* Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-31

- Fix sepolgen code generation
Resolve: #603001

policycoreutils-gui.patch

@@ -6414,8 +6414,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
 +    app.stand_alone()
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.82/gui/polgen.py
 --- nsapolicycoreutils/gui/polgen.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/polgen.py	2010-06-07 16:38:00.000000000 -0400
++++ policycoreutils-2.0.82/gui/polgen.py	2010-06-15 12:01:00.000000000 -0400
-@@ -0,0 +1,1273 @@
+@@ -0,0 +1,1286 @@
 +#!/usr/bin/python
 +#
 +# Copyright (C) 2007-2010 Red Hat 
@@ -7115,7 +7115,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +
 +            if self.type == USER:
 +                for u in self.transition_users:
-+                    temp =  re.sub("TEMPLATETYPE", self.name, executable.te_userapp_trans_rules)
++                    temp =  re.sub("TEMPLATETYPE", self.name, user.te_user_trans_rules)
 +                    newte += re.sub("USER", u.split("_u")[0], temp)
 +
 +            return newte
@@ -7131,6 +7131,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +
 +                for u in self.transition_users:
 +                    role = u.split("_u")[0]
++                    
 +                    if (role + "_r") in self.all_roles:
 +                        tmp =  re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules)
 +                        newte += re.sub("USER", role, tmp)
@@ -7265,11 +7266,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +                newif =""
 +                if self.use_terminal or self.type == USER:
 +                    newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules)
++                newif = re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules)
 +                return newif
 +
 +                
 +	def generate_if(self):
 +                newif = ""
++                newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
 +                if self.program != "":
 +                    newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules)
 +                if self.initscript != "":
@@ -7299,6 +7302,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +            if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER):
 +                roles = ""
 +                if len(self.roles) > 0:
++                    newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules)
 +                    newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules)
 +                    for role in self.roles:
 +                        tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules)
@@ -7317,7 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +########################################
 +#
 +# %s local policy
-+#""" % self.name
++#
++""" % self.name
 +                newte += self.generate_capabilities()
 +                newte += self.generate_process()
 +		newte += self.generate_network_types()
@@ -7357,6 +7362,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +	def generate_fc(self):
 +		newfc = ""
 +                fclist = []
++                if self.type in USERS:
++                    return re.sub("EXECUTABLE", self.program, executable.fc_user)
 +                if self.program == "":
 +                    raise ValueError(_("You must enter the executable path for your confined process"))
 +
@@ -7480,10 +7487,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +                    fcfile = "%s/my%s.fc" % (out_dir, self.file_name)
 +                else:
 +                    fcfile = "%s/%s.fc" % (out_dir, self.file_name)
-+                if self.type in APPLICATIONS:
++                fd = open(fcfile, "w")
-+                    fd = open(fcfile, "w")
++                fd.write(self.generate_fc())
-+                    fd.write(self.generate_fc())
++                fd.close()
-+                    fd.close()
 +		return fcfile
 +
 +	def generate(self, out_dir = "."):
@@ -7501,6 +7507,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +	sys.exit(1)
 +
 +def test():
++    import tempfile
++
++    tmpdir = tempfile.mkdtemp()
 +    mypolicy = policy("mycgi", CGI)
 +    mypolicy.set_program("/var/www/cgi-bin/cgi")
 +    mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000")
@@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    mypolicy.set_use_syslog(True)
 +    mypolicy.set_use_pam(True)
 +    mypolicy.set_out_tcp(0,"8000")
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +
 +    mypolicy = policy("myuser", USER)
 +    mypolicy.set_program("/usr/bin/myuser")
@@ -7523,7 +7532,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    mypolicy.add_file("/var/lib/myuser/myuser.sock")
 +    mypolicy.set_out_tcp(0,"8000")
 +    mypolicy.set_transition_users(["unconfined_u", "staff_u"])
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +    
 +
 +    mypolicy = policy("myrwho", DAEMON)
@@ -7537,7 +7546,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    mypolicy.set_use_pam(True)
 +    mypolicy.add_dir("/var/run/myrwho")
 +    mypolicy.add_dir("/var/lib/myrwho")
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +    
 +    mypolicy = policy("myinetd", INETD)
 +    mypolicy.set_program("/usr/bin/mytest")
@@ -7562,7 +7571,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    mypolicy.set_use_terminal(True)
 +    mypolicy.set_use_mail(True)
 +    mypolicy.set_out_tcp(0,"8000")
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +
 +
 +    mypolicy = policy("mydbus", DBUS)
@@ -7573,24 +7582,27 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    mypolicy.set_use_tmp(True)
 +    mypolicy.set_use_syslog(True)
 +    mypolicy.set_use_pam(True)
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +
 +    mypolicy = policy("mytuser", TUSER)
-+    mypolicy.set_transition_domains(["sudo"])
 +    mypolicy.set_admin_roles(["mydbadm"])
 +    mypolicy.add_boolean("allow_mytuser_setuid", "Allow mytuser users to run setuid applications")
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +    
 +    mypolicy = policy("myxuser", XUSER)
 +    mypolicy.set_in_tcp(1, 1, 1, "28920")
 +    mypolicy.set_in_udp(0, 0, 1, "1513")
 +    mypolicy.set_transition_domains(["mozilla"])
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
 +    
 +    mypolicy = policy("mydbadm", RUSER)
 +    mypolicy.set_admin_domains(["postgresql", "mysql"])
-+    print mypolicy.generate("/var/tmp")
++    print mypolicy.generate(tmpdir)
-+    
++    os.chdir(tmpdir)
++    rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile1")
++    print output
++    print type(rc), os.WEXITSTATUS(rc)
++    sys.exit(os.WEXITSTATUS(rc))
 +
 +import os, sys, getopt, socket, random, fcntl
 +    
@@ -7610,7 +7622,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +    print _("""
 +%s
 +
-+polgen [ -m ] [ -t type ] executable
++polgen [ -m ] [ -t type ] [ executable | Name ]
 +valid Types:
 +""") % msg
 +    keys=poltype.keys()
@@ -7655,35 +7667,36 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
 +        usage(_("Options Error %s ") % error.msg)
 +
 +    if len(cmds) == 0:
-+           usage(_("Executable required"))
++           usage(_("Executable or Name required"))
 +
 +    try:
 +        if not name:
 +            name = os.path.basename(cmds[0]).replace("-","_")
 +        cmd = cmds[0]
 +        mypolicy = policy(name, setype)
-+        mypolicy.set_program(cmd)
++        if setype in APPLICATIONS:
-+        for f in gen_writeable(cmd):
++            mypolicy.set_program(cmd)
-+            for b in mypolicy.DEFAULT_DIRS:
++            for f in gen_writeable(cmd):
-+                if b == "/etc":
++                for b in mypolicy.DEFAULT_DIRS:
-+                    continue
++                    if b == "/etc":
-+                if f.startswith(b):
++                        continue
-+                    if os.path.isfile(f):
++                    if f.startswith(b):
-+                        mypolicy.add_file(f)
++                        if os.path.isfile(f):
-+                    else:
++                            mypolicy.add_file(f)
-+                        mypolicy.add_dir(f)
++                        else:
++                            mypolicy.add_dir(f)
 +
-+        if os.path.isfile("/var/run/%s.pid"  % name):
++            if os.path.isfile("/var/run/%s.pid"  % name):
-+            mypolicy.add_file("/var/run/%s.pid"  % name)
++                mypolicy.add_file("/var/run/%s.pid"  % name)
 +
-+        if os.path.isfile("/etc/rc.d/init.d/%s"  % name):
++            if os.path.isfile("/etc/rc.d/init.d/%s"  % name):
-+            mypolicy.set_init_script("/etc/rc\.d/init\.d/%s"  % name)
++                mypolicy.set_init_script("/etc/rc\.d/init\.d/%s"  % name)
 +
-+        symbols = gen_symbols(cmd)
++            symbols = gen_symbols(cmd)
-+        for s in symbols:
++            for s in symbols:
-+            for b in mypolicy.symbols:
++                for b in mypolicy.symbols:
-+                if s.startswith(b):
++                    if s.startswith(b):
-+                    exec "mypolicy.%s" %  mypolicy.symbols[b]
++                        exec "mypolicy.%s" %  mypolicy.symbols[b]
 +        
 +        print mypolicy.generate()
 +        sys.exit(0)
@@ -11788,7 +11801,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
 +    app.stand_alone()
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.82/gui/templates/boolean.py
 --- nsapolicycoreutils/gui/templates/boolean.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/boolean.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/boolean.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,40 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -11832,7 +11845,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.82/gui/templates/etc_rw.py
 --- nsapolicycoreutils/gui/templates/etc_rw.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/etc_rw.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/etc_rw.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,113 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -11949,8 +11962,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.82/gui/templates/executable.py
 --- nsapolicycoreutils/gui/templates/executable.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/executable.py	2010-06-07 16:40:33.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/executable.py	2010-06-11 17:08:24.000000000 -0400
-@@ -0,0 +1,361 @@
+@@ -0,0 +1,382 @@
 +# Copyright (C) 2007-2009 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -12049,7 +12062,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
 +
 +apache_content_template(TEMPLATETYPE)
 +
-+permissive http_TEMPLATETYPE_script_t;
++permissive httpd_TEMPLATETYPE_script_t;
 +"""
 +
 +te_daemon_rules="""
@@ -12127,20 +12140,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
 +miscfiles_read_localization(TEMPLATETYPE_t)
 +"""
 +
-+te_userapp_trans_rules="""
++########################### Interface File #############################
-+optional_policy(`
-+	gen_require(`
-+		type USER_t;
-+		role USER_r;
-+	')
 +
-+	TEMPLATETYPE_run(USER_t, USER_r)
++if_heading_rules="""
-+')
++## <summary>policy for TEMPLATETYPE</summary>
 +"""
 +
-+########################### Interface File #############################
 +if_program_rules="""
-+## <summary>policy for TEMPLATETYPE</summary>
 +
 +########################################
 +## <summary>
@@ -12215,6 +12221,29 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
 +	ps_process_pattern($2, TEMPLATETYPE_t)
 +	allow $2 TEMPLATETYPE_t:process signal;
 +')
++
++"""
++
++if_role_change_rules="""
++########################################
++## <summary>
++##	Change to the TEMPLATETYPE role.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`TEMPLATETYPE_role_change',`
++	gen_require(`
++		role TEMPLATETYPE_r;
++	')
++
++	allow $1 TEMPLATETYPE_r;
++')
++
 +"""
 +
 +if_initscript_rules="""
@@ -12308,13 +12337,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
 +
 +EXECUTABLE		--	gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
 +"""
++
++fc_user="""\
++# Users do not have file context, leave blank
++"""
++
 +fc_initscript="""\
 +
 +EXECUTABLE	--	gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.82/gui/templates/__init__.py
 --- nsapolicycoreutils/gui/templates/__init__.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/__init__.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/__init__.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,18 @@
 +#
 +# Copyright (C) 2007 Red Hat, Inc.
@@ -12336,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.82/gui/templates/network.py
 --- nsapolicycoreutils/gui/templates/network.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/network.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/network.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,80 @@
 +te_port_types="""
 +type TEMPLATETYPE_port_t;
@@ -12420,7 +12454,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.82/gui/templates/rw.py
 --- nsapolicycoreutils/gui/templates/rw.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/rw.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/rw.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,131 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -12555,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.82/gui/templates/script.py
 --- nsapolicycoreutils/gui/templates/script.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/script.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/script.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,126 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -12685,7 +12719,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.82/gui/templates/semodule.py
 --- nsapolicycoreutils/gui/templates/semodule.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/semodule.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/semodule.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,41 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -12730,7 +12764,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.82/gui/templates/tmp.py
 --- nsapolicycoreutils/gui/templates/tmp.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/tmp.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/tmp.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,102 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -12836,8 +12870,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.82/gui/templates/user.py
 --- nsapolicycoreutils/gui/templates/user.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/user.py	2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/user.py	2010-06-11 17:08:24.000000000 -0400
-@@ -0,0 +1,179 @@
+@@ -0,0 +1,195 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
 +#
@@ -12880,7 +12914,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
 +# Declarations
 +#
 +
-+userdom_admin_login_user_template(TEMPLATETYPE)
++userdom_admin_user_template(TEMPLATETYPE)
 +"""
 +
 +te_min_login_user_types="""\
@@ -12933,6 +12967,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
 +#
 +# TEMPLATETYPE local policy
 +#
++
 +"""
 +
 +te_existing_user_rules="""\
@@ -12966,6 +13001,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
 +')
 +"""
 +
++te_user_trans_rules="""
++optional_policy(`
++	gen_require(`
++		role USER_r;
++	')
++
++	TEMPLATETYPE_role_change(USER_r)
++')
++"""
++
 +te_admin_rules="""
 +allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +files_dontaudit_search_all_dirs(TEMPLATETYPE_t)
@@ -12981,45 +13026,50 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
 +domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
 +domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)
 +
-+userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t)
++userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
-+userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t)
++userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)
 +
 +bool TEMPLATETYPE_read_user_files false;
 +bool TEMPLATETYPE_manage_user_files false;
 +
 +if (TEMPLATETYPE_read_user_files) {
-+   userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t)
++   userdom_read_user_home_content_files(TEMPLATETYPE_t)
-+   userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
++   userdom_read_user_tmp_files(TEMPLATETYPE_t)
 +}
 +
 +if (TEMPLATETYPE_manage_user_files) {
-+   userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t)
++   userdom_manage_user_home_content(TEMPLATETYPE_t)
-+   userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
++   userdom_manage_user_tmp_files(TEMPLATETYPE_t)
-+   userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t)
 +}
 +
 +"""
 +
 +te_admin_trans_rules="""
-+userdom_role_change_template(USER, TEMPLATETYPE)
++allow user_r TEMPLATETYPE_r;
 +"""
 +
 +te_admin_domain_rules="""
 +optional_policy(`
-+	APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
++	APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
 +')
 +"""
 +
 +te_roles_rules="""
-+userdom_role_change_template(TEMPLATETYPE, ROLE)
++ROLE_role_change(TEMPLATETYPE_r)
++"""
++
++te_sudo_rules="""
++optional_policy(`
++	sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
++')
 +"""
 +
 +te_newrole_rules="""
-+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
++seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.py policycoreutils-2.0.82/gui/templates/var_cache.py
 --- nsapolicycoreutils/gui/templates/var_cache.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_cache.py	2010-06-07 16:46:31.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_cache.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,133 @@
 +# Copyright (C) 2010 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -13156,7 +13206,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.82/gui/templates/var_lib.py
 --- nsapolicycoreutils/gui/templates/var_lib.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_lib.py	2010-05-26 09:29:58.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_lib.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,161 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -13321,7 +13371,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.82/gui/templates/var_log.py
 --- nsapolicycoreutils/gui/templates/var_log.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_log.py	2010-05-26 09:32:01.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_log.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,116 @@
 +# Copyright (C) 2007,2010 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -13441,7 +13491,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.82/gui/templates/var_run.py
 --- nsapolicycoreutils/gui/templates/var_run.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_run.py	2010-05-26 09:28:54.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_run.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,101 @@
 +# Copyright (C) 2007,2010 Red Hat 
 +# see file 'COPYING' for use and warranty information
@@ -13546,7 +13596,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py
 +"""
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.82/gui/templates/var_spool.py
 --- nsapolicycoreutils/gui/templates/var_spool.py	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_spool.py	2010-06-07 16:46:58.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_spool.py	2010-06-11 17:08:24.000000000 -0400
 @@ -0,0 +1,133 @@
 +# Copyright (C) 2007 Red Hat 
 +# see file 'COPYING' for use and warranty information

policycoreutils-rhat.patch

@@ -1549,8 +1549,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.82/sandbox/Makefile
 --- nsapolicycoreutils/sandbox/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/Makefile	2010-05-25 16:18:41.000000000 -0400
++++ policycoreutils-2.0.82/sandbox/Makefile	2010-06-08 15:05:27.000000000 -0400
-@@ -0,0 +1,42 @@
+@@ -0,0 +1,44 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
 +INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/
@@ -1561,7 +1561,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +LOCALEDIR ?= /usr/share/locale
 +SHAREDIR ?= $(PREFIX)/share/sandbox
 +override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-+LDLIBS += -lselinux -lcap-ng 
++LDLIBS += -lcgroup -lselinux -lcap-ng 
 +
 +all: sandbox seunshare sandboxX.sh 
 +
@@ -1574,6 +1574,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	-mkdir -p $(MANDIR)/man8
 +	install -m 644 sandbox.8 $(MANDIR)/man8/
 +	install -m 644 seunshare.8 $(MANDIR)/man8/
++	-mkdir -p $(MANDIR)/man5
++	install -m 644 sandbox.conf.5 $(MANDIR)/man5/
 +	-mkdir -p $(SBINDIR)
 +	install -m 4755 seunshare $(SBINDIR)/
 +	-mkdir -p $(SHAREDIR)
@@ -1581,7 +1583,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	-mkdir -p $(INITDIR)
 +	install -m 755 sandbox.init $(INITDIR)/sandbox
 +	-mkdir -p $(SYSCONFDIR)
-+	install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
++	install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox
 +
 +test:
 +	@python test_sandbox.py -v
@@ -1595,10 +1597,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +relabel:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.82/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/sandbox	2010-06-03 16:30:17.000000000 -0400
++++ policycoreutils-2.0.82/sandbox/sandbox	2010-06-08 15:12:00.000000000 -0400
-@@ -0,0 +1,427 @@
+@@ -0,0 +1,434 @@
 +#! /usr/bin/python -E
 +# Authors: Dan Walsh <dwalsh@redhat.com>
++# Authors: Thomas Liu <tliu@fedoraproject.org>
 +# Authors: Josh Cogliati
 +#
 +# Copyright (C) 2009,2010  Red Hat
@@ -1885,6 +1888,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +        parser.add_option("-l", "--level", dest="level", 
 +                          help=_("MCS/MLS level for the sandbox"))
 +
++        parser.add_option("-C", "--cgroups",
++                         action="store_true", dest="usecgroup", default=False,
++                         help="Use cgroups to limit this sandbox.")
++
 +        self.__parser=parser
 +
 +        self.__options, cmds = parser.parse_args()
@@ -1960,22 +1967,24 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +
 +    def __execute(self):
 +           try:
-+                  if self.__options.X_ind:
++                  cmds = [ '/usr/sbin/seunshare',  "-Z", self.__execcon ]
-+                         xmodmapfile = self.__homedir + "/.xmodmap"
++                  if self.__options.usecgroup == True:
-+                         xd = open(xmodmapfile,"w")
++                         cmds.append('-c')
-+                         subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
-+                         xd.close()
-+
-+                         self.__setup_sandboxrc(self.__options.wm)
-+                         
-+                         cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ]
-+                         rc = subprocess.Popen(cmds).wait()
-+                         return rc
-+
 +                  if self.__mount:
-+                         cmds =  [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
++                         cmds +=  [ "-t", self.__tmpdir, "-h", self.__homedir ]
-+                         rc = subprocess.Popen(cmds).wait()
++
-+                         return rc
++                         if self.__options.X_ind:
++                                xmodmapfile = self.__homedir + "/.xmodmap"
++                                xd = open(xmodmapfile,"w")
++                                subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
++                                xd.close()
++
++                                self.__setup_sandboxrc(self.__options.wm)
++
++                                cmds += [ "--", "/usr/share/sandbox/sandboxX.sh" ]
++                         else:
++                                cmds += [ "--" ] + self.__paths
++                         return subprocess.Popen(cmds).wait()
 +
 +                  selinux.setexeccon(self.__execcon)
 +                  rc = subprocess.Popen(self.__cmds).wait()
@@ -2026,8 +2035,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +    sys.exit(rc)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.82/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/sandbox.8	2010-05-27 13:42:03.000000000 -0400
++++ policycoreutils-2.0.82/sandbox/sandbox.8	2010-06-08 14:41:10.000000000 -0400
-@@ -0,0 +1,64 @@
+@@ -0,0 +1,69 @@
 +.TH SANDBOX "8" "May 2010" "sandbox" "User Commands"
 +.SH NAME
 +sandbox \- Run cmd under an SELinux sandbox
@@ -2083,6 +2092,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +\fB\-X\fR 
 +Create an X based Sandbox for gui apps, temporary files for
 +$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
++.TP
++\fB\-C\fR
++Use control groups to control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
 +.PP
 +.SH "SEE ALSO"
 +.TP
@@ -2092,12 +2104,63 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.SH AUTHOR
 +This manual page was written by 
 +.I Dan Walsh <dwalsh@redhat.com>
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.82/sandbox/sandbox.config
++and
---- nsapolicycoreutils/sandbox/sandbox.config	1969-12-31 19:00:00.000000000 -0500
++.I Thomas Liu <tliu@fedoraproject.org>
-+++ policycoreutils-2.0.82/sandbox/sandbox.config	2010-04-28 17:12:19.000000000 -0400
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.82/sandbox/sandbox.conf
-@@ -0,0 +1,2 @@
+--- nsapolicycoreutils/sandbox/sandbox.conf	1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.82/sandbox/sandbox.conf	2010-06-08 14:41:59.000000000 -0400
+@@ -0,0 +1,7 @@
 +# Space separate list of homedirs
 +HOMEDIRS="/home"
++# Control group configuration
++NAME=sandbox
++CPUAFFINITY=ALL
++MEMUSAGE=80%
++CPUUSAGE=80%
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.82/sandbox/sandbox.conf.5
+--- nsapolicycoreutils/sandbox/sandbox.conf.5	1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.82/sandbox/sandbox.conf.5	2010-06-08 14:41:19.000000000 -0400
+@@ -0,0 +1,40 @@
++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
++.SH NAME
++sandbox.conf \- user config file for the SELinux sandbox 
++.SH DESCRIPTION
++.PP
++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
++
++.PP
++Everything after "#" is ignored, as are empty lines.  All arguments should be separated by and equals sign ("=").
++
++.PP
++These keywords are allowed.
++
++.RS
++.TP
++.B NAME
++The name of the sandbox control group.  Default is "sandbox".
++
++.TP
++.B CPUAFFINITY
++Which cpus to assign sandbox to.  The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges.  Ex: 0-2,5
++
++.TP
++.B MEMUSAGE
++How much memory to allow sandbox to use.  The default is 80%.  Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively.  Ex: 50% or 100M
++
++.TP
++.B CPUUSAGE
++Percentage of cpu sandbox should be allowed to use.  The default is 80%.  Specify a value followed by a percent sign ("%"). Ex: 50%
++
++
++
++.SH "SEE ALSO"
++.TP
++sandbox(8)
++.PP
++
++.SH AUTHOR
++This manual page was written by 
++.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.82/sandbox/sandbox.init
 --- nsapolicycoreutils/sandbox/sandbox.init	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.82/sandbox/sandbox.init	2010-06-03 17:11:59.000000000 -0400
@@ -2195,8 +2258,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +exit 0
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.82/sandbox/seunshare.8
 --- nsapolicycoreutils/sandbox/seunshare.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/seunshare.8	2010-05-21 08:12:39.000000000 -0400
++++ policycoreutils-2.0.82/sandbox/seunshare.8	2010-06-08 14:41:19.000000000 -0400
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,34 @@
 +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
 +.SH NAME
 +seunshare \- Run cmd under an SELinux context
@@ -2217,6 +2280,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +\fB\-t\ tmpdir
 +Use alternate tempory directory to mount on /tmp.  tmpdir must be owned by the user.
 +.TP
++\fB\-c cgroups\fR
++Use cgroups to control this copy of seunshare.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
++.TP
 +\fB\-v\fR
 +Verbose output
 +.SH "SEE ALSO"
@@ -2226,10 +2292,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.SH AUTHOR
 +This manual page was written by 
 +.I Dan Walsh <dwalsh@redhat.com>
++and
++.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.82/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/seunshare.c	2010-05-25 13:37:30.000000000 -0400
++++ policycoreutils-2.0.82/sandbox/seunshare.c	2010-06-08 14:56:09.000000000 -0400
-@@ -0,0 +1,313 @@
+@@ -0,0 +1,522 @@
++/*
++ * Authors: Dan Walsh <dwalsh@redhat.com>
++ * Authors: Thomas Liu <tliu@fedoraproject.org>
++ */
++
 +#define _GNU_SOURCE
 +#include <signal.h>
 +#include <sys/types.h>
@@ -2239,8 +2312,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +#include <pwd.h>
 +#include <unistd.h>
 +#include <sched.h>
++#include <libcgroup.h>
 +#include <string.h>
 +#include <stdio.h>
++#include <regex.h>
 +#include <stdlib.h>
 +#include <cap-ng.h>
 +#include <getopt.h>		/* for getopt_long() form of getopt() */
@@ -2265,6 +2340,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +#define PACKAGE "policycoreutils"	/* the name of this package lang translation */
 +#endif
 +
++#define BUF_SIZE 1024
++
 +/**
 + * This function will drop all capabilities 
 + * Returns zero on success, non-zero otherwise
@@ -2382,23 +2459,53 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	return 0;
 +}
 +
-+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] --  executable [args] ")
++
++int sandbox_error(const char *string) {
++	fprintf(stderr, string);
++	syslog(LOG_AUTHPRIV | LOG_ALERT, string);
++	exit(-1);
++
++}
++
++
++int match(const char *string, char *pattern) {
++	int status;
++	regex_t re; 
++	if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
++		return 0;
++	}
++	status = regexec(&re, string, (size_t)0, NULL, 0);
++	regfree(&re);	
++	if (status != 0) {
++		return 0;
++	}
++	return 1;
++}
++
++void config_error() {
++	fprintf(stderr, "Error parsing config file.");
++	exit(-1);
++}
 +
 +int main(int argc, char **argv) {
 +	int rc;
 +	int status = -1;
 +
-+	security_context_t scontext;
++	security_context_t scontext = NULL;
 +
 +	int flag_index;		/* flag index in argv[] */
 +	int clflag;		/* holds codes for command line flags */
 +	char *tmpdir_s = NULL;	/* tmpdir spec'd by user in argv[] */
 +	char *homedir_s = NULL;	/* homedir spec'd by user in argv[] */
++	int usecgroups = 0;
 +
 +	const struct option long_options[] = {
 +		{"homedir", 1, 0, 'h'},
 +		{"tmpdir", 1, 0, 't'},
 +		{"verbose", 1, 0, 'v'},
++		{"cgroups", 1, 0, 'c'},
++		{"context", 1, 0, 'Z'},
 +		{NULL, 0, 0, 0}
 +	};
 +
@@ -2427,7 +2534,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +	}
 +
 +	while (1) {
-+		clflag = getopt_long(argc, argv, "vh:t:", long_options,
++		clflag = getopt_long(argc, argv, "cvh:t:c:m:p:Z:", long_options,
 +				     &flag_index);
 +		if (clflag == -1)
 +			break;
@@ -2445,6 +2552,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		case 'v':
 +			verbose = 1;
 +			break;
++		case 'c':
++			usecgroups = 1;
++			break;
++		case 'Z':
++			scontext = strdup(optarg);
++			break;
 +		default:
 +			fprintf(stderr, "%s\n", USAGE_STRING);
 +			return -1;
@@ -2456,15 +2569,175 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		return -1;
 +	}
 +
-+	if (argc - optind < 2) {
++	if (argc - optind < 1) {
-+		fprintf(stderr, _("Error: context and executable required \n %s \n"), USAGE_STRING);
++		fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING);
 +		return -1;
 +	}
 +
-+	scontext = argv[optind++];
 +	
 +	if (set_signal_handles())
 +		return -1;
++	if (usecgroups) {
++		char *cpus = NULL;	/* which CPUs to use */
++		char *cgroupname = NULL;/* name for the cgroup */
++		char *mem = NULL;	/* string for memory amount to pass to cgroup */
++		int64_t memusage = 0;	/* amount of memory to use max (percent) */
++		int cpupercentage = 0;  /* what percentage of cpu to allow usage */
++		FILE* fp;
++		char buf[BUF_SIZE];
++		char *tok = NULL;
++		const char* fname = "/etc/sysconfig/sandbox";	
++
++		if ((fp = fopen(fname, "rt")) == NULL) {
++			fprintf(stderr, "Error opening sandbox config file.");
++			exit(-1);
++		}
++		while(fgets(buf, BUF_SIZE, fp) != NULL) {
++			/* Skip comments */
++			if (buf[0] == '#') continue;
++			
++			/* Copy the string, ignoring whitespace */
++			int len = strlen(buf);
++			char *str = malloc((len + 1) * sizeof(char));
++
++			int ind = 0;	
++			int i;
++			for (i = 0; i < len; i++) {
++				char cur = buf[i];
++				if (cur != ' ' && cur != '\t') {
++					str[ind] = cur;
++					ind++;
++				}
++			}
++			str[ind] = '\0';
++
++			tok = strtok(str, "=\n");
++			if (tok != NULL) {
++				if (!strcmp(tok, "CPUAFFINITY")) {
++					tok = strtok(NULL, "=\n");
++					cpus = strdup(tok);
++					if (!strcmp(cpus, "ALL")) {
++						cpus = NULL;
++					}
++				} else if (!strcmp(tok, "MEMUSAGE")) {
++					tok = strtok(NULL, "=\n");
++					if (match(tok, "^[0-9]+[kKmMgG%]")) {
++						char *ind = strchr(tok, '%');
++						if (ind != NULL) {
++							*ind = '\0';;
++							memusage = atoi(tok);
++						} else {
++							mem = strdup(tok);
++						}
++					} else {
++						config_error();
++					}
++
++				} else if (!strcmp(tok, "CPUUSAGE")) {
++					tok = strtok(NULL, "=\n");
++					if (match(tok, "^[0-9]+\%")) {
++						char* ind = strchr(tok, '%');
++						*ind = '\0';
++						cpupercentage = atoi(tok);
++					} else {
++						config_error();
++					}
++				} else if (!strcmp(tok, "NAME")) {
++					tok = strtok(NULL, "=\n");
++					cgroupname = strdup(tok);
++				} else {
++					continue;
++				}
++			}
++
++
++		}
++		if (mem == NULL) {
++			long phypz = sysconf(_SC_PHYS_PAGES);
++			long psize = sysconf(_SC_PAGE_SIZE);
++			memusage = phypz * psize * (float) memusage / 100.0;
++		}
++
++		cgroup_init();
++
++		int64_t current_runtime = 0;
++		int64_t current_period = 0 ;
++		int64_t current_mem = 0;
++		char *curr_cpu_path = NULL;
++		char *curr_mem_path = NULL;
++		int ret  = cgroup_get_current_controller_path(getpid(), "cpu", &curr_cpu_path);
++		if (ret) {
++			sandbox_error("Error while trying to get current controller path.\n");
++		} else {
++			struct cgroup *curr = cgroup_new_cgroup(curr_cpu_path);
++			cgroup_get_cgroup(curr);
++			cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", &current_runtime);
++			cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", &current_period);
++		}   
++
++		ret  = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
++		if (ret) {
++			sandbox_error("Error while trying to get current controller path.\n");
++		} else {
++			struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
++			cgroup_get_cgroup(curr);
++			cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", &current_mem);
++		}   
++
++		if (((float) cpupercentage)  / 100.0> (float)current_runtime / (float) current_period) {
++			sandbox_error("CPU usage restricted!\n");
++			exit(-1);
++		}   
++
++		if (mem == NULL) {	
++			if (memusage > current_mem) {
++				sandbox_error("Attempting to use more memory than allowed!");
++				exit(-1);
++			}
++		}
++	    
++		long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
++
++		struct sched_param sp; 
++		sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
++		sched_setscheduler(getpid(), SCHED_FIFO, &sp);
++		struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
++		cgroup_add_controller(sandbox_group, "memory");
++		cgroup_add_controller(sandbox_group, "cpu");
++
++		if (mem == NULL) {
++			if (memusage > 0) {
++				cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
++			}	
++		} else {
++			cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
++		}
++		if (cpupercentage > 0) {
++			cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_runtime_us",
++						(float) cpupercentage / 100.0 * 60000);
++			cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_period_us",60000 * nprocs);
++		}
++		if (cpus != NULL) {
++			cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
++		}
++
++		uint64_t allocated_mem;
++		if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
++			sandbox_error("Attempting to use more memory than allowed!\n");
++			exit(-1);
++		}
++
++
++		int r = cgroup_create_cgroup(sandbox_group, 1);
++		if (r != 0) {
++			sandbox_error("Failed to create group.  Ensure that cgconfig service is running. \n");
++			exit(-1);
++		}
++
++
++		cgroup_attach_task(sandbox_group);
++
++	}
 +
 +        if (unshare(CLONE_NEWNS) < 0) {
 +		perror(_("Failed to unshare"));
@@ -2513,11 +2786,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +			exit(-1);
 +		}
 +		
-+		if (setexeccon(scontext)) {
++		if (scontext) {
-+			fprintf(stderr, _("Could not set exec context to %s.\n"),
++			if (setexeccon(scontext)) {
-+				scontext);
++				fprintf(stderr, _("Could not set exec context to %s.\n"),
-+			free(display);
++					scontext);
-+			exit(-1);
++				free(display);
++				exit(-1);
++			}
 +		}
 +
 +		if (display) 
@@ -2533,8 +2808,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +			exit(-1);
 +		}
 +		setsid();
++
 +		execv(argv[optind], argv + optind);
 +		free(display);
++		freecon(scontext);
 +		perror("execv");
 +		exit(-1);
 +	} else {

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.82
-Release: 29%{?dist}
+Release: 31%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -30,7 +30,7 @@ Obsoletes: policycoreutils < 2.0.61-2
 
 %global pkgpythondir  %{python_sitelib}/%{name}
 
-BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
+BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python-devel
 Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff rpm /bin/sed
@@ -111,7 +111,7 @@ desktop-file-install	--vendor fedora \
 Summary: SELinux policy core python utilities
 Group:	 System Environment/Base
 Requires: policycoreutils = %{version}-%{release} 
-Requires: libsemanage-python >= %{libsemanagever} libselinux-python
+Requires: libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
 Requires: audit-libs-python >=  %{libauditver} 
 Requires: /usr/bin/make
 Requires(pre): python >= 2.6
@@ -140,6 +140,7 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_mandir}/man1/audit2allow.1*
 %{_mandir}/ru/man1/audit2allow.1*
 %{_mandir}/man1/audit2why.1*
+%{_mandir}/man5/sandbox.conf.5*
 %{_mandir}/man8/chcat.8*
 %{_mandir}/ru/man8/chcat.8*
 %{_mandir}/man8/sandbox.8*
@@ -313,6 +314,13 @@ fi
 exit 0
 
 %changelog
+* Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-30
+- Add cgroup support for sandbox 
+
 * Mon Jun 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-29
 - Allow creation of /var/cache/DOMAIN from sepolgen