* Mon Jun 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-29

- Allow creation of /var/cache/DOMAIN from sepolgen

.cvsignore

@@ -214,3 +214,9 @@ policycoreutils-2.0.77.tgz
 policycoreutils-2.0.78.tgz
 sepolgen-1.0.19.tgz
 policycoreutils-2.0.79.tgz
+policycoreutils-2.0.80.tgz
+policycoreutils-2.0.81.tgz
+sepolgen-1.0.20.tgz
+sepolgen-1.0.22.tgz
+policycoreutils-2.0.82.tgz
+sepolgen-1.0.23.tgz

branch

@@ -0,0 +1 @@
+F-13

policycoreutils-sepolgen.patch

@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
---- nsasepolgen/src/sepolgen/access.py	2009-05-18 13:53:14.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py	2009-12-08 17:05:49.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py
+--- nsasepolgen/src/sepolgen/access.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/access.py	2010-04-28 17:12:20.000000000 -0400
 @@ -32,6 +32,7 @@
  """
  
@@ -18,15 +18,6 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
  
          # The direction of the information flow represented by this
          # access vector - used for matching
-@@ -127,7 +130,7 @@
-         return self.to_string()
- 
-     def to_string(self):
--        return "allow %s %s : %s %s;" % (self.src_type, self.tgt_type,
-+        return "allow %s %s:%s %s;" % (self.src_type, self.tgt_type,
-                                         self.obj_class, self.perms.to_space_str())
- 
-     def __cmp__(self, other):
 @@ -253,20 +256,22 @@
          for av in l:
              self.add_av(AccessVector(av))
@@ -54,38 +45,10 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
  
          access.perms.update(perms)
          if audit_msg:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
---- nsasepolgen/src/sepolgen/audit.py	2009-12-01 15:46:50.000000000 -0500
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py	2010-01-06 09:52:35.000000000 -0500
-@@ -23,6 +23,27 @@
- 
- # Convenience functions
- 
-+def get_audit_boot_msgs():
-+    """Obtain all of the avc and policy load messages from the audit
-+    log. This function uses ausearch and requires that the current
-+    process have sufficient rights to run ausearch.
-+
-+    Returns:
-+       string contain all of the audit messages returned by ausearch.
-+    """
-+    import subprocess
-+    import time
-+    fd=open("/proc/uptime", "r")
-+    off=float(fd.read().split()[0])
-+    fd.close
-+    s = time.localtime(time.time() - off)
-+    date = time.strftime("%D/%Y", s).split("/")
-+    bootdate="%s/%s/%s" % (date[0], date[1], date[3])
-+    boottime = time.strftime("%X", s)
-+    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],
-+                              stdout=subprocess.PIPE).communicate()[0]
-+    return output
-+
- def get_audit_msgs():
-     """Obtain all of the avc and policy load messages from the audit
-     log. This function uses ausearch and requires that the current
-@@ -47,6 +68,17 @@
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py
+--- nsasepolgen/src/sepolgen/audit.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/audit.py	2010-04-28 17:12:20.000000000 -0400
+@@ -68,6 +68,17 @@
                                stdout=subprocess.PIPE).communicate()[0]
      return output
  
@@ -103,7 +66,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  # Classes representing audit messages
  
  class AuditMessage:
-@@ -106,6 +138,9 @@
+@@ -127,6 +138,9 @@
              if fields[0] == "path":
                  self.path = fields[1][1:-1]
                  return
@@ -113,7 +76,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  
  class AVCMessage(AuditMessage):
      """AVC message representing an access denial or granted message.
-@@ -146,6 +181,8 @@
+@@ -167,6 +181,8 @@
          self.path = ""
          self.accesses = []
          self.denial = True
@@ -122,7 +85,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
  
      def __parse_access(self, recs, start):
          # This is kind of sucky - the access that is in a space separated
-@@ -205,7 +242,31 @@
+@@ -226,7 +242,31 @@
  
          if not found_src or not found_tgt or not found_class or not found_access:
              raise ValueError("AVC message in invalid format [%s]\n" % self.message)
@@ -138,7 +101,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 +        else:
 +            self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
 +            if self.type == audit2why.NOPOLICY:
-+                raise ValueError("Must call policy_init first")
++                self.type = audit2why.TERULE
 +            if self.type == audit2why.BADTCON:
 +                raise ValueError("Invalid Target Context %s\n" % tcontext)
 +            if self.type == audit2why.BADSCON:
@@ -149,39 +112,13 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
 +                raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
 +            if self.type == audit2why.BADCOMPUTE:
 +                raise ValueError("Error during access vector computation")
-+
++            
 +            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
 +
  class PolicyLoadMessage(AuditMessage):
      """Audit message indicating that the policy was reloaded."""
      def __init__(self, message):
-@@ -285,6 +346,9 @@
- 
-     def __initialize(self):
-         self.avc_msgs = []
-+        self.constraint_msgs = []
-+        self.dontaudit_msgs = []
-+        self.rbac_msgs = []
-         self.compute_sid_msgs = []
-         self.invalid_msgs = []
-         self.policy_load_msgs = []
-@@ -314,7 +378,7 @@
-             elif i == "security_compute_sid:":
-                 msg = ComputeSidMessage(line)
-                 found = True
--            elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
-+            elif i == "type=MAC_POLICY_LOAD":
-                 msg = PolicyLoadMessage(line)
-                 found = True
-             elif i == "type=AVC_PATH":
-@@ -442,16 +506,17 @@
-            audit logs parsed by this object.
-         """
-         av_set = access.AccessVectorSet()
-+
-         for avc in self.avc_msgs:
-             if avc.denial != True and only_denials:
-                 continue
+@@ -469,10 +509,10 @@
              if avc_filter:
                  if avc_filter.filter(avc):
                      av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
@@ -194,15 +131,171 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
          return av_set
  
  class AVCTypeFilter:
-@@ -477,5 +542,3 @@
-         if self.regex.match(avc.tcontext.type):
-             return True
-         return False
--
--
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
---- nsasepolgen/src/sepolgen/policygen.py	2008-09-12 11:48:15.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py	2010-01-08 09:33:54.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py
+--- nsasepolgen/src/sepolgen/defaults.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/defaults.py	2010-04-28 17:12:20.000000000 -0400
+@@ -30,6 +30,9 @@
+ def interface_info():
+     return data_dir() + "/interface_info"
+ 
++def attribute_info():
++    return data_dir() + "/attribute_info"
++
+ def refpolicy_devel():
+     return "/usr/share/selinux/devel"
+ 
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py
+--- nsasepolgen/src/sepolgen/interfaces.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/interfaces.py	2010-05-03 09:33:11.000000000 -0400
+@@ -29,6 +29,8 @@
+ 
+ from sepolgeni18n import _
+ 
++import copy
++
+ class Param:
+     """
+     Object representing a paramater for an interface.
+@@ -197,10 +199,48 @@
+                 ret = 1
+ 
+     return ret
+-            
++
++class AttributeVector:
++    def __init__(self):
++        self.name = ""
++        self.access = access.AccessVectorSet()
++
++    def add_av(self, av):
++        self.access.add_av(av)
++
++class AttributeSet:
++    def __init__(self):
++        self.attributes = { }
++
++    def add_attr(self, attr):
++        self.attributes[attr.name] = attr
++
++    def from_file(self, fd):
++        def parse_attr(line):
++            fields = line[1:-1].split()
++            if len(fields) != 2 or fields[0] != "Attribute":
++                raise SyntaxError("Syntax error Attribute statement %s" % line)
++            a = AttributeVector()
++            a.name = fields[1]
++
++            return a
++
++        a = None
++        for line in fd:
++            line = line[:-1]
++            if line[0] == "[":
++                if a:
++                    self.add_attr(a)
++                a = parse_attr(line)
++            elif a:
++                l = line.split(",")
++                av = access.AccessVector(l)
++                a.add_av(av)
++        if a:
++            self.add_attr(a)
+ 
+ class InterfaceVector:
+-    def __init__(self, interface=None):
++    def __init__(self, interface=None, attributes={}):
+         # Enabled is a loose concept currently - we are essentially
+         # not enabling interfaces that we can't handle currently.
+         # See InterfaceVector.add_ifv for more information.
+@@ -214,10 +254,10 @@
+         # value: Param object).
+         self.params = { }
+         if interface:
+-            self.from_interface(interface)
++            self.from_interface(interface, attributes)
+         self.expanded = False
+ 
+-    def from_interface(self, interface):
++    def from_interface(self, interface, attributes={}):
+         self.name = interface.name
+ 
+         # Add allow rules
+@@ -232,6 +272,23 @@
+             for av in avs:
+                 self.add_av(av)
+ 
++        # Add typeattribute access
++        if attributes != None:
++            for typeattribute in interface.typeattributes():
++                for attr in typeattribute.attributes:
++                    if not attributes.attributes.has_key(attr):
++                        # print "missing attribute " + attr
++                        continue
++                    attr_vec = attributes.attributes[attr]
++                    for a in attr_vec.access:
++                        av = copy.copy(a)
++                        if av.src_type == attr_vec.name:
++                            av.src_type = typeattribute.type
++                        if av.tgt_type == attr_vec.name:
++                            av.tgt_type = typeattribute.type
++                        self.add_av(av)
++
++
+         # Extract paramaters from roles
+         for role in interface.roles():
+             if role_extract_params(role, self.params):
+@@ -346,13 +403,13 @@
+                 l = self.tgt_type_map.setdefault(type, [])
+                 l.append(ifv)
+ 
+-    def add(self, interface):
+-        ifv = InterfaceVector(interface)
++    def add(self, interface, attributes={}):
++        ifv = InterfaceVector(interface, attributes)
+         self.add_ifv(ifv)
+ 
+-    def add_headers(self, headers, output=None):
++    def add_headers(self, headers, output=None, attributes={}):
+         for i in itertools.chain(headers.interfaces(), headers.templates()):
+-            self.add(i)
++            self.add(i, attributes)
+ 
+         self.expand_ifcalls(headers)
+         self.index()
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py
+--- nsasepolgen/src/sepolgen/matching.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/matching.py	2010-04-28 17:12:20.000000000 -0400
+@@ -50,7 +50,7 @@
+                 return 1
+ 
+ class MatchList:
+-    DEFAULT_THRESHOLD = 120
++    DEFAULT_THRESHOLD = 150
+     def __init__(self):
+         # Match objects that pass the threshold
+         self.children = []
+@@ -63,14 +63,15 @@
+     def best(self):
+         if len(self.children):
+             return self.children[0]
+-        else:
+-            return None
++        if len(self.bastards):
++            return self.bastards[0]
++        return None
+ 
+     def __len__(self):
+         # Only return the length of the matches so
+         # that this can be used to test if there is
+         # a match.
+-        return len(self.children)
++        return len(self.children) + len(self.bastards)
+ 
+     def __iter__(self):
+         return iter(self.children)
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py
+--- nsasepolgen/src/sepolgen/policygen.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/policygen.py	2010-06-02 11:45:17.000000000 -0400
 @@ -29,6 +29,8 @@
  import access
  import interfaces
@@ -212,121 +305,198 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
  
  # Constants for the level of explanation from the generation
  # routines
-@@ -74,7 +76,7 @@
-             self.moduel = module
-         else:
-             self.module = refpolicy.Module()
--
+@@ -77,6 +79,7 @@
+ 
+         self.dontaudit = False
+ 
 +        self.domains = None
      def set_gen_refpol(self, if_set=None, perm_maps=None):
          """Set whether reference policy interfaces are generated.
  
-@@ -141,15 +143,42 @@
-         """Return the generated module"""
-         return self.module
- 
--    def __add_allow_rules(self, avs):
-+    def __add_allow_rules(self, avs, dontaudit):
-         for av in avs:
--            rule = refpolicy.AVRule(av)
-+            rule = refpolicy.AVRule(av, dontaudit=dontaudit)
+@@ -151,8 +154,41 @@
+             rule = refpolicy.AVRule(av)
+             if self.dontaudit:
+                 rule.rule_type = rule.DONTAUDIT
 +            rule.comment = ""
              if self.explain:
-                 rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+-                rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
++                rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
 +            if av.type == audit2why.ALLOW:
 +                rule.comment += "#!!!! This avc is allowed in the current policy\n" 
 +            if av.type == audit2why.DONTAUDIT:
 +                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
++
 +            if av.type == audit2why.BOOLEAN:
 +                if len(av.bools) > 1:
-+                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: av.bools[0][0], av.bools))
++                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.bools))
 +                else:
 +                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
 +
 +            if av.type == audit2why.CONSTRAINT:
 +                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
++                rule.comment += "#Contraint rule: "
++
 +            if av.type == audit2why.TERULE:
 +                if "write" in av.perms:
 +                    if "dir" in av.obj_class or "open" in av.perms:
 +                        if not self.domains:
 +                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
 +                        types=[]
-+                        for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
-+                            if i not in self.domains:
-+                                types.append(i)
-+                        if len(types) == 1:
-+                            rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        elif len(types) >= 1:
-+                            rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                            
++                        
++                        try:
++                            for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
++                                if i not in self.domains:
++                                    types.append(i)
++                                if len(types) == 1:
++                                    rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                                elif len(types) >= 1:
++                                    rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                        except:
++                            pass
              self.module.children.append(rule)
  
  
--    def add_access(self, av_set):
-+    def add_access(self, av_set, dontaudit=False):
-         """Add the access from the access vector set to this
-         module.
-         """
-@@ -165,7 +194,7 @@
-             raw_allow = av_set
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py
+--- nsasepolgen/src/sepolgen/refparser.py	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/sepolgen/refparser.py	2010-05-21 10:26:43.000000000 -0400
+@@ -1044,7 +1044,7 @@
+         # of misc_macros. We are just going to pretend that this is an interface
+         # to make the expansion work correctly.
+         can_exec = refpolicy.Interface("can_exec")
+-        av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
++        av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
+                                   "getattr","lock","execute","ioctl"])
  
-         # Generate the raw allow rules from the filtered list
--        self.__add_allow_rules(raw_allow)
-+        self.__add_allow_rules(raw_allow, dontaudit)
+         can_exec.children.append(refpolicy.AVRule(av))
+diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map
+--- nsasepolgen/src/share/perm_map	2010-05-19 14:45:51.000000000 -0400
++++ policycoreutils-2.0.82/sepolgen-1.0.23/src/share/perm_map	2010-04-28 17:12:20.000000000 -0400
+@@ -124,7 +124,7 @@
+           quotamod     w           1
+           quotaget     r           1
  
-     def add_role_types(self, role_type_set):
-         for role_type in role_type_set:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
---- nsasepolgen/src/sepolgen/refparser.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py	2009-12-08 17:05:49.000000000 -0500
-@@ -973,7 +973,7 @@
- def list_headers(root):
-     modules = []
-     support_macros = None
--    blacklist = ["init.if", "inetd.if", "uml.if", "thunderbird.if"]
-+    blacklist = ["uml.if", "thunderbird.if", "unconfined.if"]
+-class file 20
++class file 21
+   execute_no_trans     r           1
+         entrypoint     r           1
+            execmod     n           1
+@@ -141,48 +141,50 @@
+             unlink     w           1
+               link     w           1
+             rename     w           5
+-           execute     r           100
++           execute     r           10
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
-     for dirpath, dirnames, filenames in os.walk(root):
-         for name in filenames:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
---- nsasepolgen/src/sepolgen/refpolicy.py	2009-10-29 15:21:39.000000000 -0400
-+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py	2010-01-08 09:33:37.000000000 -0500
-@@ -398,6 +398,7 @@
-         return "attribute %s;" % self.name
+-class dir 22
+-          add_name     w           5
++class dir 23
++          add_name     w           1
+        remove_name     w           1
+           reparent     w           1
+             search     r           1
+              rmdir     b           1
+              ioctl     n           1
+-              read     r          10
+-             write     w          10
++              read     r           1
++             write     w           1
+             create     w           1
+-           getattr     r           7
+-           setattr     w           7
++           getattr     r           1
++           setattr     w           1
+               lock     n           1
+-       relabelfrom     r           10
+-         relabelto     w           10
++       relabelfrom     r           1
++         relabelto     w           1
+             append     w           1
+             unlink     w           1
+               link     w           1
+-            rename     w           5
++            rename     w           1
+            execute     r           1
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
- # Classes representing rules
-+import selinux.audit2why as audit2why
+ class fd 1
+                use     b           1
  
- class AVRule(Leaf):
-     """SELinux access vector (AV) rule.
-@@ -420,21 +421,26 @@
-     AUDITALLOW = 2
-     NEVERALLOW = 3
+-class lnk_file 17
++class lnk_file 18
+              ioctl     n           1
+-              read     r          10
+-             write     w          10
++              read     r           1
++             write     w           1
+             create     w           1
+-           getattr     r           7
+-           setattr     w           7
++           getattr     r           1
++           setattr     w           1
+               lock     n           1
+-       relabelfrom     r           10
+-         relabelto     w           10
++       relabelfrom     r           1
++         relabelto     w           1
+             append     w           1
+             unlink     w           1
+               link     w           1
+@@ -191,8 +193,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
--    def __init__(self, av=None, parent=None):
-+    def __init__(self, av=None, parent=None, dontaudit=False):
-         Leaf.__init__(self, parent)
-         self.src_types = IdSet()
-         self.tgt_types = IdSet()
-         self.obj_classes = IdSet()
-         self.perms = IdSet()
--        self.rule_type = self.ALLOW
-+        if dontaudit:
-+            self.rule_type = audit2why.DONTAUDIT
-+        else:
-+            self.rule_type = audit2why.TERULE
-         if av:
-             self.from_av(av)
+-class chr_file 20
++class chr_file 21
+   execute_no_trans     r           1
+         entrypoint     r           1
+            execmod     n           1
+@@ -213,8 +216,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
-     def __rule_type_str(self):
--        if self.rule_type == self.ALLOW:
-+        if self.rule_type == audit2why.TERULE:
-             return "allow"
--        elif self.rule_type == self.DONTAUDIT:
-+        elif self.rule_type == audit2why.DONTAUDIT:
-             return "dontaudit"
-+        elif self.rule_type == audit2why.CONSTRAINT:
-+            return "#constraint allow"
-         else:
-             return "auditallow"
+-class blk_file 17
++class blk_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -232,8 +236,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
  
+-class sock_file 17
++class sock_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -251,8 +256,9 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
+ 
+-class fifo_file 17
++class fifo_file 18
+              ioctl     n           1
+               read     r          10
+              write     w          10
+@@ -270,6 +276,7 @@
+             swapon     b           1
+            quotaon     b           1
+            mounton     b           1
++	      open     r	   1
+ 
+ class socket 22
+              ioctl     n           1

policycoreutils.spec

@@ -1,13 +1,13 @@
 %define	libauditver	1.4.2-1
-%define	libsepolver	2.0.41-1
-%define	libsemanagever	2.0.43-3
-%define	libselinuxver	2.0.90-1
-%define	sepolgenver	1.0.19
+%define	libsepolver	2.0.41-3
+%define	libsemanagever	2.0.43-4
+%define	libselinuxver	2.0.90-3
+%define	sepolgenver	1.0.23
 
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
-Version: 2.0.79
-Release: 1%{?dist}
+Version: 2.0.82
+Release: 29%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -20,7 +20,6 @@ Source5: system-config-selinux.console
 Source6: selinux-polgengui.desktop
 Source7: selinux-polgengui.console
 Source8: policycoreutils_man_ru2.tar.bz2
-Source9: sandbox.init
 Patch:	 policycoreutils-rhat.patch
 Patch1:	 policycoreutils-po.patch
 Patch3:	 policycoreutils-gui.patch
@@ -80,12 +79,15 @@ mkdir -p %{buildroot}%{_mandir}/man8
 mkdir -p %{buildroot}%{_sysconfdir}/pam.d
 mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
 %{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
-install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
+%{__mkdir} -p %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
+%{__mkdir} -p %{buildroot}%{_datadir}/pixmaps
 
 make LSPP_PRIV=y  DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
 make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
 
-install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux/
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/pixmaps
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/icons/hicolor/24x24/apps
+install -m 644 %{SOURCE2} %{buildroot}%{_datadir}/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/system-config-selinux
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
@@ -127,11 +129,11 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_bindir}/chcat
 %{_bindir}/sandbox
 %{_bindir}/sepolgen-ifgen
+%{_bindir}/sepolgen-ifgen-attr-helper
 %{python_sitelib}/seobject.py*
 %{python_sitelib}/sepolgen
-%{python_sitelib}/%{name}	
 %{python_sitelib}/%{name}*.egg-info
-%{pkgpythondir}/default_encoding_utf8.so
+%{pkgpythondir}
 %dir  /var/lib/sepolgen
 %dir  /var/lib/selinux
 /var/lib/sepolgen/perm_map
@@ -145,7 +147,7 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_mandir}/ru/man8/semanage.8*
 
 %post python
-[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 
+selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null 
 exit 0
 
 %package sandbox
@@ -162,12 +164,10 @@ The policycoreutils-python package contains the scripts to create graphical sand
 
 %files sandbox
 %defattr(-,root,root,-)
-%{_sysconfdir}/rc.d/init.d/sandbox
-%{_sbindir}/seunshare
 %{_datadir}/sandbox/sandboxX.sh
 
 %triggerin python -- selinux-policy
-[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 
+selinuxenabled && [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen 2>/dev/null
 exit 0
 
 %post sandbox
@@ -214,11 +214,13 @@ system-config-selinux is a utility for managing the SELinux environment
 %{_bindir}/sepolgen
 %{_datadir}/applications/fedora-system-config-selinux.desktop
 %{_datadir}/applications/fedora-selinux-polgengui.desktop
+%{_datadir}/icons/hicolor/24x24/apps/system-config-selinux.png
+%{_datadir}/pixmaps/system-config-selinux.png
 %dir %{_datadir}/system-config-selinux
 %dir %{_datadir}/system-config-selinux/templates
+%{_datadir}/system-config-selinux/system-config-selinux.png
 %{_datadir}/system-config-selinux/*.py*
 %{_datadir}/system-config-selinux/selinux.tbl
-%{_datadir}/system-config-selinux/*png
 %{_datadir}/system-config-selinux/*.glade
 %{_datadir}/system-config-selinux/templates/*.py*
 %config(noreplace) %{_sysconfdir}/pam.d/system-config-selinux
@@ -235,6 +237,7 @@ rm -rf %{buildroot}
 /sbin/fixfiles
 /sbin/setfiles
 /sbin/load_policy
+%{_sbindir}/seunshare
 %{_sbindir}/genhomedircon
 %{_sbindir}/load_policy
 %{_sbindir}/restorecond
@@ -248,6 +251,8 @@ rm -rf %{buildroot}
 %{_bindir}/semodule_expand
 %{_bindir}/semodule_link
 %{_bindir}/semodule_package
+%{_sysconfdir}/rc.d/init.d/sandbox
+%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
 %config(noreplace) %{_sysconfdir}/pam.d/newrole
 %config(noreplace) %{_sysconfdir}/pam.d/run_init
 %config(noreplace) %{_sysconfdir}/sestatus.conf
@@ -287,6 +292,8 @@ rm -rf %{buildroot}
 %{_mandir}/ru/man8/setsebool.8*
 %{_mandir}/man1/secon.1*
 %{_mandir}/ru/man1/secon.1*
+%{_mandir}/man8/seunshare.8*
+%{_mandir}/man8/genhomedircon.8*
 
 %preun
 if [ $1 -eq 0 ]; then
@@ -306,7 +313,151 @@ fi
 exit 0
 
 %changelog
-* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
+* Mon Jun 7 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-29
+- Allow creation of /var/cache/DOMAIN from sepolgen
+
+* Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-28
+- Fix sandbox init script 
+- Add dbus-launch to sandbox -X
+Resolve: #599599
+
+* Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-27
+- Move genhomedircon.8 to same package as genhomedircon
+- Fix sandbox to pass unit test
+Resolves: #595796
+
+* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-26
+- Fix listing of booleans from audit2allow
+
+* Wed Jun 2 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-25
+- Fix audit2allow to output if the current policy has avc
+- Update translations
+- Fix icon
+
+* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
+- Man page fixes
+- sandbox fixes
+- Move seunshare to base package
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-23
+- Fix seunshare translations
+- Fix seunshare to work on all arches
+- Fix icon for system-config-selinux
+Resolves: #595276
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-22
+- Fix can_exec definition in sepolgen
+
+* Fri May 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-21
+- Add man page for seunshare and genhomedircon
+Resolves: #594303
+- Fix node management via semanage
+
+* Wed May 19 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-20
+- Fixes from upstream for sandbox command
+Resolves: #580938
+
+* Thu May 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-18
+- Fix sandbox error handling on copyfile
+- Fix desktop files
+
+* Tue May 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-17
+- Fix policy tool to have correct name in menus
+- Fix seunshare to handle /tmp being in ~/home
+- Fix saving of altered files
+- Update translations
+
+* Tue May 4 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-15
+- Allow audit2allow to specify alternative policy file for analysis
+
+* Mon May 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-14
+- Update po
+- Fix sepolgen --no_attrs
+Resolves: #588280
+
+* Thu Apr 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-13
+- Make semanage boolean work on disabled machines and during livecd xguest
+- Fix homedir and tmpdir handling in sandbox
+Resolves: #587263
+
+* Wed Apr 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-11
+- Make semanage boolean work on disabled machines 
+
+* Tue Apr 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-10
+- Make sepolgen-ifgen be quiet
+
+* Wed Apr 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-8
+- Make sepolgen report on more interfaces 
+- Fix system-config-selinux display of modules
+
+* Thu Apr 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-7
+- Fix crash when args are empty
+Resolves: #582542
+- Fix semange to exit on bad options
+- Fix semanage dontaudit man page section
+Resolves: #582533
+
+* Wed Apr 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-6
+- Remove debug line from semanage
+- Update po
+
+* Tue Apr 13 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-5
+- Fix sandbox comment on HOMEDIRS
+- Fix sandbox to throw error on bad executable
+
+* Tue Apr 6 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-4
+- Fix spacing in templates 
+
+* Wed Mar 31 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-3
+- Fix semanage return codes
+
+* Tue Mar 30 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-2
+- Fix sepolgen to confirm to the "Reference Policy Style Guide" 
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-1
+- Update to upstream 
+	* Add avc's since boot from Dan Walsh.
+	* Fix unit tests from Dan Walsh.
+
+* Tue Mar 23 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-4
+- Update to upstream - sepolgen
+	* Add since-last-boot option to audit2allow from Dan Walsh.
+	* Fix sepolgen output to match what Chris expects for upstream
+	  refpolicy from Dan Walsh.
+
+* Mon Mar 22 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-3
+- Allow restorecon on > 2 Gig files
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-2
+- Fix semanage handling of boolean options
+- Update translations
+
+* Fri Mar 12 2010 Dan Walsh <dwalsh@redhat.com> 2.0.81-1
+- Update to upstream
+	* Add dontaudit flag to audit2allow from Dan Walsh.
+
+* Thu Mar 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-2
+- Use --rbind in sandbox init scripts
+
+* Mon Mar 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.80-1
+- Update to upstream
+	* Module enable/disable support from Dan Walsh.
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-5
+- Rewrite of sandbox script, add unit test for sandbox 
+- Update translations
+
+* Mon Mar 1 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-4
+- Fix patch for dontaudit rules from audit2allow for upstream acceptance
+
+* Fri Feb 26 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-3
+- Fixes for fixfiles
+
+* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
+- Fix sandbox to complain if mount-shared has not been run
+- Fix to use /etc/sysconfig/sandbox
+
+* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
 - Update to upstream
 	* Fix double-free in newrole
 - Fix python language handling

sandbox.init

@@ -1,60 +0,0 @@
-#!/bin/bash
-## BEGIN INIT INFO
-# Provides: sandbox
-# Default-Start: 5
-# Default-Stop: 0 1 2 3 4 6
-# Required-Start:
-#              
-## END INIT INFO
-# sandbox:        Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
-#
-# chkconfig: 5 1 99
-#
-# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and 
-#              /home/sandbox accounts.  This script will setup the / mount 
-#              point as shared and all of the subdirectories just these 
-#              directories as unshared.
-#
-
-# Source function library.
-. /etc/init.d/functions
-
-LOCKFILE=/var/lock/subsys/sandbox
-
-base=${0##*/}
-
-case "$1" in
-    start)
-	[ -f "$LOCKFILE" ] && exit 0
-
-	touch $LOCKFILE
-	mount --make-rshared /
-	mount --bind /tmp /tmp
-	mount --bind /var/tmp /var/tmp
-	mount --bind /home /home
-	mount --make-private /home
-	mount --make-private /tmp
-	mount --make-private /var/tmp
-	RETVAL=$?
-	exit $RETVAL
-	;;
-
-    status)
-	if [ -f "$LOCKFILE" ]; then 
-	    echo "$base is running"
-	else
-	    echo "$base is stopped"
-	fi
-	exit 0
-	;;
-
-    stop)
-	rm -f $LOCKFILE
-	exit 0
-	;;
-
-    *)
-	echo $"Usage: $0 {start|stop}"
-	exit 3
-	;;
-esac

selinux-polgengui.desktop

@@ -1,9 +1,8 @@
 [Desktop Entry]
 Name=SELinux Policy Generation Tool
-GenericName=SELinux
 Comment=Generate SELinux policy modules
 StartupNotify=true
-Icon=/usr/share/system-config-selinux/system-config-selinux.png
+Icon=system-config-selinux
 Exec=/usr/bin/selinux-polgengui
 Type=Application
 Terminal=false

sources

@@ -1,3 +1,3 @@
-2ae1a9f7242e33413aae036d2edeb1d8  sepolgen-1.0.19.tgz
-e09466b2b02ca5672ce3b43e02c5498f  policycoreutils-2.0.79.tgz
+e4deacb4df1e2ec081a91fd59da1dcc5  policycoreutils-2.0.82.tgz
+49faa2e5f343317bcfcf34d7286f6037  sepolgen-1.0.23.tgz
 59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2

system-config-selinux.desktop

@@ -1,9 +1,8 @@
 [Desktop Entry]
 Name=SELinux Management
-GenericName=SELinux
 Comment=Configure SELinux in a graphical setting
 StartupNotify=true
-Icon=/usr/share/system-config-selinux/system-config-selinux.png
+Icon=system-config-selinux
 Exec=/usr/bin/system-config-selinux
 Type=Application
 Terminal=false