policycoreutils-3.3-4

- semodule: add command-line option to detect module changes
- fixfiles: Use parallel relabeling

.gitignore

@@ -322,3 +322,21 @@ policycoreutils-2.0.83.tgz
 /selinux-python-3.1.tar.gz
 /selinux-sandbox-3.1.tar.gz
 /semodule-utils-3.1.tar.gz
+/policycoreutils-3.2-rc1.tar.gz
+/restorecond-3.2-rc1.tar.gz
+/selinux-dbus-3.2-rc1.tar.gz
+/selinux-gui-3.2-rc1.tar.gz
+/selinux-python-3.2-rc1.tar.gz
+/selinux-sandbox-3.2-rc1.tar.gz
+/semodule-utils-3.2-rc1.tar.gz
+/policycoreutils-3.2-rc2.tar.gz
+/restorecond-3.2-rc2.tar.gz
+/selinux-dbus-3.2-rc2.tar.gz
+/selinux-gui-3.2-rc2.tar.gz
+/selinux-python-3.2-rc2.tar.gz
+/selinux-sandbox-3.2-rc2.tar.gz
+/semodule-utils-3.2-rc2.tar.gz
+/selinux-3.2.tar.gz
+/selinux-3.3-rc2.tar.gz
+/selinux-3.3-rc3.tar.gz
+/selinux-3.3.tar.gz

0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch

@@ -1,34 +0,0 @@
-From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
-From: "W. Michael Petullo" <mike@flyn.org>
-Date: Thu, 16 Jul 2020 15:29:20 -0500
-Subject: [PATCH] python/audit2allow: add #include <limits.h> to
- sepolgen-ifgen-attr-helper.c
-
-I found that building on OpenWrt/musl failed with:
-
-  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
-
-Musl is less "generous" than glibc in recursively including header
-files, and I suspect this is the reason for this error. Explicitly
-including limits.h fixes the problem.
-
-Signed-off-by: W. Michael Petullo <mike@flyn.org>
----
- python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-index 53f20818722a..f010c9584c1f 100644
---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
-+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-@@ -28,6 +28,7 @@
- 
- #include <selinux/selinux.h>
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/stat.h>
--- 
-2.29.0
-

0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,4 +1,4 @@
-From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
+From ec3bf6f3e5468ba7b5164cc588ef5746454808a5 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.29.0
+2.32.0
 

0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,4 +1,4 @@
-From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
+From 7a548cae4303f8429040ba6be67be182b7f9a943 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,10 +9,10 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 3e8a3be907e3..a1d70623cff0 100755
+index 2f847abb87e2..dccd778ed4be 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -735,10 +735,13 @@ Default Defined Ports:""")
+@@ -737,10 +737,13 @@ Default Defined Ports:""")
  
      def _file_context(self):
          flist = []
@@ -26,9 +26,9 @@ index 3e8a3be907e3..a1d70623cff0 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
          if len(mpaths) == 0:
-@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -799,12 +802,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  SELinux defines the file context types for the %(domainname)s, if you wanted to
- store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+ store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
  
 -.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
 +.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
@@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.29.0
+2.32.0
 

0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch

@@ -1,26 +0,0 @@
-From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Thu, 16 Jul 2020 14:22:13 +0200
-Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
- restorecond.desktop file
-
-This completely inactivate the .desktop file incase the user session is
-managed by systemd as restorecond also provide a service file
-
-Signed-off-by: Laurent Bigonville <bigon@bigon.be>
----
- restorecond/restorecond.desktop | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
-index af7286801c24..7df854727a3f 100644
---- a/restorecond/restorecond.desktop
-+++ b/restorecond/restorecond.desktop
-@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
- Type=Application
- StartupNotify=false
- X-GNOME-Autostart-enabled=false
-+X-GNOME-HiddenUnderSystemd=true
--- 
-2.29.0
-

0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,4 +1,4 @@
-From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
+From b3cb362afe86278c600d6e97cc7abf9c0b102071 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,10 +9,10 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index a1d70623cff0..2d33eabb2536 100755
+index dccd778ed4be..81333928d552 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -795,7 +795,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  .PP
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
@@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.29.0
+2.32.0
 

0003-fixfiles-correctly-restore-context-of-mountpoints.patch

@@ -1,136 +0,0 @@
-From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
-From: bauen1 <j2468h@googlemail.com>
-Date: Thu, 6 Aug 2020 16:48:36 +0200
-Subject: [PATCH] fixfiles: correctly restore context of mountpoints
-
-By bind mounting every filesystem we want to relabel we can access all
-files without anything hidden due to active mounts.
-
-This comes at the cost of user experience, because setfiles only
-displays the percentage if no path is given or the path is /
-
-Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
- policycoreutils/scripts/fixfiles.8 |  8 ++++++--
- 2 files changed, 31 insertions(+), 6 deletions(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5d7770348349..30dadb4f4cb6 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -112,6 +112,7 @@ FORCEFLAG=""
- RPMFILES=""
- PREFC=""
- RESTORE_MODE=""
-+BIND_MOUNT_FILESYSTEMS=""
- SETFILES=/sbin/setfiles
- RESTORECON=/sbin/restorecon
- FILESYSTEMSRW=`get_rw_labeled_mounts`
-@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
- 	if [ -n "${FILESYSTEMSRW}" ]; then
- 	    LogReadOnly
- 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
--	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+
-+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
-+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+	    else
-+	        # we bind mount so we can fix the labels of files that have already been
-+	        # mounted over
-+	        for m in `echo $FILESYSTEMSRW`; do
-+	            TMP_MOUNT="$(mktemp -d)"
-+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
-+
-+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
-+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
-+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
-+	            umount "${TMP_MOUNT}${m}" || exit 1
-+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
-+	        done;
-+	    fi
- 	else
- 	    echo >&2 "fixfiles: No suitable file systems found"
- 	fi
-@@ -313,6 +330,7 @@ case "$1" in
- 	> /.autorelabel || exit $?
- 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
- 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
-+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
- 	# Force full relabel if SELinux is not enabled
- 	selinuxenabled || echo -F > /.autorelabel
- 	echo "System will relabel on next boot"
-@@ -324,7 +342,7 @@ esac
- }
- usage() {
- 	echo $"""
--Usage: $0 [-v] [-F] [-f] relabel
-+Usage: $0 [-v] [-F] [-M] [-f] relabel
- or
- Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
- or
-@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
- or
- Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
- or
--Usage: $0 [-F] [-B] onboot
-+Usage: $0 [-F] [-M] [-B] onboot
- """
- }
- 
-@@ -353,7 +371,7 @@ set_restore_mode() {
- }
- 
- # See how we were called.
--while getopts "N:BC:FfR:l:v" i; do
-+while getopts "N:BC:FfR:l:vM" i; do
-     case "$i" in
- 	B)
- 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
-@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
- 		echo "Redirecting output to $OPTARG"
- 		exec >>"$OPTARG" 2>&1
- 		;;
-+	M)
-+		BIND_MOUNT_FILESYSTEMS="-M"
-+		;;
- 	F)
- 		FORCEFLAG="-F"
- 		;;
-diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
-index 9f447f03d444..123425308416 100644
---- a/policycoreutils/scripts/fixfiles.8
-+++ b/policycoreutils/scripts/fixfiles.8
-@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
- .na
- 
- .B fixfiles
--.I [\-v] [\-F] [\-f] relabel
-+.I [\-v] [\-F] [-M] [\-f] relabel
- 
- .B fixfiles
- .I [\-v] [\-F] { check | restore | verify } dir/file ...
-@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
- .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
- 
- .B fixfiles
--.I [-F] [-B] onboot
-+.I [-F] [-M] [-B] onboot
- 
- .ad
- 
-@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
- Only act on files created after the specified date.  Date must be specified in
- "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
- 
-+.TP
-+.B \-M
-+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
-+
- .TP
- .B -v
- Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
--- 
-2.29.0
-

0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,4 +1,4 @@
-From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
+From b954ff8379e03714f707daa85111f6bf2f265772 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
 Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@@ -11,10 +11,10 @@ Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
  2 files changed, 13 insertions(+), 77 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index e4540977d042..ad718797ca68 100644
+index e8654abbceb3..a2475d22547a 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
+@@ -1225,27 +1225,14 @@ def boolean_desc(boolean):
  
  
  def get_os_version():
@@ -49,10 +49,10 @@ index e4540977d042..ad718797ca68 100644
  
  def reinit():
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 2d33eabb2536..acc77f368d95 100755
+index 81333928d552..dc3e5207c57c 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -149,10 +149,6 @@ def prettyprint(f, trim):
+@@ -151,10 +151,6 @@ def prettyprint(f, trim):
  manpage_domains = []
  manpage_roles = []
  
@@ -63,7 +63,7 @@ index 2d33eabb2536..acc77f368d95 100755
  def get_alphabet_manpages(manpage_list):
      alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
      for i in string.ascii_letters:
-@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
+@@ -184,7 +180,7 @@ def convert_manpage_to_html(html_manpage, manpage):
  class HTMLManPages:
  
      """
@@ -72,7 +72,7 @@ index 2d33eabb2536..acc77f368d95 100755
      """
  
      def __init__(self, manpage_roles, manpage_domains, path, os_version):
-@@ -190,9 +186,9 @@ class HTMLManPages:
+@@ -192,9 +188,9 @@ class HTMLManPages:
          self.manpage_domains = get_alphabet_manpages(manpage_domains)
          self.os_version = os_version
          self.old_path = path + "/"
@@ -84,7 +84,7 @@ index 2d33eabb2536..acc77f368d95 100755
              self.__gen_html_manpages()
          else:
              print("SELinux HTML man pages can not be generated for this %s" % os_version)
-@@ -201,7 +197,6 @@ class HTMLManPages:
+@@ -203,7 +199,6 @@ class HTMLManPages:
      def __gen_html_manpages(self):
          self._write_html_manpage()
          self._gen_index()
@@ -92,7 +92,7 @@ index 2d33eabb2536..acc77f368d95 100755
          self._gen_css()
  
      def _write_html_manpage(self):
-@@ -219,67 +214,21 @@ class HTMLManPages:
+@@ -221,67 +216,21 @@ class HTMLManPages:
                      convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
  
      def _gen_index(self):
@@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755
              if len(self.manpage_roles[letter]):
                  fd.write("""
 -- 
-2.29.0
+2.32.0
 

0004-sepolgen-print-extended-permissions-in-hexadecimal.patch

@@ -1,112 +0,0 @@
-From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:33 +0200
-Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All tools like ausearch(8) or sesearch(1) and online documentation[1]
-use hexadecimal values for extended permissions.
-Hence use them, e.g. for audit2allow output, as well.
-
-[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
- python/sepolgen/tests/test_access.py      | 10 +++++-----
- python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
- 3 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
-index 43cecfc77385..747636875ef7 100644
---- a/python/sepolgen/src/sepolgen/refpolicy.py
-+++ b/python/sepolgen/src/sepolgen/refpolicy.py
-@@ -407,10 +407,9 @@ class XpermSet():
- 
-         # print single value without braces
-         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
--            return compl + str(self.ranges[0][0])
-+            return compl + hex(self.ranges[0][0])
- 
--        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
--                   self.ranges)
-+        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
- 
-         return "%s{ %s }" % (compl, " ".join(vals))
- 
-diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
-index 73a5407df617..623588e09aeb 100644
---- a/python/sepolgen/tests/test_access.py
-+++ b/python/sepolgen/tests/test_access.py
-@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def text_merge_xperm2(self):
-         """Test merging AV that does not contain xperms with AV that does"""
-@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def test_merge_xperm_diff_op(self):
-         """Test merging two AVs that contain xperms with different operation"""
-@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
--        self.assertEqual(a.xperms["asdf"].to_string(), "23")
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
-                          
-     def test_merge_xperm_same_op(self):
-         """Test merging two AVs that contain xperms with same operation"""
-@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
- 
- class TestUtilFunctions(unittest.TestCase):
-     def test_is_idparam(self):
-diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
-index 4b50c8aada96..c7219fd568e9 100644
---- a/python/sepolgen/tests/test_refpolicy.py
-+++ b/python/sepolgen/tests/test_refpolicy.py
-@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
-         a.complement = True
-         self.assertEqual(a.to_string(), "")
-         a.add(1234)
--        self.assertEqual(a.to_string(), "~ 1234")
-+        self.assertEqual(a.to_string(), "~ 0x4d2")
-         a.complement = False
--        self.assertEqual(a.to_string(), "1234")
-+        self.assertEqual(a.to_string(), "0x4d2")
-         a.add(2345)
--        self.assertEqual(a.to_string(), "{ 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
-         a.complement = True
--        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
-         a.add(42,64)
--        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
-         a.complement = False
--        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
- 
- class TestSecurityContext(unittest.TestCase):
-     def test_init(self):
--- 
-2.29.0
-

0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,4 +1,4 @@
-From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
+From 7572bbec8b6a422e722864348a53d5e0f855e7f6 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
 Subject: [PATCH] We want to remove the trailing newline for
@@ -9,10 +9,10 @@ Subject: [PATCH] We want to remove the trailing newline for
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ad718797ca68..ea05d892bf3b 100644
+index a2475d22547a..8055a12f6020 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1211,7 +1211,7 @@ def get_os_version():
+@@ -1228,7 +1228,7 @@ def get_os_version():
      system_release = ""
      try:
          with open('/etc/system-release') as f:
@@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
          system_release = "Misc"
  
 -- 
-2.29.0
+2.32.0
 

0005-sepolgen-sort-extended-rules-like-normal-ones.patch

@@ -1,109 +0,0 @@
-From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:34 +0200
-Subject: [PATCH] sepolgen: sort extended rules like normal ones
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-Changed:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/output.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
-index 3a21b64c19f7..aeeaafc889e7 100644
---- a/python/sepolgen/src/sepolgen/output.py
-+++ b/python/sepolgen/src/sepolgen/output.py
-@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
-         return ret
- 
-     # At this point, who cares - just return something
--    return cmp(len(a.perms), len(b.perms))
-+    return 0
- 
- # Compare two interface calls
- def ifcall_cmp(a, b):
-@@ -100,7 +100,7 @@ def rule_cmp(a, b):
-         else:
-             return id_set_cmp([a.args[0]], b.src_types)
-     else:
--        if isinstance(b, refpolicy.AVRule):
-+        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
-             return avrule_cmp(a,b)
-         else:
-             return id_set_cmp(a.src_types, [b.args[0]])
-@@ -130,6 +130,7 @@ def sort_filter(module):
-         # we assume is the first argument for interfaces).
-         rules = []
-         rules.extend(node.avrules())
-+        rules.extend(node.avextrules())
-         rules.extend(node.interface_calls())
-         rules.sort(key=util.cmp_to_key(rule_cmp))
- 
--- 
-2.29.0
-

0006-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,4 +1,4 @@
-From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
+From a4d59dcce863a02895fe40e487176149f3a4ad5b Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
 Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@@ -8,10 +8,10 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index acc77f368d95..4aeb3e2e51ba 100755
+index dc3e5207c57c..6420ebe2e08e 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -220,7 +220,7 @@ class HTMLManPages:
+@@ -222,7 +222,7 @@ class HTMLManPages:
  <html>
  <head>
  	<link rel=stylesheet type="text/css" href="style.css" title="style">
@@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755
  <body>
  <h1>SELinux man pages for %s</h1>
 -- 
-2.29.0
+2.32.0
 

0006-newrole-support-cross-compilation-with-PAM-and-audit.patch

@@ -1,32 +0,0 @@
-From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@defensec.nl>
-Date: Tue, 1 Sep 2020 18:16:41 +0200
-Subject: [PATCH] newrole: support cross-compilation with PAM and audit
-
-Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
-
-Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/newrole/Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
-index 73ebd413da85..0e7ebce3dd56 100644
---- a/policycoreutils/newrole/Makefile
-+++ b/policycoreutils/newrole/Makefile
-@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= /etc
- LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
--PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
--AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-+INCLUDEDIR ?= $(PREFIX)/include
-+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
-+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
- # Enable capabilities to permit newrole to generate audit records.
- # This will make newrole a setuid root program.
- # The capabilities used are: CAP_AUDIT_WRITE.
--- 
-2.29.0
-

0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
+From f183dd36c66069c95726e1dab47639e76077d86a Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 30dadb4f4cb6..e73bb81c3336 100755
+index 6fb12e0451a9..cb20002ab613 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
  RPMFILES=""
  PREFC=""
 -- 
-2.29.0
+2.32.0
 

0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,4 +1,4 @@
-From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
+From fae31a306e7b6084710c02b658ace668766fc004 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,10 +11,10 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 4aeb3e2e51ba..330b055af214 100755
+index 6420ebe2e08e..d15522135288 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -125,8 +125,24 @@ def gen_domains():
+@@ -127,8 +127,24 @@ def gen_domains():
      domains.sort()
      return domains
  
@@ -40,7 +40,7 @@ index 4aeb3e2e51ba..330b055af214 100755
  
  def _gen_types():
      global types
-@@ -372,6 +388,8 @@ class ManPage:
+@@ -374,6 +390,8 @@ class ManPage:
          self.all_file_types = sepolicy.get_all_file_types()
          self.role_allows = sepolicy.get_all_role_allows()
          self.types = _gen_types()
@@ -49,7 +49,7 @@ index 4aeb3e2e51ba..330b055af214 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -689,7 +707,7 @@ Default Defined Ports:""")
+@@ -691,7 +709,7 @@ Default Defined Ports:""")
          for f in self.all_file_types:
              if f.startswith(self.domainname):
                  flist.append(f)
@@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.29.0
+2.32.0
 

0009-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,4 +1,4 @@
-From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
+From afe686ec783ccf442c8e2bbcb9dbdb7650328253 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
 Subject: [PATCH] sepolicy: Another small optimization for mcs types
@@ -8,10 +8,10 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
  1 file changed, 11 insertions(+), 5 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 330b055af214..f8584436960d 100755
+index d15522135288..ffcedb547993 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -142,6 +142,15 @@ def _gen_entry_types():
+@@ -144,6 +144,15 @@ def _gen_entry_types():
          entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
      return entry_types
  
@@ -27,7 +27,7 @@ index 330b055af214..f8584436960d 100755
  types = None
  
  def _gen_types():
-@@ -390,6 +399,7 @@ class ManPage:
+@@ -392,6 +401,7 @@ class ManPage:
          self.types = _gen_types()
          self.exec_types = _gen_exec_types()
          self.entry_types = _gen_entry_types()
@@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
+@@ -946,11 +956,7 @@ All executables with the default executable label, usually stored in /usr/bin an
  %s""" % ", ".join(paths))
  
      def _mcs_types(self):
@@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755
          self.fd.write ("""
  .SH "MCS Constrained"
 -- 
-2.29.0
+2.32.0
 

0010-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,4 +1,4 @@
-From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
+From 28879b771a804242d00a8a978bdbc4b85210814d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
 Subject: [PATCH] Move po/ translation files into the right sub-directories
@@ -511,5 +511,5 @@ index 000000000000..deff3f2f4656
 @@ -0,0 +1 @@
 +../sandbox
 -- 
-2.29.0
+2.32.0
 

0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,4 +1,4 @@
-From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
+From a8cacf2944ddd803909d2111bdf2d43ab90e1111 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -55,7 +55,7 @@ index bad5140d8c59..6bbe4de5884f 100644
      import gettext
      kwargs = {}
 diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
-index 370bbee40786..e424366da26f 100644
+index d26aa1b405a9..52292cae01d2 100644
 --- a/gui/fcontextPage.py
 +++ b/gui/fcontextPage.py
 @@ -47,7 +47,7 @@ class context:
@@ -185,20 +185,20 @@ index fdd2e46ee3f9..839ddd3b54b6 100755
      import gettext
      kwargs = {}
 diff --git a/python/semanage/semanage b/python/semanage/semanage
-index b2fabea67a87..3cc30a160a74 100644
+index 18a2710531ca..0980aecb6311 100644
 --- a/python/semanage/semanage
 +++ b/python/semanage/semanage
-@@ -27,7 +27,7 @@ import traceback
- import argparse
- import seobject
+@@ -30,7 +30,7 @@ import seobject
  import sys
+ import traceback
+ 
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
  try:
      import gettext
      kwargs = {}
 diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 6a14f7b47dd5..b51a7e3e7ca3 100644
+index 21adbf6eb74f..69e60db80060 100644
 --- a/python/semanage/seobject.py
 +++ b/python/semanage/seobject.py
 @@ -29,7 +29,7 @@ import sys
@@ -208,8 +208,8 @@ index 6a14f7b47dd5..b51a7e3e7ca3 100644
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
  import sepolicy
- import setools
- import ipaddress
+ from setools.policyrep import SELinuxPolicy
+ from setools.typequery import TypeQuery
 diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
 index 998c4356415c..56ebd807c69c 100644
 --- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
@@ -237,12 +237,12 @@ index 7b2230651099..32956e58f52e 100755
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ea05d892bf3b..9a9c2ae9f237 100644
+index 8055a12f6020..aa8beda313c8 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -13,7 +13,7 @@ import os
- import re
- import gzip
+@@ -23,7 +23,7 @@ from setools.typeattrquery import TypeAttributeQuery
+ from setools.typequery import TypeQuery
+ from setools.userquery import UserQuery
  
 -PROGNAME = "policycoreutils"
 +PROGNAME = "selinux-python"
@@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
      import gettext
      kwargs = {}
 -- 
-2.29.0
+2.32.0
 

0012-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,4 +1,4 @@
-From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
+From a4183d4c2d335fca940f741bec1f1839394ea783 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
 +msgid "Invalid value %s"
 +msgstr ""
 -- 
-2.29.0
+2.32.0
 

0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,4 +1,4 @@
-From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
+From f5045f645cfa10fed01b4225d26d98ea9f81f085 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@@ -13,18 +13,18 @@ Resolves: rhbz#1271327
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index e328a5628682..02e0960289d3 100644
+index 4d28bc9a95c1..8e6c4ab94841 100644
 --- a/policycoreutils/setfiles/setfiles.8
 +++ b/policycoreutils/setfiles/setfiles.8
-@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
+@@ -57,7 +57,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
  .TP
  .B \-d
- show what specification matched each file (do not abort validation
--after ABORT_ON_ERRORS errors).
-+after ABORT_ON_ERRORS errors). Not affected by "\-q"
+-show what specification matched each file.
++show what specification matched each file. Not affected by "\-q".
  .TP
  .BI \-e \ directory
  directory to exclude (repeat option for more than one directory).
 -- 
-2.29.0
+2.32.0
 

0014-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
+From 53c27e891b9053a9bbbbca5a854deb4fc526a8a2 Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.29.0
+2.32.0
 

0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,4 +1,4 @@
-From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
+From f1acc9a3057e199d62c6b8ec6e77fc33ca3db1d1 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
  	}
  
 -- 
-2.29.0
+2.32.0
 

0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
+From be804ecd456a52803067e1aa11e20ef69788221c Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.29.0
+2.32.0
 

0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch

@@ -1,4 +1,4 @@
-From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
+From 0e40b5541773c6daf58bba7048fae6918d74de74 Mon Sep 17 00:00:00 2001
 From: Ondrej Mosnacek <omosnace@redhat.com>
 Date: Tue, 28 Jul 2020 14:37:13 +0200
 Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
@@ -20,10 +20,10 @@ Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index f8584436960d..6a3e08fca58c 100755
+index ffcedb547993..c013c0d48502 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
-@@ -717,7 +717,7 @@ Default Defined Ports:""")
+@@ -719,7 +719,7 @@ Default Defined Ports:""")
          for f in self.all_file_types:
              if f.startswith(self.domainname):
                  flist.append(f)
@@ -32,7 +32,7 @@ index f8584436960d..6a3e08fca58c 100755
                      flist_non_exec.append(f)
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
-@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+@@ -773,7 +773,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
  """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
  
          if flist_non_exec:
@@ -42,5 +42,5 @@ index f8584436960d..6a3e08fca58c 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.29.0
+2.32.0
 

0018-Use-SHA-2-instead-of-SHA-1.patch

@@ -0,0 +1,297 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ policycoreutils/setfiles/restorecon.8          | 10 +++++-----
+ policycoreutils/setfiles/restorecon_xattr.8    |  8 ++++----
+ policycoreutils/setfiles/restorecon_xattr.c    | 12 ++++++------
+ policycoreutils/setfiles/ru/restorecon.8       |  8 ++++----
+ policycoreutils/setfiles/ru/restorecon_xattr.8 | 10 +++++-----
+ policycoreutils/setfiles/ru/setfiles.8         |  8 ++++----
+ policycoreutils/setfiles/setfiles.8            | 10 +++++-----
+ 7 files changed, 33 insertions(+), 33 deletions(-)
+
+diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
+index 668486f66113..a8900f02b3f3 100644
+--- a/policycoreutils/setfiles/restorecon.8
++++ b/policycoreutils/setfiles/restorecon.8
+@@ -93,14 +93,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -191,7 +191,7 @@ the
+ .B \-D
+ option to
+ .B restorecon
+-will cause it to store a SHA1 digest of the default specfiles set in an extended
++will cause it to store a SHA256 digest of the default specfiles set in an extended
+ attribute named
+ .IR security.sehash
+ on each directory specified in
+@@ -208,7 +208,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+diff --git a/policycoreutils/setfiles/restorecon_xattr.8 b/policycoreutils/setfiles/restorecon_xattr.8
+index e04528e60824..4b1ce304d995 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.8
++++ b/policycoreutils/setfiles/restorecon_xattr.8
+@@ -23,7 +23,7 @@ or
+ 
+ .SH "DESCRIPTION"
+ .B restorecon_xattr
+-will display the SHA1 digests added to extended attributes
++will display the SHA256 digests added to extended attributes
+ .I security.sehash
+ or delete the attribute completely. These attributes are set by
+ .BR restorecon (8)
+@@ -48,12 +48,12 @@ extended attribute and are automatically excluded from searches.
+ .sp
+ By default
+ .B restorecon_xattr
+-will display the SHA1 digests with "Match" appended if they match the default
++will display the SHA256 digests with "Match" appended if they match the default
+ specfile set or the
+ .I specfile
+ set used with the
+ .B \-f
+-option. Non-matching SHA1 digests will be displayed with "No Match" appended.
++option. Non-matching SHA256 digests will be displayed with "No Match" appended.
+ This feature can be disabled by the
+ .B \-n
+ option.
+@@ -87,7 +87,7 @@ Do not append "Match" or "No Match" to displayed digests.
+ recursively descend directories.
+ .TP
+ .B \-v
+-display SHA1 digest generated by specfile set (Note that this digest is not
++display SHA256 digest generated by specfile set (Note that this digest is not
+ used to match the
+ .I security.sehash
+ directory digest entries, and is shown for reference only).
+diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
+index 31fb82fd2099..bc22d3fd4560 100644
+--- a/policycoreutils/setfiles/restorecon_xattr.c
++++ b/policycoreutils/setfiles/restorecon_xattr.c
+@@ -38,7 +38,7 @@ int main(int argc, char **argv)
+ 	unsigned int xattr_flags = 0, delete_digest = 0, recurse = 0;
+ 	unsigned int delete_all_digests = 0, ignore_mounts = 0;
+ 	bool display_digest = false;
+-	char *sha1_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
++	char *sha256_buf, **specfiles, *fc_file = NULL, *pathname = NULL;
+ 	unsigned char *fc_digest = NULL;
+ 	size_t i, fc_digest_len = 0, num_specfiles;
+ 
+@@ -133,8 +133,8 @@ int main(int argc, char **argv)
+ 			exit(-1);
+ 		}
+ 
+-		sha1_buf = malloc(fc_digest_len * 2 + 1);
+-		if (!sha1_buf) {
++		sha256_buf = malloc(fc_digest_len * 2 + 1);
++		if (!sha256_buf) {
+ 			fprintf(stderr,
+ 				"Error allocating digest buffer: %s\n",
+ 							    strerror(errno));
+@@ -143,16 +143,16 @@ int main(int argc, char **argv)
+ 		}
+ 
+ 		for (i = 0; i < fc_digest_len; i++)
+-			sprintf((&sha1_buf[i * 2]), "%02x", fc_digest[i]);
++			sprintf((&sha256_buf[i * 2]), "%02x", fc_digest[i]);
+ 
+-		printf("specfiles SHA1 digest: %s\n", sha1_buf);
++		printf("specfiles SHA256 digest: %s\n", sha256_buf);
+ 
+ 		printf("calculated using the following specfile(s):\n");
+ 		if (specfiles) {
+ 			for (i = 0; i < num_specfiles; i++)
+ 				printf("%s\n", specfiles[i]);
+ 		}
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		printf("\n");
+ 	}
+ 
+diff --git a/policycoreutils/setfiles/ru/restorecon.8 b/policycoreutils/setfiles/ru/restorecon.8
+index 9be3a63db356..745135020f4b 100644
+--- a/policycoreutils/setfiles/ru/restorecon.8
++++ b/policycoreutils/setfiles/ru/restorecon.8
+@@ -82,11 +82,11 @@ restorecon \- восстановить SELinux-контексты безопас
+ игнорировать файлы, которые не существуют.
+ .TP
+ .B \-I
+-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+ .B ПРИМЕЧАНИЯ.
+ .TP
+ .B \-D
+-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+ .IR security.restorecon_last.
+ .TP
+ .B \-m
+@@ -159,7 +159,7 @@ GNU
+ .B \-D
+ команды
+ .B restorecon
+-обеспечит сохранение дайджеста SHA1 файлов спецификации по умолчанию в расширенном атрибуте с именем
++обеспечит сохранение дайджеста SHA256 файлов спецификации по умолчанию в расширенном атрибуте с именем
+ .IR security.restorecon_last
+ для каталогов, указанных в соответствующих путях
+ .IR pathname \ ...
+@@ -173,7 +173,7 @@ GNU
+ .sp
+ Параметр
+ .B \-I
+-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в 
++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
+ .IR pathname \ ...
+ , и, при условии, что НЕ установлен параметр
+ .B \-n
+diff --git a/policycoreutils/setfiles/ru/restorecon_xattr.8 b/policycoreutils/setfiles/ru/restorecon_xattr.8
+index 41c441b8c5c2..25c4c3033334 100644
+--- a/policycoreutils/setfiles/ru/restorecon_xattr.8
++++ b/policycoreutils/setfiles/ru/restorecon_xattr.8
+@@ -23,7 +23,7 @@ restorecon_xattr \- управление записями расширенных
+ 
+ .SH "ОПИСАНИЕ"
+ .B restorecon_xattr
+-покажет дайджесты SHA1, добавленные в расширенные атрибуты
++покажет дайджесты SHA256, добавленные в расширенные атрибуты
+ .I security.restorecon_last,
+ или полностью удалит эти атрибуты. Эти атрибуты устанавливаются командой
+ .BR restorecon (8)
+@@ -47,11 +47,11 @@ restorecon_xattr \- управление записями расширенных
+ .sp
+ По умолчанию
+ .B restorecon_xattr
+-показывает дайджесты SHA1, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
++показывает дайджесты SHA256, добавляя в конце "Match", если они соответствуют установленному по умолчанию файлу спецификации или файлу спецификации
+ .I specfile,
+ который установлен с помощью параметра
+ .B \-f.
+-Несоответствующие дайджесты SHA1 будут показаны с добавлением "No Match" в конце.
++Несоответствующие дайджесты SHA256 будут показаны с добавлением "No Match" в конце.
+ Эту возможность можно отключить с помощью параметра
+ .B \-n.
+ 
+@@ -81,7 +81,7 @@ restorecon_xattr \- управление записями расширенных
+ рекурсивно спускаться по каталогам.
+ .TP
+ .B \-v
+-показать дайджест SHA1, созданный установленным файлом спецификации.
++показать дайджест SHA256, созданный установленным файлом спецификации.
+ .TP
+ .B \-e
+ .I directory
+@@ -97,7 +97,7 @@ restorecon_xattr \- управление записями расширенных
+ .BR file_contexts (5).
+ Он будет использоваться
+ .BR selabel_open (3)
+-для получения набора записей меток; получение дайджеста SHA1 выполняется с помощью
++для получения набора записей меток; получение дайджеста SHA256 выполняется с помощью
+ .BR selabel_digest (3).
+ Если этот параметр не указан, будет использоваться файл file_contexts по умолчанию.
+ 
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 910101452625..7f2daa09191b 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -69,11 +69,11 @@ setfiles \- установить SELinux-контексты безопаснос
+ игнорировать файлы, которые не существуют.
+ .TP
+ .B \-I
+-игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA1 соответствует дайджесту SHA1 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
++игнорировать дайджест, чтобы принудительно проверить метки, даже если хранимый дайджест SHA256 соответствует дайджесту SHA256 файлов спецификации. Затем (при условии отсутствия ошибок) дайджест будет обновлён. Более подробные сведения доступны в разделе
+ .B ПРИМЕЧАНИЯ.
+ .TP
+ .B \-D
+-установить или обновить дайджесты SHA1 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
++установить или обновить дайджесты SHA256 для любых каталогов. Используйте этот параметр, чтобы включить использование расширенного атрибута
+ .IR security.restorecon_last.
+ .TP
+ .B \-l
+@@ -186,7 +186,7 @@ GNU
+ .B \-D
+ команды
+ .B setfiles .
+-Он обеспечивает сохранение дайджеста SHA1 файла спецификации
++Он обеспечивает сохранение дайджеста SHA256 файла спецификации
+ .B spec_file 
+ в расширенном атрибуте с именем
+ .IR security.restorecon_last
+@@ -204,7 +204,7 @@ GNU
+ .sp
+ Параметр
+ .B \-I
+-позволяет игнорировать дайджест SHA1 из каждого каталога, указанного в 
++позволяет игнорировать дайджест SHA256 из каждого каталога, указанного в
+ .IR pathname \ ...
+ , и, при условии, что НЕ установлен параметр
+ .B \-n
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index 8e6c4ab94841..0692121f2f4d 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -85,14 +85,14 @@ display usage information and exit.
+ ignore files that do not exist.
+ .TP
+ .B \-I
+-ignore digest to force checking of labels even if the stored SHA1 digest
+-matches the specfiles SHA1 digest. The digest will then be updated provided
++ignore digest to force checking of labels even if the stored SHA256 digest
++matches the specfiles SHA256 digest. The digest will then be updated provided
+ there are no errors. See the
+ .B NOTES
+ section for further details.
+ .TP
+ .B \-D
+-Set or update any directory SHA1 digests. Use this option to
++Set or update any directory SHA256 digests. Use this option to
+ enable usage of the
+ .IR security.sehash
+ extended attribute.
+@@ -230,7 +230,7 @@ the
+ .B \-D
+ option to
+ .B setfiles
+-will cause it to store a SHA1 digest of the
++will cause it to store a SHA256 digest of the
+ .B spec_file
+ set in an extended attribute named
+ .IR security.sehash
+@@ -251,7 +251,7 @@ for further details.
+ .sp
+ The
+ .B \-I
+-option will ignore the SHA1 digest from each directory specified in
++option will ignore the SHA256 digest from each directory specified in
+ .IR pathname \ ...
+ and provided the
+ .B \-n
+-- 
+2.32.0
+

0019-setfiles-restorecon-support-parallel-relabeling.patch

@@ -0,0 +1,253 @@
+From fba88f42bf8490a23fa6dcd33de2ccd59170009b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:39 +0200
+Subject: [PATCH] setfiles/restorecon: support parallel relabeling
+
+Use the newly introduced selinux_restorecon_parallel(3) in
+setfiles/restorecon and a -T option to both to allow enabling parallel
+relabeling. The default behavior without specifying the -T option is to
+use 1 thread; parallel relabeling must be requested explicitly by
+passing -T 0 (which will use as many threads as there are available CPU
+cores) or -T <N>, which will use <N> threads.
+
+=== Benchmarks ===
+As measured on a 32-core cloud VM with Fedora 34. Not a fully
+representative environment, but still the scaling is quite good.
+
+WITHOUT PATCHES:
+$ time restorecon -rn /usr
+
+real    0m21.689s
+user    0m21.070s
+sys     0m0.494s
+
+WITH PATCHES:
+$ time restorecon -rn /usr
+
+real    0m23.940s
+user    0m23.127s
+sys     0m0.653s
+$ time restorecon -rn -T 2 /usr
+
+real    0m13.145s
+user    0m25.306s
+sys     0m0.695s
+$ time restorecon -rn -T 4 /usr
+
+real    0m7.559s
+user    0m28.470s
+sys     0m1.099s
+$ time restorecon -rn -T 8 /usr
+
+real    0m5.186s
+user    0m37.450s
+sys     0m2.094s
+$ time restorecon -rn -T 16 /usr
+
+real    0m3.831s
+user    0m51.220s
+sys     0m4.895s
+$ time restorecon -rn -T 32 /usr
+
+real    0m2.650s
+user    1m5.136s
+sys     0m6.614s
+
+Note that the benchmarks were performed in read-only mode (-n), so the
+labels were only read and looked up in the database, not written. When
+fixing labels on a heavily mislabeled system, the scaling would likely
+be event better, since a larger % of work could be done in parallel.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policycoreutils/setfiles/Makefile     |  2 +-
+ policycoreutils/setfiles/restore.c    |  7 ++++---
+ policycoreutils/setfiles/restore.h    |  2 +-
+ policycoreutils/setfiles/restorecon.8 |  9 +++++++++
+ policycoreutils/setfiles/setfiles.8   |  9 +++++++++
+ policycoreutils/setfiles/setfiles.c   | 28 ++++++++++++++++-----------
+ 6 files changed, 41 insertions(+), 16 deletions(-)
+
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index 63d818509791..d7670a8ff54b 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+ 
+ CFLAGS ?= -g -Werror -Wall -W
+-override LDLIBS += -lselinux -lsepol
++override LDLIBS += -lselinux -lsepol -lpthread
+ 
+ ifeq ($(AUDITH), y)
+ 	override CFLAGS += -DUSE_AUDIT
+diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
+index 9d688c609f79..74d48bb3752d 100644
+--- a/policycoreutils/setfiles/restore.c
++++ b/policycoreutils/setfiles/restore.c
+@@ -72,7 +72,7 @@ void restore_finish(void)
+ 	}
+ }
+ 
+-int process_glob(char *name, struct restore_opts *opts)
++int process_glob(char *name, struct restore_opts *opts, size_t nthreads)
+ {
+ 	glob_t globbuf;
+ 	size_t i = 0;
+@@ -91,8 +91,9 @@ int process_glob(char *name, struct restore_opts *opts)
+ 			continue;
+ 		if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ 			continue;
+-		rc = selinux_restorecon(globbuf.gl_pathv[i],
+-					opts->restorecon_flags);
++		rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
++						 opts->restorecon_flags,
++						 nthreads);
+ 		if (rc < 0)
+ 			errors = rc;
+ 	}
+diff --git a/policycoreutils/setfiles/restore.h b/policycoreutils/setfiles/restore.h
+index ac6ad6809f4f..bb35a1db9e34 100644
+--- a/policycoreutils/setfiles/restore.h
++++ b/policycoreutils/setfiles/restore.h
+@@ -49,7 +49,7 @@ struct restore_opts {
+ void restore_init(struct restore_opts *opts);
+ void restore_finish(void);
+ void add_exclude(const char *directory);
+-int process_glob(char *name, struct restore_opts *opts);
++int process_glob(char *name, struct restore_opts *opts, size_t nthreads);
+ extern char **exclude_list;
+ 
+ #endif
+diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
+index a8900f02b3f3..dbd55ce7c512 100644
+--- a/policycoreutils/setfiles/restorecon.8
++++ b/policycoreutils/setfiles/restorecon.8
+@@ -33,6 +33,8 @@ restorecon \- restore file(s) default SELinux security contexts.
+ .RB [ \-W ]
+ .RB [ \-I | \-D ]
+ .RB [ \-x ]
++.RB [ \-T
++.IR nthreads ]
+ 
+ .SH "DESCRIPTION"
+ This manual page describes the
+@@ -160,6 +162,13 @@ prevent
+ .B restorecon
+ from crossing file system boundaries.
+ .TP
++.BI \-T \ nthreads
++use up to
++.I nthreads
++threads.  Specify 0 to create as many threads as there are available
++CPU cores; 1 to use only a single thread (default); or any positive
++number to use the given number of threads (if possible).
++.TP
+ .SH "ARGUMENTS"
+ .IR pathname \ ...
+ The pathname for the file(s) to be relabeled.
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index 0692121f2f4d..8ef9f602e843 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -19,6 +19,8 @@ setfiles \- set SELinux file security contexts.
+ .RB [ \-W ]
+ .RB [ \-F ]
+ .RB [ \-I | \-D ]
++.RB [ \-T
++.IR nthreads ]
+ .I spec_file
+ .IR pathname \ ...
+ 
+@@ -161,6 +163,13 @@ quote marks or backslashes.  The
+ option of GNU
+ .B find
+ produces input suitable for this mode.
++.TP
++.BI \-T \ nthreads
++use up to
++.I nthreads
++threads.  Specify 0 to create as many threads as there are available
++CPU cores; 1 to use only a single thread (default); or any positive
++number to use the given number of threads (if possible).
+ 
+ .SH "ARGUMENTS"
+ .TP
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index f018d161aa9e..2313a21fa0f3 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -1,4 +1,5 @@
+ #include "restore.h"
++#include <stdlib.h>
+ #include <unistd.h>
+ #include <fcntl.h>
+ #include <stdio_ext.h>
+@@ -34,14 +35,14 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ {
+ 	if (iamrestorecon) {
+ 		fprintf(stderr,
+-			"usage:  %s [-iIDFmnprRv0x] [-e excludedir] pathname...\n"
+-			"usage:  %s [-iIDFmnprRv0x] [-e excludedir] -f filename\n",
++			"usage:  %s [-iIDFmnprRv0xT] [-e excludedir] pathname...\n"
++			"usage:  %s [-iIDFmnprRv0xT] [-e excludedir] -f filename\n",
+ 			name, name);
+ 	} else {
+ 		fprintf(stderr,
+-			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
+-			"usage:  %s [-diIDlmnpqvEFW] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
+-			"usage:  %s -s [-diIDlmnpqvFW] spec_file\n",
++			"usage:  %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file pathname...\n"
++			"usage:  %s [-diIDlmnpqvEFWT] [-e excludedir] [-r alt_root_path] [-c policyfile] spec_file -f filename\n"
++			"usage:  %s -s [-diIDlmnpqvFWT] spec_file\n",
+ 			name, name, name);
+ 	}
+ 	exit(-1);
+@@ -144,12 +145,12 @@ int main(int argc, char **argv)
+ 	int opt, i = 0;
+ 	const char *input_filename = NULL;
+ 	int use_input_file = 0;
+-	char *buf = NULL;
+-	size_t buf_len;
++	char *buf = NULL, *endptr;
++	size_t buf_len, nthreads = 1;
+ 	const char *base;
+ 	int errors = 0;
+-	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0x";
+-	const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0";
++	const char *ropts = "e:f:hiIDlmno:pqrsvFRW0xT:";
++	const char *sopts = "c:de:f:hiIDlmno:pqr:svEFR:W0T:";
+ 	const char *opts;
+ 	union selinux_callback cb;
+ 
+@@ -370,6 +371,11 @@ int main(int argc, char **argv)
+ 				usage(argv[0]);
+                         }
+                         break;
++		case 'T':
++			nthreads = strtoull(optarg, &endptr, 10);
++			if (*optarg == '\0' || *endptr != '\0')
++				usage(argv[0]);
++			break;
+ 		case 'h':
+ 		case '?':
+ 			usage(argv[0]);
+@@ -448,13 +454,13 @@ int main(int argc, char **argv)
+ 			buf[len - 1] = 0;
+ 			if (!strcmp(buf, "/"))
+ 				r_opts.mass_relabel = SELINUX_RESTORECON_MASS_RELABEL;
+-			errors |= process_glob(buf, &r_opts) < 0;
++			errors |= process_glob(buf, &r_opts, nthreads) < 0;
+ 		}
+ 		if (strcmp(input_filename, "-") != 0)
+ 			fclose(f);
+ 	} else {
+ 		for (i = optind; i < argc; i++)
+-			errors |= process_glob(argv[i], &r_opts) < 0;
++			errors |= process_glob(argv[i], &r_opts, nthreads) < 0;
+ 	}
+ 
+ 	maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
+-- 
+2.33.1
+

0020-semodule-add-m-checksum-option.patch

@@ -0,0 +1,674 @@
+From 4e6165719d3315b6502f3d290a549f9fa14c3238 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 16 Nov 2021 14:27:11 +0100
+Subject: [PATCH] semodule: add -m | --checksum option
+
+Since cil doesn't store module name and module version in module itself,
+there's no simple way how to compare that installed module is the same
+version as the module which is supposed to be installed. Even though the
+version was not used by semodule itself, it was apparently used by some
+team.
+
+With `semodule -l --checksum` users get SHA256 hashes of modules and
+could compare them with their files which is faster than installing
+modules again and again.
+
+E.g.
+
+    # time (
+    semodule -l --checksum | grep localmodule
+    /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
+    )
+    localmodule db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd
+    db002f64ddfa3983257b42b54da7b182c9b2e476f47880ae3494f9099e1a42bd  -
+
+    real    0m0.876s
+    user    0m0.849s
+    sys     0m0.028s
+
+vs
+
+    # time semodule -i localmodule.pp
+
+    real    0m6.147s
+    user    0m5.800s
+    sys     0m0.231s
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/semodule/Makefile   |   2 +-
+ policycoreutils/semodule/semodule.8 |   6 +
+ policycoreutils/semodule/semodule.c |  95 ++++++++-
+ policycoreutils/semodule/sha256.c   | 294 ++++++++++++++++++++++++++++
+ policycoreutils/semodule/sha256.h   |  89 +++++++++
+ 5 files changed, 480 insertions(+), 6 deletions(-)
+ create mode 100644 policycoreutils/semodule/sha256.c
+ create mode 100644 policycoreutils/semodule/sha256.h
+
+diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
+index 73801e487a76..9875ac383280 100644
+--- a/policycoreutils/semodule/Makefile
++++ b/policycoreutils/semodule/Makefile
+@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override LDLIBS += -lsepol -lselinux -lsemanage
+-SEMODULE_OBJS = semodule.o
++SEMODULE_OBJS = semodule.o sha256.o
+ 
+ all: semodule genhomedircon
+ 
+diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
+index 18d4f708661c..3a2fb21c2481 100644
+--- a/policycoreutils/semodule/semodule.8
++++ b/policycoreutils/semodule/semodule.8
+@@ -95,6 +95,9 @@ only modules listed in \-\-extract after this option.
+ .B  \-H,\-\-hll
+ Extract module as an HLL file. This only affects the \-\-extract option and
+ only modules listed in \-\-extract after this option.
++.TP
++.B  \-m,\-\-checksum
++Add SHA256 checksum of modules to the list output.
+ 
+ .SH EXAMPLE
+ .nf
+@@ -130,6 +133,9 @@ $ semodule \-B \-S "/tmp/var/lib/selinux"
+ # Write the HLL version of puppet and the CIL version of wireshark
+ # modules at priority 400 to the current working directory
+ $ semodule \-X 400 \-\-hll \-E puppet \-\-cil \-E wireshark
++# Check whether a module in "localmodule.pp" file is same as installed module "localmodule"
++$ /usr/libexec/selinux/hll/pp localmodule.pp | sha256sum
++$ semodule -l -m | grep localmodule
+ .fi
+ 
+ .SH SEE ALSO
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index c815f01546b4..ddbf10455abf 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -25,6 +25,8 @@
+ #include <sepol/cil/cil.h>
+ #include <semanage/modules.h>
+ 
++#include "sha256.h"
++
+ enum client_modes {
+ 	NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
+ 	LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
+@@ -57,6 +59,7 @@ static semanage_handle_t *sh = NULL;
+ static char *store;
+ static char *store_root;
+ int extract_cil = 0;
++static int checksum = 0;
+ 
+ extern char *optarg;
+ extern int optind;
+@@ -147,6 +150,7 @@ static void usage(char *progname)
+ 	printf("  -S,--store-path  use an alternate path for the policy store root\n");
+ 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
+ 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
++	printf("  -m, --checksum   print module checksum (SHA256).\n");
+ }
+ 
+ /* Sets the global mode variable to new_mode, but only if no other
+@@ -200,6 +204,7 @@ static void parse_command_line(int argc, char **argv)
+ 		{"disable", required_argument, NULL, 'd'},
+ 		{"path", required_argument, NULL, 'p'},
+ 		{"store-path", required_argument, NULL, 'S'},
++		{"checksum", 0, NULL, 'm'},
+ 		{NULL, 0, NULL, 0}
+ 	};
+ 	int extract_selected = 0;
+@@ -210,7 +215,7 @@ static void parse_command_line(int argc, char **argv)
+ 	no_reload = 0;
+ 	priority = 400;
+ 	while ((i =
+-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cH", opts,
++		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
+ 			    NULL)) != -1) {
+ 		switch (i) {
+ 		case 'b':
+@@ -287,6 +292,9 @@ static void parse_command_line(int argc, char **argv)
+ 		case 'd':
+ 			set_mode(DISABLE_M, optarg);
+ 			break;
++		case 'm':
++			checksum = 1;
++			break;
+ 		case '?':
+ 		default:{
+ 				usage(argv[0]);
+@@ -338,6 +346,61 @@ static void parse_command_line(int argc, char **argv)
+ 	}
+ }
+ 
++/* Get module checksum */
++static char *hash_module_data(const char *module_name, const int prio) {
++	semanage_module_info_t *extract_info = NULL;
++	semanage_module_key_t *modkey = NULL;
++	Sha256Context context;
++	uint8_t sha256_hash[SHA256_HASH_SIZE];
++	char *sha256_buf = NULL;
++	void *data;
++	size_t data_len = 0, i;
++	int result;
++
++	result = semanage_module_key_create(sh, &modkey);
++	if (result != 0) {
++		goto cleanup_extract;
++	}
++
++	result = semanage_module_key_set_name(sh, modkey, module_name);
++	if (result != 0) {
++		goto cleanup_extract;
++	}
++
++	result = semanage_module_key_set_priority(sh, modkey, prio);
++	if (result != 0) {
++		goto cleanup_extract;
++	}
++
++	result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
++									 &extract_info);
++	if (result != 0) {
++		goto cleanup_extract;
++	}
++
++	Sha256Initialise(&context);
++	Sha256Update(&context, data, data_len);
++
++	Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
++
++	sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
++
++	if (sha256_buf == NULL)
++		goto cleanup_extract;
++
++	for (i = 0; i < SHA256_HASH_SIZE; i++) {
++		sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
++	}
++	sha256_buf[i * 2] = 0;
++
++cleanup_extract:
++	semanage_module_info_destroy(sh, extract_info);
++	free(extract_info);
++	semanage_module_key_destroy(sh, modkey);
++	free(modkey);
++	return sha256_buf;
++}
++
+ int main(int argc, char *argv[])
+ {
+ 	int i, commit = 0;
+@@ -546,6 +609,8 @@ cleanup_extract:
+ 				int modinfos_len = 0;
+ 				semanage_module_info_t *m = NULL;
+ 				int j = 0;
++				char *module_checksum = NULL;
++				uint16_t pri = 0;
+ 
+ 				if (verbose) {
+ 					printf
+@@ -570,7 +635,18 @@ cleanup_extract:
+ 						result = semanage_module_info_get_name(sh, m, &name);
+ 						if (result != 0) goto cleanup_list;
+ 
+-						printf("%s\n", name);
++						result = semanage_module_info_get_priority(sh, m, &pri);
++						if (result != 0) goto cleanup_list;
++
++						printf("%s", name);
++						if (checksum) {
++							module_checksum = hash_module_data(name, pri);
++							if (module_checksum) {
++								printf(" %s", module_checksum);
++								free(module_checksum);
++							}
++						}
++						printf("\n");
+ 					}
+ 				}
+ 				else if (strcmp(mode_arg, "full") == 0) {
+@@ -585,11 +661,12 @@ cleanup_extract:
+ 					}
+ 
+ 					/* calculate column widths */
+-					size_t column[4] = { 0, 0, 0, 0 };
++					size_t column[5] = { 0, 0, 0, 0, 0 };
+ 
+ 					/* fixed width columns */
+ 					column[0] = sizeof("000") - 1;
+ 					column[3] = sizeof("disabled") - 1;
++					column[4] = 64; /* SHA256_HASH_SIZE * 2 */
+ 
+ 					/* variable width columns */
+ 					const char *tmp = NULL;
+@@ -612,7 +689,6 @@ cleanup_extract:
+ 
+ 					/* print out each module */
+ 					for (j = 0; j < modinfos_len; j++) {
+-						uint16_t pri = 0;
+ 						const char *name = NULL;
+ 						int enabled = 0;
+ 						const char *lang_ext = NULL;
+@@ -631,11 +707,20 @@ cleanup_extract:
+ 						result = semanage_module_info_get_lang_ext(sh, m, &lang_ext);
+ 						if (result != 0) goto cleanup_list;
+ 
+-						printf("%0*u %-*s %-*s %-*s\n",
++						printf("%0*u %-*s %-*s %-*s",
+ 							(int)column[0], pri,
+ 							(int)column[1], name,
+ 							(int)column[2], lang_ext,
+ 							(int)column[3], enabled ? "" : "disabled");
++						if (checksum) {
++							module_checksum = hash_module_data(name, pri);
++							if (module_checksum) {
++								printf(" %-*s", (int)column[4], module_checksum);
++								free(module_checksum);
++							}
++						}
++						printf("\n");
++
+ 					}
+ 				}
+ 				else {
+diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/policycoreutils/semodule/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include <memory.h>
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y)                                                                     \
++     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
++       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y)                            \
++     { x = ((uint32_t)((y)[0] & 255)<<24) | \
++           ((uint32_t)((y)[1] & 255)<<16) | \
++           ((uint32_t)((y)[2] & 255)<<8)  | \
++           ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y)                                                                     \
++   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
++     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
++     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
++     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE          64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
++#define Maj( x, y, z )    (((x | y) & z) | (x & y))
++#define S( x, n )         ror((x),(n))
++#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
++     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
++     t1 = Sigma0(a) + Maj(a, b, c);                    \
++     d += t0;                                          \
++     h  = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  TransformFunction
++//
++//  Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++    TransformFunction
++    (
++        Sha256Context*      Context,
++        uint8_t const*      Buffer
++    )
++{
++    uint32_t    S[8];
++    uint32_t    W[64];
++    uint32_t    t0;
++    uint32_t    t1;
++    uint32_t    t;
++    int         i;
++
++    // Copy state into S
++    for( i=0; i<8; i++ )
++    {
++        S[i] = Context->state[i];
++    }
++
++    // Copy the state into 512-bits into W[0..15]
++    for( i=0; i<16; i++ )
++    {
++        LOAD32H( W[i], Buffer + (4*i) );
++    }
++
++    // Fill W[16..63]
++    for( i=16; i<64; i++ )
++    {
++        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++    }
++
++    // Compress
++    for( i=0; i<64; i++ )
++    {
++        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++        t = S[7];
++        S[7] = S[6];
++        S[6] = S[5];
++        S[5] = S[4];
++        S[4] = S[3];
++        S[3] = S[2];
++        S[2] = S[1];
++        S[1] = S[0];
++        S[0] = t;
++    }
++
++    // Feedback
++    for( i=0; i<8; i++ )
++    {
++        Context->state[i] = Context->state[i] + S[i];
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    )
++{
++    Context->curlen = 0;
++    Context->length = 0;
++    Context->state[0] = 0x6A09E667UL;
++    Context->state[1] = 0xBB67AE85UL;
++    Context->state[2] = 0x3C6EF372UL;
++    Context->state[3] = 0xA54FF53AUL;
++    Context->state[4] = 0x510E527FUL;
++    Context->state[5] = 0x9B05688CUL;
++    Context->state[6] = 0x1F83D9ABUL;
++    Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    )
++{
++    uint32_t n;
++
++    if( Context->curlen > sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    while( BufferSize > 0 )
++    {
++        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++        {
++           TransformFunction( Context, (uint8_t*)Buffer );
++           Context->length += BLOCK_SIZE * 8;
++           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++           BufferSize -= BLOCK_SIZE;
++        }
++        else
++        {
++           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++           Context->curlen += n;
++           Buffer = (uint8_t*)Buffer + n;
++           BufferSize -= n;
++           if( Context->curlen == BLOCK_SIZE )
++           {
++              TransformFunction( Context, Context->buf );
++              Context->length += 8*BLOCK_SIZE;
++              Context->curlen = 0;
++           }
++       }
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    )
++{
++    int i;
++
++    if( Context->curlen >= sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    // Increase the length of the message
++    Context->length += Context->curlen * 8;
++
++    // Append the '1' bit
++    Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++    // if the length is currently above 56 bytes we append zeros
++    // then compress.  Then we can fall back to padding zeros and length
++    // encoding like normal.
++    if( Context->curlen > 56 )
++    {
++        while( Context->curlen < 64 )
++        {
++            Context->buf[Context->curlen++] = (uint8_t)0;
++        }
++        TransformFunction(Context, Context->buf);
++        Context->curlen = 0;
++    }
++
++    // Pad up to 56 bytes of zeroes
++    while( Context->curlen < 56 )
++    {
++        Context->buf[Context->curlen++] = (uint8_t)0;
++    }
++
++    // Store length
++    STORE64H( Context->length, Context->buf+56 );
++    TransformFunction( Context, Context->buf );
++
++    // Copy output
++    for( i=0; i<8; i++ )
++    {
++        STORE32H( Context->state[i], Digest->bytes+(4*i) );
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    )
++{
++    Sha256Context context;
++
++    Sha256Initialise( &context );
++    Sha256Update( &context, Buffer, BufferSize );
++    Sha256Finalise( &context, Digest );
++}
+diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/policycoreutils/semodule/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include <stdint.h>
++#include <stdio.h>
++
++typedef struct
++{
++    uint64_t    length;
++    uint32_t    state[8];
++    uint32_t    curlen;
++    uint8_t     buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE           ( 256 / 8 )
++
++typedef struct
++{
++    uint8_t      bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    );
+-- 
+2.33.1
+

0021-semodule-Fix-lang_ext-column-index.patch

@@ -0,0 +1,29 @@
+From 7537374e7f5802852c0c64b4cb2a9646402e3cba Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 16 Nov 2021 16:11:22 +0100
+Subject: [PATCH] semodule: Fix lang_ext column index
+
+lang_ext is 3. column - index number 2.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/semodule/semodule.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index ddbf10455abf..57f005ce2c62 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -684,7 +684,7 @@ cleanup_extract:
+ 						if (result != 0) goto cleanup_list;
+ 
+ 						size = strlen(tmp);
+-						if (size > column[3]) column[3] = size;
++						if (size > column[2]) column[2] = size;
+ 					}
+ 
+ 					/* print out each module */
+-- 
+2.33.1
+

0022-semodule-Don-t-forget-to-munmap-data.patch

@@ -0,0 +1,32 @@
+From 0c4e5d70fde006977e798d6cc7d80db2e8af7bb9 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 23 Nov 2021 17:38:51 +0100
+Subject: [PATCH] semodule: Don't forget to munmap() data
+
+semanage_module_extract() mmap()'s the module raw data but it leaves on
+the caller to munmap() them.
+
+Reported-by: Ondrej Mosnacek <omosnace@redhat.com>
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+ policycoreutils/semodule/semodule.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 57f005ce2c62..94a9d131bb79 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -394,6 +394,9 @@ static char *hash_module_data(const char *module_name, const int prio) {
+ 	sha256_buf[i * 2] = 0;
+ 
+ cleanup_extract:
++	if (data_len > 0) {
++		munmap(data, data_len);
++	}
+ 	semanage_module_info_destroy(sh, extract_info);
+ 	free(extract_info);
+ 	semanage_module_key_destroy(sh, modkey);
+-- 
+2.33.1
+

0023-semodule-libsemanage-move-module-hashing-into-libsem.patch

@@ -0,0 +1,539 @@
+From 7809f29b68e17a455478990ae9b22728381a126b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 3 Feb 2022 17:53:23 +0100
+Subject: [PATCH] semodule,libsemanage: move module hashing into libsemanage
+
+The main goal of this move is to have the SHA-256 implementation under
+libsemanage, since upcoming patches will make use of SHA-256 for a
+different (but similar) purpose in libsemanage. Having the hashing code
+in libsemanage will reduce code duplication and allow for easier hash
+algorithm upgrade in the future.
+
+Note that libselinux currently also contains a hash function
+implementation (for yet another different purpose). This patch doesn't
+make any effort to address that duplicity yet.
+
+This patch also changes the format of the hash string printed by
+semodule to include the name of the hash. The intent is to avoid
+ambiguity and potential collisions when the algorithm is potentially
+changed in the future.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policycoreutils/semodule/Makefile   |   2 +-
+ policycoreutils/semodule/semodule.c |  53 ++---
+ policycoreutils/semodule/sha256.c   | 294 ----------------------------
+ policycoreutils/semodule/sha256.h   |  89 ---------
+ 4 files changed, 17 insertions(+), 421 deletions(-)
+ delete mode 100644 policycoreutils/semodule/sha256.c
+ delete mode 100644 policycoreutils/semodule/sha256.h
+
+diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
+index 9875ac383280..73801e487a76 100644
+--- a/policycoreutils/semodule/Makefile
++++ b/policycoreutils/semodule/Makefile
+@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
+ 
+ CFLAGS ?= -Werror -Wall -W
+ override LDLIBS += -lsepol -lselinux -lsemanage
+-SEMODULE_OBJS = semodule.o sha256.o
++SEMODULE_OBJS = semodule.o
+ 
+ all: semodule genhomedircon
+ 
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index 94a9d131bb79..f4a76289efa3 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -25,8 +25,6 @@
+ #include <sepol/cil/cil.h>
+ #include <semanage/modules.h>
+ 
+-#include "sha256.h"
+-
+ enum client_modes {
+ 	NO_MODE, INSTALL_M, REMOVE_M, EXTRACT_M, CIL_M, HLL_M,
+ 	LIST_M, RELOAD, PRIORITY_M, ENABLE_M, DISABLE_M
+@@ -348,60 +346,38 @@ static void parse_command_line(int argc, char **argv)
+ 
+ /* Get module checksum */
+ static char *hash_module_data(const char *module_name, const int prio) {
+-	semanage_module_info_t *extract_info = NULL;
+ 	semanage_module_key_t *modkey = NULL;
+-	Sha256Context context;
+-	uint8_t sha256_hash[SHA256_HASH_SIZE];
+-	char *sha256_buf = NULL;
+-	void *data;
+-	size_t data_len = 0, i;
++	char *hash_str = NULL;
++	void *hash = NULL;
++	size_t hash_len = 0;
+ 	int result;
+ 
+ 	result = semanage_module_key_create(sh, &modkey);
+ 	if (result != 0) {
+-		goto cleanup_extract;
++		goto cleanup;
+ 	}
+ 
+ 	result = semanage_module_key_set_name(sh, modkey, module_name);
+ 	if (result != 0) {
+-		goto cleanup_extract;
++		goto cleanup;
+ 	}
+ 
+ 	result = semanage_module_key_set_priority(sh, modkey, prio);
+ 	if (result != 0) {
+-		goto cleanup_extract;
++		goto cleanup;
+ 	}
+ 
+-	result = semanage_module_extract(sh, modkey, 1, &data, &data_len,
+-									 &extract_info);
++	result = semanage_module_compute_checksum(sh, modkey, 1, &hash_str,
++						  &hash_len);
+ 	if (result != 0) {
+-		goto cleanup_extract;
+-	}
+-
+-	Sha256Initialise(&context);
+-	Sha256Update(&context, data, data_len);
+-
+-	Sha256Finalise(&context, (SHA256_HASH *)sha256_hash);
+-
+-	sha256_buf = calloc(1, SHA256_HASH_SIZE * 2 + 1);
+-
+-	if (sha256_buf == NULL)
+-		goto cleanup_extract;
+-
+-	for (i = 0; i < SHA256_HASH_SIZE; i++) {
+-		sprintf((&sha256_buf[i * 2]), "%02x", sha256_hash[i]);
++		goto cleanup;
+ 	}
+-	sha256_buf[i * 2] = 0;
+ 
+-cleanup_extract:
+-	if (data_len > 0) {
+-		munmap(data, data_len);
+-	}
+-	semanage_module_info_destroy(sh, extract_info);
+-	free(extract_info);
++cleanup:
++	free(hash);
+ 	semanage_module_key_destroy(sh, modkey);
+ 	free(modkey);
+-	return sha256_buf;
++	return hash_str;
+ }
+ 
+ int main(int argc, char *argv[])
+@@ -669,7 +645,10 @@ cleanup_extract:
+ 					/* fixed width columns */
+ 					column[0] = sizeof("000") - 1;
+ 					column[3] = sizeof("disabled") - 1;
+-					column[4] = 64; /* SHA256_HASH_SIZE * 2 */
++
++					result = semanage_module_compute_checksum(sh, NULL, 0, NULL,
++										  &column[4]);
++					if (result != 0) goto cleanup_list;
+ 
+ 					/* variable width columns */
+ 					const char *tmp = NULL;
+diff --git a/policycoreutils/semodule/sha256.c b/policycoreutils/semodule/sha256.c
+deleted file mode 100644
+index fe2aeef07f53..000000000000
+--- a/policycoreutils/semodule/sha256.c
++++ /dev/null
+@@ -1,294 +0,0 @@
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  WjCryptLib_Sha256
+-//
+-//  Implementation of SHA256 hash function.
+-//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include "sha256.h"
+-#include <memory.h>
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  MACROS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
+-
+-#define MIN(x, y) ( ((x)<(y))?(x):(y) )
+-
+-#define STORE32H(x, y)                                                                     \
+-     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
+-       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
+-
+-#define LOAD32H(x, y)                            \
+-     { x = ((uint32_t)((y)[0] & 255)<<24) | \
+-           ((uint32_t)((y)[1] & 255)<<16) | \
+-           ((uint32_t)((y)[2] & 255)<<8)  | \
+-           ((uint32_t)((y)[3] & 255)); }
+-
+-#define STORE64H(x, y)                                                                     \
+-   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
+-     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
+-     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
+-     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  CONSTANTS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// The K array
+-static const uint32_t K[64] = {
+-    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
+-    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
+-    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
+-    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
+-    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
+-    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
+-    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
+-    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
+-    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
+-    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
+-    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
+-    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
+-    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
+-};
+-
+-#define BLOCK_SIZE          64
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  INTERNAL FUNCTIONS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// Various logical functions
+-#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
+-#define Maj( x, y, z )    (((x | y) & z) | (x & y))
+-#define S( x, n )         ror((x),(n))
+-#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
+-#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
+-#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
+-#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
+-#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
+-
+-#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
+-     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
+-     t1 = Sigma0(a) + Maj(a, b, c);                    \
+-     d += t0;                                          \
+-     h  = t0 + t1;
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TransformFunction
+-//
+-//  Compress 512-bits
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-static
+-void
+-    TransformFunction
+-    (
+-        Sha256Context*      Context,
+-        uint8_t const*      Buffer
+-    )
+-{
+-    uint32_t    S[8];
+-    uint32_t    W[64];
+-    uint32_t    t0;
+-    uint32_t    t1;
+-    uint32_t    t;
+-    int         i;
+-
+-    // Copy state into S
+-    for( i=0; i<8; i++ )
+-    {
+-        S[i] = Context->state[i];
+-    }
+-
+-    // Copy the state into 512-bits into W[0..15]
+-    for( i=0; i<16; i++ )
+-    {
+-        LOAD32H( W[i], Buffer + (4*i) );
+-    }
+-
+-    // Fill W[16..63]
+-    for( i=16; i<64; i++ )
+-    {
+-        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
+-    }
+-
+-    // Compress
+-    for( i=0; i<64; i++ )
+-    {
+-        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
+-        t = S[7];
+-        S[7] = S[6];
+-        S[6] = S[5];
+-        S[5] = S[4];
+-        S[4] = S[3];
+-        S[3] = S[2];
+-        S[2] = S[1];
+-        S[1] = S[0];
+-        S[0] = t;
+-    }
+-
+-    // Feedback
+-    for( i=0; i<8; i++ )
+-    {
+-        Context->state[i] = Context->state[i] + S[i];
+-    }
+-}
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Initialise
+-//
+-//  Initialises a SHA256 Context. Use this to initialise/reset a context.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Initialise
+-    (
+-        Sha256Context*      Context         // [out]
+-    )
+-{
+-    Context->curlen = 0;
+-    Context->length = 0;
+-    Context->state[0] = 0x6A09E667UL;
+-    Context->state[1] = 0xBB67AE85UL;
+-    Context->state[2] = 0x3C6EF372UL;
+-    Context->state[3] = 0xA54FF53AUL;
+-    Context->state[4] = 0x510E527FUL;
+-    Context->state[5] = 0x9B05688CUL;
+-    Context->state[6] = 0x1F83D9ABUL;
+-    Context->state[7] = 0x5BE0CD19UL;
+-}
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Update
+-//
+-//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Update
+-    (
+-        Sha256Context*      Context,        // [in out]
+-        void const*         Buffer,         // [in]
+-        uint32_t            BufferSize      // [in]
+-    )
+-{
+-    uint32_t n;
+-
+-    if( Context->curlen > sizeof(Context->buf) )
+-    {
+-       return;
+-    }
+-
+-    while( BufferSize > 0 )
+-    {
+-        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
+-        {
+-           TransformFunction( Context, (uint8_t*)Buffer );
+-           Context->length += BLOCK_SIZE * 8;
+-           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
+-           BufferSize -= BLOCK_SIZE;
+-        }
+-        else
+-        {
+-           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
+-           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
+-           Context->curlen += n;
+-           Buffer = (uint8_t*)Buffer + n;
+-           BufferSize -= n;
+-           if( Context->curlen == BLOCK_SIZE )
+-           {
+-              TransformFunction( Context, Context->buf );
+-              Context->length += 8*BLOCK_SIZE;
+-              Context->curlen = 0;
+-           }
+-       }
+-    }
+-}
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+-//  calling this, Sha256Initialised must be used to reuse the context.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Finalise
+-    (
+-        Sha256Context*      Context,        // [in out]
+-        SHA256_HASH*        Digest          // [out]
+-    )
+-{
+-    int i;
+-
+-    if( Context->curlen >= sizeof(Context->buf) )
+-    {
+-       return;
+-    }
+-
+-    // Increase the length of the message
+-    Context->length += Context->curlen * 8;
+-
+-    // Append the '1' bit
+-    Context->buf[Context->curlen++] = (uint8_t)0x80;
+-
+-    // if the length is currently above 56 bytes we append zeros
+-    // then compress.  Then we can fall back to padding zeros and length
+-    // encoding like normal.
+-    if( Context->curlen > 56 )
+-    {
+-        while( Context->curlen < 64 )
+-        {
+-            Context->buf[Context->curlen++] = (uint8_t)0;
+-        }
+-        TransformFunction(Context, Context->buf);
+-        Context->curlen = 0;
+-    }
+-
+-    // Pad up to 56 bytes of zeroes
+-    while( Context->curlen < 56 )
+-    {
+-        Context->buf[Context->curlen++] = (uint8_t)0;
+-    }
+-
+-    // Store length
+-    STORE64H( Context->length, Context->buf+56 );
+-    TransformFunction( Context, Context->buf );
+-
+-    // Copy output
+-    for( i=0; i<8; i++ )
+-    {
+-        STORE32H( Context->state[i], Digest->bytes+(4*i) );
+-    }
+-}
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Calculate
+-//
+-//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+-//  buffer.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Calculate
+-    (
+-        void  const*        Buffer,         // [in]
+-        uint32_t            BufferSize,     // [in]
+-        SHA256_HASH*        Digest          // [in]
+-    )
+-{
+-    Sha256Context context;
+-
+-    Sha256Initialise( &context );
+-    Sha256Update( &context, Buffer, BufferSize );
+-    Sha256Finalise( &context, Digest );
+-}
+diff --git a/policycoreutils/semodule/sha256.h b/policycoreutils/semodule/sha256.h
+deleted file mode 100644
+index 406ed869cd82..000000000000
+--- a/policycoreutils/semodule/sha256.h
++++ /dev/null
+@@ -1,89 +0,0 @@
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  WjCryptLib_Sha256
+-//
+-//  Implementation of SHA256 hash function.
+-//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#pragma once
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include <stdint.h>
+-#include <stdio.h>
+-
+-typedef struct
+-{
+-    uint64_t    length;
+-    uint32_t    state[8];
+-    uint32_t    curlen;
+-    uint8_t     buf[64];
+-} Sha256Context;
+-
+-#define SHA256_HASH_SIZE           ( 256 / 8 )
+-
+-typedef struct
+-{
+-    uint8_t      bytes [SHA256_HASH_SIZE];
+-} SHA256_HASH;
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Initialise
+-//
+-//  Initialises a SHA256 Context. Use this to initialise/reset a context.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Initialise
+-    (
+-        Sha256Context*      Context         // [out]
+-    );
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Update
+-//
+-//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Update
+-    (
+-        Sha256Context*      Context,        // [in out]
+-        void const*         Buffer,         // [in]
+-        uint32_t            BufferSize      // [in]
+-    );
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
+-//  calling this, Sha256Initialised must be used to reuse the context.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Finalise
+-    (
+-        Sha256Context*      Context,        // [in out]
+-        SHA256_HASH*        Digest          // [out]
+-    );
+-
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha256Calculate
+-//
+-//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
+-//  buffer.
+-////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha256Calculate
+-    (
+-        void  const*        Buffer,         // [in]
+-        uint32_t            BufferSize,     // [in]
+-        SHA256_HASH*        Digest          // [in]
+-    );
+-- 
+2.34.1
+

0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch

@@ -1,29 +0,0 @@
-From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Wed, 11 Nov 2020 17:23:40 +0100
-Subject: [PATCH] selinux_config(5): add a note that runtime disable is
- deprecated
-
-...and refer to selinux(8), which explains it further.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policycoreutils/man/man5/selinux_config.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
-index 1ffade150128..58b42a0e234d 100644
---- a/policycoreutils/man/man5/selinux_config.5
-+++ b/policycoreutils/man/man5/selinux_config.5
-@@ -48,7 +48,7 @@ SELinux security policy is enforced.
- .IP \fIpermissive\fR 4
- SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
- .IP \fIdisabled\fR
--SELinux is disabled and no policy is loaded.
-+No SELinux policy is loaded.  This option was used to disable SELinux completely, which is now deprecated.  Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
- .RE
- .sp
- The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
--- 
-2.29.2
-

0024-semodule-add-command-line-option-to-detect-module-ch.patch

@@ -0,0 +1,144 @@
+From 9341da3478625bb2ba2e7d4f3e227735cc9c8198 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Thu, 3 Feb 2022 17:53:27 +0100
+Subject: [PATCH] semodule: add command-line option to detect module changes
+
+Add a new command-line option "--rebuild-if-modules-changed" to control
+the newly introduced check_ext_changes libsemanage flag.
+
+For example, running `semodule --rebuild-if-modules-changed` will ensure
+that any externally added/removed modules (e.g. by an RPM transaction)
+are reflected in the compiled policy, while skipping the most expensive
+part of the rebuild if no module change was deteceted since the last
+libsemanage transaction.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policycoreutils/semodule/semodule.8 |  7 +++++++
+ policycoreutils/semodule/semodule.c | 32 ++++++++++++++++++++++-------
+ 2 files changed, 32 insertions(+), 7 deletions(-)
+
+diff --git a/policycoreutils/semodule/semodule.8 b/policycoreutils/semodule/semodule.8
+index 3a2fb21c2481..d1735d216276 100644
+--- a/policycoreutils/semodule/semodule.8
++++ b/policycoreutils/semodule/semodule.8
+@@ -23,6 +23,13 @@ force a reload of policy
+ .B \-B, \-\-build
+ force a rebuild of policy (also reloads unless \-n is used)
+ .TP
++.B \-\-rebuild-if-modules-changed
++Force a rebuild of the policy if any changes to module content are detected
++(by comparing with checksum from the last transaction).  One can use this
++instead of \-B to ensure that any changes to the module store done by an
++external tool (e.g. a package manager) are applied, while automatically
++skipping the rebuild if there are no new changes.
++.TP
+ .B \-D, \-\-disable_dontaudit
+ Temporarily remove dontaudits from policy.  Reverts whenever policy is rebuilt
+ .TP
+diff --git a/policycoreutils/semodule/semodule.c b/policycoreutils/semodule/semodule.c
+index f4a76289efa3..1ed8e69054e0 100644
+--- a/policycoreutils/semodule/semodule.c
++++ b/policycoreutils/semodule/semodule.c
+@@ -47,6 +47,7 @@ static int verbose;
+ static int reload;
+ static int no_reload;
+ static int build;
++static int check_ext_changes;
+ static int disable_dontaudit;
+ static int preserve_tunables;
+ static int ignore_module_cache;
+@@ -149,6 +150,9 @@ static void usage(char *progname)
+ 	printf("  -c, --cil extract module as cil. This only affects module extraction.\n");
+ 	printf("  -H, --hll extract module as hll. This only affects module extraction.\n");
+ 	printf("  -m, --checksum   print module checksum (SHA256).\n");
++	printf("      --rebuild-if-modules-changed\n"
++	       "                   force policy rebuild if module content changed since\n"
++	       "                   last rebuild (based on checksum)\n");
+ }
+ 
+ /* Sets the global mode variable to new_mode, but only if no other
+@@ -180,6 +184,7 @@ static void set_mode(enum client_modes new_mode, char *arg)
+ static void parse_command_line(int argc, char **argv)
+ {
+ 	static struct option opts[] = {
++		{"rebuild-if-modules-changed", 0, NULL, '\0'},
+ 		{"store", required_argument, NULL, 's'},
+ 		{"base", required_argument, NULL, 'b'},
+ 		{"help", 0, NULL, 'h'},
+@@ -207,15 +212,26 @@ static void parse_command_line(int argc, char **argv)
+ 	};
+ 	int extract_selected = 0;
+ 	int cil_hll_set = 0;
+-	int i;
++	int i, longind;
+ 	verbose = 0;
+ 	reload = 0;
+ 	no_reload = 0;
++	check_ext_changes = 0;
+ 	priority = 400;
+ 	while ((i =
+-		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm", opts,
+-			    NULL)) != -1) {
++		getopt_long(argc, argv, "s:b:hi:l::vr:u:RnNBDCPX:e:d:p:S:E:cHm",
++			    opts, &longind)) != -1) {
+ 		switch (i) {
++		case '\0':
++			switch(longind) {
++			case 0: /* --rebuild-if-modules-changed */
++				check_ext_changes = 1;
++				break;
++			default:
++				usage(argv[0]);
++				exit(1);
++			}
++			break;
+ 		case 'b':
+ 			fprintf(stderr, "The --base option is deprecated. Use --install instead.\n");
+ 			set_mode(INSTALL_M, optarg);
+@@ -300,13 +316,13 @@ static void parse_command_line(int argc, char **argv)
+ 			}
+ 		}
+ 	}
+-	if ((build || reload) && num_commands) {
++	if ((build || reload || check_ext_changes) && num_commands) {
+ 		fprintf(stderr,
+ 			"build or reload should not be used with other commands\n");
+ 		usage(argv[0]);
+ 		exit(1);
+ 	}
+-	if (num_commands == 0 && reload == 0 && build == 0) {
++	if (num_commands == 0 && reload == 0 && build == 0 && check_ext_changes == 0) {
+ 		fprintf(stderr, "At least one mode must be specified.\n");
+ 		usage(argv[0]);
+ 		exit(1);
+@@ -395,7 +411,7 @@ int main(int argc, char *argv[])
+ 
+ 	cil_set_log_level(CIL_ERR + verbose);
+ 
+-	if (build)
++	if (build || check_ext_changes)
+ 		commit = 1;
+ 
+ 	sh = semanage_handle_create();
+@@ -434,7 +450,7 @@ int main(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	if (build) {
++	if (build || check_ext_changes) {
+ 		if ((result = semanage_begin_transaction(sh)) < 0) {
+ 			fprintf(stderr, "%s:  Could not begin transaction:  %s\n",
+ 				argv[0], errno ? strerror(errno) : "");
+@@ -807,6 +823,8 @@ cleanup_disable:
+ 			semanage_set_reload(sh, 0);
+ 		if (build)
+ 			semanage_set_rebuild(sh, 1);
++		if (check_ext_changes)
++			semanage_set_check_ext_changes(sh, 1);
+ 		if (disable_dontaudit)
+ 			semanage_set_disable_dontaudit(sh, 1);
+ 		else if (build)
+-- 
+2.34.1
+

0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch

@@ -0,0 +1,180 @@
+From 09f700e9f953769d1697c46179faba32e4b80c0f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 4 Feb 2022 13:41:12 +0100
+Subject: [PATCH] policycoreutils/fixfiles: Use parallel relabeling
+
+Commit 93902fc8340f ("setfiles/restorecon: support parallel relabeling")
+implemented support for parallel relabeling in setfiles. This is
+available for fixfiles now.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles   | 35 +++++++++++++++++-------------
+ policycoreutils/scripts/fixfiles.8 | 17 ++++++++++-----
+ 2 files changed, 31 insertions(+), 21 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index cb20002ab613..a4a419ab62de 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -110,6 +110,7 @@ BOOTTIME=""
+ VERBOSE="-p"
+ [ -t 1 ] || VERBOSE=""
+ FORCEFLAG=""
++THREADS=""
+ RPMFILES=""
+ PREFC=""
+ RESTORE_MODE=""
+@@ -153,7 +154,7 @@ newer() {
+     shift
+     LogReadOnly
+     for m in `echo $FILESYSTEMSRW`; do
+-	find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} $* -i -0 -f -
++	find $m -mount -newermt $DATE -print0 2>/dev/null | ${RESTORECON} ${FORCEFLAG} ${VERBOSE} ${THREADS} $* -i -0 -f -
+     done;
+ }
+ 
+@@ -197,7 +198,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
+ 		  esac; \
+ 	       fi; \
+ 	    done | \
+-	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -; \
++	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -; \
+ 	rm -f ${TEMPFILE} ${PREFCTEMPFILE}
+ fi
+ }
+@@ -235,11 +236,11 @@ LogExcluded
+ case "$RESTORE_MODE" in
+     RPMFILES)
+ 	for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
+-	    rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -i -R -f -
++	    rpmlist $i | ${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -i -R -f -
+ 	done
+     ;;
+     FILEPATH)
+-	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
++	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -R -- "$FILEPATH"
+     ;;
+     *)
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+@@ -247,7 +248,7 @@ case "$RESTORE_MODE" in
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+ 
+ 	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+-	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
++	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${THREADS} ${FC} ${FILESYSTEMSRW}
+ 	    else
+ 	        # we bind mount so we can fix the labels of files that have already been
+ 	        # mounted over
+@@ -257,7 +258,7 @@ case "$RESTORE_MODE" in
+ 
+ 	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
+ 	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+-	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
++	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} ${THREADS} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+ 	            umount "${TMP_MOUNT}${m}" || exit 1
+ 	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+ 	        done;
+@@ -330,8 +331,9 @@ case "$1" in
+ 	fi
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+-	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+-	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
++	[ -z "$BOOTTIME" ] || echo -n "-N $BOOTTIME " >> /.autorelabel
++	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo -n "-M " >> /.autorelabel
++	[ -z "$THREADS" ] || echo -n "$THREADS " >> /.autorelabel
+ 	# Force full relabel if SELinux is not enabled
+ 	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+@@ -343,17 +345,17 @@ esac
+ }
+ usage() {
+ 	echo $"""
+-Usage: $0 [-v] [-F] [-M] [-f] relabel
++Usage: $0 [-v] [-F] [-M] [-f] [-T nthreads] relabel
+ or
+-Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
++Usage: $0 [-v] [-F] [-B | -N time ]  [-T nthreads] { check | restore | verify }
+ or
+-Usage: $0 [-v] [-F] { check | restore | verify } dir/file ...
++Usage: $0 [-v] [-F] [-T nthreads] { check | restore | verify } dir/file ...
+ or
+-Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
++Usage: $0 [-v] [-F] [-T nthreads] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+ or
+-Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
++Usage: $0 [-v] [-F] [-T nthreads] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 [-F] [-M] [-B] onboot
++Usage: $0 [-F] [-M] [-B] [-T nthreads] onboot
+ """
+ }
+ 
+@@ -372,7 +374,7 @@ set_restore_mode() {
+ }
+ 
+ # See how we were called.
+-while getopts "N:BC:FfR:l:vM" i; do
++while getopts "N:BC:FfR:l:vMT:" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -407,6 +409,9 @@ while getopts "N:BC:FfR:l:vM" i; do
+ 	f)
+ 		fullFlag=1
+ 		;;
++	T)
++		THREADS="-T $OPTARG"
++		;;
+ 	*)
+ 	    usage
+ 	    exit 1
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index c4e894e56e8f..9a317d9181e2 100644
+--- a/policycoreutils/scripts/fixfiles.8
++++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,22 +6,22 @@ fixfiles \- fix file SELinux security contexts.
+ .na
+ 
+ .B fixfiles
+-.I [\-v] [\-F] [-M] [\-f] relabel
++.I [\-v] [\-F] [-M] [\-f] [\-T nthreads] relabel
+ 
+ .B fixfiles
+-.I [\-v] [\-F] { check | restore | verify } dir/file ...
++.I [\-v] [\-F] [\-T nthreads] { check | restore | verify } dir/file ...
+ 
+ .B fixfiles
+-.I [\-v] [\-F] [\-B | \-N time ] { check | restore | verify }
++.I [\-v] [\-F] [\-B | \-N time ] [\-T nthreads] { check | restore | verify }
+ 
+ .B fixfiles 
+-.I [\-v] [\-F] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
++.I [\-v] [\-F] [\-T nthreads] \-R rpmpackagename[,rpmpackagename...] { check | restore | verify }
+ 
+ .B fixfiles
+-.I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
++.I [\-v] [\-F] [\-T nthreads] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
+ 
+ .B fixfiles
+-.I [-F] [-M] [-B] onboot
++.I [-F] [-M] [-B] [\-T nthreads] onboot
+ 
+ .ad
+ 
+@@ -76,6 +76,11 @@ Bind mount filesystems before relabeling them, this allows fixing the context of
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+ 
++.TP
++.B \-T nthreads
++Use parallel relabeling, see
++.B setfiles(8)
++
+ .SH "ARGUMENTS"
+ One of:
+ .TP 
+-- 
+2.34.1
+

0025-python-sepolicy-allow-to-override-manpage-date.patch

@@ -1,51 +0,0 @@
-From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Fri, 30 Oct 2020 22:53:09 +0100
-Subject: [PATCH] python/sepolicy: allow to override manpage date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good
-and https://reproducible-builds.org/specs/source-date-epoch/
-for the definition of this variable.
-
-This patch was done while working on reproducible builds for openSUSE.
-
-Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
----
- python/sepolicy/sepolicy/manpage.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 6a3e08fca58c..c013c0d48502 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -39,6 +39,8 @@ typealias_types = {
- equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
- 
- equiv_dirs = ["/var"]
-+man_date = time.strftime("%y-%m-%d", time.gmtime(
-+        int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
- modules_dict = None
- 
- 
-@@ -546,7 +548,7 @@ class ManPage:
- 
-     def _typealias(self,typealias):
-         self.fd.write('.TH  "%(typealias)s_selinux"  "8"  "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
--                 % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
-+                 % {'typealias':typealias, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
-@@ -565,7 +567,7 @@ man page for more details.
- 
-     def _header(self):
-         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
--                      % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
-+                      % {'domainname': self.domainname, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
--- 
-2.29.2
-

policycoreutils.spec

@@ -1,7 +1,7 @@
 %global libauditver     3.0
-%global libsepolver     3.1-5
-%global libsemanagever  3.1-5
-%global libselinuxver   3.1-5
+%global libsepolver     3.3-1
+%global libsemanagever  3.3-3
+%global libselinuxver   3.3-2
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -10,17 +10,11 @@
 
 Summary: SELinux policy core utilities
 Name:    policycoreutils
-Version: 3.1
-Release: 8%{?dist}
+Version: 3.3
+Release: 4%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
-Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz
-Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz
-Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz
-Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz
-Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/selinux-3.3.tar.gz
 URL:     https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
 Source14: sepolicy-icons.tgz
@@ -34,34 +28,34 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.3 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
-Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
-Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
-Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
-Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
-Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
-Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
-Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
-Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
-Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
-Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
-Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
+Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0002: 0002-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0003: 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0004: 0004-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+Patch0005: 0005-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+Patch0006: 0006-Fix-title-in-manpage.py-to-not-contain-online.patch
+Patch0007: 0007-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0008: 0008-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0009: 0009-sepolicy-Another-small-optimization-for-mcs-types.patch
+Patch0010: 0010-Move-po-translation-files-into-the-right-sub-directo.patch
+Patch0011: 0011-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+Patch0012: 0012-Initial-.pot-files-for-gui-python-sandbox.patch
+Patch0013: 0013-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+Patch0018: 0018-Use-SHA-2-instead-of-SHA-1.patch
+Patch0019: 0019-setfiles-restorecon-support-parallel-relabeling.patch
+Patch0020: 0020-semodule-add-m-checksum-option.patch
+Patch0021: 0021-semodule-Fix-lang_ext-column-index.patch
+Patch0022: 0022-semodule-Don-t-forget-to-munmap-data.patch
+Patch0023: 0023-semodule-libsemanage-move-module-hashing-into-libsem.patch
+Patch0024: 0024-semodule-add-command-line-option-to-detect-module-ch.patch
+Patch0025: 0025-policycoreutils-fixfiles-Use-parallel-relabeling.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2
@@ -97,32 +91,15 @@ load_policy to load policies, setfiles to label filesystems, newrole
 to switch roles.
 
 %prep -p /usr/bin/bash
-# create selinux/ directory and extract sources
-%autosetup -S git -N -c -n selinux
-%autosetup -S git -N -T -D -a 1 -n selinux
-%autosetup -S git -N -T -D -a 2 -n selinux
-%autosetup -S git -N -T -D -a 3 -n selinux
-%autosetup -S git -N -T -D -a 4 -n selinux
-%autosetup -S git -N -T -D -a 5 -n selinux
-%autosetup -S git -N -T -D -a 6 -n selinux
-
-for i in *; do
-    git mv $i ${i/-%{version}/}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i/-%{version}/}"
-done
-
-for i in selinux-*; do
-    git mv $i ${i#selinux-}
-    git commit -q --allow-empty -a --author 'rpm-build <rpm-build>' -m "$i -> ${i#selinux-}"
-done
-
-git am %{_sourcedir}/[0-9]*.patch
+%autosetup -n selinux-%{version} -p 1
 
 cp %{SOURCE13} gui/
 tar -xvf %{SOURCE14} -C python/sepolicy/
 
 # Since patches containing translation changes were too big, translations were moved to separate tarballs
 # For more information see README.translations
+# First remove old translation files
+rm -f policycoreutils/po/*.po python/po/*.po gui/po/*.po sandbox/po/*.po
 tar -x -f %{SOURCE20} -C policycoreutils -z
 tar -x -f %{SOURCE21} -C python -z
 tar -x -f %{SOURCE22} -C gui -z
@@ -132,7 +109,7 @@ tar -x -f %{SOURCE23} -C sandbox -z
 %set_build_flags
 export PYTHON=%{__python3}
 
-make -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
+make -C policycoreutils SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C python SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C gui SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
 make -C sandbox SBINDIR="%{_sbindir}" LSPP_PRIV=y LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" all
@@ -244,8 +221,8 @@ an SELinux environment.
 %package dbus
 Summary:    SELinux policy core DBUS api
 Requires:   python3-policycoreutils = %{version}-%{release}
-Requires:   python3-slip-dbus
 Requires:   python3-gobject-base
+Requires:   polkit
 BuildArch:  noarch
 
 %description dbus
@@ -304,7 +281,7 @@ by python 3 in an SELinux environment.
 Summary: SELinux policy core policy devel utilities
 Requires: policycoreutils-python-utils = %{version}-%{release}
 Requires: /usr/bin/make dnf
-Requires: selinux-policy-devel
+Requires: (selinux-policy-devel if selinux-policy)
 
 %description devel
 The policycoreutils-devel package contains the management tools use to develop policy in an SELinux environment.
@@ -415,12 +392,14 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_sbindir}/genhomedircon
 %{_sbindir}/setsebool
 %{_sbindir}/semodule
+# symlink to %%{_bindir}/sestatus
 %{_sbindir}/sestatus
 %{_bindir}/secon
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
 %{_bindir}/semodule_unpackage
+%{_bindir}/sestatus
 %{_libexecdir}/selinux/hll
 %{_libexecdir}/selinux/selinux-autorelabel
 %{_unitdir}/selinux-autorelabel-mark.service
@@ -483,42 +462,6 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_datadir}/dbus-1/services/org.selinux.Restorecond.service
 %{_mandir}/man8/restorecond.8*
 %{_mandir}/ru/man8/restorecond.8*
-/usr/share/man/ru/man1/audit2why.1.gz
-/usr/share/man/ru/man1/newrole.1.gz
-/usr/share/man/ru/man5/sandbox.5.gz
-/usr/share/man/ru/man5/selinux_config.5.gz
-/usr/share/man/ru/man5/sestatus.conf.5.gz
-/usr/share/man/ru/man8/genhomedircon.8.gz
-/usr/share/man/ru/man8/restorecon_xattr.8.gz
-/usr/share/man/ru/man8/sandbox.8.gz
-/usr/share/man/ru/man8/selinux-polgengui.8.gz
-/usr/share/man/ru/man8/semanage-boolean.8.gz
-/usr/share/man/ru/man8/semanage-dontaudit.8.gz
-/usr/share/man/ru/man8/semanage-export.8.gz
-/usr/share/man/ru/man8/semanage-fcontext.8.gz
-/usr/share/man/ru/man8/semanage-ibendport.8.gz
-/usr/share/man/ru/man8/semanage-ibpkey.8.gz
-/usr/share/man/ru/man8/semanage-import.8.gz
-/usr/share/man/ru/man8/semanage-interface.8.gz
-/usr/share/man/ru/man8/semanage-login.8.gz
-/usr/share/man/ru/man8/semanage-module.8.gz
-/usr/share/man/ru/man8/semanage-node.8.gz
-/usr/share/man/ru/man8/semanage-permissive.8.gz
-/usr/share/man/ru/man8/semanage-port.8.gz
-/usr/share/man/ru/man8/semanage-user.8.gz
-/usr/share/man/ru/man8/semodule_unpackage.8.gz
-/usr/share/man/ru/man8/sepolgen.8.gz
-/usr/share/man/ru/man8/sepolicy-booleans.8.gz
-/usr/share/man/ru/man8/sepolicy-communicate.8.gz
-/usr/share/man/ru/man8/sepolicy-generate.8.gz
-/usr/share/man/ru/man8/sepolicy-gui.8.gz
-/usr/share/man/ru/man8/sepolicy-interface.8.gz
-/usr/share/man/ru/man8/sepolicy-manpage.8.gz
-/usr/share/man/ru/man8/sepolicy-network.8.gz
-/usr/share/man/ru/man8/sepolicy-transition.8.gz
-/usr/share/man/ru/man8/sepolicy.8.gz
-/usr/share/man/ru/man8/seunshare.8.gz
-/usr/share/man/ru/man8/system-config-selinux.8.gz
 
 %{!?_licensedir:%global license %%doc}
 %license policycoreutils/COPYING
@@ -539,6 +482,59 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Sat Feb 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3-4
+- semodule: add command-line option to detect module changes
+- fixfiles: Use parallel relabeling
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
+- setfiles/restorecon: support parallel relabeling with -T <N> option
+- semodule: add -m | --checksum option
+
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Mon Oct 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Tue Aug  3 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-6
+- Drop forgotten ru/ man pages from -restorecond
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
+- Rebase on upstream commit 32611aea6543
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Thu Jun 03 2021 Python Maint <python-maint@redhat.com> - 3.2-3
+- Rebuilt for Python 3.10
+
+* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
+- Do not use Python slip
+- fixfiles: do not exclude /dev and /run in -C mode
+- dbus: use GLib.MainLoop
+
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 3.2-0.rc2.1.1
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
 * Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
 - Fix BuildRequires to libsemanage-devel
 

sources

@@ -1,11 +1,6 @@
-SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
-SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
-SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
-SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
-SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
-SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
-SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
+SHA512 (selinux-3.3-rc3.tar.gz) = 239a10ce5ab31233dbd4fccf3668c2643df66e6b19065a0e57396a2b277cf4769985292613df67011b82afa25ff8dbd02123bd09d59cd8984b8b5d4d572284bc
 SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
 SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
 SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
+SHA512 (selinux-3.3.tar.gz) = 3d1ad92e63484a7533257ae65e4d35d7acb2c9f17b3900240dbfa61c7a7aa4cdf7d7c0c4077e66b30cada26026f9d2ca1ca7d194bfa990d04b0259aef53af100