Backport sandbox fixes from F16

Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
Add -k qualifier to seunshare to have it attempt to kill all processes with
the matching MCS label.
Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
Change --cgroups short name -c rather then -C for consistancy
Fix memory and fd leaks in seunshare

.gitignore

@@ -221,3 +221,5 @@ sepolgen-1.0.22.tgz
 policycoreutils-2.0.82.tgz
 sepolgen-1.0.23.tgz
 policycoreutils-2.0.83.tgz
+/policycoreutils-2.0.84.tgz
+/policycoreutils-2.0.85.tgz

policycoreutils-2.0.83-disable.patch

@@ -0,0 +1,25 @@
+diff -up policycoreutils-2.0.83/load_policy/load_policy.c.init policycoreutils-2.0.83/load_policy/load_policy.c
+--- policycoreutils-2.0.83/load_policy/load_policy.c.init	2010-11-08 13:46:37.000000000 -0500
++++ policycoreutils-2.0.83/load_policy/load_policy.c	2010-11-22 13:43:58.000000000 -0500
+@@ -74,6 +74,7 @@ int main(int argc, char **argv)
+ 			"%s:  Warning!  Boolean file argument (%s) is no longer supported, installed booleans file is always used.  Continuing...\n",
+ 			argv[0], argv[optind++]);
+ 	}
++	errno = 0;
+ 	if (init) {
+ 		if (is_selinux_enabled() == 1) {
+ 			/* SELinux is already enabled, we should not do an initial load again */
+@@ -98,7 +99,12 @@ int main(int argc, char **argv)
+ 	else {
+ 		ret = selinux_mkload_policy(1);
+ 	}
+-	if (ret < 0) {
++
++	/* selinux_init_load_policy returns -1 if it did not load_policy
++         * On SELinux disabled system it will always return -1
++         * So check errno to see if anything went wrong
++         */
++	if (ret < 0 && errno != 0) {
+ 		char *path=policy_path();
+ 		fprintf(stderr, _("%s:  Can't load policy file %s:  %s\n"),
+ 			argv[0], path, strerror(errno));

policycoreutils-sandbox.patch

@@ -0,0 +1,390 @@
+diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
+--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox	2011-06-13 13:47:06.552590955 -0400
++++ policycoreutils-2.0.86/restorecond/restorecond_user.conf	2011-06-13 13:47:27.757820459 -0400
+@@ -4,4 +4,4 @@
+ ~/local/*
+ ~/.fonts/*
+ ~/.cache/*
+-
++~/.config/*
+diff -up policycoreutils-2.0.86/sandbox/sandbox.8.sandbox policycoreutils-2.0.86/sandbox/sandbox.8
+--- policycoreutils-2.0.86/sandbox/sandbox.8.sandbox	2011-07-07 14:42:18.298415909 -0400
++++ policycoreutils-2.0.86/sandbox/sandbox.8	2011-07-07 14:42:30.567508958 -0400
+@@ -3,11 +3,11 @@
+ sandbox \- Run cmd under an SELinux sandbox
+ .SH SYNOPSIS
+ .B sandbox
+-[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
++[-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+ 
+ .br
+ .B sandbox
+-[-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
++[-C] [-c] [-l level ] [[-M | -X]  -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+ .br
+ .SH DESCRIPTION
+ .PP
+@@ -60,8 +60,11 @@ Default to /usr/bin/matchbox-window-mana
+ Create an X based Sandbox for gui apps, temporary files for
+ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+ .TP
+-\fB\-C\fR
++\fB\-c\fR
+ Use control groups to control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
++.TP
++\fB\-C\fR
++Use capabilities within the sandbox.  By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
+ .PP
+ .SH "SEE ALSO"
+ .TP
+diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
+--- policycoreutils-2.0.86/sandbox/sandbox.sandbox	2011-06-13 13:44:44.678086035 -0400
++++ policycoreutils-2.0.86/sandbox/sandbox	2011-07-07 14:42:50.587660702 -0400
+@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
+ 
+               except shutil.Error, elist:
+                      for e in elist.message:
+-                            # ignore files that are missing 
+-                            if not e[2].startswith("[Errno 2]"):
+-                                   sys.stderr.write(e[2])
++                            sys.stderr.write(e[2])
+                      
+               SAVE_FILES[file] = (dest, os.path.getmtime(dest))
+ 
+@@ -311,17 +309,21 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+         parser.add_option("-l", "--level", dest="level", 
+                           help=_("MCS/MLS level for the sandbox"))
+ 
+-        parser.add_option("-C", "--cgroups",
++        parser.add_option("-c", "--cgroups",
+                          action="store_true", dest="usecgroup", default=False,
+                          help="Use cgroups to limit this sandbox.")
+ 
++        parser.add_option("-C", "--capabilities",
++                         action="store_true", dest="usecaps", default=False,
++                         help="Allow apps requiring capabilities to run within the sandbox.")
++
+         self.__parser=parser
+ 
+         self.__options, cmds = parser.parse_args()
+ 
+         if self.__options.X_ind:
+                self.setype = DEFAULT_X_TYPE
+-
++               self.dpi=commands.getoutput("xrdb -query | grep dpi  | /bin/cut -f 2")
+         if self.__options.setype:
+                self.setype = self.__options.setype
+ 
+@@ -392,8 +394,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+     def __execute(self):
+            try:
+                   cmds = [ SEUNSHARE,  "-Z", self.__execcon ]
+-                  if self.__options.usecgroup == True:
++                  if self.__options.usecgroup:
+                          cmds.append('-c')
++                  if self.__options.usecaps:
++                         cmds.append('-C')
++                  if not self.__options.level:
++                         cmds.append('-k')
+                   if self.__mount:
+                          cmds +=  [ "-t", self.__tmpdir, "-h", self.__homedir ]
+ 
+@@ -405,7 +411,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
+ 
+                                 self.__setup_sandboxrc(self.__options.wm)
+ 
+-                                cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
++                                cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
+                          else:
+                                 cmds += [ "--" ] + self.__paths
+                          return subprocess.Popen(cmds).wait()
+diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
+--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox	2011-06-13 13:44:44.684086096 -0400
++++ policycoreutils-2.0.86/sandbox/sandboxX.sh	2011-07-07 14:41:50.536205201 -0400
+@@ -1,10 +1,12 @@
+ #!/bin/bash 
+-context=`id -Z | secon -t `
+-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
+-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
++trap "" TERM
++context=`id -Z | secon -t -l -P`
++export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
++[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1" 
++[ -z $2 ] && export DPI="96" || export DPI="$2" 
+ trap "exit 0" HUP
+ 
+-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do 
++(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do 
+     export DISPLAY=:$D
+     cat > ~/seremote << __EOF
+ #!/bin/sh
+@@ -13,7 +15,7 @@ __EOF
+     chmod +x ~/seremote
+     /usr/share/sandbox/start $HOME/.sandboxrc
+     export EXITCODE=$?
+-    kill -HUP 0
++    kill -TERM 0
+     break
+ done
+ exit 0
+diff -up policycoreutils-2.0.86/sandbox/seunshare.8.sandbox policycoreutils-2.0.86/sandbox/seunshare.8
+--- policycoreutils-2.0.86/sandbox/seunshare.8.sandbox	2011-07-07 14:41:16.065943281 -0400
++++ policycoreutils-2.0.86/sandbox/seunshare.8	2011-07-07 14:41:26.300021079 -0400
+@@ -3,7 +3,7 @@
+ seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
+ .SH SYNOPSIS
+ .B seunshare
+-[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
++[-v] [-c] [-C] [-k] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+ .br
+ .SH DESCRIPTION
+ .PP
+@@ -18,9 +18,15 @@ Alternate homedir to be used by the appl
+ \fB\-t\ tmpdir
+ Use alternate tempory directory to mount on /tmp.  tmpdir must be owned by the user.
+ .TP
+-\fB\-c cgroups\fR
++\fB\-c --cgroups\fR
+ Use cgroups to control this copy of seunshare.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
+ .TP
++\fB\-C --capabilities\fR
++Allow apps executed within the namespace to use capabilities.  Default is no capabilities.
++.TP
++\fB\-k --kill\fR
++Kill all processes with matching MCS level.
++.TP
+ \fB\-Z\ context
+ Use alternate SELinux context while runing the executable.
+ .TP
+diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
+--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox	2011-06-13 13:44:44.687086129 -0400
++++ policycoreutils-2.0.86/sandbox/seunshare.c	2011-07-07 14:41:08.038882237 -0400
+@@ -29,6 +29,7 @@
+ 
+ #include <selinux/selinux.h>
+ #include <selinux/context.h>	/* for context-mangling functions */
++#include <dirent.h>
+ 
+ #ifdef USE_NLS
+ #include <locale.h>		/* for setlocale() */
+@@ -53,20 +54,22 @@
+ #define BUF_SIZE 1024
+ #define DEFAULT_PATH "/usr/bin:/bin"
+ 
+-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]")
++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]")
+ 
+ static int verbose = 0;
++static int child = 0;
+ 
++static capng_select_t cap_set = CAPNG_SELECT_BOTH;
+ 
+ /**
+  * This function will drop all capabilities.
+  */
+ static int drop_caps()
+ {
+-	if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
++	if (capng_have_capabilities(cap_set) == CAPNG_NONE)
+ 		return 0;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-	if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
++	capng_clear(cap_set);
++	if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
+ 		fprintf(stderr, _("Failed to drop all capabilities\n"));
+ 		return -1;
+ 	}
+@@ -86,6 +89,13 @@ static int drop_privs(uid_t uid)
+ }
+ 
+ /**
++ * If the user sends a siginto to seunshare, kill the child's session
++ */
++void handler(int sig) {
++	if (child > 0) kill(-child,sig);
++}
++
++/**
+  * Take care of any signal setup.
+  */
+ static int set_signal_handles(void)
+@@ -101,7 +111,12 @@ static int set_signal_handles(void)
+ 	(void)sigprocmask(SIG_SETMASK, &empty, NULL);
+ 
+ 	/* Terminate on SIGHUP */
+-	if (signal(SIGHUP, SIG_IGN) == SIG_ERR) {
++	if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
++		perror("Unable to set SIGHUP handler");
++		return -1;
++	}
++
++	if (signal(SIGINT, handler) == SIG_ERR) {
+ 		perror("Unable to set SIGHUP handler");
+ 		return -1;
+ 	}
+@@ -334,6 +349,7 @@ static int setup_cgroups()
+ 	char buf[BUF_SIZE];
+ 	char *tok = NULL;
+ 	int rc = -1;
++	char *str = NULL;
+ 	const char* fname = "/etc/sysconfig/sandbox";	
+ 	
+ 	if ((fp = fopen(fname, "rt")) == NULL) {
+@@ -346,7 +362,8 @@ static int setup_cgroups()
+ 		
+ 		/* Copy the string, ignoring whitespace */
+ 		int len = strlen(buf);
+-		char *str = malloc((len + 1) * sizeof(char));
++		free(str);
++		str = malloc((len + 1) * sizeof(char));
+ 		
+ 		int ind = 0;	
+ 		int i;
+@@ -487,6 +504,8 @@ static int setup_cgroups()
+ 
+ 	rc = 0;
+ err:
++	fclose(fp);
++	free(str);
+ 	free(mem);
+ 	free(cgroupname);
+ 	free(cpus);
+@@ -734,12 +753,75 @@ good:
+ 	return tmpdir;
+ }
+ 
++#define PROC_BASE "/proc"
++
++static int
++killall (security_context_t execcon)
++{
++	DIR *dir;
++	security_context_t scon;
++	struct dirent *de;
++	pid_t *pid_table, pid, self;
++	int i;
++	int pids, max_pids;
++	int running = 0;
++	self = getpid();
++	if (!(dir = opendir(PROC_BASE))) {
++		return -1;
++	}
++	max_pids = 256;
++	pid_table = malloc(max_pids * sizeof (pid_t));
++	if (!pid_table) {
++		return -1;
++	}
++	pids = 0;
++	context_t con;
++	con = context_new(execcon);
++	const char *mcs = context_range_get(con);
++	printf("mcs=%s\n", mcs);
++	while ((de = readdir (dir)) != NULL) {
++		if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
++			continue;
++
++		if (pids == max_pids) {
++			if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
++				return -1;
++			}
++			max_pids *= 2;
++		}
++		pid_table[pids++] = pid;
++	}
++
++	(void)closedir(dir);
++
++	for (i = 0; i < pids; i++) {
++		pid_t id = pid_table[i];
++
++		if (getpidcon(id, &scon) == 0) {
++			
++			context_t pidcon = context_new(scon);
++			/* Attempt to kill remaining processes */
++			if (strcmp(context_range_get(pidcon), mcs) == 0)
++				kill(id, SIGKILL);
++
++			context_free(pidcon);
++			freecon(scon);
++		}
++		running++;
++	}
++
++	context_free(con);
++	free(pid_table);
++	return running;
++}
++
+ int main(int argc, char **argv) {
+ 	int status = -1;
+ 	security_context_t execcon = NULL;
+ 
+ 	int clflag;		/* holds codes for command line flags */
+ 	int usecgroups = 0;
++	int kill_all = 0;
+ 
+ 	char *homedir_s = NULL;	/* homedir spec'd by user in argv[] */
+ 	char *tmpdir_s = NULL;	/* tmpdir spec'd by user in argv[] */
+@@ -752,9 +834,11 @@ int main(int argc, char **argv) {
+ 	const struct option long_options[] = {
+ 		{"homedir", 1, 0, 'h'},
+ 		{"tmpdir", 1, 0, 't'},
++		{"kill", 1, 0, 'k'},
+ 		{"verbose", 1, 0, 'v'},
+ 		{"cgroups", 1, 0, 'c'},
+ 		{"context", 1, 0, 'Z'},
++		{"capabilities", 1, 0, 'C'},
+ 		{NULL, 0, 0, 0}
+ 	};
+ 
+@@ -783,7 +867,7 @@ int main(int argc, char **argv) {
+ 	}
+ 
+ 	while (1) {
+-		clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL);
++		clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
+ 		if (clflag == -1)
+ 			break;
+ 
+@@ -791,6 +875,9 @@ int main(int argc, char **argv) {
+ 		case 't':
+ 			tmpdir_s = optarg;
+ 			break;
++		case 'k':
++			kill_all = 1;
++			break;
+ 		case 'h':
+ 			homedir_s = optarg;
+ 			break;
+@@ -800,6 +887,9 @@ int main(int argc, char **argv) {
+ 		case 'c':
+ 			usecgroups = 1;
+ 			break;
++		case 'C':
++			cap_set = CAPNG_SELECT_CAPS;
++			break;
+ 		case 'Z':
+ 			execcon = optarg;
+ 			break;
+@@ -851,7 +941,7 @@ int main(int argc, char **argv) {
+ 	}
+ 
+ 	/* spawn child process */
+-	int child = fork();
++	child = fork();
+ 	if (child == -1) {
+ 		perror(_("Unable to fork"));
+ 		goto err;
+@@ -926,6 +1016,12 @@ childerr:
+ 	waitpid(child, &status, 0);
+ 	status_to_retval(status, status);
+ 
++	/* Make sure all child processes exit */
++	kill(-child,SIGTERM);
++
++	if (execcon && kill_all)
++		killall(execcon);
++
+ 	if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
+ 
+ err:

policycoreutils.spec

@@ -6,12 +6,13 @@
 
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.0.83
-Release: 7%{?dist}
-License: GPLv2+
+Version: 2.0.85
+Release: 30.3%{?dist}
+License: GPLv2
 Group:	 System Environment/Base
-Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
-Source1: http://www.nsa.gov/selinux/archives/sepolgen-%{sepolgenver}.tgz
+# Based on git repository with tag 20101221
+Source:  git://oss.tresys.com/git/selinux/policycoreutils-%{version}.tgz
+Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
 URL:	 http://www.selinuxproject.org
 Source2: system-config-selinux.png
 Source3: system-config-selinux.desktop
@@ -24,6 +25,7 @@ Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
 Patch3:	 policycoreutils-gui.patch
 Patch4:	 policycoreutils-sepolgen.patch
+Patch5:	 policycoreutils-sandbox.patch
 Obsoletes: policycoreutils < 2.0.61-2
 
 %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
@@ -62,9 +64,10 @@ context.
 %patch1 -p1 -b .rhatpo
 %patch3 -p1 -b .gui
 %patch4 -p1 -b .sepolgen
+#%patch5 -p1 -b .sandbox
 
 %build
-make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
+make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all 
 make -C sepolgen-%{sepolgenver} LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all 
 
 %install
@@ -81,6 +84,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
 %{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
 %{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
+%{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}-%{version}/
+cp COPYING %{buildroot}/%{_usr}/share/doc/%{name}-%{version}/
 
 make LSPP_PRIV=y  DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
 make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
@@ -91,11 +96,10 @@ install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
-install -m 644 %{SOURCE7} %{buildroot}%{_sysconfdir}/security/console.apps/selinux-polgengui
 tar -jxf %{SOURCE8} -C %{buildroot}/
 rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
-ln -sf consolehelper %{buildroot}%{_bindir}/selinux-polgengui
+ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
 
 desktop-file-install	--vendor fedora \
 			--dir ${RPM_BUILD_ROOT}%{_datadir}/applications	\
@@ -116,7 +120,8 @@ Requires: audit-libs-python >=  %{libauditver}
 Requires: /usr/bin/make
 Requires(pre): python >= 2.6
 Obsoletes: policycoreutils < 2.0.61-2
-Requires: setools-libs-python
+Requires: setools-libs-python >= 3.3.7-6
+Requires: python-IPy
 
 %description python
 The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@@ -140,7 +145,6 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_mandir}/man1/audit2allow.1*
 %{_mandir}/ru/man1/audit2allow.1*
 %{_mandir}/man1/audit2why.1*
-%{_mandir}/man5/sandbox.conf.5*
 %{_mandir}/man8/chcat.8*
 %{_mandir}/ru/man8/chcat.8*
 %{_mandir}/man8/sandbox.8*
@@ -155,17 +159,21 @@ exit 0
 Summary: SELinux sandbox utilities
 Group:	 System Environment/Base
 Requires: policycoreutils-python = %{version}-%{release} 
-Requires: xorg-x11-server-Xephyr
+Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
 Requires: matchbox-window-manager
 Requires(post): /sbin/chkconfig
 BuildRequires: libcap-ng-devel
 
 %description sandbox
-The policycoreutils-python package contains the scripts to create graphical sandboxes
+The policycoreutils-sandbox package contains the scripts to create graphical sandboxes
 
 %files sandbox
 %defattr(-,root,root,-)
 %{_datadir}/sandbox/sandboxX.sh
+%{_datadir}/sandbox/start
+%{_sbindir}/seunshare
+%{_mandir}/man8/seunshare.8*
+%{_mandir}/man5/sandbox.conf.5*
 
 %triggerin python -- selinux-policy
 selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
@@ -193,6 +201,7 @@ or level of a logged in user.
 %defattr(-,root,root)
 %attr(4755,root,root) %{_bindir}/newrole
 %{_mandir}/man1/newrole.1.gz
+%config(noreplace) %{_sysconfdir}/pam.d/newrole
 
 %package gui
 Summary: SELinux configuration GUI
@@ -227,7 +236,6 @@ system-config-selinux is a utility for managing the SELinux environment
 %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
 %config(noreplace) %{_sysconfdir}/pam.d/selinux-polgengui
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-selinux
-%config(noreplace) %{_sysconfdir}/security/console.apps/selinux-polgengui
 
 %clean
 rm -rf %{buildroot}
@@ -238,7 +246,6 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
-%{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/restorecond
@@ -254,7 +261,6 @@ rm -rf %{buildroot}
 %{_bindir}/semodule_package
 %{_sysconfdir}/rc.d/init.d/sandbox
 %config(noreplace) %{_sysconfdir}/sysconfig/sandbox
-%config(noreplace) %{_sysconfdir}/pam.d/newrole
 %config(noreplace) %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
 %attr(755,root,root) /etc/rc.d/init.d/restorecond
@@ -293,8 +299,8 @@ rm -rf %{buildroot}
 %{_mandir}/ru/man8/setsebool.8*
 %{_mandir}/man1/secon.1*
 %{_mandir}/ru/man1/secon.1*
-%{_mandir}/man8/seunshare.8*
 %{_mandir}/man8/genhomedircon.8*
+%doc %{_usr}/share/doc/%{name}-%{version}
 
 %preun
 if [ $1 -eq 0 ]; then
@@ -314,6 +320,249 @@ fi
 exit 0
 
 %changelog
+* Tue Sep 6 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.3
+- Backport sandbox fixes from F16
+
+* Thu Jul 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.2
+- Change seunshare to send kill signals to the childs session. 
+- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
+- Add -k qualifier to seunshare to have it attempt to kill all processes with 
+the matching MCS label.
+- Add -C option to sandbox and seunshare to maintain capabilities, otherwise 
+the bounding set will be dropped.
+- Change --cgroups short name -c rather then -C for consistancy
+- Fix memory and fd leaks in seunshare
+
+* Fri Jun 17 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-30.1
+- Backport lots of fixes from F15 including:
+- Do not drop capability bounding set in seunshare, this allows sandbox to 
+- run setuid apps.
+- Cleanup policy generation template
+- Pass dpi settings to sandbox
+- Add .config/* to restorecond_users.conf
+- Clean up some of the templates for sepolgen
+- Apply patches from Christoph A.
+  * fix sandbox title 
+  * stop xephyr from li
+- Also ignore errors on sandbox include of directory missing files
+- Change fixfiles restore to delete unlabeled sockets in /tmp
+
+* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-30
+- Add Elia Pinto patches to allow user to specify directories to ignore
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-29
+- Fix policycoreutils-sandbox description
+
+* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
+- Fix semange node handling of ipv6 addresses
+
+* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-26
+- Fix sepolgen-ifgen call, add -p option
+
+* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-25
+- Fix sepolgen-ifgen call
+
+* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-24
+- Fix rsync command to work if the directory is old.
+- Fix all tests
+
+* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-23
+- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
+
+* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-22
+- Return to original seunshare man page
+
+* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing 
+  access to homedir data
+
+* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
+- Change sepolgen-ifgen to search all available policy files
+- Exit in restorecond if it can not find a UID in the passwd database
+
+* Wed Mar 9 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-19
+- Fix portspage in system-config-selinux to not crash
+- More fixes for seunshare from Tomas Hoger
+
+* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-18
+- put back in old handling of -T in sandbox command
+- Put back setsid in seunshare
+- Fix rsync to maintain times
+
+* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-17
+- Use rewritten seunshare from thoger
+
+* Mon Mar 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-16
+- Require python-IPy for policycoreutils-python package
+- Fixes for sepologen 
+  - Usage statement needs -n name
+  - Names with _ are being prevented
+  - dbus apps should get _chat interface
+
+* Thu Mar 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-15
+- Fix error message in seunshare, check for tmpdir existance before unlink.
+
+* Fri Feb 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-13
+- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
+- Only allow names in polgengui that contain letters and numbers
+- Fix up node handling in semanage command
+- Update translations
+
+* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Thu Feb 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-11
+- Fix sandbox policy creation with udp connect ports
+
+* Thu Feb 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-10
+- Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
+- Cleanup chcat man page
+
+* Wed Feb 2 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-9
+- Report full errors on OSError on Sandbox
+
+* Wed Jan 21 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-8
+- Fix newrole hanlding of pcap
+
+* Wed Jan 19 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-7
+- Have restorecond watch more directories in homedir
+
+* Fri Jan 14 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-6
+- Add sandbox to sepolgen
+
+* Thu Jan 6 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-4
+- Fix proper handling of getopt errors
+- Do not allow modules names to contain spaces
+
+* Wed Jan 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-3
+- Polgengui raises the wrong type of exception.  #471078
+- Change semanage to not allow it to semanage module -D
+- Change setsebool to suggest run as root on failure
+
+* Wed Dec 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.85-2
+- Fix restorecond watching utmp file for people logging in our out
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.85-1
+- Update to upstream
+
+* Thu Dec 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.84-5
+- Change to allow sandbox to run on nfs homedirs, add start python script
+
+* Wed Dec 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.84-4
+- Move seunshare to sandbox package
+
+* Mon Nov 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.84-3
+- Fix sandbox to show correct types in  usage statement
+
+* Mon Nov 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.84-2
+- Stop fixfiles from complaining about missing dirs
+
+* Mon Nov 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.84-1
+- Update to upstream
+- List types available for sandbox in usage statement
+
+* Mon Nov 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-37
+- Don't report error on load_policy when system is disabled.
+
+* Mon Nov 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-36
+- Fix up problems pointed out by solar designer on dropping capabilities
+
+* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-35
+- Check if you have full privs and reset otherwise dont drop caps
+
+* Mon Nov 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-34
+- Fix setools require line
+
+* Fri Oct 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-33
+- Move /etc/pam.d/newrole in to polcicycoreutils-newrole
+- Additiona capability  checking in sepolgen
+
+* Mon Oct 25 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-32
+- Remove setuid flag and replace with file capabilities
+- Fix sandbox handling of files with spaces in them
+
+* Wed Sep 29 2010 jkeating - 2.0.83-31
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-30
+- Move restorecond into its own subpackage
+
+* Thu Sep 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-29
+- Fix semanage man page
+
+* Mon Sep 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-28
+- Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.
+
+* Mon Sep 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-27
+- Fix sandbox copyfile when copying a dir with a socket, print error
+
+* Fri Sep 10 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-26
+- Stop polgengui from crashing if selinux policy is not installed
+
+* Thu Sep 9 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-25
+- Fix bug preventing sandbox from using -l 
+
+* Tue Sep 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-24
+- Eliminate quotes fro desktop files
+
+* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-23
+- Add -w windowsize patch from Christoph A.
+
+* Mon Aug 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-22
+- Update po
+
+* Wed Aug 25 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-21
+- Update po
+
+* Tue Aug 24 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-20
+- Tighten down seunshare to create /tmp dir with sticky bit and  MS_NODEV | MS_NOSUID | MS_NOEXEC;
+- Remove setsid on seunshare so ^c on sandbox will cause apps to exit
+- Add dbus-launch --exit-with-session so all processes launched within the sandbox exit with the sandbox
+- Clean up error handling so error will get sent back to sandbox tool
+
+* Mon Aug 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-19
+- Fix translation handling in file context page of system-config-selinux
+
+* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-18
+- Fix sandbox error handling
+
+* Fri Aug 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-17
+- Apply patch to restorecond from Chris Adams, which will cause restorecond 
+- to watch first user that logs in.
+
+* Thu Aug 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-16
+- Add COPYING file to doc dir
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-15
+- Update po and translations
+Resolves: #610473
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-14
+- More fixes for polgen tools
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-13
+- Remove requirement to run selinux-polgen as root
+
+* Thu Aug 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-12
+- Update po and translations
+- Fix gui policy generation tools
+
+* Wed Aug 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-11
+- Update po and translations
+
+* Sat Jul 31 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.83-10
+- rebuild against python 2.7
+
+* Wed Jul 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-9
+- Update selinux-polgengui to sepolgen policy generation
+
+* Wed Jul 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-8
+- Fix invalid free in seunshare and fix man page
+
 * Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-7
 - Update translations
 
@@ -3134,4 +3383,3 @@ written to.  fails on 64-bit archs
 
 * Mon Jun 2 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
 - Initial version
-

selinux-polgengui.desktop

@@ -1,20 +1,62 @@
 [Desktop Entry]
 Name=SELinux Policy Generation Tool
-Name[es]="Herramienta de Generación de Políticas de SELinux"
-Name[ja]="SELinux ポリシー生成ツール"
-Name[mr]="SELinux करार निर्माण साधन"
-Name[nl]="SELinux tactiek generatie gereedschap"
-Name[or]="SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ"
-Name[pa]="SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ"
-Name[pl]="Narzędzie tworzenia polityki SELinuksa"
+Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
+Name[ca]=Eina de generació de polítiques del SELinux
+Name[da]=Regelsætgenereringsværktøj til SELinux
+Name[de]=Tool zur Erstellung von SELinux-Richtlinien
+Name[es]=Generador de Políticas de SELinux
+Name[fi]=SELinux-käytäntöjen generointityökalu
+Name[fr]=Outil de génération de stratégies SELinux
+Name[gu]=SELinux પોલિસી બનાવટ સાધન
+Name[hi]=SELinux पॉलिसी जनन औजार
+Name[it]=Tool di generazione della policy di SELinux
+Name[ja]=SELinux ポリシー生成ツール
+Name[kn]=SELinux ಪಾಲಿಸಿ ಉತ್ಪಾದನಾ ಉಪಕರಣ
+Name[ko]=SELinux 정책 생성 도구
+Name[ml]=SELinux പോളിസി ഉത്പാദന പ്രയോഗം
+Name[mr]=SELinux करार निर्माण साधन
+Name[nl]=SELinux tactiek generatie gereedschap
+Name[or]=SELinux ନୀତି ସୃଷ୍ଟି ଉପକରଣ
+Name[pa]=SELinux ਪਾਲਿਸੀ ਨਿਰਮਾਣ ਜੰਤਰ
+Name[pl]=Narzędzie tworzenia polityki SELinuksa
+Name[pt]=Ferramenta de Geração de Políticas SELinux
+Name[pt_BR]=Ferramenta de criação de políticas do SELinux
+Name[ru]=Средство создания политики SELinux
+Name[sv]=Genereringsverktyg för SELinuxpolicy
+Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Утиліта генерації правил SELinux
+Name[zh_CN]=SELinux 策略生成工具
+Name[zh_TW]=SELinux 政策產生工具（SELinux Policy Generation Tool）
 Comment=Generate SELinux policy modules
-Comment[es]="Generar módulos de política de SELinux"
-Comment[ja]="新しいポリシーモジュールの作成"
-Comment[mr]="SELinux करार घटके निर्माण करा"
-Comment[nl]="Maak een SELinux tactiek module aan"
-Comment[or]="SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ"
-Comment[pa]="SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ"
-Comment[pl]="Tworzenie nowych modułów polityki SELinuksa"
+Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
+Comment[ca]=Genera els mòduls de les polítiques de SELinux
+Comment[da]=Generér SELinux-regelsætmodul
+Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
+Comment[es]=Generar módulos de política de SELinux
+Comment[fi]=Generoi SELinuxin käytäntömoduuleja
+Comment[fr]=Génére des modules de stratégie SELinux
+Comment[gu]=SELinux પોલિસી મોડ્યુલોને ઉત્પન્ન કરો
+Comment[hi]=नया पॉलिसी मॉड्यूल उत्पन्न करें
+Comment[it]=Genera moduli della politica di SELinux
+Comment[ja]=新しいポリシーモジュールの作成
+Comment[kn]=SELinux ಪಾಲಿಸಿ ಘಟಕಗಳನ್ನು ಉತ್ಪಾದಿಸು
+Comment[ko]=SELinux 정책 모듈 생성
+Comment[ml]=SELinux യ പോളിസി ഘങ്ങള്‍ തയ്യാറാക്കുക
+Comment[mr]=SELinux करार घटके निर्माण करा
+Comment[nl]=Maak een SELinux tactiek module aan
+Comment[or]=SELinux ନୀତି ଏକକାଂଶ ସୃଷ୍ଟିକରନ୍ତୁ
+Comment[pa]=SELinux ਪਾਲਿਸੀ ਮੈਡਿਊਲ ਬਣਾਓ
+Comment[pl]=Tworzenie nowych modułów polityki SELinuksa
+Comment[pt]=Gerar módulos de políticas SELinux
+Comment[pt_BR]=Gerar módulos de política do SELinux
+Comment[ru]=Генерация модулей политики SELinux
+Comment[sv]=Generera SELinux-policymoduler
+Comment[ta]=SELinux கொள்கை தொகுதியை உருவாக்கவும்
+Comment[te]=SELinux పాలసీ మాడ్యూళ్ళను వుద్భవింపచేయుము
+Comment[uk]=Створення модулів контролю доступу SELinux
+Comment[zh_CN]=生成 SELinux 策略模块
+Comment[zh_TW]=產生 SELinux 政策模組
 StartupNotify=true
 Icon=system-config-selinux
 Exec=/usr/bin/selinux-polgengui

sources

@@ -1,3 +1,3 @@
 49faa2e5f343317bcfcf34d7286f6037  sepolgen-1.0.23.tgz
-85a84b4521dfdde649d0143e15f724f9  policycoreutils-2.0.83.tgz
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
+92fa615448d443b22c4ad6ecf89fc974  policycoreutils-2.0.85.tgz

system-config-selinux.desktop

@@ -1,20 +1,62 @@
 [Desktop Entry]
 Name=SELinux Management
-Name[es]="Administración de SELinux"
-Name[jp]="SELinux 管理"
-Name[mr]="SELinux मॅनेजमेंट"
-Name[nl]="SELinux beheer"
-Name[or]="SELinux ପରିଚାଳନା"
-Name[pa]="SELinux ਮੈਨੇਜਮੈਂਟ"
-Name[pl]="Zarządzanie SELinuksem"
+Name[bn_IN]=SELinux পরিচালনা
+Name[da]=Håndtering af SELinux
+Name[de]=SELinux-Management
+Name[ca]=Gestió de SELinux
+Name[es]=Administración de SELinux
+Name[fi]=SELinuxin ylläpito
+Name[fr]=Gestion de SELinux
+Name[gu]=SELinux સંચાલન
+Name[hi]=SELinux प्रबंधन
+Name[jp]=SELinux 管理
+Name[it]=Gestione di SELinux
+Name[kn]=SELinux ವ್ಯವಸ್ಥಾಪನೆ
+Name[ko]=SELinux 관리
+Name[ml]=SELinux മാനേജ്മെന്റ്
+Name[mr]=SELinux मॅनेजमेंट
+Name[nl]=SELinux beheer
+Name[or]=SELinux ପରିଚାଳନା
+Name[pa]=SELinux ਮੈਨੇਜਮੈਂਟ
+Name[pl]=Zarządzanie SELinuksem
+Name[pt_BR]=Gerenciamento do SELinux
+Name[pt]=Gestão de SELinux
+Name[ru]=Управление SELinux
+Name[sv]=SELinux-hantering
+Name[ta]=SELinux மேலாண்மை
+Name[te]=SELinux నిర్వహణ
+Name[uk]=Керування SELinux
+Name[zh_CN]=SELinux 管理
+Name[zh_TW]=SELinux 管理
 Comment=Configure SELinux in a graphical setting
-Comment[es]="Defina SELinux en una configuración de interfaz gráfica"
-Comment[jp]="グラフィカルな設定画面で SELinux を設定する"
-Comment[mr]="ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा"
-Comment[nl]="Configureer SELinux in een grafische omgeving"
-Comment[or]="SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ"
-Comment[pa]="SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ"
-Comment[pl]="Konfiguracja SELinuksa w trybie graficznym"
+Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
+Comment[ca]=Configura SELinuc an mode de preferències gràfiques
+Comment[da]=Konfigurér SELinux i et grafisk miljø
+Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
+Comment[es]=Defina SELinux en una configuración de interfaz gráfica
+Comment[fi]=Tee SELinuxin asetukset graafisesti
+Comment[fr]=Configure SELinux dans un environnement graphique
+Comment[gu]=ગ્રાફિકલ સુયોજનમાં SELinux ને રૂપરેખાંકિત કરો
+Comment[hi]=SELinux को आलेखी सेटिंग में विन्यस्त करें
+Comment[it]=Configura SELinux in una impostazione grafica
+Comment[jp]=グラフィカルな設定画面で SELinux を設定する
+Comment[ko]=SELinux를 그래픽 사용자 인터페이스로 설정
+Comment[kn]=SELinux ಅನ್ನು ಒಂದು ಚಿತ್ರಾತ್ಮಕ ಸಿದ್ದತೆಯಲ್ಲಿ ಸಂರಚಿಸಿ
+Comment[ml]=ഒരു ഗ്രാഫിക്കല്‍ സജ്ജീകരണത്തില്‍ SELinux ക്രമീകരിയ്ക്കുക
+Comment[mr]=ग्राफिकल सेटिंगमध्ये SELinux संरचीत करा
+Comment[nl]=Configureer SELinux in een grafische omgeving
+Comment[or]=SELinux କୁ ଆଲେଖିକ ସଂରଚନାରେ ବିନ୍ୟାସ କରନ୍ତୁ
+Comment[pa]=SELinux ਨੂੰ ਗਰਾਫੀਕਲ ਸੈਟਿੰਗ ਵਿੱਚ ਸੰਰਚਿਤ ਕਰੋ
+Comment[pl]=Konfiguracja SELinuksa w trybie graficznym
+Comment[pt]=Configurar o SELinux num ambiente gráfico
+Comment[pt_BR]=Configure o SELinux em uma configuração gráfica
+Comment[ru]=Настройка SELinux в графическом режиме
+Comment[sv]=Konfigurera SELinux i en grafisk miljö
+Comment[ta]=SELinuxஐ ஒரு வரைகலை அமைவில் கட்டமைக்கவும்
+Comment[te]=SELinuxను గ్రాఫికల్ అమర్పునందు ఆకృతీకరించుము
+Comment[uk]=Засіб для налаштування SELinux з графічним інтерфейсом
+Comment[zh_CN]=在图形设置中配置 SELinux
+Comment[zh_TW]=在圖形話設定中配置 SELinux
 StartupNotify=true
 Icon=system-config-selinux
 Exec=/usr/bin/system-config-selinux