Fix description of policycoreutils-sandbox

Fix all tests

.gitignore

@@ -214,3 +214,10 @@ policycoreutils-2.0.77.tgz
 policycoreutils-2.0.78.tgz
 sepolgen-1.0.19.tgz
 policycoreutils-2.0.79.tgz
+policycoreutils-2.0.80.tgz
+policycoreutils-2.0.81.tgz
+sepolgen-1.0.20.tgz
+sepolgen-1.0.22.tgz
+policycoreutils-2.0.82.tgz
+sepolgen-1.0.23.tgz
+policycoreutils-2.0.83.tgz

branch

@@ -0,0 +1 @@
+F-13

policycoreutils-sepolgen.patch

@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
---- nsasepolgen/src/sepolgen/access.py	2009-05-18 13:53:14.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py	2009-12-08 17:05:49.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py	2010-06-16 08:22:43.000000000 -0400
 @@ -32,6 +32,7 @@
  """
  
@@ -18,15 +18,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
  
          # The direction of the information flow represented by this
          # access vector - used for matching
-@@ -127,7 +130,7 @@
-         return self.to_string()
- 
-     def to_string(self):
--        return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
-+        return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
-                                         self.obj_class, self.perms.to_space_str())
- 
-     def __cmp__(self, other):
 @@ -253,20 +256,22 @@
          for av in l:
              self.add_av(AccessVector(av))
@@ -54,38 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
  
          access.perms.update(perms)
          if audit_msg:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py	2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py	2010-01-06 09:52:35.000000000 -0500
-@@ -23,6 +23,27 @@
- 
- # Convenience functions
- 
-+def get_audit_boot_msgs():
-+    """Obtain all of the avc and policy load messages from the audit
-+    log. This function uses ausearch and requires that the current
-+    process have sufficient rights to run ausearch.
-+
-+    Returns:
-+       string contain all of the audit messages returned by ausearch.
-+    """
-+    import subprocess
-+    import time
-+    fd=open("/proc/uptime", "r")
-+    off=float(fd.read().split()[0])
-+    fd.close
-+    s = time.localtime(time.time() - off)
-+    date = time.strftime("%D/%Y", s).split("/")
-+    bootdate="%s/%s/%s" % (date[0], date[1], date[3])
-+    boottime = time.strftime("%X", s)
-+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
-+                              stdout=subprocess.PIPE).communicate()[0]
-+    return output
-+
- def get_audit_msgs():
-     """Obtain all of the avc and policy load messages from the audit
-     log. This function uses ausearch and requires that the current
-@@ -47,6 +68,17 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py	2010-06-16 08:22:43.000000000 -0400
+@@ -68,6 +68,17 @@
                                stdout=subprocess.PIPE).communicate()[0]
      return output
  
@@ -103,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  # Classes representing audit messages
  
  class AuditMessage:
-@@ -106,6 +138,9 @@
+@@ -127,6 +138,9 @@
              if fields[0] == "path":
                  self.path = fields[1][1:-1]
                  return
@@ -113,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  
  class AVCMessage(AuditMessage):
      """AVC message representing an access denial or granted message.
-@@ -146,6 +181,8 @@
+@@ -167,6 +181,8 @@
          self.path = ""
          self.accesses = []
          self.denial = True
@@ -122,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  
      def __parse_access(self, recs, start):
          # This is kind of sucky - the access that is in a space separated
-@@ -205,7 +242,31 @@
+@@ -226,7 +242,31 @@
  
          if not found_src or not found_tgt or not found_class or not found_access:
              raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@@ -138,7 +101,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 +        else:
 +            self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
 +            if self.type == audit2why.NOPOLICY:
-+                raise ValueError("Must call policy_init first")
++                self.type = audit2why.TERULE
 +            if self.type == audit2why.BADTCON:
 +                raise ValueError("Invalid Target Context %s\n" % tcontext)
 +            if self.type == audit2why.BADSCON:
@@ -149,39 +112,13 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 +                raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
 +            if self.type == audit2why.BADCOMPUTE:
 +                raise ValueError("Error during access vector computation")
-+
++            
 +            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
 +
  class PolicyLoadMessage(AuditMessage):
      """Audit message indicating that the policy was reloaded."""
      def __init__(self, message):
-@@ -285,6 +346,9 @@
- 
-     def __initialize(self):
-         self.avc_msgs = []
-+        self.constraint_msgs = []
-+        self.dontaudit_msgs = []
-+        self.rbac_msgs = []
-         self.compute_sid_msgs = []
-         self.invalid_msgs = []
-         self.policy_load_msgs = []
-@@ -314,7 +378,7 @@
-             elif i == "security_compute_sid:":
-                 msg = ComputeSidMessage(line)
-                 found = True
--            elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
-+            elif i == "type=MAC_POLICY_LOAD":
-                 msg = PolicyLoadMessage(line)
-                 found = True
-             elif i == "type=AVC_PATH":
-@@ -442,16 +506,17 @@
-            audit logs parsed by this object.
-         """
-         av_set = access.AccessVectorSet()
-+
-         for avc in self.avc_msgs:
-             if avc.denial != True and only_denials:
-                 continue
+@@ -469,10 +509,10 @@
              if avc_filter:
                  if avc_filter.filter(avc):
                      av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@@ -194,15 +131,171 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
          return av_set
  
  class AVCTypeFilter:
-@@ -477,5 +542,3 @@
-         if self.regex.match(avc.tcontext.type):
-             return True
-         return False
--
--
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
---- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2010-01-08 09:33:54.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py
+--- nsasepolgen/src/sepolgen/defaults.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py	2010-06-16 08:22:43.000000000 -0400
+@@ -30,6 +30,9 @@
+ def interface_info():
+     return data_dir() + "/interface_info"
+ 
++def attribute_info():
++    return data_dir() + "/attribute_info"
++
+ def refpolicy_devel():
+     return "/usr/share/selinux/devel"
+ 
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py
+--- nsasepolgen/src/sepolgen/interfaces.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py	2010-06-16 08:22:43.000000000 -0400
+@@ -29,6 +29,8 @@
+ 
+ from sepolgeni18n import _
+ 
++import copy
++
+ class Param:
+     """
+     Object representing a paramater for an interface.
+@@ -197,10 +199,48 @@
+                 ret = 1
+ 
+     return ret
+-            
++
++class AttributeVector:
++    def __init__(self):
++        self.name = ""
++        self.access = access.AccessVectorSet()
++
++    def add_av(self, av):
++        self.access.add_av(av)
++
++class AttributeSet:
++    def __init__(self):
++        self.attributes = { }
++
++    def add_attr(self, attr):
++        self.attributes[attr.name] = attr
++
++    def from_file(self, fd):
++        def parse_attr(line):
++            fields = line[1:-1].split()
++            if len(fields) != 2 or fields[0] != "Attribute":
++                raise SyntaxError("Syntax error Attribute statement %s" % line)
++            a = AttributeVector()
++            a.name = fields[1]
++
++            return a
++
++        a = None
++        for line in fd:
++            line = line[:-1]
++            if line[0] == "[":
++                if a:
++                    self.add_attr(a)
++                a = parse_attr(line)
++            elif a:
++                l = line.split(",")
++                av = access.AccessVector(l)
++                a.add_av(av)
++        if a:
++            self.add_attr(a)
+ 
+ class InterfaceVector:
+-    def __init__(self, interface=None):
++    def __init__(self, interface=None, attributes={}):
+         # Enabled is a loose concept currently - we are essentially
+         # not enabling interfaces that we can't handle currently.
+         # See InterfaceVector.add_ifv for more information.
+@@ -214,10 +254,10 @@
+         # value: Param object).
+         self.params = { }
+         if interface:
+-            self.from_interface(interface)
++            self.from_interface(interface, attributes)
+         self.expanded = False
+ 
+-    def from_interface(self, interface):
++    def from_interface(self, interface, attributes={}):
+         self.name = interface.name
+ 
+         # Add allow rules
+@@ -232,6 +272,23 @@
+             for av in avs:
+                 self.add_av(av)
+ 
++        # Add typeattribute access
++        if attributes != None:
++            for typeattribute in interface.typeattributes():
++                for attr in typeattribute.attributes:
++                    if not attributes.attributes.has_key(attr):
++                        # print "missing attribute " + attr
++                        continue
++                    attr_vec = attributes.attributes[attr]
++                    for a in attr_vec.access:
++                        av = copy.copy(a)
++                        if av.src_type == attr_vec.name:
++                            av.src_type = typeattribute.type
++                        if av.tgt_type == attr_vec.name:
++                            av.tgt_type = typeattribute.type
++                        self.add_av(av)
++
++
+         # Extract paramaters from roles
+         for role in interface.roles():
+             if role_extract_params(role, self.params):
+@@ -346,13 +403,13 @@
+                 l = self.tgt_type_map.setdefault(type, [])
+                 l.append(ifv)
+ 
+-    def add(self, interface):
+-        ifv = InterfaceVector(interface)
++    def add(self, interface, attributes={}):
++        ifv = InterfaceVector(interface, attributes)
+         self.add_ifv(ifv)
+ 
+-    def add_headers(self, headers, output=None):
++    def add_headers(self, headers, output=None, attributes={}):
+         for i in itertools.chain(headers.interfaces(), headers.templates()):
+-            self.add(i)
++            self.add(i, attributes)
+ 
+         self.expand_ifcalls(headers)
+         self.index()
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py
+--- nsasepolgen/src/sepolgen/matching.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py	2010-06-16 08:22:43.000000000 -0400
+@@ -50,7 +50,7 @@
+                 return 1
+ 
+ class MatchList:
+-    DEFAULT_THRESHOLD = 120
++    DEFAULT_THRESHOLD = 150
+     def __init__(self):
+         # Match objects that pass the threshold
+         self.children = []
+@@ -63,14 +63,15 @@
+     def best(self):
+         if len(self.children):
+             return self.children[0]
+-        else:
+-            return None
++        if len(self.bastards):
++            return self.bastards[0]
++        return None
+ 
+     def __len__(self):
+         # Only return the length of the matches so
+         # that this can be used to test if there is
+         # a match.
+-        return len(self.children)
++        return len(self.children) + len(self.bastards)
+ 
+     def __iter__(self):
+         return iter(self.children)
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py	2010-06-21 10:10:01.000000000 -0400
 @@ -29,6 +29,8 @@
  import access
  import interfaces
@@ -212,121 +305,198 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
  
  # Constants for the level of explanation from the generation
  # routines
-@@ -74,7 +76,7 @@
-             self.moduel = module
-         else:
-             self.module = refpolicy.Module()
--
+@@ -77,6 +79,7 @@
+ 
+         self.dontaudit = False
+ 
 +        self.domains = None
      def set_gen_refpol(self, if_set=None, perm_maps=None):
          """Set whether reference policy interfaces are generated.
  
-@@ -141,15 +143,42 @@
-         """Return the generated module"""
-         return self.module
- 
--    def __add_allow_rules(self, avs):
-+    def __add_allow_rules(self, avs, dontaudit):
-         for av in avs:
--            rule = refpolicy.AVRule(av)
-+            rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+@@ -151,8 +154,41 @@
+             rule = refpolicy.AVRule(av)
+             if self.dontaudit:
+                 rule.rule_type = rule.DONTAUDIT
 +            rule.comment = ""
              if self.explain:
-                 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+-                rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++                rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
 +            if av.type == audit2why.ALLOW:
 +                rule.comment += "#!!!! This avc is allowed in the current policy\n" 
 +            if av.type == audit2why.DONTAUDIT:
 +                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
++
 +            if av.type == audit2why.BOOLEAN:
 +                if len(av.bools) > 1:
-+                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
++                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.bools))
 +                else:
 +                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
 +
 +            if av.type == audit2why.CONSTRAINT:
 +                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
++                rule.comment += "#Contraint rule: "
++
 +            if av.type == audit2why.TERULE:
 +                if "write" in av.perms:
 +                    if "dir" in av.obj_class or "open" in av.perms:
 +                        if not self.domains:
 +                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
 +                        types=[]
-+                        for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
-+                            if i not in self.domains:
-+                                types.append(i)
-+                        if len(types) == 1:
-+                            rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        elif len(types) >= 1:
-+                            rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                            
++                        
++                        try:
++                            for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
++                                if i not in self.domains:
++                                    types.append(i)
++                            if len(types) == 1:
++                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                            elif len(types) >= 1:
++                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                        except:
++                            pass
              self.module.children.append(rule)
  
  
--    def add_access(self, av_set):
-+    def add_access(self, av_set, dontaudit=False):
-         """Add the access from the access vector set to this
-         module.
-         """
-@@ -165,7 +194,7 @@
-             raw_allow = av_set
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py
+--- nsasepolgen/src/sepolgen/refparser.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py	2010-06-16 08:22:43.000000000 -0400
+@@ -1044,7 +1044,7 @@
+         # of misc_macros. We are just going to pretend that this is an interface
+         # to make the expansion work correctly.
+         can_exec = refpolicy.Interface("can_exec")
+-        av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
++        av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
+                                   "getattr","lock","execute","ioctl"])
  
-         # Generate the raw allow rules from the filtered list
--        self.__add_allow_rules(raw_allow)
-+        self.__add_allow_rules(raw_allow, dontaudit)
+         can_exec.children.append(refpolicy.AVRule(av))
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map
+--- nsasepolgen/src/share/perm_map	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map	2010-06-16 08:22:43.000000000 -0400
+@@ -124,7 +124,7 @@
+           quotamod     w           1
+           quotaget     r           1
  
-     def add_role_types(self, role_type_set):
-         for role_type in role_type_set:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:05:49.000000000 -0500
-@@ -973,7 +973,7 @@
- def list_headers(root):
-     modules = []
-     support_macros = None
--    blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
-+    blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]
+-class file 20
++class file 21
+   execute_no_trans     r           1
+         entrypoint     r           1
+            execmod     n           1
+@@ -141,48 +141,50 @@
+             unlink     w           1
+               link     w           1
+             rename     w           5
+-           execute     r           100
++           execute     r           10
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
-     for dirpath, dirnames, filenames in os.walk(root):
-         for name in filenames:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
---- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2010-01-08 09:33:37.000000000 -0500
-@@ -398,6 +398,7 @@
-         return "attribute %s;" % self.name
+-class dir 22
+-          add_name     w           5
++class dir 23
++          add_name     w           1
+        remove_name     w           1
+           reparent     w           1
+             search     r           1
+              rmdir     b           1
+              ioctl     n           1
+-              read     r          10
+-             write     w          10
++              read     r           1
++             write     w           1
+             create     w           1
+-           getattr     r           7
+-           setattr     w           7
++           getattr     r           1
++           setattr     w           1
+               lock     n           1
+-       relabelfrom     r           10
+-         relabelto     w           10
++       relabelfrom     r           1
++         relabelto     w           1
+             append     w           1
+             unlink     w           1
+               link     w           1
+-            rename     w           5
++            rename     w           1
+            execute     r           1
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
- # Classes representing rules
-+import selinux.audit2why as audit2why
+ class fd 1
+                use     b           1
  
- class AVRule(Leaf):
-     """SELinux access vector (AV) rule.
-@@ -420,21 +421,26 @@
-     AUDITALLOW = 2
-     NEVERALLOW = 3
+-class lnk_file 17
++class lnk_file 18
+              ioctl     n           1
+-              read     r          10
+-             write     w          10
++              read     r           1
++             write     w           1
+             create     w           1
+-           getattr     r           7
+-           setattr     w           7
++           getattr     r           1
++           setattr     w           1
+               lock     n           1
+-       relabelfrom     r           10
+-         relabelto     w           10
++       relabelfrom     r           1
++         relabelto     w           1
+             append     w           1
+             unlink     w           1
+               link     w           1
+@@ -191,8 +193,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
--    def __init__(self, av=None, parent=None):
-+    def __init__(self, av=None, parent=None, dontaudit=False):
-         Leaf.__init__(self, parent)
-         self.src_types = IdSet()
-         self.tgt_types = IdSet()
-         self.obj_classes = IdSet()
-         self.perms = IdSet()
--        self.rule_type = self.ALLOW
-+        if dontaudit:
-+            self.rule_type = audit2why.DONTAUDIT
-+        else:
-+            self.rule_type = audit2why.TERULE
-         if av:
-             self.from_av(av)
+-class chr_file 20
++class chr_file 21
+   execute_no_trans     r           1
+         entrypoint     r           1
+            execmod     n           1
+@@ -213,8 +216,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
-     def __rule_type_str(self):
--        if self.rule_type == self.ALLOW:
-+        if self.rule_type == audit2why.TERULE:
-             return "allow"
--        elif self.rule_type == self.DONTAUDIT:
-+        elif self.rule_type == audit2why.DONTAUDIT:
-             return "dontaudit"
-+        elif self.rule_type == audit2why.CONSTRAINT:
-+            return "#constraint allow"
-         else:
-             return "auditallow"
+-class blk_file 17
++class blk_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -232,8 +236,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
+-class sock_file 17
++class sock_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -251,8 +256,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
+ 
+-class fifo_file 17
++class fifo_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -270,6 +276,7 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
+ 
+ class socket 22
+              ioctl     n           1

policycoreutils.spec

@@ -1,14 +1,14 @@
 %define	libauditver	1.4.2-1
-%define	libsepolver	2.0.41-1
-%define	libsemanagever	2.0.43-3
-%define	libselinuxver	2.0.90-1
-%define	sepolgenver	1.0.19
+%define	libsepolver	2.0.41-3
+%define	libsemanagever	2.0.43-4
+%define	libselinuxver	2.0.90-3
+%define	sepolgenver	1.0.23
 
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.0.79
-Release: 1%{?dist}
-License: GPLv2+
+Version: 2.0.83
+Release: 33.9%{?dist}
+License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
 Source1: http://www.nsa.gov/selinux/archives/sepolgen-%{sepolgenver}.tgz
@@ -20,7 +20,6 @@ Source5: system-config-selinux.console
 Source6: selinux-polgengui.desktop
 Source7: selinux-polgengui.console
 Source8: policycoreutils_man_ru2.tar.bz2
-Source9: sandbox.init
 Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
 Patch3:	 policycoreutils-gui.patch
@@ -31,7 +30,7 @@ Obsoletes: policycoreutils < 2.0.61-2
 
 %global pkgpythondir  %{python_sitelib}/%{name}
 
-BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
+BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python-devel
 Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff rpm /bin/sed
@@ -65,7 +64,7 @@ context.
 %patch4 -p1 -b .sepolgen
 
 %build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all 
 make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
 
 %install
@@ -80,20 +79,24 @@ mkdir -p %{buildroot}%{_mandir}/man8
 mkdir -p %{buildroot}%{_sysconfdir}/pam.d
 mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
-install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
+%{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
+%{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
+%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}-%{version}/
+cp COPYING %{buildroot}/%{_usr}/share/doc/%{name}-%{version}/
 
 make LSPP_PRIV=y  DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
 make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
 
-install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux/
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/security/console.apps/selinux-polgengui
 tar -jxf %{SOURCE8} -C %{buildroot}/
 rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
-ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
+ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
 
 desktop-file-install	--vendor fedora \
 			--dir ${RPM_BUILD_ROOT}%{_datadir}/applications	\
@@ -109,12 +112,12 @@ desktop-file-install	--vendor fedora \
 Summary: SELinux policy core python utilities
 Group:	 System Environment/Base
 Requires: policycoreutils = %{version}-%{release} 
-Requires: libsemanage-python >= %{libsemanagever} libselinux-python
+Requires: libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
 Requires: audit-libs-python >=  %{libauditver} 
 Requires: /usr/bin/make
 Requires(pre): python >= 2.6
 Obsoletes: policycoreutils < 2.0.61-2
-Requires: setools-libs-python
+Requires: setools-libs-python >= 3.3.7-6
 
 %description python
 The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@@ -127,11 +130,11 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_bindir}/chcat
 %{_bindir}/sandbox
 %{_bindir}/sepolgen-ifgen
+%{_bindir}/sepolgen-ifgen-attr-helper
 %{python_sitelib}/seobject.py*
 %{python_sitelib}/sepolgen
-%{python_sitelib}/%{name}	
 %{python_sitelib}/%{name}*.egg-info
-%{pkgpythondir}/default_encoding_utf8.so
+%{pkgpythondir}
 %dir  /var/lib/sepolgen
 %dir  /var/lib/selinux
 /var/lib/sepolgen/perm_map
@@ -145,29 +148,31 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_mandir}/ru/man8/semanage.8*
 
 %post python
-[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 
+selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null 
 exit 0
 
 %package sandbox
 Summary: SELinux sandbox utilities
 Group:	 System Environment/Base
 Requires: policycoreutils-python = %{version}-%{release} 
-Requires: xorg-x11-server-Xephyr
+Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
 Requires: matchbox-window-manager
 Requires(post): /sbin/chkconfig
 BuildRequires: libcap-ng-devel
 
 %description sandbox
-The policycoreutils-python package contains the scripts to create graphical sandboxes
+The policycoreutils-sandbox package contains the scripts to create graphical sandboxes
 
 %files sandbox
 %defattr(-,root,root,-)
-%{_sysconfdir}/rc.d/init.d/sandbox
-%{_sbindir}/seunshare
 %{_datadir}/sandbox/sandboxX.sh
+%{_datadir}/sandbox/start
+%attr(4755,root,root) %{_sbindir}/seunshare
+%{_mandir}/man8/seunshare.8*
+%{_mandir}/man5/sandbox.conf.5*
 
 %triggerin python -- selinux-policy
-[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 
+selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
 exit 0
 
 %post sandbox
@@ -192,6 +197,7 @@ or level of a logged in user.
 %defattr(-,root,root)
 %attr(4755,root,root) %{_bindir}/newrole
 %{_mandir}/man1/newrole.1.gz
+%config(noreplace) %{_sysconfdir}/pam.d/newrole
 
 %package gui
 Summary: SELinux configuration GUI
@@ -214,17 +220,18 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_bindir}/sepolgen
 %{_datadir}/applications/fedora-system-config-selinux.desktop
 %{_datadir}/applications/fedora-selinux-polgengui.desktop
+%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
+%{_datadir}/pixmaps/system-config-selinux.png
 %dir %{_datadir}/system-config-selinux
 %dir %{_datadir}/system-config-selinux/templates
+%{_datadir}/system-config-selinux/system-config-selinux.png
 %{_datadir}/system-config-selinux/*.py*
 %{_datadir}/system-config-selinux/selinux.tbl
-%{_datadir}/system-config-selinux/*png
 %{_datadir}/system-config-selinux/*.glade
 %{_datadir}/system-config-selinux/templates/*.py*
 %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
 %config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
-%config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
 
 %clean
 rm -rf %{buildroot}
@@ -248,7 +255,8 @@ rm -rf %{buildroot}
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
-%config(noreplace) %{_sysconfdir}/pam.d/newrole
+%{_sysconfdir}/rc.d/init.d/sandbox
+%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
 %config(noreplace) %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %attr(755,root,root) /etc/rc.d/init.d/restorecond
@@ -287,6 +295,8 @@ rm -rf %{buildroot}
 %{_mandir}/ru/man8/setsebool.8*
 %{_mandir}/man1/secon.1*
 %{_mandir}/ru/man1/secon.1*
+%{_mandir}/man8/genhomedircon.8*
+%doc %{_usr}/share/doc/%{name}-%{version}
 
 %preun
 if [ $1 -eq 0 ]; then
@@ -306,7 +316,314 @@ fi
 exit 0
 
 %changelog
-* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.9
+- Fix policycoreutils-sandbox description
+
+* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.8
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.7
+- More fixes for seunshare
+
+* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.5
+- Fix rsync command to work if the directory is old.
+- Fix all tests
+
+* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.4
+- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
+
+* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.4
+- Fix seunshare man page to go back to original, allowing -t tmpfile
+
+* Tue Mar 15 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.3
+- Change sepolgen-ifgen to search all available policy files
+- Fix portspage in system-config-selinux to not crash
+- fix to sandbox 
+  - Fix seunshare to use more secure handling of /tmp
+    - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
+   - Change to allow sandbox to run on nfs homedirs, add start python script
+   - change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+   - Move seunshare to sandbox package
+   - Fix sandbox to show correct types in  usage statement
+
+- Fixes for sepologen 
+  - Usage statement needs -n name
+  - Names with _ are being prevented
+  - dbus apps should get _chat interface
+  - Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
+  - Add sandbox to sepolgen
+  - Polgengui raises the wrong type of exception.  #471078
+- Cleanup chcat man page
+- Update translations
+- restorecond fixes
+  - Have restorecond watch more directories in homedir
+  - Fix restorecond watching utmp file for people logging in our out
+  - Exit in restorecond if it can not find a UID in the passwd database
+
+- Stop fixfiles from complaining about missing dirs
+
+- Semanage fixes
+  - Fix up node handling in semanage command
+  - Fix proper handling of getopt errors
+  - Do not allow modules names to contain spaces
+  - Change semanage to not allow it to semanage module -D
+
+- Change setsebool to suggest run as root on failure
+- Don't report error on load_policy when system is disabled.
+
+* Fri Feb 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.2
+- Only allow names in polgengui that contain letters and numbers
+- Update translations
+
+* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.1
+- Fix setools require line
+
+* Fri Oct 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-33
+- Move /etc/pam.d/newrole in to polcicycoreutils-newrole
+- Additiona capability  checking in sepolgen
+
+* Mon Oct 18 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-31
+- Fix sandbox handling of files with spaces in them
+
+* Mon Sep 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-30
+- Catch TypeError exception on sandbox processing -I files
+
+* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-29
+- Fix semanage man page
+
+* Mon Sep 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-28
+- Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.
+
+* Mon Sep 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-27
+- Fix sandbox copyfile when copying a dir with a socket, print error
+
+* Fri Sep 10 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-26
+- Stop polgengui from crashing if selinux policy is not installed
+
+* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-25
+- Fix bug preventing sandbox from using -l 
+
+* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-24
+- Eliminate quotes fro desktop files
+
+* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-23
+- Add -w windowsize patch from Christoph A.
+
+* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-22
+- Update po
+
+* Wed Aug 25 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-21
+- Update po
+
+* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and  MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
+* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-19
+- Fix translation handling in file context page of system-config-selinux
+
+* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-18
+- Fix sandbox error handling
+
+* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-17
+- Apply patch to restorecond from Chris Adams, which will cause restorecond 
+- to watch first user that logs in.
+
+* Thu Aug 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-16
+- Add COPYING file to doc dir
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-15
+- Update po and translations
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-14
+- More fixes for polgen tools
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-13
+- Remove requirement to run selinux-polgen as root
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-12
+- Update po and translations
+- Fix gui policy generation tools
+
+* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-11
+- Update po and translations
+
+* Sat Jul 31 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.83-10
+- rebuild against python 2.7
+
+* Wed Jul 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-9
+- Update selinux-polgengui to sepolgen policy generation
+
+* Wed Jul 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-8
+- Fix invalid free in seunshare and fix man page
+
+* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-7
+- Update translations
+
+* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-6
+- Fix sandbox man page
+
+* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.83-5
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-4
+- Add translations for menus
+- Fixup man page from Russell Coker
+
+* Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-3
+- Change python scripts to use -s flag
+- Update po
+
+* Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-1
+- Update to upstream
+	* Add sandbox support from Dan Walsh with modifications from Steve Lawrence.
+
+* Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-30
+- Add cgroup support for sandbox 
+
+* Mon Jun 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-29
+- Allow creation of /var/cache/DOMAIN from sepolgen
+
+* Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-28
+- Fix sandbox init script 
+- Add dbus-launch to sandbox -X
+Resolve: #599599
+
+* Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-27
+- Move genhomedircon.8 to same package as genhomedircon
+- Fix sandbox to pass unit test
+
+* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-26
+- Fix listing of booleans from audit2allow
+
+* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-25
+- Fix audit2allow to output if the current policy has avc
+- Update translations
+- Fix icon
+
+* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
+- Man page fixes
+- sandbox fixes
+- Move seunshare to base package
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-23
+- Fix seunshare translations
+- Fix seunshare to work on all arches
+- Fix icon for system-config-selinux
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-22
+- Fix can_exec definition in sepolgen
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-21
+- Add man page for seunshare and genhomedircon
+- Fix node management via semanage
+
+* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-20
+- Fixes from upstream for sandbox command
+
+* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-18
+- Fix sandbox error handling on copyfile
+- Fix desktop files
+
+* Tue May 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-17
+- Fix policy tool to have correct name in menus
+- Fix seunshare to handle /tmp being in ~/home
+- Fix saving of altered files
+- Update translations
+
+* Tue May 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-15
+- Allow audit2allow to specify alternative policy file for analysis
+
+* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-14
+- Update po
+- Fix sepolgen --no_attrs
+
+* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-13
+- Make semanage boolean work on disabled machines and during livecd xguest
+- Fix homedir and tmpdir handling in sandbox
+
+* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-11
+- Make semanage boolean work on disabled machines 
+
+* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-10
+- Make sepolgen-ifgen be quiet
+
+* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-8
+- Make sepolgen report on more interfaces 
+- Fix system-config-selinux display of modules
+
+* Thu Apr 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-7
+- Fix crash when args are empty
+- Fix semange to exit on bad options
+- Fix semanage dontaudit man page section
+
+* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-6
+- Remove debug line from semanage
+- Update po
+
+* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-5
+- Fix sandbox comment on HOMEDIRS
+- Fix sandbox to throw error on bad executable
+
+* Tue Apr 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-4
+- Fix spacing in templates 
+
+* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-3
+- Fix semanage return codes
+
+* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-2
+- Fix sepolgen to confirm to the "Reference Policy Style Guide" 
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-1
+- Update to upstream 
+	* Add avc's since boot from Dan Walsh.
+	* Fix unit tests from Dan Walsh.
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-4
+- Update to upstream - sepolgen
+	* Add since-last-boot option to audit2allow from Dan Walsh.
+	* Fix sepolgen output to match what Chris expects for upstream
+	  refpolicy from Dan Walsh.
+
+* Mon Mar 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-3
+- Allow restorecon on > 2 Gig files
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-2
+- Fix semanage handling of boolean options
+- Update translations
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-1
+- Update to upstream
+	* Add dontaudit flag to audit2allow from Dan Walsh.
+
+* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-2
+- Use --rbind in sandbox init scripts
+
+* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-1
+- Update to upstream
+	* Module enable/disable support from Dan Walsh.
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-5
+- Rewrite of sandbox script, add unit test for sandbox 
+- Update translations
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-4
+- Fix patch for dontaudit rules from audit2allow for upstream acceptance
+
+* Fri Feb 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-3
+- Fixes for fixfiles
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
+- Fix sandbox to complain if mount-shared has not been run
+- Fix to use /etc/sysconfig/sandbox
+
+* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
 - Update to upstream
 	* Fix double-free in newrole
 - Fix python language handling
@@ -325,7 +642,6 @@ exit 0
 
 * Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-16
 - Cleanup spec file
-Resolves: 555835
 
 * Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-15
 - Add use_resolve to sepolgen
@@ -1453,18 +1769,15 @@ Resolves: 555835
 
 * Tue Jan 16 2007 Dan Walsh <dwalsh@redhat.com> 1.33.12-3
 - Fix handling of audit messages for useradd change
-Resolves: #222159
 
 * Fri Jan 12 2007 Dan Walsh <dwalsh@redhat.com> 1.33.12-2
 - Update man pages by adding SELinux to header to fix apropos database
-Resolves: #217881
 
 * Tue Jan 9 2007 Dan Walsh <dwalsh@redhat.com> 1.33.12-1
 - Want to update to match api
 - Update to upstream
 	* Merged newrole securetty check from Dan Walsh.
 	* Merged semodule patch to generalize list support from Karl MacMillan.
-Resolves: #200110
 
 * Tue Jan 9 2007 Dan Walsh <dwalsh@redhat.com> 1.33.11-1
 - Update to upstream
@@ -1479,7 +1792,6 @@ Resolves: #200110
 
 * Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> 1.33.8-2
 - Stop newrole -l from working on non secure ttys
-Resolves: #200110
 
 * Thu Jan 4 2007 Dan Walsh <dwalsh@redhat.com> 1.33.8-1
 - Update to upstream
@@ -1495,35 +1807,29 @@ Resolves: #200110
 * Tue Jan 2 2007 Dan Walsh <dwalsh@redhat.com> 1.33.6-9
 - Fix fixfiles script to use tty command correctly.  If this command fails, it 
 should set the LOGFILE to /dev/null
-Resolves: #220879
 
 * Wed Dec 20 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-8
 - Remove hard coding of python2.4 from Makefiles
 
 * Tue Dec 19 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-7
 - add exists switch to semanage to tell it not to check for existance of Linux user
-Resolves: #219421
 
 * Mon Dec 18 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-6
 - Fix audit2allow generating reference policy
 - Fix semanage to manage user roles properly 
-Resolves: #220071
 
 * Fri Dec 8 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-5
 - Update po files
 - Fix newrole to open stdout and stderr rdrw so more will work on MLS machines
-Resolves: #216920
 
 * Thu Dec  7 2006 Jeremy Katz <katzj@redhat.com> - 1.33.6-4
 - rebuild for python 2.5
 
 * Wed Dec 6 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-3
 - Update po files
-Resolves: #216920
 
 * Fri Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-2
 - Update po files
-Resolves: #216920
 
 * Wed Nov 29 2006 Dan Walsh <dwalsh@redhat.com> 1.33.6-1
 - Update to upstream
@@ -1535,20 +1841,16 @@ Resolves: #216920
 	
 * Wed Nov 29 2006 Dan Walsh <dwalsh@redhat.com> 1.33.5-4
 - Fixing the Makefile line again to build with LSPP support
-Resolves: #208838
 
 * Wed Nov 29 2006 Dan Walsh <dwalsh@redhat.com> 1.33.5-3
 - Don't report errors on restorecond when file system does not support XATTRS
-Resolves: #217694
 
 * Tue Nov 28 2006 Dan Walsh <dwalsh@redhat.com> 1.33.5-2
 - Fix -q qualifier on load_policy
-Resolves: #214827
 
 * Tue Nov 28 2006 Dan Walsh <dwalsh@redhat.com> 1.33.5-1
 - Merge to upstream
 - Fix makefile line
-Resolves: #208838
 
 * Fri Nov 24 2006 Dan Walsh <dwalsh@redhat.com> 1.33.4-2
 - Additional po changes

sandbox.init

@@ -1,60 +0,0 @@
-#!/bin/bash
-## BEGIN INIT INFO
-# Provides: sandbox
-# Default-Start: 5
-# Default-Stop: 0 1 2 3 4 6
-# Required-Start:
-#              
-## END INIT INFO
-# sandbox:        Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
-#
-# chkconfig: 5 1 99
-#
-# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and 
-#              /home/sandbox accounts.  This script will setup the / mount 
-#              point as shared and all of the subdirectories just these 
-#              directories as unshared.
-#
-
-# Source function library.
-. /etc/init.d/functions
-
-LOCKFILE=/var/lock/subsys/sandbox
-
-base=${0##*/}
-
-case "$1" in
-    start)
-	[ -f "$LOCKFILE" ] && exit 0
-
-	touch $LOCKFILE
-	mount --make-rshared /
-	mount --bind /tmp /tmp
-	mount --bind /var/tmp /var/tmp
-	mount --bind /home /home
-	mount --make-private /home
-	mount --make-private /tmp
-	mount --make-private /var/tmp
-	RETVAL=$?
-	exit $RETVAL
-	;;
-
-    status)
-	if [ -f "$LOCKFILE" ]; then 
-	    echo "$base is running"
-	else
-	    echo "$base is stopped"
-	fi
-	exit 0
-	;;
-
-    stop)
-	rm -f $LOCKFILE
-	exit 0
-	;;
-
-    *)
-	echo $"Usage: $0 {start|stop}"
-	exit 3
-	;;
-esac

selinux-polgengui.desktop

@@ -1,9 +1,64 @@
 [Desktop Entry]
 Name=SELinux Policy Generation Tool
-GenericName=SELinux
+Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
+Name[ca]=Eina de generació de polítiques del SELinux
+Name[da]=Regelsætgenereringsværktøj til SELinux
+Name[de]=Tool zur Erstellung von SELinux-Richtlinien
+Name[es]=Generador de Políticas de SELinux
+Name[fi]=SELinux-käytäntöjen generointityökalu
+Name[fr]=Outil de génération de stratégies SELinux
+Name[gu]=SELinux પોલિસી બનાવટ સાધન
+Name[hi]=SELinux पॉलिसी जनन औजार
+Name[it]=Tool di generazione della policy di SELinux
+Name[ja]=SELinux ポリシー生成ツール
+Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ
+Name[ko]=SELinux 정책 생성 도구
+Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം
+Name[mr]=SELinux करार निर्माण साधन
+Name[nl]=SELinux tactiek generatie gereedschap
+Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ
+Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ
+Name[pl]=Narzędzie tworzenia polityki SELinuksa
+Name[pt]=Ferramenta de Geração de Políticas SELinux
+Name[pt_BR]=Ferramenta de criação de políticas do SELinux
+Name[ru]=Средство создания политики SELinux
+Name[sv]=Genereringsverktyg för SELinuxpolicy
+Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Утиліта генерації правил SELinux
+Name[zh_CN]=SELinux 策略生成工具
+Name[zh_TW]=SELinux 政策產生工具（SELinux Policy Generation Tool）
 Comment=Generate SELinux policy modules
+Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
+Comment[ca]=Genera els mòduls de les polítiques de SELinux
+Comment[da]=Generér SELinux-regelsætmodul
+Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
+Comment[es]=Generar módulos de política de SELinux
+Comment[fi]=Generoi SELinuxin käytäntömoduuleja
+Comment[fr]=Génére des modules de stratégie SELinux
+Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો
+Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें
+Comment[it]=Genera moduli della politica di SELinux
+Comment[ja]=新しいポリシーモジュールの作成
+Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು
+Comment[ko]=SELinux 정책 모듈 생성
+Comment[ml]=SELinux യ പോളിസി ഘങ്ങള്‍ തയ്യാറാക്കുക
+Comment[mr]=SELinux करार घटके निर्माण करा
+Comment[nl]=Maak een SELinux tactiek module aan
+Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ
+Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ
+Comment[pl]=Tworzenie nowych modułów polityki SELinuksa
+Comment[pt]=Gerar módulos de políticas SELinux
+Comment[pt_BR]=Gerar módulos de política do SELinux
+Comment[ru]=Генерация модулей политики SELinux
+Comment[sv]=Generera SELinux-policymoduler
+Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும்
+Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము
+Comment[uk]=Створення модулів контролю доступу SELinux
+Comment[zh_CN]=生成 SELinux 策略模块
+Comment[zh_TW]=產生 SELinux 政策模組
 StartupNotify=true
-Icon=/usr/share/system-config-selinux/system-config-selinux.png
+Icon=system-config-selinux
 Exec=/usr/bin/selinux-polgengui
 Type=Application
 Terminal=false

sources

@@ -1,3 +1,3 @@
-2ae1a9f7242e33413aae036d2edeb1d8  sepolgen-1.0.19.tgz
-e09466b2b02ca5672ce3b43e02c5498f  policycoreutils-2.0.79.tgz
+49faa2e5f343317bcfcf34d7286f6037  sepolgen-1.0.23.tgz
+85a84b4521dfdde649d0143e15f724f9  policycoreutils-2.0.83.tgz
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2

system-config-selinux.desktop

@@ -1,9 +1,64 @@
 [Desktop Entry]
 Name=SELinux Management
-GenericName=SELinux
+Name[bn_IN]=SELinux পরিচালনা
+Name[da]=Håndtering af SELinux
+Name[de]=SELinux-Management
+Name[ca]=Gestió de SELinux
+Name[es]=Administración de SELinux
+Name[fi]=SELinuxin ylläpito
+Name[fr]=Gestion de SELinux
+Name[gu]=SELinux સંચાલન
+Name[hi]=SELinux प्रबंधन
+Name[jp]=SELinux 管理
+Name[it]=Gestione di SELinux
+Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ
+Name[ko]=SELinux 관리
+Name[ml]=SELinux മാനേജ്മെന്റ്
+Name[mr]=SELinux मॅनेजमेंट
+Name[nl]=SELinux beheer
+Name[or]=SELinux ପରିଚାଳନା
+Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ
+Name[pl]=Zarządzanie SELinuksem
+Name[pt_BR]=Gerenciamento do SELinux
+Name[pt]=Gestão de SELinux
+Name[ru]=Управление SELinux
+Name[sv]=SELinux-hantering
+Name[ta]=SELinux மேலாண்மை
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Керування SELinux
+Name[zh_CN]=SELinux 管理
+Name[zh_TW]=SELinux 管理
 Comment=Configure SELinux in a graphical setting
+Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
+Comment[ca]=Configura SELinuc an mode de preferències gràfiques
+Comment[da]=Konfigurér SELinux i et grafisk miljø
+Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
+Comment[es]=Defina SELinux en una configuración de interfaz gráfica
+Comment[fi]=Tee SELinuxin asetukset graafisesti
+Comment[fr]=Configure SELinux dans un environnement graphique
+Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો
+Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें
+Comment[it]=Configura SELinux in una impostazione grafica
+Comment[jp]=グラフィカルな設定画面で SELinux を設定する
+Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정
+Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ
+Comment[ml]=ഒരു ഗ്രാഫിക്കല്‍ സജ്ജീകരണത്തില്‍ SELinux ക്രമീകരിയ്ക്കുക
+Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा
+Comment[nl]=Configureer SELinux in een grafische omgeving
+Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ
+Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ
+Comment[pl]=Konfiguracja SELinuksa w trybie graficznym
+Comment[pt]=Configurar o SELinux num ambiente gráfico
+Comment[pt_BR]=Configure o SELinux em uma configuração gráfica
+Comment[ru]=Настройка SELinux в графическом режиме
+Comment[sv]=Konfigurera SELinux i en grafisk miljö
+Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும்
+Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము
+Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом
+Comment[zh_CN]=在图形设置中配置 SELinux
+Comment[zh_TW]=在圖形話設定中配置 SELinux
 StartupNotify=true
-Icon=/usr/share/system-config-selinux/system-config-selinux.png
+Icon=system-config-selinux
 Exec=/usr/bin/system-config-selinux
 Type=Application
 Terminal=false