Rebase on db0f2f382e31 at SELinuxProject

- Build with libsepol.so.1 and libsemanage.so.2
- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
- fixfiles: correctly restore context of mountpoints
- sepolgen: print extended permissions in hexadecimal

0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch

@@ -0,0 +1,34 @@
+From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
+From: "W. Michael Petullo" <mike@flyn.org>
+Date: Thu, 16 Jul 2020 15:29:20 -0500
+Subject: [PATCH] python/audit2allow: add #include <limits.h> to
+ sepolgen-ifgen-attr-helper.c
+
+I found that building on OpenWrt/musl failed with:
+
+  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
+
+Musl is less "generous" than glibc in recursively including header
+files, and I suspect this is the reason for this error. Explicitly
+including limits.h fixes the problem.
+
+Signed-off-by: W. Michael Petullo <mike@flyn.org>
+---
+ python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+index 53f20818722a..f010c9584c1f 100644
+--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
++++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -28,6 +28,7 @@
+ 
+ #include <selinux/selinux.h>
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-- 
+2.29.0
+

0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch

@@ -0,0 +1,26 @@
+From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Thu, 16 Jul 2020 14:22:13 +0200
+Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
+ restorecond.desktop file
+
+This completely inactivate the .desktop file incase the user session is
+managed by systemd as restorecond also provide a service file
+
+Signed-off-by: Laurent Bigonville <bigon@bigon.be>
+---
+ restorecond/restorecond.desktop | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
+index af7286801c24..7df854727a3f 100644
+--- a/restorecond/restorecond.desktop
++++ b/restorecond/restorecond.desktop
+@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
+ Type=Application
+ StartupNotify=false
+ X-GNOME-Autostart-enabled=false
++X-GNOME-HiddenUnderSystemd=true
+-- 
+2.29.0
+

0003-fixfiles-correctly-restore-context-of-mountpoints.patch

@@ -0,0 +1,136 @@
+From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
+From: bauen1 <j2468h@googlemail.com>
+Date: Thu, 6 Aug 2020 16:48:36 +0200
+Subject: [PATCH] fixfiles: correctly restore context of mountpoints
+
+By bind mounting every filesystem we want to relabel we can access all
+files without anything hidden due to active mounts.
+
+This comes at the cost of user experience, because setfiles only
+displays the percentage if no path is given or the path is /
+
+Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
+ policycoreutils/scripts/fixfiles.8 |  8 ++++++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 5d7770348349..30dadb4f4cb6 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -112,6 +112,7 @@ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+ RESTORE_MODE=""
++BIND_MOUNT_FILESYSTEMS=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+ 	    LogReadOnly
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++
++	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
++	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++	    else
++	        # we bind mount so we can fix the labels of files that have already been
++	        # mounted over
++	        for m in `echo $FILESYSTEMSRW`; do
++	            TMP_MOUNT="$(mktemp -d)"
++	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
++
++	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
++	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
++	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
++	            umount "${TMP_MOUNT}${m}" || exit 1
++	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
++	        done;
++	    fi
+ 	else
+ 	    echo >&2 "fixfiles: No suitable file systems found"
+ 	fi
+@@ -313,6 +330,7 @@ case "$1" in
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
++	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
+ 	# Force full relabel if SELinux is not enabled
+ 	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+@@ -324,7 +342,7 @@ esac
+ }
+ usage() {
+ 	echo $"""
+-Usage: $0 [-v] [-F] [-f] relabel
++Usage: $0 [-v] [-F] [-M] [-f] relabel
+ or
+ Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+ or
+@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+ or
+ Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 [-F] [-B] onboot
++Usage: $0 [-F] [-M] [-B] onboot
+ """
+ }
+ 
+@@ -353,7 +371,7 @@ set_restore_mode() {
+ }
+ 
+ # See how we were called.
+-while getopts "N:BC:FfR:l:v" i; do
++while getopts "N:BC:FfR:l:vM" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
+ 		echo "Redirecting output to $OPTARG"
+ 		exec >>"$OPTARG" 2>&1
+ 		;;
++	M)
++		BIND_MOUNT_FILESYSTEMS="-M"
++		;;
+ 	F)
+ 		FORCEFLAG="-F"
+ 		;;
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index 9f447f03d444..123425308416 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
+ .na
+ 
+ .B fixfiles
+-.I [\-v] [\-F] [\-f] relabel
++.I [\-v] [\-F] [-M] [\-f] relabel
+ 
+ .B fixfiles
+ .I [\-v] [\-F] { check | restore | verify } dir/file ...
+@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
+ .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
+ 
+ .B fixfiles
+-.I [-F] [-B] onboot
++.I [-F] [-M] [-B] onboot
+ 
+ .ad
+ 
+@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
+ Only act on files created after the specified date.  Date must be specified in
+ "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
+ 
++.TP
++.B \-M
++Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
++
+ .TP
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+-- 
+2.29.0
+

0004-sepolgen-print-extended-permissions-in-hexadecimal.patch

@@ -0,0 +1,112 @@
+From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:33 +0200
+Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+All tools like ausearch(8) or sesearch(1) and online documentation[1]
+use hexadecimal values for extended permissions.
+Hence use them, e.g. for audit2allow output, as well.
+
+[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
+ python/sepolgen/tests/test_access.py      | 10 +++++-----
+ python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
+index 43cecfc77385..747636875ef7 100644
+--- a/python/sepolgen/src/sepolgen/refpolicy.py
++++ b/python/sepolgen/src/sepolgen/refpolicy.py
+@@ -407,10 +407,9 @@ class XpermSet():
+ 
+         # print single value without braces
+         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
+-            return compl + str(self.ranges[0][0])
++            return compl + hex(self.ranges[0][0])
+ 
+-        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
+-                   self.ranges)
++        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
+ 
+         return "%s{ %s }" % (compl, " ".join(vals))
+ 
+diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
+index 73a5407df617..623588e09aeb 100644
+--- a/python/sepolgen/tests/test_access.py
++++ b/python/sepolgen/tests/test_access.py
+@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def text_merge_xperm2(self):
+         """Test merging AV that does not contain xperms with AV that does"""
+@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def test_merge_xperm_diff_op(self):
+         """Test merging two AVs that contain xperms with different operation"""
+@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
+-        self.assertEqual(a.xperms["asdf"].to_string(), "23")
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
++        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+                          
+     def test_merge_xperm_same_op(self):
+         """Test merging two AVs that contain xperms with same operation"""
+@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
++        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
+ 
+ class TestUtilFunctions(unittest.TestCase):
+     def test_is_idparam(self):
+diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
+index 4b50c8aada96..c7219fd568e9 100644
+--- a/python/sepolgen/tests/test_refpolicy.py
++++ b/python/sepolgen/tests/test_refpolicy.py
+@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
+         a.complement = True
+         self.assertEqual(a.to_string(), "")
+         a.add(1234)
+-        self.assertEqual(a.to_string(), "~ 1234")
++        self.assertEqual(a.to_string(), "~ 0x4d2")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "1234")
++        self.assertEqual(a.to_string(), "0x4d2")
+         a.add(2345)
+-        self.assertEqual(a.to_string(), "{ 1234 2345 }")
++        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
+         a.complement = True
+-        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
++        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
+         a.add(42,64)
+-        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
++        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
++        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
+ 
+ class TestSecurityContext(unittest.TestCase):
+     def test_init(self):
+-- 
+2.29.0
+

0005-sepolgen-sort-extended-rules-like-normal-ones.patch

@@ -0,0 +1,109 @@
+From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:34 +0200
+Subject: [PATCH] sepolgen: sort extended rules like normal ones
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+Changed:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/output.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
+index 3a21b64c19f7..aeeaafc889e7 100644
+--- a/python/sepolgen/src/sepolgen/output.py
++++ b/python/sepolgen/src/sepolgen/output.py
+@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
+         return ret
+ 
+     # At this point, who cares - just return something
+-    return cmp(len(a.perms), len(b.perms))
++    return 0
+ 
+ # Compare two interface calls
+ def ifcall_cmp(a, b):
+@@ -100,7 +100,7 @@ def rule_cmp(a, b):
+         else:
+             return id_set_cmp([a.args[0]], b.src_types)
+     else:
+-        if isinstance(b, refpolicy.AVRule):
++        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
+             return avrule_cmp(a,b)
+         else:
+             return id_set_cmp(a.src_types, [b.args[0]])
+@@ -130,6 +130,7 @@ def sort_filter(module):
+         # we assume is the first argument for interfaces).
+         rules = []
+         rules.extend(node.avrules())
++        rules.extend(node.avextrules())
+         rules.extend(node.interface_calls())
+         rules.sort(key=util.cmp_to_key(rule_cmp))
+ 
+-- 
+2.29.0
+

0006-newrole-support-cross-compilation-with-PAM-and-audit.patch

@@ -0,0 +1,32 @@
+From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Tue, 1 Sep 2020 18:16:41 +0200
+Subject: [PATCH] newrole: support cross-compilation with PAM and audit
+
+Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/newrole/Makefile | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
+index 73ebd413da85..0e7ebce3dd56 100644
+--- a/policycoreutils/newrole/Makefile
++++ b/policycoreutils/newrole/Makefile
+@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= /etc
+ LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
+-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
++INCLUDEDIR ?= $(PREFIX)/include
++PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
++AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+-- 
+2.29.0
+

0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,4 +1,4 @@
-From 269d3c64978af8053a84ecc54ab2adb7ee481d10 Mon Sep 17 00:00:00 2001
+From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.23.0
+2.29.0
 

0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,4 +1,4 @@
-From f8714034d527c1eb6bd698abcfd8f02d1542f648 Mon Sep 17 00:00:00 2001
+From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 442608191cc8..2ee9e37fde9f 100755
+index 3e8a3be907e3..a1d70623cff0 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -735,10 +735,13 @@ Default Defined Ports:""")
@@ -42,5 +42,5 @@ index 442608191cc8..2ee9e37fde9f 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.23.0
+2.29.0
 

0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,4 +1,4 @@
-From 73cfd014130f4a37b1db29d5a7b840bf414e8f19 Mon Sep 17 00:00:00 2001
+From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 2ee9e37fde9f..ec17fb145375 100755
+index a1d70623cff0..2d33eabb2536 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -23,5 +23,5 @@ index 2ee9e37fde9f..ec17fb145375 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.23.0
+2.29.0
 

0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,4 +1,4 @@
-From 66766a7298065ae60819355f2b515fe3fcc248e3 Mon Sep 17 00:00:00 2001
+From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
 Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644
  
  def reinit():
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index ec17fb145375..8c529ddb07cd 100755
+index 2d33eabb2536..acc77f368d95 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -149,10 +149,6 @@ def prettyprint(f, trim):
@@ -165,5 +165,5 @@ index ec17fb145375..8c529ddb07cd 100755
              if len(self.manpage_roles[letter]):
                  fd.write("""
 -- 
-2.23.0
+2.29.0
 

0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,4 +1,4 @@
-From 59d6989beb341fb17f87b270e4fc8d55351d3a51 Mon Sep 17 00:00:00 2001
+From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
 Subject: [PATCH] We want to remove the trailing newline for
@@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
          system_release = "Misc"
  
 -- 
-2.23.0
+2.29.0
 

0012-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,4 +1,4 @@
-From 600fda8edf440acc3e5b32a31a044b16d65cbef9 Mon Sep 17 00:00:00 2001
+From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
 Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 8c529ddb07cd..10e2c1745f8b 100755
+index acc77f368d95..4aeb3e2e51ba 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -220,7 +220,7 @@ class HTMLManPages:
@@ -21,5 +21,5 @@ index 8c529ddb07cd..10e2c1745f8b 100755
  <body>
  <h1>SELinux man pages for %s</h1>
 -- 
-2.23.0
+2.29.0
 

0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From b45d202d954bad6cd4e96fe22d35677717e5eff9 Mon Sep 17 00:00:00 2001
+From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5d7770348349..fd43aab0cb6a 100755
+index 30dadb4f4cb6..e73bb81c3336 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -20,5 +20,5 @@ index 5d7770348349..fd43aab0cb6a 100755
  RPMFILES=""
  PREFC=""
 -- 
-2.23.0
+2.29.0
 

0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,4 +1,4 @@
-From 61fcb9e5af82482d79c9e9edacb1a7f30686ee4a Mon Sep 17 00:00:00 2001
+From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 10e2c1745f8b..9a4b24743aca 100755
+index 4aeb3e2e51ba..330b055af214 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -125,8 +125,24 @@ def gen_domains():
@@ -59,5 +59,5 @@ index 10e2c1745f8b..9a4b24743aca 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.23.0
+2.29.0
 

0015-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,4 +1,4 @@
-From 15d2491e3c455f740a20eaf93f2c6a9b89e79d7a Mon Sep 17 00:00:00 2001
+From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
 Subject: [PATCH] sepolicy: Another small optimization for mcs types
@@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
  1 file changed, 11 insertions(+), 5 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 9a4b24743aca..736ae13b0524 100755
+index 330b055af214..f8584436960d 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -142,6 +142,15 @@ def _gen_entry_types():
@@ -49,5 +49,5 @@ index 9a4b24743aca..736ae13b0524 100755
          self.fd.write ("""
  .SH "MCS Constrained"
 -- 
-2.23.0
+2.29.0
 

0016-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,4 +1,4 @@
-From 8e02b757f90827f4e850b732ccea32c2897036a8 Mon Sep 17 00:00:00 2001
+From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
 Subject: [PATCH] Move po/ translation files into the right sub-directories
@@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
 @@ -0,0 +1 @@
 +../sandbox
 -- 
-2.23.0
+2.29.0
 

0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,4 +1,4 @@
-From c19dde7c189cba536d79331baff24d987b3fae4d Mon Sep 17 00:00:00 2001
+From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
      import gettext
      kwargs = {}
 -- 
-2.26.2
+2.29.0
 

0018-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,4 +1,4 @@
-From 8384f31cdcf0afd2b13f93f4e8bc42254b4b7928 Mon Sep 17 00:00:00 2001
+From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
 +msgid "Invalid value %s"
 +msgstr ""
 -- 
-2.23.0
+2.29.0
 

0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,4 +1,4 @@
-From 38586b84c3bae778883e43d72700ef1491abae17 Mon Sep 17 00:00:00 2001
+From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
  .BI \-e \ directory
  directory to exclude (repeat option for more than one directory).
 -- 
-2.26.2
+2.29.0
 

0020-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From f2625885226a65df2b0d7f825bafe462a6454c49 Mon Sep 17 00:00:00 2001
+From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -52,7 +52,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 744ee13f692d..a6309783e85e 100644
+index 43180ca6fda4..d60a08e1d72c 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
 @@ -99,7 +99,9 @@ def get_all_ports():
@@ -67,5 +67,5 @@ index 744ee13f692d..a6309783e85e 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.23.0
+2.29.0
 

0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,4 +1,4 @@
-From 6f510c03e54b0058b74fabae6489099f5369a957 Mon Sep 17 00:00:00 2001
+From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
  	}
  
 -- 
-2.23.0
+2.29.0
 

0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From 7afddf20e889731126fda14b2fa713a367d9dd84 Mon Sep 17 00:00:00 2001
+From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.23.0
+2.29.0
 

policycoreutils.spec

@@ -1,8 +1,8 @@
 %global libauditver     3.0
-%global libsepolver     3.1
-%global libsemanagever  3.1
-%global libselinuxver   3.1
-%global sepolgenver     3.1
+%global libsepolver     3.1-4
+%global libsemanagever  3.1-4
+%global libselinuxver   3.1-4
+%global sepolgenver     3.1-4
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -38,22 +38,29 @@ Source23: sandbox-po.tgz
 # $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
-Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
-Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
+Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
+Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
+Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
+Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
+Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
+Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
+Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
+Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
+Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
+Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2