* Mon Jun 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-7

- Fix sepolgen-ifgen processing

.cvsignore

@@ -178,3 +178,4 @@ policycoreutils-2.0.43.tgz
 policycoreutils-2.0.44.tgz
 policycoreutils-2.0.46.tgz
 policycoreutils-2.0.47.tgz
+policycoreutils-2.0.49.tgz

policycoreutils-rhat.patch

@@ -1,5 +1,5 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.49/Makefile
---- nsapolicycoreutils/Makefile	2008-05-22 14:01:49.292734000 -0400
+--- nsapolicycoreutils/Makefile	2008-05-22 14:01:49.000000000 -0400
 +++ policycoreutils-2.0.49/Makefile	2008-05-16 11:27:02.000000000 -0400
 @@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
@@ -8,7 +8,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
  INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
  
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.49/restorecond/restorecond.c
---- nsapolicycoreutils/restorecond/restorecond.c	2008-05-22 14:01:42.385538000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.c	2008-05-22 14:01:42.000000000 -0400
 +++ policycoreutils-2.0.49/restorecond/restorecond.c	2008-05-16 11:27:02.000000000 -0400
 @@ -210,9 +210,10 @@
  			}
@@ -37,7 +37,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
  	free(scontext);
  	close(fd);
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.49/restorecond/restorecond.init
---- nsapolicycoreutils/restorecond/restorecond.init	2008-05-22 14:01:42.394526000 -0400
+--- nsapolicycoreutils/restorecond/restorecond.init	2008-05-22 14:01:42.000000000 -0400
 +++ policycoreutils-2.0.49/restorecond/restorecond.init	2008-05-16 11:27:02.000000000 -0400
 @@ -2,7 +2,7 @@
  #
@@ -49,8 +49,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
  # listed in the /etc/selinux/restorecond.conf file, and restores the \
  # correct security context.
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.49/scripts/fixfiles
---- nsapolicycoreutils/scripts/fixfiles	2008-05-22 14:01:41.983778000 -0400
-+++ policycoreutils-2.0.49/scripts/fixfiles	2008-05-22 13:56:53.737824000 -0400
+--- nsapolicycoreutils/scripts/fixfiles	2008-05-22 14:01:41.000000000 -0400
++++ policycoreutils-2.0.49/scripts/fixfiles	2008-05-22 13:56:53.000000000 -0400
 @@ -138,6 +138,9 @@
  fi
  LogReadOnly
@@ -81,7 +81,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
  
  if [ $# = 0 ]; then
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles.8 policycoreutils-2.0.49/scripts/fixfiles.8
---- nsapolicycoreutils/scripts/fixfiles.8	2008-05-22 14:01:41.942823000 -0400
+--- nsapolicycoreutils/scripts/fixfiles.8	2008-05-22 14:01:41.000000000 -0400
 +++ policycoreutils-2.0.49/scripts/fixfiles.8	2008-05-16 11:27:02.000000000 -0400
 @@ -7,6 +7,8 @@
  
@@ -102,10 +102,249 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po
  
  .SH "OPTIONS"
  .TP 
+diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.49/semanage/semanage
+--- nsapolicycoreutils/semanage/semanage	2008-05-22 14:01:41.000000000 -0400
++++ policycoreutils-2.0.49/semanage/semanage	2008-06-12 14:34:26.499263000 -0400
+@@ -43,49 +43,52 @@
+ if __name__ == '__main__':
+ 
+ 	def usage(message = ""):
+-		print _('\
+-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
+-semanage login -{a|d|m} [-sr] login_name\n\
+-semanage user -{a|d|m} [-LrRP] selinux_name\n\
+-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
+-semanage interface -{a|d|m} [-tr] interface_spec\n\
+-semanage fcontext -{a|d|m} [-frst] file_spec\n\
+-semanage translation -{a|d|m} [-T] level\n\n\
+-semanage boolean -{d|m} boolean\n\n\
+-\
+-Primary Options:\n\
+-\
+-	-a, --add        Add a OBJECT record NAME\n\
+-	-d, --delete     Delete a OBJECT record NAME\n\
+-	-m, --modify     Modify a OBJECT record NAME\n\
+-	-l, --list       List the OBJECTS\n\n\
+-	-C, --locallist  List OBJECTS local customizations\n\n\
+-	-D, --deleteall  Remove all OBJECTS local customizations\n\
+-\
+-	-h, --help       Display this message\n\
+-	-n, --noheading  Do not print heading when listing OBJECTS\n\
+-        -S, --store      Select and alternate SELinux store to manage\n\n\
+-Object-specific Options (see above):\n\
+-	-f, --ftype      File Type of OBJECT \n\
+-		"" (all files) \n\
+-		-- (regular file) \n\
+-		-d (directory) \n\
+-		-c (character device) \n\
+-		-b (block device) \n\
+-		-s (socket) \n\
+-		-l (symbolic link) \n\
+-		-p (named pipe) \n\n\
+-\
+-	-p, --proto      Port protocol (tcp or udp)\n\
+-	-P, --prefix     Prefix for home directory labeling\n\
+-	-L, --level      Default SELinux Level (MLS/MCS Systems only)\n\
+-	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")\n\
+-	-T, --trans      SELinux Level Translation (MLS/MCS Systems only)\n\n\
+-\
+-	-s, --seuser     SELinux User Name\n\
+-	-t, --type       SELinux Type for the object\n\
+-	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only)\n\
+-')
++		print _("""
++semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] 
++semanage login -{a|d|m} [-sr] login_name
++semanage user -{a|d|m} [-LrRP] selinux_name
++semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
++semanage interface -{a|d|m} [-tr] interface_spec
++semanage fcontext -{a|d|m} [-frst] file_spec
++semanage translation -{a|d|m} [-T] level
++semanage boolean -{d|m} boolean
++semanage permissive -{d|a} type
++
++Primary Options:
++
++	-a, --add        Add a OBJECT record NAME
++	-d, --delete     Delete a OBJECT record NAME
++	-m, --modify     Modify a OBJECT record NAME
++	-l, --list       List the OBJECTS
++	-C, --locallist  List OBJECTS local customizations
++	-D, --deleteall  Remove all OBJECTS local customizations
++
++	-h, --help       Display this message
++	-n, --noheading  Do not print heading when listing OBJECTS
++        -S, --store      Select and alternate SELinux store to manage
++
++Object-specific Options (see above):
++
++	-f, --ftype      File Type of OBJECT 
++		"" (all files) 
++		-- (regular file) 
++		-d (directory) 
++		-c (character device) 
++		-b (block device) 
++		-s (socket) 
++		-l (symbolic link) 
++		-p (named pipe) 
++
++	-p, --proto      Port protocol (tcp or udp)
++	-P, --prefix     Prefix for home directory labeling
++	-L, --level      Default SELinux Level (MLS/MCS Systems only)
++	-R, --roles      SELinux Roles (ex: "sysadm_r staff_r")
++	-T, --trans      SELinux Level Translation (MLS/MCS Systems only)
++
++	-s, --seuser     SELinux User Name
++	-t, --type       SELinux Type for the object
++	-r, --range      MLS/MCS Security Range (MLS/MCS Systems only)
++""")
+ 		print message
+ 		sys.exit(1)
+ 		
+@@ -112,6 +115,8 @@
+ 		valid_option["translation"] += valid_everyone + [ '-T', '--trans' ] 
+ 		valid_option["boolean"] = []
+ 		valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ] 
++		valid_option["permissive"] = []
++		valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
+ 		return valid_option
+ 
+ 	#
+@@ -266,6 +271,9 @@
+ 		if object == "translation":
+ 			OBJECT = seobject.setransRecords()
+ 		
++		if object == "permissive":
++			OBJECT = seobject.permissiveRecords(store)
++		
+ 		if list:
+ 			OBJECT.list(heading, locallist)
+ 			sys.exit(0);
+@@ -302,6 +310,9 @@
+ 
+ 			if object == "fcontext":
+ 				OBJECT.add(target, setype, ftype, serange, seuser)
++			if object == "permissive":
++				OBJECT.add(target)
++
+ 			sys.exit(0);
+ 			
+ 		if modify:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.49/semanage/semanage.8
+--- nsapolicycoreutils/semanage/semanage.8	2008-05-22 14:01:41.000000000 -0400
++++ policycoreutils-2.0.49/semanage/semanage.8	2008-06-11 16:18:48.000000000 -0400
+@@ -17,6 +17,8 @@
+ .br
+ .B semanage fcontext \-{a|d|m} [\-frst] file_spec
+ .br
++.B semanage permissive \-{a|d} type
++.br
+ .B semanage translation \-{a|d|m} [\-T] level
+ .P
+ 
+@@ -101,10 +103,11 @@
+ $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
+ # Allow Apache to listen on port 81
+ $ semanage port -a -t http_port_t -p tcp 81
++# Change apache to a permissive domain
++$ semanage permissive -a http_t
+ .fi
+ 
+ .SH "AUTHOR"
+ This man page was written by Daniel Walsh <dwalsh@redhat.com> and
+ Russell Coker <rcoker@redhat.com>.
+ Examples by Thomas Bleher <ThomasBleher@gmx.de>.
+-
 diff --exclude-from=exclude --exclude=sepolgen-1.0.11 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.49/semanage/seobject.py
---- nsapolicycoreutils/semanage/seobject.py	2008-05-22 14:01:41.602159000 -0400
-+++ policycoreutils-2.0.49/semanage/seobject.py	2008-05-16 11:27:02.000000000 -0400
-@@ -464,7 +464,7 @@
+--- nsapolicycoreutils/semanage/seobject.py	2008-05-22 14:01:41.000000000 -0400
++++ policycoreutils-2.0.49/semanage/seobject.py	2008-06-12 14:34:36.038161000 -0400
+@@ -1,5 +1,5 @@
+ #! /usr/bin/python -E
+-# Copyright (C) 2005, 2006, 2007 Red Hat 
++# Copyright (C) 2005, 2006, 2007, 2008 Red Hat 
+ # see file 'COPYING' for use and warranty information
+ #
+ # semanage is a tool for managing SELinux configuration files
+@@ -24,7 +24,9 @@
+ import pwd, string, selinux, tempfile, os, re, sys
+ from semanage import *;
+ PROGNAME="policycoreutils"
++import sepolgen.module as module
+ 
++import commands
+ import gettext
+ gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+ gettext.textdomain(PROGNAME)
+@@ -246,7 +248,67 @@
+ 		os.close(fd)
+ 		os.rename(newfilename, self.filename)
+                 os.system("/sbin/service mcstrans reload > /dev/null")
+-                
++
++class permissiveRecords:
++	def __init__(self, store):
++               self.store = store
++
++	def get_all(self):
++               rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
++               l = []
++               for i in out.split():
++                      if i.startswith("permissive_"):
++                             l.append(i.split("permissive_")[1])
++               return l
++
++	def list(self,heading = 1, locallist = 0):
++		if heading:
++			print "\n%-25s\n" % (_("Permissive Types"))
++                for t in self.get_all():
++                       print t
++
++
++	def add(self, type):
++               name = "permissive_%s" % type
++               dirname = "/var/lib/selinux"
++               os.chdir(dirname)
++               filename = "%s.te" % name
++               modtxt = """
++module %s 1.0;
++
++require {
++          type %s;
++}
++
++permissive %s;
++""" % (name, type, type)
++               fd = open(filename,'w')
++               fd.write(modtxt)
++               fd.close()
++               mc = module.ModuleCompiler()
++               mc.create_module_package(filename, 1)
++               rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
++               for root, dirs, files in os.walk("top", topdown=False):
++                      for name in files:
++                             os.remove(os.path.join(root, name))
++                      for name in dirs:
++                             os.rmdir(os.path.join(root, name))
++
++               if rc != 0:
++                      raise ValueError(out)			
++
++
++	def delete(self, name):
++               rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
++               if rc != 0:
++                      raise ValueError(out)			
++
++	def deleteall(self):
++               l = self.get_all()
++               if len(l) > 0:
++                      all = " permissive_".join(l)
++                      self.delete(all)
++
+ class semanageRecords:
+ 	def __init__(self, store):
+ 		self.sh = semanage_handle_create()
+@@ -464,7 +526,7 @@
  	def __init__(self, store = ""):
  		semanageRecords.__init__(self, store)
  

policycoreutils-sepolgen.patch

@@ -1,6 +1,28 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py	2008-01-23 14:36:29.000000000 -0500
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/audit.py	2008-05-28 10:11:36.373597000 -0400
+@@ -241,14 +241,17 @@
+     def from_split_string(self, recs):
+         AuditMessage.from_split_string(self, recs)
+         dict={}
++        ctr = 0
+         for i in recs:
++            ctr = ctr + 1
+             t = i.split('=')
+             if len(t) < 2:
++                if t[0] == "context":
++                    self.type = refpolicy.SecurityContext(recs[ctr]).type
+                 continue
+             dict[t[0]]=t[1]
+         try:
+             self.role = refpolicy.SecurityContext(dict["scontext"]).role
+-            self.type = refpolicy.SecurityContext(dict["tcontext"]).type
+         except:
+             raise ValueError("Split string does not represent a valid compute sid message")
+     def output(self):
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py
 --- nsasepolgen/src/sepolgen/refparser.py	2008-01-23 14:36:29.000000000 -0500
-+++ policycoreutils-2.0.35/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-01-11 11:17:50.000000000 -0500
++++ policycoreutils-2.0.49/sepolgen-1.0.11/src/sepolgen/refparser.py	2008-05-16 11:27:03.000000000 -0400
 @@ -919,7 +919,7 @@
  def list_headers(root):
      modules = []

policycoreutils.spec

@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.49
-Release: 3%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -63,6 +63,7 @@ make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optfla
 %install
 rm -rf %{buildroot}
 mkdir -p %{buildroot}/etc/rc.d/init.d
+mkdir -p %{buildroot}/var/lib/selinux
 mkdir -p %{buildroot}%{_bindir}
 mkdir -p %{buildroot}%{_sbindir}
 mkdir -p %{buildroot}/sbin
@@ -111,7 +112,7 @@ Summary: SELinux configuration GUI
 Group: System Environment/Base
 Requires: policycoreutils = %{version}-%{release} 
 Requires: gnome-python2, pygtk2, pygtk2-libglade, gnome-python2-canvas 
-Requires: usermode, rhpl
+Requires: usermode 
 Requires: setools-console
 Requires: python >= 2.4
 BuildRequires: desktop-file-utils
@@ -172,6 +173,7 @@ rm -rf %{buildroot}
 %dir %{_libdir}/python?.?/site-packages/sepolgen
 %{_libdir}/python?.?/site-packages/sepolgen/*
 %dir  /var/lib/sepolgen
+%dir  /var/lib/selinux
 /var/lib/sepolgen/perm_map
 
 %preun
@@ -183,7 +185,6 @@ fi
 %post
 /sbin/chkconfig --add restorecond
 [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen  > /dev/null 
-/usr/bin/sepolgen-ifgen  > /dev/null
 exit 0
 
 %postun
@@ -192,6 +193,18 @@ if [ "$1" -ge "1" ]; then
 fi
 
 %changelog
+* Mon Jun 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-7
+- Fix sepolgen-ifgen processing
+
+* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-6
+- Add deleteall to semanage permissive, cleanup error handling
+
+* Thu Jun 12 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-5
+- Complete removal of rhpl requirement
+
+* Wed Jun 11 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-4
+- Add semanage permissive *
+
 * Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> 2.0.49-3
 - Fix fixfiles to cleanup /tmp and /var/tmp