}/usr
- BINDIR ?= $(PREFIX)/bin
--LIBDIR ?= ${PREFIX}/lib
- MANDIR ?= $(PREFIX)/share/man
--LOCALEDIR ?= /usr/share/locale
--INCLUDEDIR ?= ${PREFIX}/include
--
--
--CFLAGS ?= -Werror -Wall -W
--override CFLAGS += -I$(INCLUDEDIR)
--LDLIBS = ${LIBDIR}/libsepol.a -lselinux -L$(LIBDIR)
- 
- TARGETS=audit2why
- 
-@@ -18,13 +10,5 @@
- install: all
- 	-mkdir -p $(BINDIR)
- 	install -m 755 $(TARGETS) $(BINDIR)
--	-mkdir -p $(MANDIR)/man8
--	install -m 644 audit2why.8 $(MANDIR)/man8/
--
--clean:
--	-rm -f $(TARGETS) *.o
--
--indent:
--	../../scripts/Lindent $(wildcard *.[ch])
--
--relabel:
-+	-mkdir -p $(MANDIR)/man1
-+	install -m 644 audit2why.1 $(MANDIR)/man1/
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.35/Makefile
 --- nsapolicycoreutils/Makefile	2007-12-19 06:02:52.000000000 -0500
-+++ policycoreutils-2.0.35/Makefile	2008-01-11 11:17:46.000000000 -0500
++++ policycoreutils-2.0.36/Makefile	2008-01-23 15:47:45.000000000 -0500
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
  
  INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
  
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.35/restorecond/restorecond.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.36/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c	2007-07-16 14:20:41.000000000 -0400
-+++ policycoreutils-2.0.35/restorecond/restorecond.c	2008-01-11 11:17:46.000000000 -0500
++++ policycoreutils-2.0.36/restorecond/restorecond.c	2008-01-23 15:47:45.000000000 -0500
 @@ -210,9 +210,10 @@
  			}
  
@@ -656,9 +113,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  	}
  	free(scontext);
  	close(fd);
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.35/scripts/fixfiles
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.36/scripts/fixfiles
 --- nsapolicycoreutils/scripts/fixfiles	2008-01-23 14:36:28.000000000 -0500
-+++ policycoreutils-2.0.35/scripts/fixfiles	2008-01-23 13:32:53.000000000 -0500
++++ policycoreutils-2.0.36/scripts/fixfiles	2008-01-23 15:47:45.000000000 -0500
 @@ -36,8 +36,8 @@
  LOGGER=/usr/sbin/logger
  SETFILES=/sbin/setfiles
@@ -697,9 +154,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
      else
  	${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
      fi
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.35/semanage/semanage
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.36/scripts/fixfiles.8
+--- nsapolicycoreutils/scripts/fixfiles.8	2007-07-16 14:20:41.000000000 -0400
++++ policycoreutils-2.0.36/scripts/fixfiles.8	2008-01-23 15:48:52.000000000 -0500
+@@ -35,7 +35,7 @@
+ 
+ .TP 
+ .B -f
+-Don't prompt for removal of /tmp directory.
++Clear /tmp directory with out prompt for removal.
+ 
+ .TP 
+ .B -R rpmpackagename[,rpmpackagename...]
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.36/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2008-01-23 14:36:28.000000000 -0500
-+++ policycoreutils-2.0.35/semanage/semanage	2008-01-11 11:17:46.000000000 -0500
++++ policycoreutils-2.0.36/semanage/semanage	2008-01-23 15:47:45.000000000 -0500
 @@ -111,7 +111,7 @@
  		valid_option["translation"] = []
  		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
@@ -748,9 +217,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  		if object == "login":
  			OBJECT = seobject.loginRecords(store)
  
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.35/semanage/seobject.py
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.36/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2007-12-10 21:42:27.000000000 -0500
-+++ policycoreutils-2.0.35/semanage/seobject.py	2008-01-15 11:31:49.000000000 -0500
++++ policycoreutils-2.0.36/semanage/seobject.py	2008-01-23 15:47:45.000000000 -0500
 @@ -117,6 +117,12 @@
         #print _("Failed to translate booleans.\n%s") % e
         pass
@@ -776,9 +245,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  
          def get_category(self, boolean):
                 if boolean in booleans_dict:
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.35/setfiles/setfiles.8
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.36/setfiles/setfiles.8
 --- nsapolicycoreutils/setfiles/setfiles.8	2007-07-16 14:20:43.000000000 -0400
-+++ policycoreutils-2.0.35/setfiles/setfiles.8	2008-01-21 14:08:06.000000000 -0500
++++ policycoreutils-2.0.36/setfiles/setfiles.8	2008-01-23 15:47:45.000000000 -0500
 @@ -59,6 +59,9 @@
  .TP 
  .B \-W
@@ -789,9 +258,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po
  
  .SH "ARGUMENTS"
  .B spec_file
-diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.35/setfiles/setfiles.c
+diff --exclude-from=exclude --exclude=sepolgen-1.0.10 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.36/setfiles/setfiles.c
 --- nsapolicycoreutils/setfiles/setfiles.c	2008-01-11 10:52:37.000000000 -0500
-+++ policycoreutils-2.0.35/setfiles/setfiles.c	2008-01-21 14:04:32.000000000 -0500
++++ policycoreutils-2.0.36/setfiles/setfiles.c	2008-01-23 15:47:45.000000000 -0500
 @@ -55,6 +55,7 @@
  static int verbose = 0;
  static int logging = 0;

policycoreutils.spec

@@ -2,10 +2,10 @@
 %define	libsepolver	2.0.10-1
 %define	libsemanagever	2.0.5-1
 %define	libselinuxver	2.0.46-5
-%define	sepolgenver	1.0.10
+%define	sepolgenver	1.0.11
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.0.36
+Version: 2.0.37
 Release: 1%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
@@ -193,6 +193,13 @@ if [ "$1" -ge "1" ]; then
 fi
 
 %changelog
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.37-1
+- Update to upstream
+  * Merged replacement for audit2why from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.36-2
+- Cleanup fixfiles -f message in man page
+
 * Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> 2.0.36-1
 - Update to upstream
 	* Merged update to chcat, fixfiles, and semanage scripts from Dan Walsh.

sources

@@ -1,2 +1,2 @@
-eddb3e34fb982d752aa8cbed7b98f3d2  sepolgen-1.0.10.tgz
+f450ab5a14db31051869cc22a4e532a3  policycoreutils-2.0.37.tgz
-58d63c40aab742f45be11e30e32c31c4  policycoreutils-2.0.36.tgz
+3fed5cd04ee67c0f86e3cc6825261819  sepolgen-1.0.11.tgz