- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com

- at_console should not be used any longer
- seunshare: Use setcurrent before setexec

0001-seunshare-Try-to-use-setcurrent-before-setexec.patch

@@ -0,0 +1,62 @@
+From 8b8915f36a1db76bbdd9695f0bb450132b67f2ca Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH 1/3] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail.  This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent.  This rule appears to work:
+
+    allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 97f3920..fe40757 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ 			goto childerr;
+ 		}
+ 
+-		/* selinux context */
+-		if (execcon && setexeccon(execcon) != 0) {
+-			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+-			goto childerr;
+-		}
+-
+ 		if (chdir(pwd->pw_dir)) {
+ 			perror(_("Failed to change dir to homedir"));
+ 			goto childerr;
+ 		}
+ 		setsid();
++
++		/* selinux context */
++		if (execcon) {
++			/* try dyntransition, since no_new_privs can interfere
++			 * with setexeccon */
++			if (setcon(execcon) != 0) {
++				/* failed; fall back to setexeccon */
++				if (setexeccon(execcon) != 0) {
++					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++					goto childerr;
++				}
++			}
++		}
++
+ 		execv(argv[optind], argv + optind);
+ 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+-- 
+1.9.0
+

0002-at_console-should-not-be-used-any-longer.patch

@@ -0,0 +1,30 @@
+From 84bff58282256f52a25cec2f36c9831daea48987 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Tue, 6 May 2014 14:38:41 -0400
+Subject: [PATCH 2/3] at_console should not be used any longer
+
+---
+ policycoreutils/sepolicy/org.selinux.conf | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.conf b/policycoreutils/sepolicy/org.selinux.conf
+index a350978..1ae079d 100644
+--- a/policycoreutils/sepolicy/org.selinux.conf
++++ b/policycoreutils/sepolicy/org.selinux.conf
+@@ -12,12 +12,8 @@
+ 
+   <!-- Allow anyone to invoke methods on the interfaces,
+        authorization is performed by PolicyKit -->
+-  <policy at_console="true">
+-    <allow send_destination="org.selinux"/>
+-  </policy>
+   <policy context="default">
+-    <allow send_destination="org.selinux"
+-	   send_interface="org.freedesktop.DBus.Introspectable"/>
++    <allow send_destination="org.selinux"/>
+   </policy>
+ 
+ </busconfig>
+-- 
+1.9.0
+

0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch

@@ -0,0 +1,93 @@
+From 7a69cd9e185055fc8e096b466923d8712263a9e8 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 7 May 2014 10:18:57 +0200
+Subject: [PATCH 3/3] Apply patch for org.selinux.policy to not be desktop
+ centric from stefw@redhat.com
+
+---
+ policycoreutils/sepolicy/org.selinux.policy | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
+index 4023bca..ddd9caa 100644
+--- a/policycoreutils/sepolicy/org.selinux.policy
++++ b/policycoreutils/sepolicy/org.selinux.policy
+@@ -11,7 +11,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents restorecon access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
++            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -20,7 +20,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents setenforce access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
++            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -29,7 +29,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents semanage access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
++            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -38,8 +38,8 @@
+         <description>SELinux Read access</description>
+         <message>System policy prevents read access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+-          <allow_inactive>no</allow_inactive>
++          <allow_any>yes</allow_any>
++          <allow_inactive>yes</allow_inactive>
+ 	  <allow_active>yes</allow_active>
+         </defaults>
+     </action>
+@@ -47,8 +47,8 @@
+         <description>SELinux list modules access</description>
+         <message>System policy prevents read access to SELinux modules</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+-          <allow_inactive>no</allow_inactive>
++          <allow_any>yes</allow_any>
++          <allow_inactive>yes</allow_inactive>
+ 	  <allow_active>yes</allow_active>
+         </defaults>
+     </action>
+@@ -56,7 +56,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents relabel_on_boot access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
++          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -65,7 +65,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents change_default_policy access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
++          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -74,7 +74,7 @@
+         <description>Change SELinux default enforcing mode</description>
+         <message>System policy prevents change_default_policy access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
++          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+-- 
+1.9.0
+

policycoreutils-sepolgen.patch

@@ -1,131 +1,13 @@
-diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..56919be 100644
---- a/sepolgen/src/sepolgen/audit.py
-+++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
-                 raise ValueError("Error during access vector computation")
- 
-             if self.type == audit2why.CONSTRAINT:
--                self.data = []
-+                self.data = [ self.data ]
-                 if self.scontext.user != self.tcontext.user:
--                    self.data.append("user")
-+                    self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
-                 if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
--                    self.data.append("role")
-+                    self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
-                 if self.scontext.level != self.tcontext.level:
--                    self.data.append("level")
-+                    self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
- 
-             avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
- 
-diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
-index cc9f8ea..ce643e5 100644
---- a/sepolgen/src/sepolgen/policygen.py
-+++ b/sepolgen/src/sepolgen/policygen.py
-@@ -161,21 +161,21 @@ class PolicyGenerator:
-             if self.explain:
-                 rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
-             if av.type == audit2why.ALLOW:
--                rule.comment += "#!!!! This avc is allowed in the current policy\n"
-+                rule.comment += "\n#!!!! This avc is allowed in the current policy"
-             if av.type == audit2why.DONTAUDIT:
--                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
-+                rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
- 
-             if av.type == audit2why.BOOLEAN:
-                 if len(av.data) > 1:
--                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.data))
-+                    rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n#     %s" % ", ".join(map(lambda x: x[0], av.data))
-                 else:
--                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
-+                    rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
- 
-             if av.type == audit2why.CONSTRAINT:
--                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
--                rule.comment += "#Constraint rule: "
--                for reason in av.data:
--                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
-+                rule.comment += "\n#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
-+                rule.comment += "#Constraint rule: \n\t" + av.data[0]
-+                for reason in av.data[1:]:
-+                    rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
- 
-             try:
-                 if ( av.type == audit2why.TERULE and
-@@ -189,9 +189,9 @@ class PolicyGenerator:
-                         if i not in self.domains:
-                             types.append(i)
-                     if len(types) == 1:
--                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-                     elif len(types) >= 1:
--                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-             except:
-                 pass
-             self.module.children.append(rule)
-diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
-index 7b76261..a05d9d1 100644
---- a/sepolgen/src/sepolgen/refparser.py
-+++ b/sepolgen/src/sepolgen/refparser.py
-@@ -65,6 +65,7 @@ tokens = (
-     'BAR',
-     'EXPL',
-     'EQUAL',
-+    'FILENAME',
-     'IDENTIFIER',
-     'NUMBER',
-     'PATH',
-@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
-     t.lexer.lineno += 1
- 
- def t_IDENTIFIER(t):
--    r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
-+    r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
-     # Handle any keywords
-     t.type = reserved.get(t.value,'IDENTIFIER')
-     return t
- 
-+def t_FILENAME(t):
-+    r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
-+    # Handle any keywords
-+    t.type = reserved.get(t.value,'FILENAME')
-+    return t
-+
- def t_comment(t):
-     r'\#.*\n'
-     # Ignore all comments
-@@ -450,6 +457,7 @@ def p_interface_call_param(p):
-                             | nested_id_set
-                             | TRUE
-                             | FALSE
-+                            | FILENAME
-     '''
-     # Intentionally let single identifiers pass through
-     # List means set, non-list identifier
-@@ -461,6 +469,7 @@ def p_interface_call_param(p):
- def p_interface_call_param_list(p):
-     '''interface_call_param_list : interface_call_param
-                                  | interface_call_param_list COMMA interface_call_param
-+                                 | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
-     '''
-     if len(p) == 2:
-         p[0] = [p[1]]
-@@ -787,6 +796,7 @@ def p_avrule_def(p):
- 
- def p_typerule_def(p):
-     '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
-+                    | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
-                     | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
-                     | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
-                     | TYPE_MEMBER names names COLON names IDENTIFIER SEMI
-@@ -800,6 +810,7 @@ def p_typerule_def(p):
-     t.tgt_types = p[3]
-     t.obj_classes = p[5]
-     t.dest_type = p[6]
-+    t.file_name = p[7]
-     p[0] = t
- 
- def p_bool(p):
+diff --git a/sepolgen/src/sepolgen/interfaces.py b/sepolgen/src/sepolgen/interfaces.py
+index 3258684..88a6dc3 100644
+--- a/sepolgen/src/sepolgen/interfaces.py
++++ b/sepolgen/src/sepolgen/interfaces.py
+@@ -276,7 +276,7 @@ class InterfaceVector:
+         if attributes:
+             for typeattribute in interface.typeattributes():
+                 for attr in typeattribute.attributes:
+-                    if not attributes.has_key(attr):
++                    if not attributes.attributes.has_key(attr):
+                         # print "missing attribute " + attr
+                         continue
+                     attr_vec = attributes.attributes[attr]

policycoreutils.spec

@@ -2,12 +2,12 @@
 %global libsepolver	2.1.9-1
 %global	libsemanagever	2.1.10-1
 %global	libselinuxver	2.1.13-1
-%global	sepolgenver	1.1.9
+%global	sepolgenver	1.2.1
 
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.1.14
-Release: 75%{?dist}
+Version: 2.2.5
+Release: 4%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -16,8 +16,12 @@ Source1:git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
 URL:	 http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
+Source4: sepolicy-icons.tgz
 Patch:	 policycoreutils-rhat.patch
-Patch1:	 policycoreutils-sepolgen.patch
+Patch1:  0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
+Patch2:  0002-at_console-should-not-be-used-any-longer.patch
+Patch3:  0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
+#Patch1:	 policycoreutils-sepolgen.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
 Provides: /sbin/fixfiles
@@ -48,10 +52,14 @@ to switch roles.
 %prep
 %setup -q -a 1
 %patch -p2 -b .rhat
-%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
+%patch1 -p2 -b .seunshare
+%patch2 -p2 -b .at_console
+%patch3 -p2 -b .org.selinux
+#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
+cp %{SOURCE3} gui/
+tar xvf %{SOURCE4}
 
 %build
-cp %{SOURCE3} gui/
 make LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SEMODULE_PATH="/usr/sbin" all
 make -C sepolgen-%{sepolgenver} SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro" all
 
@@ -84,10 +92,15 @@ desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications	\
 			--add-category Settings				\
 %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
 
+desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications	\
+			--add-category Settings				\
+    %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
+
 desktop-file-install --dir ${RPM_BUILD_ROOT}%{_datadir}/applications	\
 %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
 
 rm -f %{buildroot}%{_datadir}/system-config-selinux/selinux-polgengui.desktop
+rm -f %{buildroot}%{_datadir}/system-config-selinux/sepolicy.desktop
 rm -f %{buildroot}%{_datadir}/system-config-selinux/system-config-selinux.desktop
 
 %find_lang %{name}
@@ -99,6 +112,7 @@ Requires:policycoreutils = %{version}-%{release}
 Requires:libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
 Requires:audit-libs-python >=  %{libauditver}
 Requires(pre): python >= 2.6
+Requires: checkpolicy
 Obsoletes: policycoreutils < 2.0.61-2
 Requires: python-IPy yum
 
@@ -114,8 +128,13 @@ an SELinux environment.
 %{_bindir}/audit2why
 %{_mandir}/man1/audit2allow.1*
 %{_mandir}/ru/man1/audit2allow.1*
+%{_bindir}/semodule_package
+%{_mandir}/man8/semodule_package.8*
+%{_mandir}/ru/man8/semodule_package.8*
 %{_mandir}/man1/audit2why.1*
-%{python_sitearch}/seobject.py*
+%dir %{python_sitelib}/seobject
+%{python_sitelib}/seobject/__init__.py*
+%{python_sitelib}/seobject*.egg-info
 %{python_sitearch}/sepolgen
 %dir %{python_sitearch}/sepolicy
 %{python_sitearch}/sepolicy/*so
@@ -138,10 +157,6 @@ an SELinux environment.
 %{_mandir}/man8/sandbox.8*
 %{_mandir}/man8/semanage*.8*
 %{_mandir}/ru/man8/semanage.8*
-%{_datadir}/system-config-selinux/selinux_server.py
-%{_datadir}/dbus-1/system-services/org.selinux.service
-%{_datadir}/polkit-1/actions/org.selinux.policy
-%{_datadir}/polkit-1/actions/org.fedoraproject.config.selinux.policy 
 %{_datadir}/bash-completion/completions/semanage
 %{_datadir}/bash-completion/completions/setsebool
 
@@ -150,7 +165,6 @@ Summary: SELinux policy core policy devel utilities
 Group:	 System Environment/Base
 Requires: policycoreutils-python = %{version}-%{release}
 Requires: /usr/bin/make
-Requires: checkpolicy
 Requires: selinux-policy-devel
 
 %description devel
@@ -174,6 +188,17 @@ The policycoreutils-devel package contains the management tools use to develop p
 %{_mandir}/man8/sepolicy-manpage.8*
 %{_mandir}/man8/sepolicy-transition.8*
 %{_usr}/share/bash-completion/completions/sepolicy
+%{_bindir}/semodule_deps
+%{_bindir}/semodule_expand
+%{_bindir}/semodule_link
+%{_bindir}/semodule_unpackage
+%{_mandir}/man8/semodule_deps.8*
+%{_mandir}/ru/man8/semodule_deps.8*
+%{_mandir}/man8/semodule_expand.8*
+%{_mandir}/ru/man8/semodule_expand.8*
+%{_mandir}/man8/semodule_link.8*
+%{_mandir}/ru/man8/semodule_link.8*
+%{_mandir}/man8/semodule_unpackage.8*
 
 %package sandbox
 Summary: SELinux sandbox utilities
@@ -207,9 +232,12 @@ or level of a logged in user.
 
 %files newrole
 %attr(0755,root,root) %caps(cap_dac_read_search,cap_setpcap,cap_audit_write,cap_sys_admin,cap_fowner,cap_chown,cap_dac_override=pe) %{_bindir}/newrole
-
+%{_sbindir}/run_init
+%{_mandir}/man8/run_init.8*
+%{_mandir}/ru/man8/run_init.8*
 %{_mandir}/man1/newrole.1.gz
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
+%config(noreplace) %{_sysconfdir}/pam.d/run_init
 
 %package gui
 Summary: SELinux configuration GUI
@@ -226,20 +254,28 @@ system-config-selinux is a utility for managing the SELinux environment
 %files gui
 %{_bindir}/system-config-selinux
 %{_bindir}/selinux-polgengui
+%{_datadir}/applications/sepolicy.desktop
 %{_datadir}/applications/system-config-selinux.desktop
 %{_datadir}/applications/selinux-polgengui.desktop
 %{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
 %{_datadir}/pixmaps/system-config-selinux.png
-%{_datadir}/polkit-1/actions/org.selinux.policy
 %dir %{_datadir}/system-config-selinux
 %{_datadir}/system-config-selinux/system-config-selinux.png
 %{_datadir}/system-config-selinux/*.py*
 %{_datadir}/system-config-selinux/*.glade
 %{python_sitearch}/sepolicy/gui.py*
 %{python_sitearch}/sepolicy/sepolicy.glade
+%dir %{python_sitearch}/sepolicy/help
+%{python_sitearch}/sepolicy/help/*
+%{_datadir}/icons/hicolor/*/apps/sepolicy.png
+%{_datadir}/pixmaps/sepolicy.png
 %{_mandir}/man8/system-config-selinux.8*
 %{_mandir}/man8/selinux-polgengui.8*
 %{_mandir}/man8/sepolicy-gui.8*
+%{_datadir}/system-config-selinux/selinux_server.py
+%{_datadir}/dbus-1/system-services/org.selinux.service
+%{_datadir}/polkit-1/actions/org.selinux.policy
+%{_datadir}/polkit-1/actions/org.selinux.config.policy
 
 %post gui
 /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@@ -257,42 +293,24 @@ fi
 %{_sbindir}/restorecon
 %{_sbindir}/fixfiles
 %{_sbindir}/setfiles
-%{_sbindir}/run_init
 %{_sbindir}/load_policy
 %{_sbindir}/genhomedircon
 %{_sbindir}/setsebool
 %{_sbindir}/semodule
 %{_sbindir}/sestatus
 %{_bindir}/secon
-%{_bindir}/semodule_deps
-%{_bindir}/semodule_expand
-%{_bindir}/semodule_link
-%{_bindir}/semodule_package
-%{_bindir}/semodule_unpackage
 %config(noreplace) %{_sysconfdir}/sestatus.conf
-%config(noreplace) %{_sysconfdir}/pam.d/run_init
 # selinux-policy Requires: policycoreutils, so we own this set of directories and our files within them
 %{_mandir}/man5/selinux_config.5.gz
 %{_mandir}/man5/sestatus.conf.5.gz
 %{_mandir}/man8/fixfiles.8*
 %{_mandir}/ru/man8/fixfiles.8*
-%{_mandir}/man8/run_init.8*
-%{_mandir}/ru/man8/run_init.8*
 %{_mandir}/man8/load_policy.8*
 %{_mandir}/ru/man8/load_policy.8*
 %{_mandir}/man8/restorecon.8*
 %{_mandir}/ru/man8/restorecon.8*
 %{_mandir}/man8/semodule.8*
 %{_mandir}/ru/man8/semodule.8*
-%{_mandir}/man8/semodule_deps.8*
-%{_mandir}/ru/man8/semodule_deps.8*
-%{_mandir}/man8/semodule_expand.8*
-%{_mandir}/ru/man8/semodule_expand.8*
-%{_mandir}/man8/semodule_link.8*
-%{_mandir}/ru/man8/semodule_link.8*
-%{_mandir}/man8/semodule_package.8*
-%{_mandir}/man8/semodule_unpackage.8*
-%{_mandir}/ru/man8/semodule_package.8*
 %{_mandir}/man8/sestatus.8*
 %{_mandir}/ru/man8/sestatus.8*
 %{_mandir}/man8/setfiles.8*
@@ -335,7 +353,199 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
-* Wed Aug 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-75
+* Wed May 7 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.5-4
+- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com
+- at_console should not be used any longer
+- seunshare: Use setcurrent before setexec
+
+* Thu Jan 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-3
+- Add Miroslav patch to
+- Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Wed Jan 8 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-2
+- Do not require /usr/share/selinux/devel/Makefile to build permissive domains
+
+* Mon Jan 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-1
+- Update to upstream 
+	* Ignore selevel/serange if MLS is disabled from Sven Vermeulen.
+
+* Fri Jan 3 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-8
+- Update Tranlations
+- Patch from Yuri Chornoivan to fix typos
+
+* Fri Jan 3 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-7
+- Fixes Customized booleans causing a crash of the sepolicy gui
+
+* Thu Jan 2 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.4-6
+- Fix sepolicy gui selection for advanced screen
+- Update Translations
+- Move requires checkpolicy requirement into policycoreutils-python
+
+* Mon Dec 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-5
+- Fix semanage man page description of import command
+- Fix policy kit file to allow changing to permissive mode
+
+* Mon Dec 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-4
+- Fix broken dependencies.
+
+* Fri Dec 13 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-3
+- Break out python3 code into separate package
+
+* Fri Dec 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-2
+- Add mgrepl patch
+-   ptrace should be a part of deny_ptrace boolean in TEMPLATETYPE_admin
+
+* Tue Dec 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.4-1
+- Update to upstream 
+	* Revert automatic setting of serange and seuser in seobject; was breaking non-MLS systems.
+- Add patches for sepolicy gui from mgrepl to
+  Fix advanced_item_button_push() to allow to select an application in advanced search menu
+  Fix previously_modified_initialize() to show modified changes properly for all selections
+
+* Fri Nov 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.3-1
+- Update to upstream 
+	* Apply polkit check on all dbus interfaces and restrict to active user from Dan Walsh.
+	* Fix typo in sepolicy gui dbus.relabel_on_boot call from Dan Walsh.
+- Apply Miroslav Grepl patch to fix TEMPLATETYPE_domtrans description in sepolicy generate
+
+* Wed Nov 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
+- Fix selinux-polgengui, get_all_modules call
+
+* Fri Nov 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1
+- Speed up startup time of sepolicy gui
+- Clean up ports screen to only show enabled ports.
+- Update to upstream 
+	* Remove import policycoreutils.default_encoding_utf8 from semanage from Dan Walsh.
+	* Make yum/extract_rpms optional for sepolicy generate from Dan Walsh.
+	* Add test suite for audit2allow and sepolgen-ifgen from Dan Walsh.
+
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-2
+- Shift around some of the files to more appropriate packages.
+        * semodule_* packages are required for devel.
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
+- Update to upstream 
+	* Properly build the swig exception file from Laurent Bigonville.
+	* Fix man pages from Laurent Bigonville.
+	* Support overriding PATH and INITDIR in Makefile from Laurent Bigonville.
+	* Fix LDFLAGS usage from Laurent Bigonville.
+	* Fix init_policy warning from Laurent Bigonville.
+	* Fix semanage logging from Laurent Bigonville.
+	* Open newrole stdin as read/write from Sven Vermeulen.
+	* Fix sepolicy transition from Sven Vermeulen.
+	* Support overriding CFLAGS from Simon Ruderich.
+	* Create correct man directory for run_init from Russell Coker.
+	* restorecon GLOB_BRACE change from Michal Trunecka.
+	* Extend audit2why to report additional constraint information.
+	* Catch IOError errors within audit2allow from Dan Walsh.
+	* semanage export/import fixes from Dan Walsh.
+	* Improve setfiles progress reporting from Dan Walsh.
+	* Document setfiles -o option in usage from Dan Walsh.
+	* Change setfiles to always return -1 on failure from Dan Walsh.
+	* Improve setsebool error r eporting from Dan Walsh.
+	* Major overhaul of gui from Dan Walsh.
+	* Fix sepolicy handling of non-MLS policy from Dan Walsh.
+	* Support returning type aliases from Dan Walsh.
+	* Add sepolicy tests from Dan Walsh.
+	* Add org.selinux.config.policy from Dan Walsh.
+	* Improve range and user input checking by semanage from Dan Walsh.
+	* Prevent source or target arguments that end with / for substitutions from Dan Walsh.
+	* Allow use of <<none>> for semanage fcontext from Dan Walsh.
+        * Report customized user levels from Dan Walsh.
+	* Support deleteall for restoring disabled modules from Dan Walsh.
+	* Improve semanage error reporting from Dan Walsh.
+	* Only list disabled modules for module locallist from Dan Walsh.
+	* Fix logging from Dan Walsh.
+	* Define new constants for file type character codes from Dan Walsh.
+	* Improve bash completions from Dan Walsh.
+	* Convert semanage to argparse from Dan Walsh (originally by Dave Quigley).
+	* Add semanage tests from Dan Walsh.
+	* Split semanage man pages from Dan Walsh.
+	* Move bash completion scripts from Dan Walsh.
+	* Replace genhomedircon script with a link to semodule from Dan Walsh.
+	* Fix fixfiles from Dan Walsh.
+	* Add support for systemd service for restorecon from Dan Walsh.
+	* Spelling corrections from Dan Walsh.
+	* Improve sandbox support for home dir symlinks and file caps from Dan Walsh.
+	* Switch sandbox to openbox window manager from Dan Walsh.
+	* Coalesce audit2why and audit2allow from Dan Walsh.
+	* Change audit2allow to append to output file from Dan Walsh.
+	* Update translations from Dan Walsh.
+	* Change audit2why to use selinux_current_policy_path from Dan Walsh.
+
+* Fri Oct 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-89
+- Fix handling of man pages.
+
+* Wed Oct 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-88
+- Cleanup errors found by pychecker
+- Apply patch from Michal Trunecka to allow restorecon to handle {} in globs
+
+* Fri Oct 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-87
+- sepolicy gui
+  - mgrepl fixes for users and login
+- Update Translations.
+
+* Fri Oct 11 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-86
+- sepolicy gui
+  - mgrepl added delete screens for users and login
+  - Fix lots of bugs.
+- Update Translations.
+
+
+* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-85
+- Fixes for fixfiles
+  * exclude_from_dirs should apply to all types of restorecon calls
+  * fixfiles check now works
+  * exit with the correct status
+
+- semanage no longer import selinux
+
+* Wed Oct 2 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-84
+- Fixes for sepolicy gui
+- Fix setsebool to return 0 on success
+- Update Po
+
+* Mon Sep 30 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-83
+- Fix sizes of help screens in sepolicy gui
+
+* Sat Sep 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-82
+- Improvements to sepolicy gui
+  - Add more help information
+  - Cleanup code
+  - Add deny_ptrace on lockdown screen
+  - Make unconfined/permissivedomains lockdown work
+  - Add more support for file equivalency
+
+* Wed Sep 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-81
+- Add back in the help png files
+- Begin Adding support for file equivalency.
+
+* Wed Sep 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-80
+- Random fixes for sepolicy gui
+  * Do not prompt for password until you make a change
+  * Add user mappings and selinux users page
+  * lots of code cleanup
+
+- Verify homedir is owned by user before mounting over it with seunshare
+- Fix fixfiles to handle Relabel properly
+- Fix semanage fcontext -e / command to allow "/"
+
+* Wed Sep 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-79
+- Add Miroslav Grepl setsebool patch to give better error message on bad boolean names
+- Additional help screens for sepolicy gui
+
+* Tue Sep 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-78
+- Random fixes for sepolicy gui
+- Update Translations
+
+* Fri Aug 30 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-77
+- Add help screens for each page
+- Fixes for system page
+
+* Mon Aug 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-76
+- Add Miroslav Grepl Patch to handle semanage -i and semanage -o better
+- Update Translations
+
+* Thu Aug 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-75
 - Update sepolicy gui code, cleanups and add file transition tab
 - Fix semanage fcontext -a --ftype code to work.
 

sources

@@ -1,3 +1,3 @@
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
-22cb999c28b40b59a9d6b11824480ab8  policycoreutils-2.1.14.tgz
-960f29b498ba7efaa3aeb5e3796a1ba3  sepolgen-1.1.9.tgz
+e9134b52e6620c14cbce9234a6b67b20  sepolgen-1.2.1.tgz
+15340f6e3bdc703e2f960cd2dbff9019  policycoreutils-2.2.5.tgz