policycoreutils-2.7-2.fc27

- sepolicy: Fix sepolicy manpage.
- semanage: Update Infiniband code to work on python3
- semanage: Fix export of ibendport entries
- semanage: Enforce noreload only if it's requested by -N option
- semanage: Don't use global setup variable
- semanage: drop *_ini functions
- semanage: Enable listing file_contexts.homedirs
- semanage: make seobject.py backward compatible
- gui: remove mappingsPage
- gui: delete overridden definition of usersPage.delete()
- gui: fix parsing of "semodule -lfull" in tab Modules
- gui: remove the status bar
- sepolicy: support non-MLS policy in gui
- sepolicy: ignore comments and empty lines in file_contexts.subs_dist
- gui: port to Python 3 by migrating to PyGI
- sepolicy: do not fail when file_contexts.local or .subs do not exist
- restorecond: check write() and daemon() results
- sepolicy: remove stray space in section "SEE ALSO"
- sepolicy: support non-MCS policy in manpage
- sepolicy: support non-MLS policy in manpage
- sepolicy: fix misspelling of _ra_content_t suffix
- sepolicy: do not fail when file_contexts.local does not exist

policycoreutils-fedora.patch

@@ -1,3 +1,35 @@
+diff --git policycoreutils-2.7/load_policy/load_policy.8 policycoreutils-2.7/load_policy/load_policy.8
+index 5f5550d..0810995 100644
+--- policycoreutils-2.7/load_policy/load_policy.8
++++ policycoreutils-2.7/load_policy/load_policy.8
+@@ -39,4 +39,4 @@ Initial policy load failed and enforcing mode requested
+ .SH AUTHORS
+ .nf
+ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+-The program was written by Stephen Smalley <sds@epoch.ncsc.mil>.
++The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
+diff --git policycoreutils-2.7/newrole/hashtab.c policycoreutils-2.7/newrole/hashtab.c
+index 77ed143..24c65c4 100644
+--- policycoreutils-2.7/newrole/hashtab.c
++++ policycoreutils-2.7/newrole/hashtab.c
+@@ -1,5 +1,5 @@
+ 
+-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
++/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
+ 
+ /* FLASK */
+ 
+diff --git policycoreutils-2.7/newrole/hashtab.h policycoreutils-2.7/newrole/hashtab.h
+index 9f737df..3790f0a 100644
+--- policycoreutils-2.7/newrole/hashtab.h
++++ policycoreutils-2.7/newrole/hashtab.h
+@@ -1,5 +1,5 @@
+ 
+-/* Author : Stephen Smalley, <sds@epoch.ncsc.mil> */
++/* Author : Stephen Smalley, <sds@tycho.nsa.gov> */
+ 
+ /* FLASK */
+ 
 diff --git policycoreutils-2.7/scripts/fixfiles policycoreutils-2.7/scripts/fixfiles
 index 1aa330f..7ec0396 100755
 --- policycoreutils-2.7/scripts/fixfiles
@@ -10,3 +42,16 @@ index 1aa330f..7ec0396 100755
  FORCEFLAG=""
  RPMFILES=""
  PREFC=""
+diff --git policycoreutils-2.7/setfiles/setfiles.8 policycoreutils-2.7/setfiles/setfiles.8
+index 9501845..ccaaf4d 100644
+--- policycoreutils-2.7/setfiles/setfiles.8
++++ policycoreutils-2.7/setfiles/setfiles.8
+@@ -255,7 +255,7 @@ being updated provided there are no errors.
+ 
+ .SH "AUTHOR"
+ This man page was written by Russell Coker <russell@coker.com.au>.
+-The program was written by Stephen Smalley <sds@epoch.ncsc.mil>
++The program was written by Stephen Smalley <sds@tycho.nsa.gov>
+ 
+ .SH "SEE ALSO"
+ .BR restorecon (8),

policycoreutils.spec

@@ -1,7 +1,7 @@
 %global	libauditver	2.1.3-4
-%global libsepolver	2.7-1
+%global libsepolver	2.7-2
-%global	libsemanagever	2.7-1
+%global	libsemanagever	2.7-2
-%global	libselinuxver	2.7-1
+%global	libselinuxver	2.7-3
 %global	sepolgenver	2.7
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
@@ -9,7 +9,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.7
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -31,8 +31,10 @@ Source18: selinux-autorelabel.target
 Source19: selinux-autorelabel-generator.sh
 # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
 # run:
-# $ VERSION=2.7 ./make-fedora-selinux-patch.sh policycoreutils
+# HEAD https://github.com/fedora-selinux/selinux/commit/e5a6540888e254b245d42b7cecf0b895d64ddc43
-# HEAD https://github.com/fedora-selinux/selinux/commit/70a12c5e7b56a81223d67ce2469292826b84efe9
+# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
+#   BRANCH=f27 VERSION=2.7 ./make-fedora-selinux-patch.sh $i
+# done
 Patch:	 policycoreutils-fedora.patch
 # $ VERSION=2.7 ./make-fedora-selinux-patch.sh selinux-python
 Patch1:  selinux-python-fedora.patch
@@ -40,7 +42,7 @@ Patch2:  selinux-gui-fedora.patch
 Patch3:  selinux-sandbox-fedora.patch
 Patch4:  selinux-dbus-fedora.patch
 # Patch5:  semodule-utils-fedora.patch
-# Patch6:  restorecond
+Patch6:  restorecond-fedora.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
 # initscripts < 9.66 shipped fedora-autorelabel services which are renamed to selinux-relabel
@@ -185,6 +187,7 @@ sed -i '1s%\(#! *\)/usr/bin/python\([^3].*\|\)$%\1%{__python3}\2%' \
 	%{buildroot}%{_bindir}/audit2why \
 	%{buildroot}%{_bindir}/sepolicy \
 	%{buildroot}%{_bindir}/sepolgen{,-ifgen} \
+	%{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.py \
 	%{buildroot}%{_datadir}/system-config-selinux/selinux_server.py \
 	%nil
 
@@ -400,6 +403,7 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_datadir}/system-config-selinux/polgengui.py*
 %{_datadir}/system-config-selinux/system-config-selinux.py*
 %{_datadir}/system-config-selinux/*.glade
+%{_datadir}/system-config-selinux/*.ui
 %{python_sitelib}/sepolicy/gui.py*
 %{python_sitelib}/sepolicy/sepolicy.glade
 %dir %{python_sitelib}/sepolicy/help
@@ -498,6 +502,30 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Fri Nov 24 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
+- sepolicy: Fix sepolicy manpage.
+- semanage: Update Infiniband code to work on python3
+- semanage: Fix export of ibendport entries
+- semanage: Enforce noreload only if it's requested by -N option
+- semanage: Don't use global setup variable
+- semanage: drop *_ini functions
+- semanage: Enable listing file_contexts.homedirs
+- semanage: make seobject.py backward compatible
+- gui: remove mappingsPage
+- gui: delete overridden definition of usersPage.delete()
+- gui: fix parsing of "semodule -lfull" in tab Modules
+- gui: remove the status bar
+- sepolicy: support non-MLS policy in gui
+- sepolicy: ignore comments and empty lines in file_contexts.subs_dist
+- gui: port to Python 3 by migrating to PyGI
+- sepolicy: do not fail when file_contexts.local or .subs do not exist
+- restorecond: check write() and daemon() results
+- sepolicy: remove stray space in section "SEE ALSO"
+- sepolicy: support non-MCS policy in manpage
+- sepolicy: support non-MLS policy in manpage
+- sepolicy: fix misspelling of _ra_content_t suffix
+- sepolicy: do not fail when file_contexts.local does not exist
+
 * Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
 - Update to upstream release 2017-08-04
 - Move DBUS API from -gui to -dbus package

restorecond-fedora.patch

@@ -0,0 +1,29 @@
+diff --git restorecond-2.7/restorecond.c restorecond-2.7/restorecond.c
+index f379db1..6fbbd35 100644
+--- restorecond-2.7/restorecond.c
++++ restorecond-2.7/restorecond.c
+@@ -103,7 +103,10 @@ static int write_pid_file(void)
+ 		pidfile = 0;
+ 		return 1;
+ 	}
+-	(void)write(pidfd, val, (unsigned int)len);
++	if (write(pidfd, val, (unsigned int)len) != len) {
++		syslog(LOG_ERR, "Unable to write to pidfile (%s)", strerror(errno));
++		return 1;
++	}
+ 	close(pidfd);
+ 	return 0;
+ }
+@@ -204,8 +207,10 @@ int main(int argc, char **argv)
+ 	watch_file = server_watch_file;
+ 	read_config(master_fd, watch_file);
+ 
+-	if (!debug_mode)
+-		daemon(0, 0);
++	if (!debug_mode) {
++		if (daemon(0, 0) < 0)
++			exitApp("daemon");
++	}
+ 
+ 	write_pid_file();
+ 

selinux-python-fedora.patch

@@ -1,3 +1,270 @@
+diff --git selinux-python-2.7/semanage/semanage selinux-python-2.7/semanage/semanage
+index 313537c..8d8a086 100644
+--- selinux-python-2.7/semanage/semanage
++++ selinux-python-2.7/semanage/semanage
+@@ -89,16 +89,6 @@ class CheckRole(argparse.Action):
+             newval.append(v)
+         setattr(namespace, self.dest, newval)
+ 
+-store = ''
+-
+-
+-class SetStore(argparse.Action):
+-
+-    def __call__(self, parser, namespace, values, option_string=None):
+-        global store
+-        store = values
+-        setattr(namespace, self.dest, values)
+-
+ 
+ class seParser(argparse.ArgumentParser):
+ 
+@@ -134,67 +124,21 @@ class SetImportFile(argparse.Action):
+                 sys.exit(1)
+         setattr(namespace, self.dest, values)
+ 
+-# functions for OBJECT initialization
+-
+-
+-def login_ini():
+-    OBJECT = seobject.loginRecords(store)
+-    return OBJECT
+-
+-
+-def user_ini():
+-    OBJECT = seobject.seluserRecords(store)
+-    return OBJECT
+-
+-
+-def port_ini():
+-    OBJECT = seobject.portRecords(store)
+-    return OBJECT
+-
+-def ibpkey_ini():
+-    OBJECT = seobject.ibpkeyRecords(store)
+-    return OBJECT
+-
+-def ibendport_ini():
+-    OBJECT = seobject.ibendportRecords(store)
+-    return OBJECT
+-
+-def module_ini():
+-    OBJECT = seobject.moduleRecords(store)
+-    return OBJECT
+-
+-
+-def interface_ini():
+-    OBJECT = seobject.interfaceRecords(store)
+-    return OBJECT
+-
+-
+-def node_ini():
+-    OBJECT = seobject.nodeRecords(store)
+-    return OBJECT
+-
+-
+-def fcontext_ini():
+-    OBJECT = seobject.fcontextRecords(store)
+-    return OBJECT
+-
+-
+-def boolean_ini():
+-    OBJECT = seobject.booleanRecords(store)
+-    return OBJECT
+-
+-
+-def permissive_ini():
+-    OBJECT = seobject.permissiveRecords(store)
+-    return OBJECT
+-
+-
+-def dontaudit_ini():
+-    OBJECT = seobject.dontauditClass(store)
+-    return OBJECT
+-
+ # define dictonary for seobject OBEJCTS
+-object_dict = {'login': login_ini, 'user': user_ini, 'port': port_ini, 'module': module_ini, 'interface': interface_ini, 'node': node_ini, 'fcontext': fcontext_ini, 'boolean': boolean_ini, 'permissive': permissive_ini, 'dontaudit': dontaudit_ini, 'ibpkey': ibpkey_ini, 'ibendport': ibendport_ini}
++object_dict = {
++    'login': seobject.loginRecords,
++    'user': seobject.seluserRecords,
++    'port': seobject.portRecords,
++    'module': seobject.moduleRecords,
++    'interface': seobject.interfaceRecords,
++    'node': seobject.nodeRecords,
++    'fcontext': seobject.fcontextRecords,
++    'boolean': seobject.booleanRecords,
++    'permissive': seobject.permissiveRecords,
++    'dontaudit': seobject.dontauditClass,
++    'ibpkey': seobject.ibpkeyRecords,
++    'ibendport': seobject.ibendportRecords
++}
+ 
+ def generate_custom_usage(usage_text, usage_dict):
+     # generate custom usage from given text and dictonary
+@@ -238,8 +182,7 @@ def handleLogin(args):
+ 
+     handle_opts(args, login_args, args.action)
+ 
+-    OBJECT = object_dict['login']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['login'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.login, args.seuser, args.range)
+@@ -257,7 +200,7 @@ def handleLogin(args):
+ 
+ 
+ def parser_add_store(parser, name):
+-    parser.add_argument('-S', '--store', action=SetStore, help=_("Select an alternate SELinux Policy Store to manage"))
++    parser.add_argument('-S', '--store', default='', help=_("Select an alternate SELinux Policy Store to manage"))
+ 
+ 
+ def parser_add_priority(parser, name):
+@@ -269,7 +212,7 @@ def parser_add_noheading(parser, name):
+ 
+ 
+ def parser_add_noreload(parser, name):
+-    parser.add_argument('-N', '--noreload', action='store_false', default=True, help=_('Do not reload policy after commit'))
++    parser.add_argument('-N', '--noreload', action='store_true', default=False, help=_('Do not reload policy after commit'))
+ 
+ 
+ def parser_add_locallist(parser, name):
+@@ -372,8 +315,7 @@ def handleFcontext(args):
+     else:
+         handle_opts(args, fcontext_args, args.action)
+ 
+-    OBJECT = object_dict['fcontext']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['fcontext'](args)
+ 
+     if args.action is "add":
+         if args.equal:
+@@ -441,8 +383,7 @@ def handleUser(args):
+ 
+     handle_opts(args, user_args, args.action)
+ 
+-    OBJECT = object_dict['user']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['user'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.selinux_name, args.roles, args.level, args.range, args.prefix)
+@@ -492,8 +433,7 @@ def handlePort(args):
+ 
+     handle_opts(args, port_args, args.action)
+ 
+-    OBJECT = object_dict['port']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['port'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.port, args.proto, args.range, args.type)
+@@ -538,8 +478,7 @@ def handlePkey(args):
+ 
+     handle_opts(args, ibpkey_args, args.action)
+ 
+-    OBJECT = object_dict['ibpkey']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['ibpkey'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.ibpkey, args.subnet_prefix, args.range, args.type)
+@@ -582,8 +521,7 @@ def handleIbendport(args):
+ 
+     handle_opts(args, ibendport_args, args.action)
+ 
+-    OBJECT = object_dict['ibendport']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['ibendport'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.ibendport, args.ibdev_name, args.range, args.type)
+@@ -626,8 +564,7 @@ def handleInterface(args):
+ 
+     handle_opts(args, interface_args, args.action)
+ 
+-    OBJECT = object_dict['interface']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['interface'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.interface, args.range, args.type)
+@@ -666,8 +603,7 @@ def setupInterfaceParser(subparsers):
+ 
+ 
+ def handleModule(args):
+-    OBJECT = seobject.moduleRecords(store)
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = seobject.moduleRecords(args)
+     if args.action == "add":
+         OBJECT.add(args.module_name, args.priority)
+     if args.action == "enable":
+@@ -709,8 +645,7 @@ def handleNode(args):
+     node_args = {'list': [('node', 'type', 'proto', 'netmask'), ('')], 'add': [('locallist'), ('type', 'node', 'proto', 'netmask')], 'modify': [('locallist'), ('node', 'netmask', 'proto')], 'delete': [('locallist'), ('node', 'netmask', 'prototype')], 'extract': [('locallist', 'node', 'type', 'proto', 'netmask'), ('')], 'deleteall': [('locallist'), ('')]}
+     handle_opts(args, node_args, args.action)
+ 
+-    OBJECT = object_dict['node']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['node'](args)
+ 
+     if args.action is "add":
+         OBJECT.add(args.node, args.netmask, args.proto, args.range, args.type)
+@@ -756,8 +691,7 @@ def handleBoolean(args):
+ 
+     handle_opts(args, boolean_args, args.action)
+ 
+-    OBJECT = object_dict['boolean']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['boolean'](args)
+ 
+     if args.action is "modify":
+         if args.boolean:
+@@ -795,8 +729,7 @@ def setupBooleanParser(subparsers):
+ 
+ 
+ def handlePermissive(args):
+-    OBJECT = object_dict['permissive']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['permissive'](args)
+ 
+     if args.action is "list":
+         OBJECT.list(args.noheading)
+@@ -830,8 +763,7 @@ def setupPermissiveParser(subparsers):
+ 
+ 
+ def handleDontaudit(args):
+-    OBJECT = object_dict['dontaudit']()
+-    OBJECT.set_reload(args.noreload)
++    OBJECT = object_dict['dontaudit'](args)
+     OBJECT.toggle(args.action)
+ 
+ 
+@@ -848,7 +780,7 @@ def handleExport(args):
+     for i in manageditems:
+         print("%s -D" % i)
+     for i in manageditems:
+-        OBJECT = object_dict[i]()
++        OBJECT = object_dict[i](args)
+         for c in OBJECT.customized():
+             print("%s %s" % (i, str(c)))
+ 
+@@ -912,7 +844,7 @@ def mkargv(line):
+ 
+ 
+ def handleImport(args):
+-    trans = seobject.semanageRecords(store)
++    trans = seobject.semanageRecords(args)
+     trans.start()
+ 
+     for l in sys.stdin.readlines():
+@@ -932,7 +864,6 @@ def handleImport(args):
+         except KeyboardInterrupt:
+             sys.exit(0)
+ 
+-    trans.set_reload(args.noreload)
+     trans.finish()
+ 
+ 
 diff --git selinux-python-2.7/semanage/semanage.8 selinux-python-2.7/semanage/semanage.8
 index 0bdb90f..0cdcfcc 100644
 --- selinux-python-2.7/semanage/semanage.8
@@ -15,10 +282,67 @@ index 0bdb90f..0cdcfcc 100644
  user identities to authorized role sets.  In most cases, only the
  former mapping needs to be adjusted by the administrator; the latter
 diff --git selinux-python-2.7/semanage/seobject.py selinux-python-2.7/semanage/seobject.py
-index 70fd192..af88126 100644
+index 70fd192..99e1cd8 100644
 --- selinux-python-2.7/semanage/seobject.py
 +++ selinux-python-2.7/semanage/seobject.py
-@@ -386,6 +386,8 @@ class moduleRecords(semanageRecords):
+@@ -238,21 +238,28 @@ class semanageRecords:
+     transaction = False
+     handle = None
+     store = None
++    args = None
+ 
+-    def __init__(self, store):
++    def __init__(self, args = None):
+         global handle
+-        self.load = True
+-        self.sh = self.get_handle(store)
++        if args:
++            # legacy code - args was store originally
++            if type(args) == str:
++                self.store = args
++            else:
++                self.args = args
++        self.noreload = getattr(args, "noreload", False)
++        if not self.store:
++            self.store = getattr(args, "store", "")
++
++        self.sh = self.get_handle(self.store)
+ 
+         rc, localstore = selinux.selinux_getpolicytype()
+-        if store == "" or store == localstore:
++        if self.store == "" or self.store == localstore:
+             self.mylog = logger()
+         else:
+             self.mylog = nulllogger()
+ 
+-    def set_reload(self, load):
+-        self.load = load
+-
+     def get_handle(self, store):
+         global is_mls_enabled
+ 
+@@ -312,7 +319,8 @@ class semanageRecords:
+         if semanageRecords.transaction:
+             return
+ 
+-        semanage_set_reload(self.sh, self.load)
++        if self.noreload:
++            semanage_set_reload(self.sh, 0)
+         rc = semanage_commit(self.sh)
+         if rc < 0:
+             self.mylog.commit(0)
+@@ -328,8 +336,8 @@ class semanageRecords:
+ 
+ class moduleRecords(semanageRecords):
+ 
+-    def __init__(self, store):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def get_all(self):
+         l = []
+@@ -386,6 +394,8 @@ class moduleRecords(semanageRecords):
              print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
  
      def add(self, file, priority):
@@ -27,7 +351,7 @@ index 70fd192..af88126 100644
          if not os.path.exists(file):
              raise ValueError(_("Module does not exist: %s ") % file)
  
-@@ -398,6 +400,8 @@ class moduleRecords(semanageRecords):
+@@ -398,6 +408,8 @@ class moduleRecords(semanageRecords):
              self.commit()
  
      def set_enabled(self, module, enable):
@@ -36,7 +360,7 @@ index 70fd192..af88126 100644
          for m in module.split():
              rc, key = semanage_module_key_create(self.sh)
              if rc < 0:
-@@ -416,11 +420,15 @@ class moduleRecords(semanageRecords):
+@@ -416,11 +428,15 @@ class moduleRecords(semanageRecords):
          self.commit()
  
      def modify(self, file):
@@ -52,11 +376,372 @@ index 70fd192..af88126 100644
          rc = semanage_set_default_priority(self.sh, priority)
          if rc < 0:
              raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
+@@ -440,8 +456,8 @@ class moduleRecords(semanageRecords):
+ 
+ class dontauditClass(semanageRecords):
+ 
+-    def __init__(self, store):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def toggle(self, dontaudit):
+         if dontaudit not in ["on", "off"]:
+@@ -453,8 +469,8 @@ class dontauditClass(semanageRecords):
+ 
+ class permissiveRecords(semanageRecords):
+ 
+-    def __init__(self, store):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def get_all(self):
+         l = []
+@@ -522,8 +538,8 @@ class permissiveRecords(semanageRecords):
+ 
+ class loginRecords(semanageRecords):
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+         self.oldsename = None
+         self.oldserange = None
+         self.sename = None
+@@ -534,7 +550,7 @@ class loginRecords(semanageRecords):
+         if sename == "":
+             sename = "user_u"
+ 
+-        userrec = seluserRecords()
++        userrec = seluserRecords(self.args)
+         range, (rc, oldserole) = userrec.get(self.oldsename)
+         range, (rc, serole) = userrec.get(sename)
+ 
+@@ -603,7 +619,7 @@ class loginRecords(semanageRecords):
+         if sename == "" and serange == "":
+             raise ValueError(_("Requires seuser or serange"))
+ 
+-        userrec = seluserRecords()
++        userrec = seluserRecords(self.args)
+         range, (rc, oldserole) = userrec.get(self.oldsename)
+ 
+         if sename != "":
+@@ -660,7 +676,7 @@ class loginRecords(semanageRecords):
+ 
+     def __delete(self, name):
+         rec, self.oldsename, self.oldserange = selinux.getseuserbyname(name)
+-        userrec = seluserRecords()
++        userrec = seluserRecords(self.args)
+         range, (rc, oldserole) = userrec.get(self.oldsename)
+ 
+         (rc, k) = semanage_seuser_key_create(self.sh, name)
+@@ -779,8 +795,8 @@ class loginRecords(semanageRecords):
+ 
+ class seluserRecords(semanageRecords):
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def get(self, name):
+         (rc, k) = semanage_user_key_create(self.sh, name)
+@@ -1042,8 +1058,8 @@ class portRecords(semanageRecords):
+     except RuntimeError:
+         valid_types = []
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def __genkey(self, port, proto):
+         if proto == "tcp":
+@@ -1317,8 +1333,8 @@ class ibpkeyRecords(semanageRecords):
+     except:
+         valid_types = []
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def __genkey(self, pkey, subnet_prefix):
+         if subnet_prefix == "":
+@@ -1540,9 +1556,8 @@ class ibpkeyRecords(semanageRecords):
+     def customized(self):
+         l = []
+         ddict = self.get_all(True)
+-        keys = ddict.keys()
+-        keys.sort()
+-        for k in keys:
++
++        for k in sorted(ddict.keys()):
+             if k[0] == k[1]:
+                 l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
+             else:
+@@ -1554,11 +1569,10 @@ class ibpkeyRecords(semanageRecords):
+         keys = ddict.keys()
+         if len(keys) == 0:
+             return
+-        keys.sort()
+ 
+         if heading:
+             print("%-30s %-18s %s\n" % (_("SELinux IB Pkey Type"), _("Subnet_Prefix"), _("Pkey Number")))
+-        for i in keys:
++        for i in sorted(keys):
+             rec = "%-30s %-18s " % i
+             rec += "%s" % ddict[i][0]
+             for p in ddict[i][1:]:
+@@ -1572,8 +1586,8 @@ class ibendportRecords(semanageRecords):
+     except:
+         valid_types = []
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def __genkey(self, ibendport, ibdev_name):
+         if ibdev_name == "":
+@@ -1782,10 +1796,9 @@ class ibendportRecords(semanageRecords):
+     def customized(self):
+         l = []
+         ddict = self.get_all(True)
+-        keys = ddict.keys()
+-        keys.sort()
+-        for k in keys:
+-            l.append("-a -t %s -x %s %s" % (ddict[k][0], k[2], k[0]))
++
++        for k in sorted(ddict.keys()):
++            l.append("-a -t %s -r %s -z %s %s" % (ddict[k][0], ddict[k][1], k[1], k[0]))
+         return l
+ 
+     def list(self, heading=1, locallist=0):
+@@ -1793,11 +1806,10 @@ class ibendportRecords(semanageRecords):
+         keys = ddict.keys()
+         if len(keys) == 0:
+             return
+-        keys.sort()
+ 
+         if heading:
+             print("%-30s %-18s %s\n" % (_("SELinux IB End Port Type"), _("IB Device Name"), _("Port Number")))
+-        for i in keys:
++        for i in sorted(keys):
+             rec = "%-30s %-18s " % i
+             rec += "%s" % ddict[i][0]
+             for p in ddict[i][1:]:
+@@ -1810,8 +1822,8 @@ class nodeRecords(semanageRecords):
+     except RuntimeError:
+         valid_types = []
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+         self.protocol = ["ipv4", "ipv6"]
+ 
+     def validate(self, addr, mask, protocol):
+@@ -2046,8 +2058,8 @@ class nodeRecords(semanageRecords):
+ 
+ class interfaceRecords(semanageRecords):
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+ 
+     def __add(self, interface, serange, ctype):
+         if is_mls_enabled == 1:
+@@ -2243,8 +2255,8 @@ class fcontextRecords(semanageRecords):
+     except RuntimeError:
+         valid_types = []
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+         self.equiv = {}
+         self.equiv_dist = {}
+         self.equal_ind = False
+@@ -2566,10 +2578,15 @@ class fcontextRecords(semanageRecords):
+             if rc < 0:
+                 raise ValueError(_("Could not list file contexts"))
+ 
++            (rc, fchomedirs) = semanage_fcontext_list_homedirs(self.sh)
++            if rc < 0:
++                raise ValueError(_("Could not list file contexts for home directories"))
++
+             (rc, fclocal) = semanage_fcontext_list_local(self.sh)
+             if rc < 0:
+                 raise ValueError(_("Could not list local file contexts"))
+ 
++            self.flist += fchomedirs
+             self.flist += fclocal
+ 
+         ddict = {}
+@@ -2627,8 +2644,8 @@ class fcontextRecords(semanageRecords):
+ 
+ class booleanRecords(semanageRecords):
+ 
+-    def __init__(self, store=""):
+-        semanageRecords.__init__(self, store)
++    def __init__(self, args = None):
++        semanageRecords.__init__(self, args)
+         self.dict = {}
+         self.dict["TRUE"] = 1
+         self.dict["FALSE"] = 0
+diff --git selinux-python-2.7/sepolicy/sepolicy.8 selinux-python-2.7/sepolicy/sepolicy.8
+index 7900586..09d2b24 100644
+--- selinux-python-2.7/sepolicy/sepolicy.8
++++ selinux-python-2.7/sepolicy/sepolicy.8
+@@ -22,14 +22,15 @@ Query SELinux policy to see if domains can communicate with each other
+ .br
+ 
+ .B    generate
+-.br 
+ .br
+ Generate SELinux Policy module template
+-.B    gui
++.B sepolicy-generate(8)
+ .br
++
++.B    gui
+ .br
+ Launch Graphical User Interface for SELinux Policy, requires policycoreutils-gui package.
+-.B sepolicy-generate(8)
++.B sepolicy-gui(8)
+ .br
+ 
+ .B    interface
 diff --git selinux-python-2.7/sepolicy/sepolicy/__init__.py selinux-python-2.7/sepolicy/sepolicy/__init__.py
-index 5cfc071..a10dbcd 100644
+index 5cfc071..24e3526 100644
 --- selinux-python-2.7/sepolicy/sepolicy/__init__.py
 +++ selinux-python-2.7/sepolicy/sepolicy/__init__.py
-@@ -1136,27 +1136,14 @@ def boolean_desc(boolean):
+@@ -4,6 +4,7 @@
+ # Author: Ryan Hallisey <rhallise@redhat.com>
+ # Author: Jason Zaman <perfinion@gentoo.org>
+ 
++import errno
+ import selinux
+ import setools
+ import glob
+@@ -207,10 +208,17 @@ def info(setype, name=None):
+             elif len(ports) == 1:
+                 q.ports = (ports[0], ports[0])
+ 
++        if _pol.mls:
++            return ({
++                'high': x.ports.high,
++                'protocol': str(x.protocol),
++                'range': str(x.context.range_),
++                'type': str(x.context.type_),
++                'low': x.ports.low,
++            } for x in q.results())
+         return ({
+             'high': x.ports.high,
+             'protocol': str(x.protocol),
+-            'range': str(x.context.range_),
+             'type': str(x.context.type_),
+             'low': x.ports.low,
+         } for x in q.results())
+@@ -220,11 +228,16 @@ def info(setype, name=None):
+         if name:
+             q.name = name
+ 
++        if _pol.mls:
++            return ({
++                'range': str(x.mls_range),
++                'name': str(x),
++                'roles': list(map(str, x.roles)),
++                'level': str(x.mls_level),
++            } for x in q.results())
+         return ({
+-            'range': str(x.mls_range),
+             'name': str(x),
+             'roles': list(map(str, x.roles)),
+-            'level': str(x.mls_level),
+         } for x in q.results())
+ 
+     elif setype == BOOLEAN:
+@@ -511,12 +524,15 @@ def find_entrypoint_path(exe, exclude_list=[]):
+ 
+ 
+ def read_file_equiv(edict, fc_path, modify):
+-    fd = open(fc_path, "r")
+-    fc = fd.readlines()
+-    fd.close()
+-    for e in fc:
+-        f = e.split()
+-        edict[f[0]] = {"equiv": f[1], "modify": modify}
++    try:
++        with open(fc_path, "r") as fd:
++            for e in fd:
++                f = e.split()
++                if f and not f[0].startswith('#'):
++                    edict[f[0]] = {"equiv": f[1], "modify": modify}
++    except OSError as e:
++        if e.errno != errno.ENOENT:
++            raise
+     return edict
+ 
+ 
+@@ -543,9 +559,13 @@ def get_local_file_paths(fc_path=selinux.selinux_file_context_path()):
+     if local_files:
+         return local_files
+     local_files = []
+-    fd = open(fc_path + ".local", "r")
+-    fc = fd.readlines()
+-    fd.close()
++    try:
++        with open(fc_path + ".local", "r") as fd:
++            fc = fd.readlines()
++    except OSError as e:
++        if e.errno != errno.ENOENT:
++            raise
++        return []
+     for i in fc:
+         rec = i.split()
+         if len(rec) == 0:
+@@ -573,9 +593,12 @@ def get_fcdict(fc_path=selinux.selinux_file_context_path()):
+     fc += fd.readlines()
+     fd.close()
+     fcdict = {}
+-    fd = open(fc_path + ".local", "r")
+-    fc += fd.readlines()
+-    fd.close()
++    try:
++        with open(fc_path + ".local", "r") as fd:
++            fc += fd.readlines()
++    except OSError as e:
++        if e.errno != errno.ENOENT:
++            raise
+ 
+     for i in fc:
+         rec = i.split()
+@@ -856,8 +879,9 @@ def get_selinux_users():
+     global selinux_user_list
+     if not selinux_user_list:
+         selinux_user_list = list(info(USER))
+-        for x in selinux_user_list:
+-            x['range'] = "".join(x['range'].split(" "))
++        if _pol.mls:
++            for x in selinux_user_list:
++                x['range'] = "".join(x['range'].split(" "))
+     return selinux_user_list
+ 
+ 
+@@ -955,7 +979,7 @@ def get_description(f, markup=markup):
+     if f.endswith("_db_t"):
+         return txt + "treat the files as %s database content." % prettyprint(f, "_db_t")
+     if f.endswith("_ra_content_t"):
+-        return txt + "treat the files as %s read/append content." % prettyprint(f, "_ra_conten_t")
++        return txt + "treat the files as %s read/append content." % prettyprint(f, "_ra_content_t")
+     if f.endswith("_cert_t"):
+         return txt + "treat the files as %s certificate data." % prettyprint(f, "_cert_t")
+     if f.endswith("_key_t"):
+@@ -1136,27 +1160,14 @@ def boolean_desc(boolean):
  
  
  def get_os_version():
@@ -90,11 +775,124 @@ index 5cfc071..a10dbcd 100644
  
  
  def reinit():
+diff --git selinux-python-2.7/sepolicy/sepolicy/gui.py selinux-python-2.7/sepolicy/sepolicy/gui.py
+index 007c94a..6562aa8 100644
+--- selinux-python-2.7/sepolicy/sepolicy/gui.py
++++ selinux-python-2.7/sepolicy/sepolicy/gui.py
+@@ -907,8 +907,8 @@ class SELinuxGui():
+             if "object_r" in roles:
+                 roles.remove("object_r")
+             self.user_liststore.set_value(iter, 1, ", ".join(roles))
+-            self.user_liststore.set_value(iter, 2, u["level"])
+-            self.user_liststore.set_value(iter, 3, u["range"])
++            self.user_liststore.set_value(iter, 2, u.get("level", ""))
++            self.user_liststore.set_value(iter, 3, u.get("range", ""))
+             self.user_liststore.set_value(iter, 4, True)
+         self.ready_mouse()
+ 
+@@ -1755,14 +1755,14 @@ class SELinuxGui():
+         if self.login_mls_entry.get_text() == "":
+             for u in sepolicy.get_selinux_users():
+                 if seuser == u['name']:
+-                    self.login_mls_entry.set_text(u['range'])
++                    self.login_mls_entry.set_text(u.get('range', ''))
+ 
+     def user_roles_combobox_change(self, combo, *args):
+         serole = self.combo_get_active_text(combo)
+         if self.user_mls_entry.get_text() == "":
+             for u in sepolicy.get_all_roles():
+                 if serole == u['name']:
+-                    self.user_mls_entry.set_text(u['range'])
++                    self.user_mls_entry.set_text(u.get('range', ''))
+ 
+     def get_selected_iter(self):
+         iter = None
+@@ -1973,7 +1973,10 @@ class SELinuxGui():
+             self.cur_dict["user"][name] = {"action": "-m", "range": mls_range, "level": level, "role": roles, "oldrange": oldrange, "oldlevel": oldlevel, "oldroles": oldroles, "oldname": oldname}
+         else:
+             iter = self.liststore.append(None)
+-            self.cur_dict["user"][name] = {"action": "-a", "range": mls_range, "level": level, "role": roles}
++            if mls_range or level:
++                self.cur_dict["user"][name] = {"action": "-a", "range": mls_range, "level": level, "role": roles}
++            else:
++                self.cur_dict["user"][name] = {"action": "-a", "role": roles}
+ 
+         self.liststore.set_value(iter, 0, name)
+         self.liststore.set_value(iter, 1, roles)
+@@ -2089,8 +2092,8 @@ class SELinuxGui():
+             user_dict = self.cust_dict["user"]
+             for user in user_dict:
+                 roles = user_dict[user]["role"]
+-                mls = user_dict[user]["range"]
+-                level = user_dict[user]["level"]
++                mls = user_dict[user].get("range", "")
++                level = user_dict[user].get("level", "")
+                 iter = self.user_delete_liststore.append()
+                 self.user_delete_liststore.set_value(iter, 1, user)
+                 self.user_delete_liststore.set_value(iter, 2, roles)
+@@ -2104,7 +2107,7 @@ class SELinuxGui():
+             login_dict = self.cust_dict["login"]
+             for login in login_dict:
+                 seuser = login_dict[login]["seuser"]
+-                mls = login_dict[login]["range"]
++                mls = login_dict[login].get("range", "")
+                 iter = self.login_delete_liststore.append()
+                 self.login_delete_liststore.set_value(iter, 1, seuser)
+                 self.login_delete_liststore.set_value(iter, 2, login)
+@@ -2268,7 +2271,7 @@ class SELinuxGui():
+             self.update_treestore.set_value(niter, 3, False)
+             roles = self.cur_dict["user"][user]["role"]
+             self.update_treestore.set_value(niter, 1, (_("Roles: %s")) % roles)
+-            mls = self.cur_dict["user"][user]["range"]
++            mls = self.cur_dict["user"][user].get("range", "")
+             niter = self.update_treestore.append(iter)
+             self.update_treestore.set_value(niter, 3, False)
+             self.update_treestore.set_value(niter, 1, _("MLS/MCS Range: %s") % mls)
+@@ -2293,7 +2296,7 @@ class SELinuxGui():
+             self.update_treestore.set_value(niter, 3, False)
+             seuser = self.cur_dict["login"][login]["seuser"]
+             self.update_treestore.set_value(niter, 1, (_("SELinux User: %s")) % seuser)
+-            mls = self.cur_dict["login"][login]["range"]
++            mls = self.cur_dict["login"][login].get("range", "")
+             niter = self.update_treestore.append(iter)
+             self.update_treestore.set_value(niter, 3, False)
+             self.update_treestore.set_value(niter, 1, _("MLS/MCS Range: %s") % mls)
+@@ -2487,14 +2490,18 @@ class SELinuxGui():
+                 for l in self.cur_dict[k]:
+                     if self.cur_dict[k][l]["action"] == "-d":
+                         update_buffer += "login -d %s\n" % l
+-                    else:
++                    elif "range" in self.cur_dict[k][l]:
+                         update_buffer += "login %s -s %s -r %s %s\n" % (self.cur_dict[k][l]["action"], self.cur_dict[k][l]["seuser"], self.cur_dict[k][l]["range"], l)
++                    else:
++                        update_buffer += "login %s -s %s %s\n" % (self.cur_dict[k][l]["action"], self.cur_dict[k][l]["seuser"], l)
+             if k in "user":
+                 for u in self.cur_dict[k]:
+                     if self.cur_dict[k][u]["action"] == "-d":
+                         update_buffer += "user -d %s\n" % u
+-                    else:
++                    elif "level" in self.cur_dict[k][u] and "range" in self.cur_dict[k][u]:
+                         update_buffer += "user %s -L %s -r %s -R %s %s\n" % (self.cur_dict[k][u]["action"], self.cur_dict[k][u]["level"], self.cur_dict[k][u]["range"], self.cur_dict[k][u]["role"], u)
++                    else:
++                        update_buffer += "user %s -R %s %s\n" % (self.cur_dict[k][u]["action"], self.cur_dict[k][u]["role"], u)
+ 
+             if k in "fcontext-equiv":
+                 for f in self.cur_dict[k]:
 diff --git selinux-python-2.7/sepolicy/sepolicy/manpage.py selinux-python-2.7/sepolicy/sepolicy/manpage.py
-index 4d84636..4772b50 100755
+index 4d84636..b463165 100755
 --- selinux-python-2.7/sepolicy/sepolicy/manpage.py
 +++ selinux-python-2.7/sepolicy/sepolicy/manpage.py
-@@ -125,8 +125,33 @@ def gen_domains():
+@@ -84,7 +84,8 @@ def get_all_users_info():
+ 
+     for d in allusers_info:
+         allusers.append(d['name'])
+-        users_range[d['name'].split("_")[0]] = d['range']
++        if 'range' in d:
++            users_range[d['name'].split("_")[0]] = d['range']
+ 
+     for u in allusers:
+         if u not in ["system_u", "root", "unconfined_u"]:
+@@ -125,8 +126,36 @@ def gen_domains():
      domains.sort()
      return domains
  
@@ -121,7 +919,10 @@ index 4d84636..4772b50 100755
 +def _gen_mcs_constrained_types():
 +    global mcs_constrained_types
 +    if mcs_constrained_types is None:
-+        mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
++        try:
++            mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
++        except StopIteration:
++            mcs_constrained_types = []
 +    return mcs_constrained_types
 +
 +
@@ -129,7 +930,7 @@ index 4d84636..4772b50 100755
  
  def _gen_types():
      global types
-@@ -149,10 +174,6 @@ def prettyprint(f, trim):
+@@ -149,10 +178,6 @@ def prettyprint(f, trim):
  manpage_domains = []
  manpage_roles = []
  
@@ -140,7 +941,7 @@ index 4d84636..4772b50 100755
  def get_alphabet_manpages(manpage_list):
      alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
      for i in string.ascii_letters:
-@@ -182,7 +203,7 @@ def convert_manpage_to_html(html_manpage, manpage):
+@@ -182,7 +207,7 @@ def convert_manpage_to_html(html_manpage, manpage):
  class HTMLManPages:
  
      """
@@ -149,7 +950,7 @@ index 4d84636..4772b50 100755
      """
  
      def __init__(self, manpage_roles, manpage_domains, path, os_version):
-@@ -190,9 +211,9 @@ class HTMLManPages:
+@@ -190,9 +215,9 @@ class HTMLManPages:
          self.manpage_domains = get_alphabet_manpages(manpage_domains)
          self.os_version = os_version
          self.old_path = path + "/"
@@ -161,7 +962,7 @@ index 4d84636..4772b50 100755
              self.__gen_html_manpages()
          else:
              print("SELinux HTML man pages can not be generated for this %s" % os_version)
-@@ -201,7 +222,6 @@ class HTMLManPages:
+@@ -201,7 +226,6 @@ class HTMLManPages:
      def __gen_html_manpages(self):
          self._write_html_manpage()
          self._gen_index()
@@ -169,7 +970,7 @@ index 4d84636..4772b50 100755
          self._gen_css()
  
      def _write_html_manpage(self):
-@@ -219,67 +239,21 @@ class HTMLManPages:
+@@ -219,67 +243,21 @@ class HTMLManPages:
                      convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
  
      def _gen_index(self):
@@ -241,7 +1042,7 @@ index 4d84636..4772b50 100755
          for letter in self.manpage_roles:
              if len(self.manpage_roles[letter]):
                  fd.write("""
-@@ -423,6 +397,9 @@ class ManPage:
+@@ -423,6 +401,9 @@ class ManPage:
          self.all_file_types = sepolicy.get_all_file_types()
          self.role_allows = sepolicy.get_all_role_allows()
          self.types = _gen_types()
@@ -251,7 +1052,7 @@ index 4d84636..4772b50 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -735,10 +712,13 @@ Default Defined Ports:""")
+@@ -735,10 +716,13 @@ Default Defined Ports:""")
  
      def _file_context(self):
          flist = []
@@ -265,7 +1066,7 @@ index 4d84636..4772b50 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
          if len(mpaths) == 0:
-@@ -790,19 +770,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -790,19 +774,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  .PP
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
@@ -289,7 +1090,17 @@ index 4d84636..4772b50 100755
  
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
-@@ -974,8 +955,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
+@@ -921,8 +906,7 @@ This manual page was auto-generated using
+ .B "sepolicy manpage".
+ 
+ .SH "SEE ALSO"
+-selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)
+-""" % (self.domainname))
++selinux(8), %s(8), semanage(8), restorecon(8), chcon(1), sepolicy(8)""" % (self.domainname))
+ 
+         if self.booltext != "":
+             self.fd.write(", setsebool(8)")
+@@ -974,8 +958,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
  %s""" % ", ".join(paths))
  
      def _mcs_types(self):