policycoreutils-2.4-21.fc23

- policycoreutils-gui requires python-slip-dbus (#1314685)

make-rhat-patches.sh

@@ -2,7 +2,7 @@
 
 POLICYCOREUTILS_VERSION=2.4
 SEPOLGEN_VERSION=1.2.2
-BRANCH=master
+BRANCH=f23
 
 REBASEDIR=`mktemp -d rebase.XXXXXX`
 pushd $REBASEDIR

policycoreutils-rhat.patch

@@ -1358,7 +1358,7 @@ index 37c1472..9854fb2 100644
                <packing>
                  <property name="expand">False</property>
 diff --git a/policycoreutils-2.4/gui/polgengui.py b/policycoreutils-2.4/gui/polgengui.py
-index 0f0e564..1b88c47 100644
+index 0f0e564..ac8f78f 100644
 --- a/policycoreutils-2.4/gui/polgengui.py
 +++ b/policycoreutils-2.4/gui/polgengui.py
 @@ -30,29 +30,15 @@ import gnome
@@ -1445,6 +1445,15 @@ index 0f0e564..1b88c47 100644
              self.error(e.message)
  
      def delete(self, args):
+@@ -668,7 +654,7 @@ class childWindow:
+                     entry.set_text("")
+                     return False
+             if name in self.all_modules:
+-                if self.verify(_("Module %s.pp already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
++                if self.verify(_("Module %s already loaded in current policy.\nDo you want to continue?") % name, _("Verify Name")) == gtk.RESPONSE_NO:
+                     entry.set_text("")
+                     return False
+ 
 @@ -687,7 +673,7 @@ class childWindow:
          try:
              generate.verify_ports(self.in_tcp_entry.get_text())
@@ -2186,6 +2195,32 @@ index b863346..d994891 100644
  		// default attribute to be used to mimic gen_require in CIL
  		rc = generate_gen_require_attribute();
  		if (rc != 0) {
+diff --git a/policycoreutils-2.4/newrole/newrole.1 b/policycoreutils-2.4/newrole/newrole.1
+index c47bc52..96cdd14 100644
+--- a/policycoreutils-2.4/newrole/newrole.1
++++ b/policycoreutils-2.4/newrole/newrole.1
+@@ -8,6 +8,7 @@ newrole \- run a shell with a new SELinux role
+ [\fB-t\fR|\fB--type\fR]
+ \fITYPE\fR
+ [\fB-l\fR|\fB--level\fR]
++[\fB-p\fR|\fB--preserve-environment\fR]
+ \fILEVEL\fR [-- [\fIARGS\fR]...]
+ .SH DESCRIPTION
+ .PP
+@@ -38,7 +39,12 @@ specified by
+ If
+ \fILEVEL\fR
+ is a range, the new context will have the sensitivity level and clearance
+-specified by that range.
++specified by that range.  If the
++.B -p
++or
++.B --preserve-environment
++option is specified, the shell with the new SELinux context will preserve environment variables,
++otherwise a new minimal enviroment is created.
+ .PP
+ Additional arguments
+ .I ARGS
 diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c
 index 94794e9..65a945d 100644
 --- a/policycoreutils-2.4/newrole/newrole.c
@@ -654841,7 +654876,7 @@ index b306041..16eb50b 100644
  msgid "Loss of data Dialog"
  msgstr ""
 diff --git a/policycoreutils-2.4/sandbox/sandbox b/policycoreutils-2.4/sandbox/sandbox
-index 3678c5d..5109eca 100644
+index 3678c5d..163afa0 100644
 --- a/policycoreutils-2.4/sandbox/sandbox
 +++ b/policycoreutils-2.4/sandbox/sandbox
 @@ -1,4 +1,4 @@
@@ -654941,7 +654976,17 @@ index 3678c5d..5109eca 100644
  
      def usage(self, message = ""):
             error_exit("%s\n%s" % (self.__parser.usage, message))
-@@ -431,8 +437,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -400,9 +406,6 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+            self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
+            self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
+     def __setup_dir(self):
+-           if self.__options.level or self.__options.session:
+-                  return
+-
+            if self.__options.homedir:
+                   selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
+                   self.__homedir = self.__options.homedir
+@@ -431,8 +434,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
                                  if self.__options.dpi:
                                         dpi = self.__options.dpi
                                  else:
@@ -654952,7 +654997,7 @@ index 3678c5d..5109eca 100644
  
                                  xmodmapfile = self.__homedir + "/.xmodmap"
                                  xd = open(xmodmapfile,"w")
-@@ -492,13 +498,13 @@ if __name__ == '__main__':
+@@ -492,13 +495,13 @@ if __name__ == '__main__':
      try:
             sandbox = Sandbox()
             rc = sandbox.main()
@@ -655297,6 +655342,104 @@ index 5c29eb9..db53c0b 100755
  
  UNDEFINED=`get_undefined_type` || exit $?
  UNLABELED=`get_unlabeled_type` || exit $?
+diff --git a/policycoreutils-2.4/secon/secon.1 b/policycoreutils-2.4/secon/secon.1
+index 3a8e0dd..a0ff795 100644
+--- a/policycoreutils-2.4/secon/secon.1
++++ b/policycoreutils-2.4/secon/secon.1
+@@ -69,6 +69,9 @@ gets the exec context from the specified process PID
+ \fB\-\-pid\-fs\fR
+ gets the fscreate context from the specified process PID
+ .TP
++\fB\-\-pid\-key\fR
++gets the key context from the specified process PID
++.TP
+ \fB\-\-current\fR, \fB\-\-self\fR
+ gets the context from the current process
+ .TP
+@@ -78,6 +81,9 @@ gets the exec context from the current process
+ \fB\-\-current\-fs\fR, \fB\-\-self\-fs\fR
+ gets the fscreate context from the current process
+ .TP
++\fB\-\-current\-key\fR, \fB\-\-self\-key\fR
++gets the key context from the current process
++.TP
+ \fB\-\-parent\fR
+ gets the context from the parent of the current process
+ .TP
+@@ -86,6 +92,9 @@ gets the exec context from the parent of the current process
+ .TP
+ \fB\-\-parent\-fs\fR
+ gets the fscreate context from the parent of the current process
++.TP
++\fB\-\-parent\-key\fR
++gets the key context from the parent of the current process
+ .PP
+ Additional argument
+ .I CONTEXT
+diff --git a/policycoreutils-2.4/secon/secon.c b/policycoreutils-2.4/secon/secon.c
+index ab4f7d0..134f4ee 100644
+--- a/policycoreutils-2.4/secon/secon.c
++++ b/policycoreutils-2.4/secon/secon.c
+@@ -77,33 +77,32 @@ static void usage(const char *name, int exit_code)
+ {
+ 	fprintf(exit_code ? stderr : stdout,
+ 		"  Usage: %s [-%s] [ context | - ]\n"
+-		"          --help        -h     Show this message.\n"
+-		"          --version     -V     Show the version.\n"
+-		"          --prompt      -P     Output in a format good for a prompt.\n"
+-		"          --user        -u     Show the user of the context.\n"
+-		"          --role        -r     Show the role of the context.\n"
+-		"          --type        -t     Show the type of the context.\n"
+-		"          --sensitivity -s     Show the sensitivity level of the context.\n"
+-		"          --clearance   -c     Show the clearance level of the context.\n"
+-		"          --mls-range   -m     Show the sensitivity to clearance range of \n"
+-		"                               the context.\n"
+-		"          --raw         -R     Show the context in \"raw\" format.\n"
+-		"          --color       -C     Output using ANSI color codes (requires -P).\n"
+-		"          --current            Get the context for the current process.\n"
+-		"          --self               Get the context for the current process.\n"
+-		"          --self-exec          Get the exec context for the current process.\n"
+-		"          --self-fs            Get the fs context for the current process.\n"
+-		"          --self-key           Get the key context for the current process.\n"
+-		"          --parent             Get the context for the parent process.\n"
+-		"          --parent-exec        Get the exec context for the parent process.\n"
+-		"          --parent-fs          Get the fs context for the parent process.\n"
+-		"          --parent-key         Get the key context for the parent process.\n"
+-		"          --pid       -p <arg> Use the context from the specified pid.\n"
+-		"          --pid-exec     <arg> Use the exec context from the specified pid.\n"
+-		"          --pid-fs       <arg> Use the fs context from the specified pid.\n"
+-		"          --pid-key      <arg> Use the key context from the specified pid.\n"
+-		"          --file      -f <arg> Use the context from the specified file.\n"
+-		"          --link      -L <arg> Use the context from the specified link.\n",
++		"          --help          -h            Show this message.\n"
++		"          --version       -V            Show the version.\n"
++		"          --prompt        -P            Output in a format good for a prompt.\n"
++		"          --user          -u            Show the user of the context.\n"
++		"          --role          -r            Show the role of the context.\n"
++		"          --type          -t            Show the type of the context.\n"
++		"          --sensitivity   -s            Show the sensitivity level of the context.\n"
++		"          --clearance     -c            Show the clearance level of the context.\n"
++		"          --mls-range     -m            Show the sensitivity to clearance range of \n"
++		"                                        the context.\n"
++		"          --raw           -R            Show the context in \"raw\" format.\n"
++		"          --color         -C            Output using ANSI color codes (requires -P).\n"
++		"          --current,      --self        Get the context for the current process.\n"
++		"          --current-exec, --self-exec   Get the exec context for the current process.\n"
++		"          --current-fs,   --self-fs     Get the fs context for the current process.\n"
++		"          --current-key,  --self-key    Get the key context for the current process.\n"
++		"          --parent                      Get the context for the parent process.\n"
++		"          --parent-exec                 Get the exec context for the parent process.\n"
++		"          --parent-fs                   Get the fs context for the parent process.\n"
++		"          --parent-key                  Get the key context for the parent process.\n"
++		"          --pid           -p <arg>      Use the context from the specified pid.\n"
++		"          --pid-exec      <arg>         Use the exec context from the specified pid.\n"
++		"          --pid-fs        <arg>         Use the fs context from the specified pid.\n"
++		"          --pid-key       <arg>         Use the key context from the specified pid.\n"
++		"          --file          -f <arg>      Use the context from the specified file.\n"
++		"          --link          -L <arg>      Use the context from the specified link.\n",
+ 		name, SECON_OPTS_SM);
+ 
+ 	exit(exit_code);
 diff --git a/policycoreutils-2.4/semanage/Makefile b/policycoreutils-2.4/semanage/Makefile
 index 60c36a3..84b01a1 100644
 --- a/policycoreutils-2.4/semanage/Makefile
@@ -655456,7 +655599,7 @@ index 0000000..e2befdb
 +      packages=["policycoreutils"],
 +)
 diff --git a/policycoreutils-2.4/semanage/semanage b/policycoreutils-2.4/semanage/semanage
-index dd63010..7fd02ed 100644
+index dd63010..852fecf 100644
 --- a/policycoreutils-2.4/semanage/semanage
 +++ b/policycoreutils-2.4/semanage/semanage
 @@ -1,4 +1,4 @@
@@ -655678,7 +655821,37 @@ index dd63010..7fd02ed 100644
  
  def setupBooleanParser(subparsers):
      generated_usage = generate_custom_usage(usage_boolean, usage_boolean_dict)
-@@ -670,11 +684,11 @@ def setupDontauditParser(subparsers):
+@@ -632,12 +646,17 @@ def handlePermissive(args):
+     OBJECT = object_dict['permissive']()
+     OBJECT.set_reload(args.noreload)
+ 
+-    if args.action is "add":
+-        OBJECT.add(args.type)
+     if args.action is "list":
+         OBJECT.list(args.noheading)
+-    if args.action is "delete":
+-        OBJECT.delete(args.type)
++    elif args.type != None:
++        if args.action is "add":
++            OBJECT.add(args.type)
++        if args.action is "delete":
++            OBJECT.delete(args.type)
++    else:
++        args.parser.print_usage(sys.stderr)
++        sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n'))
++        sys.exit(1)
+ 
+ def setupPermissiveParser(subparsers):
+     permissiveParser = subparsers.add_parser('permissive', help=_('Manage process type enforcement mode'))
+@@ -654,6 +673,7 @@ def setupPermissiveParser(subparsers):
+     parser_add_store(permissiveParser, "permissive")
+     permissiveParser.add_argument('type', nargs='?', default=None, help=_('type'))
+     permissiveParser.set_defaults(func=handlePermissive)
++    permissiveParser.set_defaults(parser=permissiveParser)
+ 
+ def handleDontaudit(args):
+     OBJECT = object_dict['dontaudit']()
+@@ -670,11 +690,11 @@ def setupDontauditParser(subparsers):
  def handleExport(args):
      manageditems=[ "boolean", "login", "interface", "user", "port", "node", "fcontext", "module"]
      for i in manageditems:
@@ -655692,7 +655865,7 @@ index dd63010..7fd02ed 100644
  
      sys.exit(0)
  
-@@ -743,10 +757,10 @@ def handleImport(args):
+@@ -743,10 +763,10 @@ def handleImport(args):
              commandParser = createCommandParser()
              args = commandParser.parse_args(mkargv(l))
              args.func(args)
@@ -655705,7 +655878,7 @@ index dd63010..7fd02ed 100644
              sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
              sys.exit(1)
          except KeyboardInterrupt:
-@@ -764,11 +778,11 @@ def setupImportParser(subparsers):
+@@ -764,11 +784,11 @@ def setupImportParser(subparsers):
  
  def createCommandParser():
      commandParser = seParser(prog='semanage',
@@ -655722,7 +655895,7 @@ index dd63010..7fd02ed 100644
      #To add a new subcommand define the parser for it in a function above and call it here.
      subparsers = commandParser.add_subparsers(dest='subcommand')
      setupImportParser(subparsers)
-@@ -788,7 +802,7 @@ def createCommandParser():
+@@ -788,7 +808,7 @@ def createCommandParser():
  
  def make_io_args(args):
      # import/export backward compability
@@ -655731,7 +655904,7 @@ index dd63010..7fd02ed 100644
      args_file = []
      args_ie = []
      args_subcommand = []
-@@ -808,6 +822,8 @@ def make_io_args(args):
+@@ -808,6 +828,8 @@ def make_io_args(args):
      return args_subcommand+args_ie+args_file
  
  def make_args(sys_args):
@@ -655740,7 +655913,7 @@ index dd63010..7fd02ed 100644
      args = []
      if "-o" in sys_args[1:] or "-i" in sys_args[1:]:
          args=make_io_args(sys_args[1:])
-@@ -822,21 +838,21 @@ def do_parser():
+@@ -822,21 +844,21 @@ def do_parser():
          args = commandParser.parse_args(make_args(sys.argv))
          args.func(args)
          sys.exit(0)
@@ -658706,7 +658879,7 @@ index 458a4d2..b6088af 100644
 +    except dbus.DBusException as e:
 +        print(e)
 diff --git a/policycoreutils-2.4/sepolicy/selinux_server.py b/policycoreutils-2.4/sepolicy/selinux_server.py
-index e94c38f..671be1a 100644
+index e94c38f..6e8d9b2 100644
 --- a/policycoreutils-2.4/sepolicy/selinux_server.py
 +++ b/policycoreutils-2.4/sepolicy/selinux_server.py
 @@ -1,9 +1,9 @@
@@ -658721,7 +658894,7 @@ index e94c38f..671be1a 100644
  import slip.dbus.service
  from slip.dbus import polkit
  import os
-@@ -18,7 +18,7 @@ class selinux_server(slip.dbus.service.Object):
+@@ -18,45 +18,45 @@ class selinux_server(slip.dbus.service.Object):
      #
      # The semanage method runs a transaction on a series of semanage commands,
      # these commnds can take the output of customized
@@ -658730,7 +658903,9 @@ index e94c38f..671be1a 100644
      @slip.dbus.polkit.require_auth("org.selinux.semanage")
      @dbus.service.method("org.selinux", in_signature='s')
      def semanage(self, buf):
-@@ -27,10 +27,10 @@ class selinux_server(slip.dbus.service.Object):
+-        p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE)
++        p = Popen(["/usr/sbin/semanage", "import"],stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
+         p.stdin.write(buf)
          output = p.communicate()
          if p.returncode and p.returncode != 0:
              raise dbus.exceptions.DBusException(output[1])
@@ -658743,16 +658918,29 @@ index e94c38f..671be1a 100644
      # another server to make the two systems have duplicate policy.
      #
      @slip.dbus.polkit.require_auth("org.selinux.customized")
-@@ -42,7 +42,7 @@ class selinux_server(slip.dbus.service.Object):
+     @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+     def customized(self):
+-        p = Popen(["/usr/sbin/semanage", "export"],stdout=PIPE, stderr=PIPE)
++        p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
          if p.returncode and p.returncode != 0:
              raise OSError("Failed to read SELinux configuration: %s", output)
          return buf
 -
 +        
      #
-     # The semodule_list method will return the output of semodule -l, using the customized polkit,
+-    # The semodule_list method will return the output of semodule -l, using the customized polkit,
++    # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
      # since this is a readonly behaviour
-@@ -56,7 +56,7 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
+     @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+     def semodule_list(self):
+-        p = Popen(["/usr/sbin/semodule", "-l"],stdout=PIPE, stderr=PIPE)
++        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
          if p.returncode and p.returncode != 0:
              raise OSError("Failed to list SELinux modules: %s", output)
          return buf
@@ -658883,7 +659071,7 @@ index 2e67456..0c5f998 100644
  .B sepolicy generate \-\-cgi [\-n NAME] command [\-w WRITE_PATH ]
  .br
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy.py b/policycoreutils-2.4/sepolicy/sepolicy.py
-index 74fb347..50c10d0 100755
+index 74fb347..ec02fb2 100755
 --- a/policycoreutils-2.4/sepolicy/sepolicy.py
 +++ b/policycoreutils-2.4/sepolicy/sepolicy.py
 @@ -1,4 +1,4 @@
@@ -659175,8 +659363,18 @@ index 74fb347..50c10d0 100755
      group.add_argument("--admin_user", dest="policytype", const=AUSER,
                         action="store_const",
                         help=_("Generate '%s' policy") % poltype[AUSER])
-@@ -642,12 +646,12 @@ if __name__ == '__main__':
-             args = parser.parse_args()
+@@ -637,17 +641,20 @@ if __name__ == '__main__':
+ 
+     try:
+         if os.path.basename(sys.argv[0]) == "sepolgen":
+-            args = parser.parse_args([ "generate" ] + sys.argv[1:])
++            parser_args = [ "generate" ] + sys.argv[1:]
++        elif len(sys.argv) > 1:
++            parser_args = sys.argv[1:]
+         else:
+-            args = parser.parse_args()
++            parser_args = ["-h"]
++        args = parser.parse_args(args=parser_args)
          args.func(args)
          sys.exit(0)
 -    except ValueError,e:
@@ -659192,7 +659390,7 @@ index 74fb347..50c10d0 100755
 +        print("Out")
          sys.exit(0)
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
-index 679725d..2e1bfec 100644
+index 679725d..7499c1c 100644
 --- a/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
 +++ b/policycoreutils-2.4/sepolicy/sepolicy/__init__.py
 @@ -1,25 +1,30 @@
@@ -659325,7 +659523,7 @@ index 679725d..2e1bfec 100644
  
 +def get_all_modules():
 +    all_modules = []
-+    cmd = "semodule -l 2>/dev/null"
++    cmd = "semodule --list=full 2>/dev/null"
 +    try:
 +        output = subprocess.check_output(cmd,
 +                                         stderr=subprocess.STDOUT,
@@ -659338,7 +659536,7 @@ index 679725d..2e1bfec 100644
 +
 +    for i in l:
 +        if len(i):
-+            all_modules.append(i.split()[0])
++            all_modules.append(i.split()[1])
 +            
 +    return all_modules
 +
@@ -659353,7 +659551,7 @@ index 679725d..2e1bfec 100644
 +            fd.close()
 +            modules = modules[0].split(" ")[:-1]
 +            for m in modules:
-+                mod_temp.append(m[:-3])
++                mod_temp.append(m)
 +            all_modules.extend(mod_temp)
 +            mod_temp = []
 +        except:
@@ -659665,7 +659863,7 @@ index 9b9a09a..b99b6d4 100755
      return tlist
  
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy/generate.py b/policycoreutils-2.4/sepolicy/sepolicy/generate.py
-index 6b53035..a06c6c4 100644
+index 6b53035..f222bc3 100644
 --- a/policycoreutils-2.4/sepolicy/sepolicy/generate.py
 +++ b/policycoreutils-2.4/sepolicy/sepolicy/generate.py
 @@ -1,4 +1,4 @@
@@ -660871,7 +661069,7 @@ index 6b53035..a06c6c4 100644
  
 -                for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
 -                    for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
-+                pkg_basename = dnf.rpm.miscutils.splitFilename(pkg.sourcerpm)[0]
++                pkg_basename = '-'.join(pkg.sourcerpm.split('-')[0:-2])
 +                for bpkg in installed.filter(name=pkg_basename):
 +                    for fname in bpkg.files:
                          for b in self.DEFAULT_DIRS:
@@ -660927,7 +661125,7 @@ index 6b53035..a06c6c4 100644
              out += "%s # %s\n" % (self.write_te(out_dir), _("Type Enforcement file"))
              out += "%s # %s\n" % (self.write_if(out_dir), _("Interface file"))
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy/gui.py b/policycoreutils-2.4/sepolicy/sepolicy/gui.py
-index 5ca87b9..4437d9e 100644
+index 5ca87b9..23a6c33 100644
 --- a/policycoreutils-2.4/sepolicy/sepolicy/gui.py
 +++ b/policycoreutils-2.4/sepolicy/sepolicy/gui.py
 @@ -1,4 +1,4 @@
@@ -661103,6 +661301,18 @@ index 5ca87b9..4437d9e 100644
                 "on_info_button_button_press_event" : self.on_help_button,
                 "on_back_button_clicked" : self.on_help_back_clicked,
                 "on_forward_button_clicked" : self.on_help_forward_clicked,
+@@ -668,9 +663,9 @@ class SELinuxGui():
+         self.module_dict = {}
+         for m in self.dbus.semodule_list().split("\n"):
+             mod = m.split()
+-            if len(mod) < 2:
++            if len(mod) < 3:
+                 continue
+-            self.module_dict[mod[0]] = { "version": mod[1], "Disabled" : (len(mod) > 2) }
++            self.module_dict[mod[1]] = { "priority": mod[0], "Disabled" : (len(mod) > 3) }
+ 
+         self.enable_unconfined_button.set_active(not self.module_dict["unconfined"]["Disabled"])
+         self.enable_permissive_button.set_active(not self.module_dict["permissivedomains"]["Disabled"])
 @@ -703,7 +698,7 @@ class SELinuxGui():
  
      def match_func(self, completion, key_string, iter, func_data):
@@ -661265,16 +661475,21 @@ index 5ca87b9..4437d9e 100644
              self.modify_button.set_tooltip_text(_("Modify port definitions to which the '%(APP)s' domain is allowed to %(PERM)s.") % {"APP": self.application, "PERM": category})
  
          if self.transitions_radio_button.get_active():
-@@ -1441,7 +1436,7 @@ class SELinuxGui():
+@@ -1440,8 +1435,12 @@ class SELinuxGui():
+     def stripsort(self, model, row1, row2, user_data):
          sort_column, _ = model.get_sort_column_id()
          val1 = self.unmarkup(model.get_value(row1, sort_column))
++        if val1 is None:
++            val1 = ""
          val2 = self.unmarkup(model.get_value(row2, sort_column))
 -        return cmp(val1,val2)
++        if val2 is None:
++            val2 = ""
 +        return (val1 > val2) - (val1 < val2)
  
      def display_more_detail(self, windows, path):
          it = self.boolean_filter.get_iter(path)
-@@ -1627,7 +1622,7 @@ class SELinuxGui():
+@@ -1627,7 +1626,7 @@ class SELinuxGui():
          self.files_type_combolist.clear()
          self.files_class_combolist.clear()
          compare = self.strip_domain(self.application)
@@ -661283,7 +661498,7 @@ index 5ca87b9..4437d9e 100644
              if d[0].startswith(compare) and d[0] != self.application and not d[0].startswith("httpd_sys"):
                  exclude_list.append(self.strip_domain(d[0]))
  
-@@ -1638,7 +1633,7 @@ class SELinuxGui():
+@@ -1638,7 +1637,7 @@ class SELinuxGui():
                  self.files_class_combolist.set_value(iter, 0, sepolicy.file_type_str[files])
  
              if ipage == EXE_PAGE and self.entrypoints != None:
@@ -661292,7 +661507,7 @@ index 5ca87b9..4437d9e 100644
                      if exe.startswith(compare):
                          iter = self.files_type_combolist.append()
                          self.files_type_combolist.set_value(iter, 0, exe)
-@@ -1648,7 +1643,7 @@ class SELinuxGui():
+@@ -1648,7 +1647,7 @@ class SELinuxGui():
                  self.files_class_combobox.set_sensitive(False)
  
              elif ipage == WRITABLE_PAGE and self.writable_files != None:
@@ -661301,7 +661516,7 @@ index 5ca87b9..4437d9e 100644
                      if write.startswith(compare) and not self.exclude_type(write, exclude_list) and write in self.file_types:
                          iter = self.files_type_combolist.append()
                          self.files_type_combolist.set_value(iter, 0, write)
-@@ -1665,7 +1660,7 @@ class SELinuxGui():
+@@ -1665,7 +1664,7 @@ class SELinuxGui():
                          self.more_types_files_liststore.set_value(iter, 0, app)
                  self.files_class_combobox.set_active(0)
          except AttributeError:
@@ -661310,7 +661525,7 @@ index 5ca87b9..4437d9e 100644
              pass
          self.files_type_combobox.set_active(0)
          self.files_mls_entry.set_text("s0")
-@@ -1706,13 +1701,13 @@ class SELinuxGui():
+@@ -1706,13 +1705,13 @@ class SELinuxGui():
  
          try:
              if ipage == OUTBOUND_PAGE:
@@ -661328,7 +661543,7 @@ index 5ca87b9..4437d9e 100644
                  for t,ports in netd[k]:
                      if t not in port_types + ["port_t", "unreserved_port_t"]:
                          if t.endswith("_type"):
-@@ -1807,7 +1802,7 @@ class SELinuxGui():
+@@ -1807,7 +1806,7 @@ class SELinuxGui():
              self.wait_mouse()
              try:
                  self.dbus.semanage(update_buffer)
@@ -661337,7 +661552,7 @@ index 5ca87b9..4437d9e 100644
                  self.error(e)
              self.ready_mouse()
  
-@@ -1885,7 +1880,7 @@ class SELinuxGui():
+@@ -1885,7 +1884,7 @@ class SELinuxGui():
          tree.set_value(iter, 2, fclass)
  
      def restore_to_default(self, *args):
@@ -661346,7 +661561,7 @@ index 5ca87b9..4437d9e 100644
  
      def invalid_entry_retry(self, *args):
          self.closewindow(self.error_check_window)
-@@ -2138,7 +2133,7 @@ class SELinuxGui():
+@@ -2138,7 +2137,7 @@ class SELinuxGui():
  
      def on_save_delete_file_equiv_clicked(self, *args):
          for delete in self.files_delete_liststore:
@@ -661355,7 +661570,7 @@ index 5ca87b9..4437d9e 100644
  
      def on_toggle_update(self, cell, path, model):
          model[path][0] = not model[path][0]
-@@ -2180,7 +2175,6 @@ class SELinuxGui():
+@@ -2180,7 +2179,6 @@ class SELinuxGui():
          self.update = True
          self.update_treestore.clear()
          for bools in self.cur_dict["boolean"]:
@@ -661363,7 +661578,7 @@ index 5ca87b9..4437d9e 100644
              iter = self.update_treestore.append(None)
              self.update_treestore.set_value(iter, 0, True)
              self.update_treestore.set_value(iter, 1,  sepolicy.boolean_desc(bools))
-@@ -2411,8 +2405,11 @@ class SELinuxGui():
+@@ -2411,8 +2409,11 @@ class SELinuxGui():
          cur = selinux.getfilecon(path)[1].split(":")[2]
          con = selinux.matchpathcon(path,0)[1].split(":")[2]
          if self.verify(_("Run restorecon on %(PATH)s to change its type from %(CUR_CONTEXT)s to the default %(DEF_CONTEXT)s?") % {"PATH":path, "CUR_CONTEXT": cur, "DEF_CONTEXT": con}, title="restorecon dialog") == Gtk.ResponseType.YES:
@@ -661377,7 +661592,7 @@ index 5ca87b9..4437d9e 100644
  
      def new_updates(self, *args):
          self.update_button.set_sensitive(self.modified())
-@@ -2446,8 +2443,8 @@ class SELinuxGui():
+@@ -2446,8 +2447,8 @@ class SELinuxGui():
          self.wait_mouse()
          try:
              self.dbus.semanage(update_buffer)
@@ -661388,7 +661603,7 @@ index 5ca87b9..4437d9e 100644
          self.ready_mouse()
          self.init_cur()
  
-@@ -2541,34 +2538,7 @@ class SELinuxGui():
+@@ -2541,34 +2542,7 @@ class SELinuxGui():
          self.network_mls_label.set_visible(advanced)
          self.network_mls_entry.set_visible(advanced)
  
@@ -661424,7 +661639,7 @@ index 5ca87b9..4437d9e 100644
          if label.get_text() == ADVANCED_SEARCH_LABEL[1]:
              label.set_text(ADVANCED_SEARCH_LABEL[0])
              self.close_popup()
-@@ -2576,25 +2546,6 @@ class SELinuxGui():
+@@ -2576,25 +2550,6 @@ class SELinuxGui():
              label.set_text(ADVANCED_SEARCH_LABEL[1])
              self.show_popup(self.advanced_search_window)
  
@@ -661450,7 +661665,7 @@ index 5ca87b9..4437d9e 100644
      def set_enforce_text(self, value):
          if value:
             self.status_bar.push(self.context_id, _("System Status: Enforcing"))
-@@ -2603,8 +2554,14 @@ class SELinuxGui():
+@@ -2603,8 +2558,14 @@ class SELinuxGui():
          self.current_status_permissive.set_active(True)
  
      def set_enforce(self, button):
@@ -661467,7 +661682,7 @@ index 5ca87b9..4437d9e 100644
  
      def on_browse_select(self, *args):
          filename = self.file_dialog.get_filename()
-@@ -2664,16 +2621,22 @@ class SELinuxGui():
+@@ -2664,16 +2625,22 @@ class SELinuxGui():
              self.system_policy_type_combobox.set_active(self.typeHistory)
              return None
  
@@ -661494,7 +661709,7 @@ index 5ca87b9..4437d9e 100644
  
      def import_config_show(self, *args):
          self.file_dialog.set_action(Gtk.FileChooserAction.OPEN)
-@@ -2730,7 +2693,7 @@ class SELinuxGui():
+@@ -2730,7 +2697,7 @@ class SELinuxGui():
              return
          try:
              self.dbus.relabel_on_boot(active)
@@ -661503,7 +661718,7 @@ index 5ca87b9..4437d9e 100644
              self.error(e)
  
      def closewindow(self, window, *args):
-@@ -2816,10 +2779,13 @@ class SELinuxGui():
+@@ -2816,10 +2783,13 @@ class SELinuxGui():
          if not self.finish_init:
              return
          self.wait_mouse()
@@ -661522,7 +661737,7 @@ index 5ca87b9..4437d9e 100644
  
      def confirmation_close(self, button, *args):
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy/interface.py b/policycoreutils-2.4/sepolicy/sepolicy/interface.py
-index bbabb3b..29370ee 100644
+index bbabb3b..cc1260e 100644
 --- a/policycoreutils-2.4/sepolicy/sepolicy/interface.py
 +++ b/policycoreutils-2.4/sepolicy/sepolicy/interface.py
 @@ -1,4 +1,4 @@
@@ -661586,7 +661801,7 @@ index bbabb3b..29370ee 100644
              sys.stderr.write("%s: %s\n" % (e.__class__.__name__, str(e)))
              sys.exit(1)
      else:
-@@ -115,12 +119,20 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
+@@ -115,12 +119,19 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
      global interface_dict
      import os
      import xml.etree.ElementTree
@@ -661598,16 +661813,15 @@ index bbabb3b..29370ee 100644
      interface_dict = {}
      param_list = []
  
-+    if get_all_modules_from_mod_lst():
-+        active_modules = get_all_modules_from_mod_lst()
-+    else:
++    active_modules = get_all_modules_from_mod_lst()
++    if active_modules is None:
 +        print((_("Using only non-base modules.")))
 +        active_modules = get_all_modules()
 +
      xml_path = """<?xml version="1.0" encoding="ISO-8859-1" standalone="no"?>
  <policy>
  <layer name="admin">
-@@ -138,17 +150,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
+@@ -138,17 +149,18 @@ def get_interface_dict(path="/usr/share/selinux/devel/policy.xml"):
              tree = xml.etree.ElementTree.fromstring(xml_path)
          for l in tree.findall("layer"):
              for m in l.findall("module"):
@@ -661637,7 +661851,7 @@ index bbabb3b..29370ee 100644
          pass
      return interface_dict
  
-@@ -159,7 +172,7 @@ def get_interface_format_text(interface,path = "/usr/share/selinux/devel/policy.
+@@ -159,7 +171,7 @@ def get_interface_format_text(interface,path = "/usr/share/selinux/devel/policy.
      return interface_text
  
  def get_interface_compile_format_text(interfaces_dict, interface):
@@ -661646,7 +661860,7 @@ index bbabb3b..29370ee 100644
      param_tmp = []
      for i in interfaces_dict[interface][0]:
          param_tmp.append(test_module.dict_values[i])
-@@ -168,7 +181,7 @@ def get_interface_compile_format_text(interfaces_dict, interface):
+@@ -168,7 +180,7 @@ def get_interface_compile_format_text(interfaces_dict, interface):
      return interface_text
  
  def generate_compile_te(interface, idict, name="compiletest"):
@@ -661655,7 +661869,7 @@ index bbabb3b..29370ee 100644
      te = ""
      te += re.sub("TEMPLATETYPE", name, test_module.te_test_module )
      te += get_interface_compile_format_text(idict,interface)
-@@ -177,39 +190,45 @@ def generate_compile_te(interface, idict, name="compiletest"):
+@@ -177,39 +189,45 @@ def generate_compile_te(interface, idict, name="compiletest"):
  
  def get_xml_file(if_file):
      """ Returns xml format of interfaces for given .if policy file"""
@@ -663409,7 +663623,7 @@ index c6645ef..8965795 100644
 +    except dbus.DBusException as e:
 +        print (e)
 diff --git a/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade b/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade
-index 1275c7f..b848baa 100644
+index 1275c7f..83822dd 100644
 --- a/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade
 +++ b/policycoreutils-2.4/sepolicy/sepolicy/sepolicy.glade
 @@ -2,7 +2,7 @@
@@ -663482,6 +663696,15 @@ index 1275c7f..b848baa 100644
                          <property name="xalign">0.5</property>
                          <property name="draw_indicator">True</property>
                          <signal name="toggled" handler="on_make_path_recursive_toggled" swapped="no"/>
+@@ -1061,7 +1043,7 @@
+               <object class="GtkImage" id="help_image">
+                 <property name="visible">True</property>
+                 <property name="can_focus">False</property>
+-                <property name="pixbuf">images/booleans.png</property>
++                <property name="pixbuf">help/booleans.png</property>
+               </object>
+               <packing>
+                 <property name="expand">False</property>
 @@ -2948,7 +2930,7 @@ Enabled</property>
                                      <property name="tooltip_text" translatable="yes">Executables which will transition to a different domain, when the 'selected domain' executes them.</property>
                                      <property name="xpad">1</property>

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.4
-Release: 14%{?dist}
+Release: 21%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
 # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
-# HEAD https://github.com/fedora-selinux/selinux/commit/e4cbbd53b5639def20ae09f3db44afa4691c7460
+# HEAD https://github.com/fedora-selinux/selinux/commit/84b2132f7671a03512faa81c19f6e9f8cd4e9023
 Patch:	 policycoreutils-rhat.patch
 Patch1:  sepolgen-rhat.patch
 Patch100: policycoreutils-fix-semanage-python3.patch
@@ -290,10 +290,10 @@ or level of a logged in user.
 %package gui
 Summary: SELinux configuration GUI
 Group: System Environment/Base
-Requires: policycoreutils-devel = %{version}-%{release}
+Requires: policycoreutils-devel = %{version}-%{release}, policycoreutils-python = %{version}-%{release}
 Requires: gnome-python2 gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas
 Requires: usermode-gtk
-Requires: python >= 2.6
+Requires: python >= 2.6, python-slip-dbus
 BuildRequires: desktop-file-utils
 
 %description gui
@@ -404,6 +404,31 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Sat Mar 05 2016 Petr Lautrbach <plautrba@redhat.com> 2.4-21
+- policycoreutils-gui requires python-slip-dbus (#1314685)
+
+* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.4-20
+- sepolicy: don't use dnf.rpm.miscutils.splitFilename (#1309868)
+
+* Fri Feb 19 2016 Petr Lautrbach <plautrba@redhat.com> 2.4-19
+- sepolgen: Fix spelling mistake in audit2allow (#129422)
+- Improve newrole and secon man pages
+
+* Mon Dec 14 2015 Petr Lautrbach <plautrba@redhat.com> - 2.4-18
+- Fix 'semanage permissive -l' subcommand (#1286325)
+- Several 'sepolicy gui' fixes (#1281309,#1281309,#1282382)
+
+* Tue Nov 17 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-17
+- Require at least one argument for 'semanage permissive -d' (#1255676)
+
+* Mon Nov 16 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-16
+- Improve sepolicy command line interface
+- Fix sandbox to propagate specified MCS/MLS Security Level. (#1279006)
+- Fix 'audit2allow -R' (#1280418)
+
+* Mon Nov 09 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-15
+- policycoreutils-gui needs policycoreutils-python (#1279046)
+
 * Thu Oct 08 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-14
 - Revert the attempt to port -gui to GTK 3 (#1269328, #1266059)
 

sepolgen-rhat.patch

@@ -977,10 +977,10 @@ index 739452d..7a83aee 100644
              comment = refpolicy.Comment()
              comment.lines.append("============= ROLES ==============")
 diff --git a/sepolgen-1.2.2/src/sepolgen/policygen.py b/sepolgen-1.2.2/src/sepolgen/policygen.py
-index 5f38577..89366df 100644
+index 5f38577..f374132 100644
 --- a/sepolgen-1.2.2/src/sepolgen/policygen.py
 +++ b/sepolgen-1.2.2/src/sepolgen/policygen.py
-@@ -24,17 +24,20 @@ classes and algorithms for the generation of SELinux policy.
+@@ -24,17 +24,18 @@ classes and algorithms for the generation of SELinux policy.
  import itertools
  import textwrap
  
@@ -1001,12 +1001,10 @@ index 5f38577..89366df 100644
 +from . import interfaces
 +from . import matching
 +from . import util
-+if util.PY3:
-+    from .util import cmp
  # Constants for the level of explanation from the generation
  # routines
  NO_EXPLANATION    = 0
-@@ -81,8 +84,9 @@ class PolicyGenerator:
+@@ -81,8 +82,9 @@ class PolicyGenerator:
              self.module = refpolicy.Module()
  
          self.dontaudit = False
@@ -1017,7 +1015,7 @@ index 5f38577..89366df 100644
      def set_gen_refpol(self, if_set=None, perm_maps=None):
          """Set whether reference policy interfaces are generated.
  
-@@ -152,6 +156,18 @@ class PolicyGenerator:
+@@ -152,6 +154,18 @@ class PolicyGenerator:
          """Return the generated module"""
          return self.module
  
@@ -1036,7 +1034,7 @@ index 5f38577..89366df 100644
      def __add_allow_rules(self, avs):
          for av in avs:
              rule = refpolicy.AVRule(av)
-@@ -160,6 +176,34 @@ class PolicyGenerator:
+@@ -160,6 +174,34 @@ class PolicyGenerator:
              rule.comment = ""
              if self.explain:
                  rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
@@ -1063,7 +1061,7 @@ index 5f38577..89366df 100644
 +                    comp = ""
 +                rule.comment += "\n#!!!! WARNING '%s' is not allowed to write or create to %s.  Change the label to %s." % ("".join(base_type[2]), "".join(base_type[1]), "".join(base_type[0]))
 +                if av.obj_path != "":
-+                    rule.comment += "\n#!!!! $ semange fcontext -a -t %s %s%s   \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
++                    rule.comment += "\n#!!!! $ semanage fcontext -a -t %s %s%s   \n#!!!! $ restorecon -R -v %s" % ("".join(base_type[0]), "".join(av.obj_path), "".join(comp) ,"".join(av.obj_path))
 +
 +            self.__restore_label(av)
 +            if self.mislabled is not None and av.type != audit2why.ALLOW:
@@ -1071,7 +1069,7 @@ index 5f38577..89366df 100644
              if av.type == audit2why.ALLOW:
                  rule.comment += "\n#!!!! This avc is allowed in the current policy"
              if av.type == audit2why.DONTAUDIT:
-@@ -167,14 +211,14 @@ class PolicyGenerator:
+@@ -167,14 +209,14 @@ class PolicyGenerator:
  
              if av.type == audit2why.BOOLEAN:
                  if len(av.data) > 1:
@@ -1088,7 +1086,7 @@ index 5f38577..89366df 100644
                  for reason in av.data[1:]:
                      rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason
  
-@@ -186,7 +230,7 @@ class PolicyGenerator:
+@@ -186,7 +228,7 @@ class PolicyGenerator:
                          self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
                      types=[]
  
@@ -1097,7 +1095,24 @@ index 5f38577..89366df 100644
                          if i not in self.domains:
                              types.append(i)
                      if len(types) == 1:
-@@ -296,7 +340,7 @@ def call_interface(interface, av):
+@@ -275,15 +317,12 @@ def explain_access(av, ml=None, verbosity=SHORT_EXPLANATION):
+         explain_interfaces()
+     return s
+ 
+-def param_comp(a, b):
+-    return cmp(b.num, a.num)
+-
+ def call_interface(interface, av):
+     params = []
+     args = []
+ 
+     params.extend(interface.params.values())
+-    params.sort(param_comp)
++    params.sort(key=lambda param: param.num, reverse=True)
+ 
+     ifcall = refpolicy.InterfaceCall()
+     ifcall.ifname = interface.name
+@@ -296,7 +335,7 @@ def call_interface(interface, av):
          elif params[i].type == refpolicy.OBJ_CLASS:
              ifcall.args.append(av.obj_class)
          else:
@@ -1106,6 +1121,15 @@ index 5f38577..89366df 100644
              assert(0)
  
      assert(len(ifcall.args) > 0)
+@@ -318,7 +357,7 @@ class InterfaceGenerator:
+         for x in ifs.interfaces.values():
+             params = []
+             params.extend(x.params.values())
+-            params.sort(param_comp)
++            params.sort(key=lambda param: param.num, reverse=True)
+             for i in range(len(params)):
+                 # Check that the paramater position matches
+                 # the number (e.g., $1 is the first arg). This
 diff --git a/sepolgen-1.2.2/src/sepolgen/refparser.py b/sepolgen-1.2.2/src/sepolgen/refparser.py
 index b453a29..f5ff19c 100644
 --- a/sepolgen-1.2.2/src/sepolgen/refparser.py