SELinux userspace 3.3 release

The policycoreutils-devel package is used not only for working with an
installed policy, but also for building the policy from sources. In the
latter case, there is no need to install selinux-policy-devel (and
selinux-policy along with it), so make the dependency conditional on
selinux-policy.

Since policy is often built from source in a mock chroot or a container,
this will avoid the awkward and unnecessary cyclic build dependency of
selinux-policy on itself.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>

.gitignore

@@ -322,3 +322,21 @@ policycoreutils-2.0.83.tgz
 /selinux-python-3.1.tar.gz
 /selinux-sandbox-3.1.tar.gz
 /semodule-utils-3.1.tar.gz
+/policycoreutils-3.2-rc1.tar.gz
+/restorecond-3.2-rc1.tar.gz
+/selinux-dbus-3.2-rc1.tar.gz
+/selinux-gui-3.2-rc1.tar.gz
+/selinux-python-3.2-rc1.tar.gz
+/selinux-sandbox-3.2-rc1.tar.gz
+/semodule-utils-3.2-rc1.tar.gz
+/policycoreutils-3.2-rc2.tar.gz
+/restorecond-3.2-rc2.tar.gz
+/selinux-dbus-3.2-rc2.tar.gz
+/selinux-gui-3.2-rc2.tar.gz
+/selinux-python-3.2-rc2.tar.gz
+/selinux-sandbox-3.2-rc2.tar.gz
+/semodule-utils-3.2-rc2.tar.gz
+/selinux-3.2.tar.gz
+/selinux-3.3-rc2.tar.gz
+/selinux-3.3-rc3.tar.gz
+/selinux-3.3.tar.gz

0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch

@@ -1,34 +0,0 @@
-From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
-From: "W. Michael Petullo" <mike@flyn.org>
-Date: Thu, 16 Jul 2020 15:29:20 -0500
-Subject: [PATCH] python/audit2allow: add #include <limits.h> to
- sepolgen-ifgen-attr-helper.c
-
-I found that building on OpenWrt/musl failed with:
-
-  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
-
-Musl is less "generous" than glibc in recursively including header
-files, and I suspect this is the reason for this error. Explicitly
-including limits.h fixes the problem.
-
-Signed-off-by: W. Michael Petullo <mike@flyn.org>
----
- python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-index 53f20818722a..f010c9584c1f 100644
---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
-+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-@@ -28,6 +28,7 @@
- 
- #include <selinux/selinux.h>
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/stat.h>
--- 
-2.29.0
-

0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,4 +1,4 @@
-From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
+From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.29.0
+2.32.0
 

0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,4 +1,4 @@
-From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
+From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,10 +9,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 3e8a3be907e3..a1d70623cff0 100755
+index 2f847abb87e2..dccd778ed4be 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -735,10 +735,13 @@ Default Defined Ports:""")
+@@ -737,10 +737,13 @@ Default Defined Ports:""")
  
      def _file_context(self):
          flist = []
@@ -26,9 +26,9 @@ index 3e8a3be907e3..a1d70623cff0 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
          if len(mpaths) == 0:
-@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  SELinux defines the file context types for the %(domainname)s, if you wanted to
- store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+ store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
  
 -.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
 +.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
@@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.29.0
+2.32.0
 

0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch

@@ -1,26 +0,0 @@
-From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Thu, 16 Jul 2020 14:22:13 +0200
-Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
- restorecond.desktop file
-
-This completely inactivate the .desktop file incase the user session is
-managed by systemd as restorecond also provide a service file
-
-Signed-off-by: Laurent Bigonville <bigon@bigon.be>
----
- restorecond/restorecond.desktop | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
-index af7286801c24..7df854727a3f 100644
---- a/restorecond/restorecond.desktop
-+++ b/restorecond/restorecond.desktop
-@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
- Type=Application
- StartupNotify=false
- X-GNOME-Autostart-enabled=false
-+X-GNOME-HiddenUnderSystemd=true
--- 
-2.29.0
-

0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,4 +1,4 @@
-From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
+From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,10 +9,10 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index a1d70623cff0..2d33eabb2536 100755
+index dccd778ed4be..81333928d552 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  .PP
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
@@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.29.0
+2.32.0
 

0003-fixfiles-correctly-restore-context-of-mountpoints.patch

@@ -1,136 +0,0 @@
-From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
-From: bauen1 <j2468h@googlemail.com>
-Date: Thu, 6 Aug 2020 16:48:36 +0200
-Subject: [PATCH] fixfiles: correctly restore context of mountpoints
-
-By bind mounting every filesystem we want to relabel we can access all
-files without anything hidden due to active mounts.
-
-This comes at the cost of user experience, because setfiles only
-displays the percentage if no path is given or the path is /
-
-Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
- policycoreutils/scripts/fixfiles.8 |  8 ++++++--
- 2 files changed, 31 insertions(+), 6 deletions(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5d7770348349..30dadb4f4cb6 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -112,6 +112,7 @@ FORCEFLAG=""
- RPMFILES=""
- PREFC=""
- RESTORE_MODE=""
-+BIND_MOUNT_FILESYSTEMS=""
- SETFILES=/sbin/setfiles
- RESTORECON=/sbin/restorecon
- FILESYSTEMSRW=`get_rw_labeled_mounts`
-@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
- 	if [ -n "${FILESYSTEMSRW}" ]; then
- 	    LogReadOnly
- 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
--	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+
-+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
-+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+	    else
-+	        # we bind mount so we can fix the labels of files that have already been
-+	        # mounted over
-+	        for m in `echo $FILESYSTEMSRW`; do
-+	            TMP_MOUNT="$(mktemp -d)"
-+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
-+
-+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
-+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
-+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
-+	            umount "${TMP_MOUNT}${m}" || exit 1
-+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
-+	        done;
-+	    fi
- 	else
- 	    echo >&2 "fixfiles: No suitable file systems found"
- 	fi
-@@ -313,6 +330,7 @@ case "$1" in
- 	> /.autorelabel || exit $?
- 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
- 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
-+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
- 	# Force full relabel if SELinux is not enabled
- 	selinuxenabled || echo -F > /.autorelabel
- 	echo "System will relabel on next boot"
-@@ -324,7 +342,7 @@ esac
- }
- usage() {
- 	echo $"""
--Usage: $0 [-v] [-F] [-f] relabel
-+Usage: $0 [-v] [-F] [-M] [-f] relabel
- or
- Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
- or
-@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
- or
- Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
- or
--Usage: $0 [-F] [-B] onboot
-+Usage: $0 [-F] [-M] [-B] onboot
- """
- }
- 
-@@ -353,7 +371,7 @@ set_restore_mode() {
- }
- 
- # See how we were called.
--while getopts "N:BC:FfR:l:v" i; do
-+while getopts "N:BC:FfR:l:vM" i; do
-     case "$i" in
- 	B)
- 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
-@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
- 		echo "Redirecting output to $OPTARG"
- 		exec >>"$OPTARG" 2>&1
- 		;;
-+	M)
-+		BIND_MOUNT_FILESYSTEMS="-M"
-+		;;
- 	F)
- 		FORCEFLAG="-F"
- 		;;
-diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
-index 9f447f03d444..123425308416 100644
---- a/policycoreutils/scripts/fixfiles.8
-+++ b/policycoreutils/scripts/fixfiles.8
-@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
- .na
- 
- .B fixfiles
--.I [\-v] [\-F] [\-f] relabel
-+.I [\-v] [\-F] [-M] [\-f] relabel
- 
- .B fixfiles
- .I [\-v] [\-F] { check | restore | verify } dir/file ...
-@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
- .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
- 
- .B fixfiles
--.I [-F] [-B] onboot
-+.I [-F] [-M] [-B] onboot
- 
- .ad
- 
-@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
- Only act on files created after the specified date.  Date must be specified in
- "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
- 
-+.TP
-+.B \-M
-+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
-+
- .TP
- .B -v
- Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
--- 
-2.29.0
-

0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,4 +1,4 @@
-From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
+From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
 Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@@ -11,10 +11,10 @@ Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
  2 files changed, 13 insertions(+), 77 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index e4540977d042..ad718797ca68 100644
+index e8654abbceb3..a2475d22547a 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
+@@ -1225,27 +1225,14 @@ def boolean_desc(boolean):
  
  
  def get_os_version():
@@ -49,10 +49,10 @@ index e4540977d042..ad718797ca68 100644
  
  def reinit():
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 2d33eabb2536..acc77f368d95 100755
+index 81333928d552..dc3e5207c57c 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -149,10 +149,6 @@ def prettyprint(f, trim):
+@@ -151,10 +151,6 @@ def prettyprint(f, trim):
  manpage_domains = []
  manpage_roles = []
  
@@ -63,7 +63,7 @@ index 2d33eabb2536..acc77f368d95 100755
  def get_alphabet_manpages(manpage_list):
      alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
      for i in string.ascii_letters:
-@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
+@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
  class HTMLManPages:
  
      """
@@ -72,7 +72,7 @@ index 2d33eabb2536..acc77f368d95 100755
      """
  
      def __init__(self, manpage_roles, manpage_domains, path, os_version):
-@@ -190,9 +186,9 @@ class HTMLManPages:
+@@ -192,9 +188,9 @@ class HTMLManPages:
          self.manpage_domains = get_alphabet_manpages(manpage_domains)
          self.os_version = os_version
          self.old_path = path + "/"
@@ -84,7 +84,7 @@ index 2d33eabb2536..acc77f368d95 100755
              self.__gen_html_manpages()
          else:
              print("SELinux HTML man pages can not be generated for this %s" % os_version)
-@@ -201,7 +197,6 @@ class HTMLManPages:
+@@ -203,7 +199,6 @@ class HTMLManPages:
      def __gen_html_manpages(self):
          self._write_html_manpage()
          self._gen_index()
@@ -92,7 +92,7 @@ index 2d33eabb2536..acc77f368d95 100755
          self._gen_css()
  
      def _write_html_manpage(self):
-@@ -219,67 +214,21 @@ class HTMLManPages:
+@@ -221,67 +216,21 @@ class HTMLManPages:
                      convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
  
      def _gen_index(self):
@@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755
              if len(self.manpage_roles[letter]):
                  fd.write("""
 -- 
-2.29.0
+2.32.0
 

0004-sepolgen-print-extended-permissions-in-hexadecimal.patch

@@ -1,112 +0,0 @@
-From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:33 +0200
-Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All tools like ausearch(8) or sesearch(1) and online documentation[1]
-use hexadecimal values for extended permissions.
-Hence use them, e.g. for audit2allow output, as well.
-
-[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
- python/sepolgen/tests/test_access.py      | 10 +++++-----
- python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
- 3 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
-index 43cecfc77385..747636875ef7 100644
---- a/python/sepolgen/src/sepolgen/refpolicy.py
-+++ b/python/sepolgen/src/sepolgen/refpolicy.py
-@@ -407,10 +407,9 @@ class XpermSet():
- 
-         # print single value without braces
-         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
--            return compl + str(self.ranges[0][0])
-+            return compl + hex(self.ranges[0][0])
- 
--        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
--                   self.ranges)
-+        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
- 
-         return "%s{ %s }" % (compl, " ".join(vals))
- 
-diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
-index 73a5407df617..623588e09aeb 100644
---- a/python/sepolgen/tests/test_access.py
-+++ b/python/sepolgen/tests/test_access.py
-@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def text_merge_xperm2(self):
-         """Test merging AV that does not contain xperms with AV that does"""
-@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def test_merge_xperm_diff_op(self):
-         """Test merging two AVs that contain xperms with different operation"""
-@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
--        self.assertEqual(a.xperms["asdf"].to_string(), "23")
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
-                          
-     def test_merge_xperm_same_op(self):
-         """Test merging two AVs that contain xperms with same operation"""
-@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
- 
- class TestUtilFunctions(unittest.TestCase):
-     def test_is_idparam(self):
-diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
-index 4b50c8aada96..c7219fd568e9 100644
---- a/python/sepolgen/tests/test_refpolicy.py
-+++ b/python/sepolgen/tests/test_refpolicy.py
-@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
-         a.complement = True
-         self.assertEqual(a.to_string(), "")
-         a.add(1234)
--        self.assertEqual(a.to_string(), "~ 1234")
-+        self.assertEqual(a.to_string(), "~ 0x4d2")
-         a.complement = False
--        self.assertEqual(a.to_string(), "1234")
-+        self.assertEqual(a.to_string(), "0x4d2")
-         a.add(2345)
--        self.assertEqual(a.to_string(), "{ 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
-         a.complement = True
--        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
-         a.add(42,64)
--        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
-         a.complement = False
--        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
- 
- class TestSecurityContext(unittest.TestCase):
-     def test_init(self):
--- 
-2.29.0
-

0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,4 +1,4 @@
-From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
+From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
 Subject: [PATCH] We want to remove the trailing newline for
@@ -9,10 +9,10 @@ Subject: [PATCH] We want to remove the trailing newline for
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ad718797ca68..ea05d892bf3b 100644
+index a2475d22547a..8055a12f6020 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1211,7 +1211,7 @@ def get_os_version():
+@@ -1228,7 +1228,7 @@ def get_os_version():
      system_release = ""
      try:
          with open('/etc/system-release') as f:
@@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
          system_release = "Misc"
  
 -- 
-2.29.0
+2.32.0
 

0005-sepolgen-sort-extended-rules-like-normal-ones.patch

@@ -1,109 +0,0 @@
-From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:34 +0200
-Subject: [PATCH] sepolgen: sort extended rules like normal ones
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-Changed:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/output.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
-index 3a21b64c19f7..aeeaafc889e7 100644
---- a/python/sepolgen/src/sepolgen/output.py
-+++ b/python/sepolgen/src/sepolgen/output.py
-@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
-         return ret
- 
-     # At this point, who cares - just return something
--    return cmp(len(a.perms), len(b.perms))
-+    return 0
- 
- # Compare two interface calls
- def ifcall_cmp(a, b):
-@@ -100,7 +100,7 @@ def rule_cmp(a, b):
-         else:
-             return id_set_cmp([a.args[0]], b.src_types)
-     else:
--        if isinstance(b, refpolicy.AVRule):
-+        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
-             return avrule_cmp(a,b)
-         else:
-             return id_set_cmp(a.src_types, [b.args[0]])
-@@ -130,6 +130,7 @@ def sort_filter(module):
-         # we assume is the first argument for interfaces).
-         rules = []
-         rules.extend(node.avrules())
-+        rules.extend(node.avextrules())
-         rules.extend(node.interface_calls())
-         rules.sort(key=util.cmp_to_key(rule_cmp))
- 
--- 
-2.29.0
-

0006-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,4 +1,4 @@
-From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
+From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
 Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@@ -8,10 +8,10 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index acc77f368d95..4aeb3e2e51ba 100755
+index dc3e5207c57c..6420ebe2e08e 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -220,7 +220,7 @@ class HTMLManPages:
+@@ -222,7 +222,7 @@ class HTMLManPages:
  <html>
  <head>
  	<link rel=stylesheet type="text/css" href="style.css" title="style">
@@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755
  <body>
  <h1>SELinux man pages for %s</h1>
 -- 
-2.29.0
+2.32.0
 

0006-newrole-support-cross-compilation-with-PAM-and-audit.patch

@@ -1,32 +0,0 @@
-From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@defensec.nl>
-Date: Tue, 1 Sep 2020 18:16:41 +0200
-Subject: [PATCH] newrole: support cross-compilation with PAM and audit
-
-Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
-
-Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/newrole/Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
-index 73ebd413da85..0e7ebce3dd56 100644
---- a/policycoreutils/newrole/Makefile
-+++ b/policycoreutils/newrole/Makefile
-@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= /etc
- LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
--PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
--AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-+INCLUDEDIR ?= $(PREFIX)/include
-+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
-+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
- # Enable capabilities to permit newrole to generate audit records.
- # This will make newrole a setuid root program.
- # The capabilities used are: CAP_AUDIT_WRITE.
--- 
-2.29.0
-

0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
+From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 30dadb4f4cb6..e73bb81c3336 100755
+index 6fb12e0451a9..cb20002ab613 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
  RPMFILES=""
  PREFC=""
 -- 
-2.29.0
+2.32.0
 

0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,4 +1,4 @@
-From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
+From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,10 +11,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 4aeb3e2e51ba..330b055af214 100755
+index 6420ebe2e08e..d15522135288 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -125,8 +125,24 @@ def gen_domains():
+@@ -127,8 +127,24 @@ def gen_domains():
      domains.sort()
      return domains
  
@@ -40,7 +40,7 @@ index 4aeb3e2e51ba..330b055af214 100755
  
  def _gen_types():
      global types
-@@ -372,6 +388,8 @@ class ManPage:
+@@ -374,6 +390,8 @@ class ManPage:
          self.all_file_types = sepolicy.get_all_file_types()
          self.role_allows = sepolicy.get_all_role_allows()
          self.types = _gen_types()
@@ -49,7 +49,7 @@ index 4aeb3e2e51ba..330b055af214 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -689,7 +707,7 @@ Default Defined Ports:""")
+@@ -691,7 +709,7 @@ Default Defined Ports:""")
          for f in self.all_file_types:
              if f.startswith(self.domainname):
                  flist.append(f)
@@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.29.0
+2.32.0
 

0009-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,4 +1,4 @@
-From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
+From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
 Subject: [PATCH] sepolicy: Another small optimization for mcs types
@@ -8,10 +8,10 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
  1 file changed, 11 insertions(+), 5 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 330b055af214..f8584436960d 100755
+index d15522135288..ffcedb547993 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -142,6 +142,15 @@ def _gen_entry_types():
+@@ -144,6 +144,15 @@ def _gen_entry_types():
          entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
      return entry_types
  
@@ -27,7 +27,7 @@ index 330b055af214..f8584436960d 100755
  types = None
  
  def _gen_types():
-@@ -390,6 +399,7 @@ class ManPage:
+@@ -392,6 +401,7 @@ class ManPage:
          self.types = _gen_types()
          self.exec_types = _gen_exec_types()
          self.entry_types = _gen_entry_types()
@@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
+@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
  %s""" % ", ".join(paths))
  
      def _mcs_types(self):
@@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755
          self.fd.write ("""
  .SH "MCS Constrained"
 -- 
-2.29.0
+2.32.0
 

0010-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,4 +1,4 @@
-From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
+From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
 Subject: [PATCH] Move po/ translation files into the right sub-directories
@@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
 @@ -0,0 +1 @@
 +../sandbox
 -- 
-2.29.0
+2.32.0
 

0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,4 +1,4 @@
-From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
+From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -55,7 +55,7 @@ index bad5140d8c59..6bbe4de5884f 100644
      import gettext
      kwargs = {}
 diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
-index 370bbee40786..e424366da26f 100644
+index d26aa1b405a9..52292cae01d2 100644
 --- a/gui/fcontextPage.py
 +++ b/gui/fcontextPage.py
 @@ -47,7 +47,7 @@ class context:
@@ -185,20 +185,20 @@ index fdd2e46ee3f9..839ddd3b54b6 100755
      import gettext
      kwargs = {}
 diff --git a/python/semanage/semanage b/python/semanage/semanage
-index b2fabea67a87..3cc30a160a74 100644
+index 18a2710531ca..0980aecb6311 100644
 --- a/python/semanage/semanage
 +++ b/python/semanage/semanage
-@@ -27,7 +27,7 @@ import traceback
- import argparse
- import seobject
+@@ -30,7 +30,7 @@ import seobject
  import sys
+ import traceback
+ 
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
  try:
      import gettext
      kwargs = {}
 diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 6a14f7b47dd5..b51a7e3e7ca3 100644
+index 21adbf6eb74f..69e60db80060 100644
 --- a/python/semanage/seobject.py
 +++ b/python/semanage/seobject.py
 @@ -29,7 +29,7 @@ import sys
@@ -208,8 +208,8 @@ index 6a14f7b47dd5..b51a7e3e7ca3 100644
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
  import sepolicy
- import setools
- import ipaddress
+ from setools.policyrep import SELinuxPolicy
+ from setools.typequery import TypeQuery
 diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
 index 998c4356415c..56ebd807c69c 100644
 --- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -237,12 +237,12 @@ index 7b2230651099..32956e58f52e 100755
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ea05d892bf3b..9a9c2ae9f237 100644
+index 8055a12f6020..aa8beda313c8 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -13,7 +13,7 @@ import os
- import re
- import gzip
+@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery
+ from setools.typequery import TypeQuery
+ from setools.userquery import UserQuery
  
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
@@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
      import gettext
      kwargs = {}
 -- 
-2.29.0
+2.32.0
 

0012-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,4 +1,4 @@
-From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
+From a4183d4c2d335fca940f741bec1f1839394ea783 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
 +msgid "Invalid value %s"
 +msgstr ""
 -- 
-2.29.0
+2.32.0
 

0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,4 +1,4 @@
-From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
+From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@@ -13,18 +13,18 @@ Resolves: rhbz#1271327
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index e328a5628682..02e0960289d3 100644
+index 4d28bc9a95c1..8e6c4ab94841 100644
 --- a/policycoreutils/setfiles/setfiles.8
 +++ b/policycoreutils/setfiles/setfiles.8
-@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
+@@ -57,7 +57,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
  .TP
  .B \-d
- show what specification matched each file (do not abort validation
--after ABORT_ON_ERRORS errors).
-+after ABORT_ON_ERRORS errors). Not affected by "\-q"
+-show what specification matched each file.
++show what specification matched each file. Not affected by "\-q".
  .TP
  .BI \-e \ directory
  directory to exclude (repeat option for more than one directory).
 -- 
-2.29.0
+2.32.0
 

0014-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
+From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.29.0
+2.32.0
 

0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,4 +1,4 @@
-From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
+From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
  	}
  
 -- 
-2.29.0
+2.32.0
 

0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
+From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.29.0
+2.32.0
 

0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch

@@ -1,4 +1,4 @@
-From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
+From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001
 From: Ondrej Mosnacek <omosnace@redhat.com>
 Date: Tue, 28 Jul 2020 14:37:13 +0200
 Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
@@ -20,10 +20,10 @@ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index f8584436960d..6a3e08fca58c 100755
+index ffcedb547993..c013c0d48502 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -717,7 +717,7 @@ Default Defined Ports:""")
+@@ -719,7 +719,7 @@ Default Defined Ports:""")
          for f in self.all_file_types:
              if f.startswith(self.domainname):
                  flist.append(f)
@@ -32,7 +32,7 @@ index f8584436960d..6a3e08fca58c 100755
                      flist_non_exec.append(f)
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
-@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
          if flist_non_exec:
@@ -42,5 +42,5 @@ index f8584436960d..6a3e08fca58c 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.29.0
+2.32.0
 

0018-Use-SHA-2-instead-of-SHA-1.patch

@@ -0,0 +1,297 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ policycoreutils/setfiles/restorecon.8          | 10 +++++-----
+ policycoreutils/setfiles/restorecon_xattr.8    |  8 ++++----
+ policycoreutils/setfiles/restorecon_xattr.c    | 12 ++++++------
+ policycoreutils/setfiles/ru/restorecon.8       |  8 ++++----
+ policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
+ policycoreutils/setfiles/ru/setfiles.8         |  8 ++++----
+ policycoreutils/setfiles/setfiles.8            | 10 +++++-----
+ 7 files changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
+index 668486f66113..a8900f02b3f3 100644
+--- a/policycoreutils/setfiles/restorecon.8
++++ b/policycoreutils/setfiles/restorecon.8
+@@ -93,14 +93,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -191,7 +191,7 @@ the
+ .B \-D
+ option to
+ .B restorecon
+-will cause it to store a SHA1 digest of the default specfiles set in an extended
++will cause it to store a SHA256 digest of the default specfiles set in an extended
+ attribute named
+ .IR security.sehash
+ on each directory specified in
+@@ -208,7 +208,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
+index e04528e60824..4b1ce304d995 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.8
++++ b/policycoreutils/setfiles/restorecon_xattr.8
+@@ -23,7 +23,7 @@ or
+ 
+ .SH "DESCRIPTION"
+ .B restorecon_xattr
+-will display the SHA1 digests added to extended attributes
++will display the SHA256 digests added to extended attributes
+ .I security.sehash
+ or delete the attribute completely. These attributes are set by
+ .BR restorecon (8)
+@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
+ .sp
+ By default
+ .B restorecon_xattr
+-will display the SHA1 digests with "Match" appended if they match the default
++will display the SHA256 digests with "Match" appended if they match the default
+ specfile set or the
+ .I specfile
+ set used with the
+ .B \-f
+-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
++option. Non-matching SHA256 digests will be displayed with "No Match" appended.
+ This feature can be disabled by the
+ .B \-n
+ option.
+@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
+ recursively descend directories.
+ .TP
+ .B \-v
+-display SHA1 digest generated by specfile set (Note that this digest is not
++display SHA256 digest generated by specfile set (Note that this digest is not
+ used to match the
+ .I security.sehash
+ directory digest entries, and is shown for reference only).
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
+index 31fb82fd2099..bc22d3fd4560 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.c
++++ b/policycoreutils/setfiles/restorecon_xattr.c
+@@ -38,7 +38,7 @@ int main(int argc, char **argv)
+ 	unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
+ 	unsigned int delete_all_digests = 0, ignore_mounts = 0;
+ 	bool display_digest = false;
+-	char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
++	char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ 	unsigned char *fc_digest = NULL;
+ 	size_t i, fc_digest_len = 0, num_specfiles;
+ 
+@@ -133,8 +133,8 @@ int main(int argc, char **argv)
+ 			exit(-1);
+ 		}
+ 
+-		sha1_buf = malloc(fc_digest_len * 2 + 1);
+-		if (!sha1_buf) {
++		sha256_buf = malloc(fc_digest_len * 2 + 1);
++		if (!sha256_buf) {
+ 			fprintf(stderr,
+ 				"Error allocating digest buffer: %s\n",
+ 							    strerror(errno));
+@@ -143,16 +143,16 @@ int main(int argc, char **argv)
+ 		}
+ 
+ 		for (i = 0; i < fc_digest_len; i++)
+-			sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
++			sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
+ 
+-		printf("specfiles SHA1 digest: %s\n", sha1_buf);
++		printf("specfiles SHA256 digest: %s\n", sha256_buf);
+ 
+ 		printf("calculated using the following specfile(s):\n");
+ 		if (specfiles) {
+ 			for (i = 0; i < num_specfiles; i++)
+ 				printf("%s\n", specfiles[i]);
+ 		}
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		printf("\n");
+ 	}
+ 
+diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
+index 9be3a63db356..745135020f4b 100644
+--- a/policycoreutils/setfiles/ru/restorecon.8
++++ b/policycoreutils/setfiles/ru/restorecon.8
+@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
+ игнорировать файлы, которые не существуют.
+ .TP
+ .B \-I
+-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+ .B ПРИМЕЧАНИЯ.
+ .TP
+ .B \-D
+-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+ .IR security.restorecon_last.
+ .TP
+ .B \-m
+@@ -159,7 +159,7 @@ GNU
+ .B \-D
+ команды
+ .B restorecon
+-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
++обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
+ .IR security.restorecon_last
+ для каталогов, указанных в соответствующих путях
+ .IR pathname \ ...
+@@ -173,7 +173,7 @@ GNU
+ .sp
+ Параметр
+ .B \-I
+-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в 
++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
+ .IR pathname \ ...
+ , и, при условии, что НЕ установлен параметр
+ .B \-n
+diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
+index 41c441b8c5c2..25c4c3033334 100644
+--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
++++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
+@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
+ 
+ .SH "ОПИСАНИЕ"
+ .B restorecon_xattr
+-покажет дайджесты SHA1, добавленные в расширенные атрибуты
++покажет дайджесты SHA256, добавленные в расширенные атрибуты
+ .I security.restorecon_last,
+ или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
+ .BR restorecon (8)
+@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
+ .sp
+ По умолчанию
+ .B restorecon_xattr
+-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
++показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+ .I specfile,
+ который установлен с помощью параметра
+ .B \-f.
+-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
++Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
+ Эту возможность можно отключить с помощью параметра
+ .B \-n.
+ 
+@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
+ рекурсивно спускаться по каталогам.
+ .TP
+ .B \-v
+-показать дайджест SHA1, созданный установленным файлом спецификации.
++показать дайджест SHA256, созданный установленным файлом спецификации.
+ .TP
+ .B \-e
+ .I directory
+@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
+ .BR file_contexts (5).
+ Он будет использоваться
+ .BR selabel_open (3)
+-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
++для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
+ .BR selabel_digest (3).
+ Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
+ 
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 910101452625..7f2daa09191b 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
+ игнорировать файлы, которые не существуют.
+ .TP
+ .B \-I
+-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+ .B ПРИМЕЧАНИЯ.
+ .TP
+ .B \-D
+-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+ .IR security.restorecon_last.
+ .TP
+ .B \-l
+@@ -186,7 +186,7 @@ GNU
+ .B \-D
+ команды
+ .B setfiles .
+-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
++Он обеспечивает сохранение дайджеста SHA256 файла спецификации
+ .B spec_file 
+ в расширенном атрибуте с именем
+ .IR security.restorecon_last
+@@ -204,7 +204,7 @@ GNU
+ .sp
+ Параметр
+ .B \-I
+-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в 
++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
+ .IR pathname \ ...
+ , и, при условии, что НЕ установлен параметр
+ .B \-n
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index 8e6c4ab94841..0692121f2f4d 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -85,14 +85,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -230,7 +230,7 @@ the
+ .B \-D
+ option to
+ .B setfiles
+-will cause it to store a SHA1 digest of the
++will cause it to store a SHA256 digest of the
+ .B spec_file
+ set in an extended attribute named
+ .IR security.sehash
+@@ -251,7 +251,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+-- 
+2.32.0
+

0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch

@@ -1,29 +0,0 @@
-From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Wed, 11 Nov 2020 17:23:40 +0100
-Subject: [PATCH] selinux_config(5): add a note that runtime disable is
- deprecated
-
-...and refer to selinux(8), which explains it further.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policycoreutils/man/man5/selinux_config.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
-index 1ffade150128..58b42a0e234d 100644
---- a/policycoreutils/man/man5/selinux_config.5
-+++ b/policycoreutils/man/man5/selinux_config.5
-@@ -48,7 +48,7 @@ SELinux security policy is enforced.
- .IP \fIpermissive\fR 4
- SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
- .IP \fIdisabled\fR
--SELinux is disabled and no policy is loaded.
-+No SELinux policy is loaded.  This option was used to disable SELinux completely, which is now deprecated.  Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
- .RE
- .sp
- The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
--- 
-2.29.2
-

0025-python-sepolicy-allow-to-override-manpage-date.patch

@@ -1,51 +0,0 @@
-From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Fri, 30 Oct 2020 22:53:09 +0100
-Subject: [PATCH] python/sepolicy: allow to override manpage date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good
-and https://reproducible-builds.org/specs/source-date-epoch/
-for the definition of this variable.
-
-This patch was done while working on reproducible builds for openSUSE.
-
-Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
----
- python/sepolicy/sepolicy/manpage.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 6a3e08fca58c..c013c0d48502 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -39,6 +39,8 @@ typealias_types = {
- equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
- 
- equiv_dirs = ["/var"]
-+man_date = time.strftime("%y-%m-%d", time.gmtime(
-+        int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
- modules_dict = None
- 
- 
-@@ -546,7 +548,7 @@ class ManPage:
- 
-     def _typealias(self,typealias):
-         self.fd.write('.TH  "%(typealias)s_selinux"  "8"  "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
--                 % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
-+                 % {'typealias':typealias, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
-@@ -565,7 +567,7 @@ man page for more details.
- 
-     def _header(self):
-         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
--                      % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
-+                      % {'domainname': self.domainname, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
--- 
-2.29.2
-

policycoreutils.spec

@@ -1,7 +1,7 @@
 %global libauditver     3.0
-%global libsepolver     3.1-5
-%global libsemanagever  3.1-5
-%global libselinuxver   3.1-5
+%global libsepolver     3.3-1
+%global libsemanagever  3.3-1
+%global libselinuxver   3.3-1
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -10,17 +10,11 @@
 
 Summary: SELinux policy core utilities
 Name:    policycoreutils
-Version: 3.1
-Release: 8%{?dist}
+Version: 3.3
+Release: 1%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
-Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz
-Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz
-Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz
-Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz
-Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/selinux-3.3.tar.gz
 URL:     https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
 Source14: sepolicy-icons.tgz
@@ -34,34 +28,27 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.3 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
-Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
-Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
-Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
-Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
-Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
-Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
-Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
-Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
-Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
-Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
-Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
+Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
+Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
+Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
+Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
+Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+Patch0018: 0018-Use-SHA-2-instead-of-SHA-1.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2
@@ -97,32 +84,15 @@ load_policy to load policies, setfiles to label filesystems, newrole
 to switch roles.
 
 %prep -p /usr/bin/bash
-# create selinux/ directory and extract sources
-%autosetup -S git -N -c -n selinux
-%autosetup -S git -N -T -D -a 1 -n selinux
-%autosetup -S git -N -T -D -a 2 -n selinux
-%autosetup -S git -N -T -D -a 3 -n selinux
-%autosetup -S git -N -T -D -a 4 -n selinux
-%autosetup -S git -N -T -D -a 5 -n selinux
-%autosetup -S git -N -T -D -a 6 -n selinux
-
-for i in *; do
-    git mv $i ${i/-%{version}/}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
-done
-
-for i in selinux-*; do
-    git mv $i ${i#selinux-}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
-done
-
-git am %{_sourcedir}/[0-9]*.patch
+%autosetup -n selinux-%{version} -p 1
 
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/
 
 # Since patches containing translation changes were too big, translations were moved to separate tarballs
 # For more information see README.translations
+# First remove old translation files
+rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
 tar -x -f %{SOURCE20} -C policycoreutils -z
 tar -x -f %{SOURCE21} -C python -z
 tar -x -f %{SOURCE22} -C gui -z
@@ -132,7 +102,7 @@ tar -x -f %{SOURCE23} -C sandbox -z
 %set_build_flags
 export PYTHON=%{__python3}
 
-make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@@ -244,8 +214,8 @@ an SELinux environment.
 %package dbus
 Summary:    SELinux policy core DBUS api
 Requires:   python3-policycoreutils = %{version}-%{release}
-Requires:   python3-slip-dbus
 Requires:   python3-gobject-base
+Requires:   polkit
 BuildArch:  noarch
 
 %description dbus
@@ -304,7 +274,7 @@ by python 3 in an SELinux environment.
 Summary: SELinux policy core policy devel utilities
 Requires: policycoreutils-python-utils = %{version}-%{release}
 Requires: /usr/bin/make dnf
-Requires: selinux-policy-devel
+Requires: (selinux-policy-devel if selinux-policy)
 
 %description devel
 The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
@@ -415,12 +385,14 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_sbindir}/genhomedircon
 %{_sbindir}/setsebool
 %{_sbindir}/semodule
+# symlink to %%{_bindir}/sestatus
 %{_sbindir}/sestatus
 %{_bindir}/secon
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
 %{_bindir}/semodule_unpackage
+%{_bindir}/sestatus
 %{_libexecdir}/selinux/hll
 %{_libexecdir}/selinux/selinux-autorelabel
 %{_unitdir}/selinux-autorelabel-mark.service
@@ -483,42 +455,6 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_datadir}/dbus-1/services/org.selinux.Restorecond.service
 %{_mandir}/man8/restorecond.8*
 %{_mandir}/ru/man8/restorecond.8*
-/usr/share/man/ru/man1/audit2why.1.gz
-/usr/share/man/ru/man1/newrole.1.gz
-/usr/share/man/ru/man5/sandbox.5.gz
-/usr/share/man/ru/man5/selinux_config.5.gz
-/usr/share/man/ru/man5/sestatus.conf.5.gz
-/usr/share/man/ru/man8/genhomedircon.8.gz
-/usr/share/man/ru/man8/restorecon_xattr.8.gz
-/usr/share/man/ru/man8/sandbox.8.gz
-/usr/share/man/ru/man8/selinux-polgengui.8.gz
-/usr/share/man/ru/man8/semanage-boolean.8.gz
-/usr/share/man/ru/man8/semanage-dontaudit.8.gz
-/usr/share/man/ru/man8/semanage-export.8.gz
-/usr/share/man/ru/man8/semanage-fcontext.8.gz
-/usr/share/man/ru/man8/semanage-ibendport.8.gz
-/usr/share/man/ru/man8/semanage-ibpkey.8.gz
-/usr/share/man/ru/man8/semanage-import.8.gz
-/usr/share/man/ru/man8/semanage-interface.8.gz
-/usr/share/man/ru/man8/semanage-login.8.gz
-/usr/share/man/ru/man8/semanage-module.8.gz
-/usr/share/man/ru/man8/semanage-node.8.gz
-/usr/share/man/ru/man8/semanage-permissive.8.gz
-/usr/share/man/ru/man8/semanage-port.8.gz
-/usr/share/man/ru/man8/semanage-user.8.gz
-/usr/share/man/ru/man8/semodule_unpackage.8.gz
-/usr/share/man/ru/man8/sepolgen.8.gz
-/usr/share/man/ru/man8/sepolicy-booleans.8.gz
-/usr/share/man/ru/man8/sepolicy-communicate.8.gz
-/usr/share/man/ru/man8/sepolicy-generate.8.gz
-/usr/share/man/ru/man8/sepolicy-gui.8.gz
-/usr/share/man/ru/man8/sepolicy-interface.8.gz
-/usr/share/man/ru/man8/sepolicy-manpage.8.gz
-/usr/share/man/ru/man8/sepolicy-network.8.gz
-/usr/share/man/ru/man8/sepolicy-transition.8.gz
-/usr/share/man/ru/man8/sepolicy.8.gz
-/usr/share/man/ru/man8/seunshare.8.gz
-/usr/share/man/ru/man8/system-config-selinux.8.gz
 
 %{!?_licensedir:%global license %%doc}
 %license policycoreutils/COPYING
@@ -539,6 +475,48 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Tue Aug  3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
+- Drop forgotten ru/ man pages from -restorecond
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
+- Rebase on upstream commit 32611aea6543
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-3
+- Rebuilt for Python 3.10
+
+* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
+- Do not use Python slip
+- fixfiles: do not exclude /dev and /run in -C mode
+- dbus: use GLib.MainLoop
+
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
 * Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
 - Fix BuildRequires to libsemanage-devel
 

sources

@@ -1,11 +1,6 @@
-SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
-SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
-SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
-SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
-SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
-SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
-SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
+SHA512 (selinux-3.3-rc3.tar.gz) = 239a10ce5ab31233dbd4fccf3668c2643df66e6b19065a0e57396a2b277cf4769985292613df67011b82afa25ff8dbd02123bd09d59cd8984b8b5d4d572284bc
 SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
 SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
 SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
+SHA512 (selinux-3.3.tar.gz) = 3d1ad92e63484a7533257ae65e4d35d7acb2c9f17b3900240dbfa61c7a7aa4cdf7d7c0c4077e66b30cada26026f9d2ca1ca7d194bfa990d04b0259aef53af100