policycoreutils-2.9-6.fc31

- semanage: Do not use default s0 range in "semanage login -a" (#1312283)

.gitignore

@@ -301,24 +301,3 @@ policycoreutils-2.0.83.tgz
 /selinux-python-2.9.tar.gz
 /selinux-sandbox-2.9.tar.gz
 /semodule-utils-2.9.tar.gz
-/policycoreutils-3.0-rc1.tar.gz
-/restorecond-3.0-rc1.tar.gz
-/selinux-dbus-3.0-rc1.tar.gz
-/selinux-gui-3.0-rc1.tar.gz
-/selinux-python-3.0-rc1.tar.gz
-/selinux-sandbox-3.0-rc1.tar.gz
-/semodule-utils-3.0-rc1.tar.gz
-/policycoreutils-3.0.tar.gz
-/restorecond-3.0.tar.gz
-/selinux-dbus-3.0.tar.gz
-/selinux-gui-3.0.tar.gz
-/selinux-python-3.0.tar.gz
-/selinux-sandbox-3.0.tar.gz
-/semodule-utils-3.0.tar.gz
-/policycoreutils-3.1.tar.gz
-/restorecond-3.1.tar.gz
-/selinux-dbus-3.1.tar.gz
-/selinux-gui-3.1.tar.gz
-/selinux-python-3.1.tar.gz
-/selinux-sandbox-3.1.tar.gz
-/semodule-utils-3.1.tar.gz

0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch

@@ -0,0 +1,43 @@
+From c778509dd0ed3b184d720032f31971f975e42973 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 5 Mar 2019 17:38:55 +0100
+Subject: [PATCH] gui: Install polgengui.py to /usr/bin/selinux-polgengui
+
+polgengui.py is a standalone gui tool which should be in /usr/bin with other
+tools.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ gui/Makefile       | 2 +-
+ gui/modulesPage.py | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gui/Makefile b/gui/Makefile
+index c2f982de..b2375fbf 100644
+--- a/gui/Makefile
++++ b/gui/Makefile
+@@ -31,7 +31,7 @@ install: all
+ 	-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
+ 	install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
+ 	install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
+-	install -m 755 polgengui.py $(DESTDIR)$(SHAREDIR)
++	install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
+ 	install -m 644 $(TARGETS) $(DESTDIR)$(SHAREDIR)
+ 	install -m 644 system-config-selinux.8 $(DESTDIR)$(MANDIR)/man8
+ 	install -m 644 selinux-polgengui.8 $(DESTDIR)$(MANDIR)/man8
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 34c5d9e3..cb856b2d 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -118,7 +118,7 @@ class modulesPage(semanagePage):
+ 
+     def new_module(self, args):
+         try:
+-            Popen(["/usr/share/system-config-selinux/polgengui.py"])
++            Popen(["selinux-polgengui"])
+         except ValueError as e:
+             self.error(e.args[0])
+ 
+-- 
+2.22.0
+

0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch

@@ -1,34 +0,0 @@
-From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
-From: "W. Michael Petullo" <mike@flyn.org>
-Date: Thu, 16 Jul 2020 15:29:20 -0500
-Subject: [PATCH] python/audit2allow: add #include <limits.h> to
- sepolgen-ifgen-attr-helper.c
-
-I found that building on OpenWrt/musl failed with:
-
-  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
-
-Musl is less "generous" than glibc in recursively including header
-files, and I suspect this is the reason for this error. Explicitly
-including limits.h fixes the problem.
-
-Signed-off-by: W. Michael Petullo <mike@flyn.org>
----
- python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-index 53f20818722a..f010c9584c1f 100644
---- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
-+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
-@@ -28,6 +28,7 @@
- 
- #include <selinux/selinux.h>
- 
-+#include <limits.h>
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/stat.h>
--- 
-2.29.0
-

0002-gui-Install-.desktop-files-to-usr-share-applications.patch

@@ -0,0 +1,49 @@
+From 04b632e6de14ec0336e14988bf4c2bd581f7308e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 5 Mar 2019 17:25:00 +0100
+Subject: [PATCH] gui: Install .desktop files to /usr/share/applications by
+ default
+
+/usr/share/applications is a standard directory for .desktop files.
+Installation path can be changed using DESKTOPDIR variable in installation
+phase, e.g.
+
+make DESKTOPDIR=/usr/local/share/applications install
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ gui/Makefile | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gui/Makefile b/gui/Makefile
+index b2375fbf..ca965c94 100644
+--- a/gui/Makefile
++++ b/gui/Makefile
+@@ -5,6 +5,7 @@ BINDIR ?= $(PREFIX)/bin
+ SHAREDIR ?= $(PREFIX)/share/system-config-selinux
+ DATADIR ?= $(PREFIX)/share
+ MANDIR ?= $(PREFIX)/share/man
++DESKTOPDIR ?= $(PREFIX)/share/applications
+ 
+ TARGETS= \
+ booleansPage.py \
+@@ -29,6 +30,7 @@ install: all
+ 	-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
+ 	-mkdir -p $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
+ 	-mkdir -p $(DESTDIR)$(DATADIR)/polkit-1/actions/
++	-mkdir -p $(DESTDIR)$(DESKTOPDIR)
+ 	install -m 755 system-config-selinux.py $(DESTDIR)$(SHAREDIR)
+ 	install -m 755 system-config-selinux $(DESTDIR)$(BINDIR)
+ 	install -m 755 polgengui.py $(DESTDIR)$(BINDIR)/selinux-polgengui
+@@ -44,7 +46,7 @@ install: all
+ 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/pixmaps
+ 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/icons/hicolor/24x24/apps
+ 	install -m 644 system-config-selinux.png $(DESTDIR)$(DATADIR)/system-config-selinux
+-	install -m 644 *.desktop $(DESTDIR)$(DATADIR)/system-config-selinux
++	install -m 644 *.desktop $(DESTDIR)$(DESKTOPDIR)
+ 	-mkdir -p $(DESTDIR)$(DATADIR)/pixmaps
+ 	install -m 644 sepolicy_256.png $(DESTDIR)$(DATADIR)/pixmaps/sepolicy.png
+ 	for i in 16 22 32 48 256; do \
+-- 
+2.22.0
+

0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch

@@ -1,26 +0,0 @@
-From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
-From: Laurent Bigonville <bigon@bigon.be>
-Date: Thu, 16 Jul 2020 14:22:13 +0200
-Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
- restorecond.desktop file
-
-This completely inactivate the .desktop file incase the user session is
-managed by systemd as restorecond also provide a service file
-
-Signed-off-by: Laurent Bigonville <bigon@bigon.be>
----
- restorecond/restorecond.desktop | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
-index af7286801c24..7df854727a3f 100644
---- a/restorecond/restorecond.desktop
-+++ b/restorecond/restorecond.desktop
-@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
- Type=Application
- StartupNotify=false
- X-GNOME-Autostart-enabled=false
-+X-GNOME-HiddenUnderSystemd=true
--- 
-2.29.0
-

0003-fixfiles-correctly-restore-context-of-mountpoints.patch

@@ -1,136 +0,0 @@
-From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
-From: bauen1 <j2468h@googlemail.com>
-Date: Thu, 6 Aug 2020 16:48:36 +0200
-Subject: [PATCH] fixfiles: correctly restore context of mountpoints
-
-By bind mounting every filesystem we want to relabel we can access all
-files without anything hidden due to active mounts.
-
-This comes at the cost of user experience, because setfiles only
-displays the percentage if no path is given or the path is /
-
-Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
- policycoreutils/scripts/fixfiles.8 |  8 ++++++--
- 2 files changed, 31 insertions(+), 6 deletions(-)
-
-diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 5d7770348349..30dadb4f4cb6 100755
---- a/policycoreutils/scripts/fixfiles
-+++ b/policycoreutils/scripts/fixfiles
-@@ -112,6 +112,7 @@ FORCEFLAG=""
- RPMFILES=""
- PREFC=""
- RESTORE_MODE=""
-+BIND_MOUNT_FILESYSTEMS=""
- SETFILES=/sbin/setfiles
- RESTORECON=/sbin/restorecon
- FILESYSTEMSRW=`get_rw_labeled_mounts`
-@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
- 	if [ -n "${FILESYSTEMSRW}" ]; then
- 	    LogReadOnly
- 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
--	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+
-+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
-+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
-+	    else
-+	        # we bind mount so we can fix the labels of files that have already been
-+	        # mounted over
-+	        for m in `echo $FILESYSTEMSRW`; do
-+	            TMP_MOUNT="$(mktemp -d)"
-+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
-+
-+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
-+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
-+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
-+	            umount "${TMP_MOUNT}${m}" || exit 1
-+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
-+	        done;
-+	    fi
- 	else
- 	    echo >&2 "fixfiles: No suitable file systems found"
- 	fi
-@@ -313,6 +330,7 @@ case "$1" in
- 	> /.autorelabel || exit $?
- 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
- 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
-+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
- 	# Force full relabel if SELinux is not enabled
- 	selinuxenabled || echo -F > /.autorelabel
- 	echo "System will relabel on next boot"
-@@ -324,7 +342,7 @@ esac
- }
- usage() {
- 	echo $"""
--Usage: $0 [-v] [-F] [-f] relabel
-+Usage: $0 [-v] [-F] [-M] [-f] relabel
- or
- Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
- or
-@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
- or
- Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
- or
--Usage: $0 [-F] [-B] onboot
-+Usage: $0 [-F] [-M] [-B] onboot
- """
- }
- 
-@@ -353,7 +371,7 @@ set_restore_mode() {
- }
- 
- # See how we were called.
--while getopts "N:BC:FfR:l:v" i; do
-+while getopts "N:BC:FfR:l:vM" i; do
-     case "$i" in
- 	B)
- 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
-@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
- 		echo "Redirecting output to $OPTARG"
- 		exec >>"$OPTARG" 2>&1
- 		;;
-+	M)
-+		BIND_MOUNT_FILESYSTEMS="-M"
-+		;;
- 	F)
- 		FORCEFLAG="-F"
- 		;;
-diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
-index 9f447f03d444..123425308416 100644
---- a/policycoreutils/scripts/fixfiles.8
-+++ b/policycoreutils/scripts/fixfiles.8
-@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
- .na
- 
- .B fixfiles
--.I [\-v] [\-F] [\-f] relabel
-+.I [\-v] [\-F] [-M] [\-f] relabel
- 
- .B fixfiles
- .I [\-v] [\-F] { check | restore | verify } dir/file ...
-@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
- .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
- 
- .B fixfiles
--.I [-F] [-B] onboot
-+.I [-F] [-M] [-B] onboot
- 
- .ad
- 
-@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
- Only act on files created after the specified date.  Date must be specified in
- "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
- 
-+.TP
-+.B \-M
-+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
-+
- .TP
- .B -v
- Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
--- 
-2.29.0
-

0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch

@@ -1,4 +1,4 @@
-From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
+From 52e0583f6adfe70825b009b626e19c290b49763a Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 20 Aug 2015 12:58:41 +0200
 Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
@@ -9,7 +9,7 @@ Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
-index eaa500d08143..4774528027ef 100644
+index eaa500d0..47745280 100644
 --- a/sandbox/sandboxX.sh
 +++ b/sandbox/sandboxX.sh
 @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
@@ -22,5 +22,5 @@ index eaa500d08143..4774528027ef 100644
      cat > ~/seremote << __EOF
  #!/bin/sh
 -- 
-2.29.0
+2.22.0
 

0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch

@@ -1,4 +1,4 @@
-From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
+From 7504614fdd7dcf11b3a7568ca9b4b921973531dd Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 21 Apr 2014 13:54:40 -0400
 Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
@@ -9,7 +9,7 @@ Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
  1 file changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 3e8a3be907e3..a1d70623cff0 100755
+index 1d367962..24e311a3 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -735,10 +735,13 @@ Default Defined Ports:""")
@@ -42,5 +42,5 @@ index 3e8a3be907e3..a1d70623cff0 100755
          self.fd.write(r"""
  .I The following file types are defined for %(domainname)s:
 -- 
-2.29.0
+2.22.0
 

0004-sepolgen-print-extended-permissions-in-hexadecimal.patch

@@ -1,112 +0,0 @@
-From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:33 +0200
-Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-All tools like ausearch(8) or sesearch(1) and online documentation[1]
-use hexadecimal values for extended permissions.
-Hence use them, e.g. for audit2allow output, as well.
-
-[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
- python/sepolgen/tests/test_access.py      | 10 +++++-----
- python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
- 3 files changed, 13 insertions(+), 14 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
-index 43cecfc77385..747636875ef7 100644
---- a/python/sepolgen/src/sepolgen/refpolicy.py
-+++ b/python/sepolgen/src/sepolgen/refpolicy.py
-@@ -407,10 +407,9 @@ class XpermSet():
- 
-         # print single value without braces
-         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
--            return compl + str(self.ranges[0][0])
-+            return compl + hex(self.ranges[0][0])
- 
--        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
--                   self.ranges)
-+        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
- 
-         return "%s{ %s }" % (compl, " ".join(vals))
- 
-diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
-index 73a5407df617..623588e09aeb 100644
---- a/python/sepolgen/tests/test_access.py
-+++ b/python/sepolgen/tests/test_access.py
-@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def text_merge_xperm2(self):
-         """Test merging AV that does not contain xperms with AV that does"""
-@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
- 
-     def test_merge_xperm_diff_op(self):
-         """Test merging two AVs that contain xperms with different operation"""
-@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
--        self.assertEqual(a.xperms["asdf"].to_string(), "23")
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
-+        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
-                          
-     def test_merge_xperm_same_op(self):
-         """Test merging two AVs that contain xperms with same operation"""
-@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
-         a.merge(b)
-         self.assertEqual(list(a.perms), ["read"])
-         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
--        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
-+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
- 
- class TestUtilFunctions(unittest.TestCase):
-     def test_is_idparam(self):
-diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
-index 4b50c8aada96..c7219fd568e9 100644
---- a/python/sepolgen/tests/test_refpolicy.py
-+++ b/python/sepolgen/tests/test_refpolicy.py
-@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
-         a.complement = True
-         self.assertEqual(a.to_string(), "")
-         a.add(1234)
--        self.assertEqual(a.to_string(), "~ 1234")
-+        self.assertEqual(a.to_string(), "~ 0x4d2")
-         a.complement = False
--        self.assertEqual(a.to_string(), "1234")
-+        self.assertEqual(a.to_string(), "0x4d2")
-         a.add(2345)
--        self.assertEqual(a.to_string(), "{ 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
-         a.complement = True
--        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
-         a.add(42,64)
--        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
-         a.complement = False
--        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
-+        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
- 
- class TestSecurityContext(unittest.TestCase):
-     def test_init(self):
--- 
-2.29.0
-

0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

@@ -1,4 +1,4 @@
-From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
+From 9847a26b7f8358432ee4c7019efb3cbad0c162b0 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Mon, 12 May 2014 14:11:22 +0200
 Subject: [PATCH] If there is no executable we don't want to print a part of
@@ -9,7 +9,7 @@ Subject: [PATCH] If there is no executable we don't want to print a part of
  1 file changed, 2 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index a1d70623cff0..2d33eabb2536 100755
+index 24e311a3..46092be0 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
@@ -23,5 +23,5 @@ index a1d70623cff0..2d33eabb2536 100755
  .B STANDARD FILE CONTEXT
  
 -- 
-2.29.0
+2.22.0
 

0005-sepolgen-sort-extended-rules-like-normal-ones.patch

@@ -1,109 +0,0 @@
-From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Wed, 19 Aug 2020 17:05:34 +0200
-Subject: [PATCH] sepolgen: sort extended rules like normal ones
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-Changed:
-
-    #============= sshd_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t ptmx_t:chr_file ioctl;
-    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t sshd_devpts_t:chr_file ioctl;
-    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow sshd_t user_devpts_t:chr_file ioctl;
-    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
-
-    #============= user_t ==============
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t devtty_t:chr_file ioctl;
-    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
-
-    #!!!! This avc is allowed in the current policy
-    #!!!! This av rule may have been overridden by an extended permission av rule
-    allow user_t user_devpts_t:chr_file ioctl;
-    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- python/sepolgen/src/sepolgen/output.py | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
-index 3a21b64c19f7..aeeaafc889e7 100644
---- a/python/sepolgen/src/sepolgen/output.py
-+++ b/python/sepolgen/src/sepolgen/output.py
-@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
-         return ret
- 
-     # At this point, who cares - just return something
--    return cmp(len(a.perms), len(b.perms))
-+    return 0
- 
- # Compare two interface calls
- def ifcall_cmp(a, b):
-@@ -100,7 +100,7 @@ def rule_cmp(a, b):
-         else:
-             return id_set_cmp([a.args[0]], b.src_types)
-     else:
--        if isinstance(b, refpolicy.AVRule):
-+        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
-             return avrule_cmp(a,b)
-         else:
-             return id_set_cmp(a.src_types, [b.args[0]])
-@@ -130,6 +130,7 @@ def sort_filter(module):
-         # we assume is the first argument for interfaces).
-         rules = []
-         rules.extend(node.avrules())
-+        rules.extend(node.avextrules())
-         rules.extend(node.interface_calls())
-         rules.sort(key=util.cmp_to_key(rule_cmp))
- 
--- 
-2.29.0
-

0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch

@@ -1,4 +1,4 @@
-From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
+From b2993d464e05291020dbf60fc2948ac152eb0003 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Thu, 19 Feb 2015 17:45:15 +0100
 Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
@@ -11,10 +11,10 @@ Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
  2 files changed, 13 insertions(+), 77 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index e4540977d042..ad718797ca68 100644
+index 6aed31bd..88a2b8f6 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
+@@ -1209,27 +1209,14 @@ def boolean_desc(boolean):
  
  
  def get_os_version():
@@ -49,7 +49,7 @@ index e4540977d042..ad718797ca68 100644
  
  def reinit():
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 2d33eabb2536..acc77f368d95 100755
+index 46092be0..d60acfaf 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -149,10 +149,6 @@ def prettyprint(f, trim):
@@ -165,5 +165,5 @@ index 2d33eabb2536..acc77f368d95 100755
              if len(self.manpage_roles[letter]):
                  fd.write("""
 -- 
-2.29.0
+2.22.0
 

0006-newrole-support-cross-compilation-with-PAM-and-audit.patch

@@ -1,32 +0,0 @@
-From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
-From: Dominick Grift <dominick.grift@defensec.nl>
-Date: Tue, 1 Sep 2020 18:16:41 +0200
-Subject: [PATCH] newrole: support cross-compilation with PAM and audit
-
-Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
-
-Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- policycoreutils/newrole/Makefile | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
-index 73ebd413da85..0e7ebce3dd56 100644
---- a/policycoreutils/newrole/Makefile
-+++ b/policycoreutils/newrole/Makefile
-@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
- MANDIR ?= $(PREFIX)/share/man
- ETCDIR ?= /etc
- LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
--PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
--AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
-+INCLUDEDIR ?= $(PREFIX)/include
-+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
-+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
- # Enable capabilities to permit newrole to generate audit records.
- # This will make newrole a setuid root program.
- # The capabilities used are: CAP_AUDIT_WRITE.
--- 
-2.29.0
-

0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch

@@ -1,4 +1,4 @@
-From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
+From bfcb599d9424ef6ffcd250931c89675b451edd00 Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:01 +0100
 Subject: [PATCH] We want to remove the trailing newline for
@@ -9,10 +9,10 @@ Subject: [PATCH] We want to remove the trailing newline for
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ad718797ca68..ea05d892bf3b 100644
+index 88a2b8f6..0c66f4d5 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
-@@ -1211,7 +1211,7 @@ def get_os_version():
+@@ -1212,7 +1212,7 @@ def get_os_version():
      system_release = ""
      try:
          with open('/etc/system-release') as f:
@@ -22,5 +22,5 @@ index ad718797ca68..ea05d892bf3b 100644
          system_release = "Misc"
  
 -- 
-2.29.0
+2.22.0
 

0008-Fix-title-in-manpage.py-to-not-contain-online.patch

@@ -1,4 +1,4 @@
-From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
+From 4ea504acce6389c3e28134c4b8e6bf9072c295ce Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Fri, 20 Feb 2015 16:42:53 +0100
 Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
@@ -8,7 +8,7 @@ Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index acc77f368d95..4aeb3e2e51ba 100755
+index d60acfaf..de8184d8 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -220,7 +220,7 @@ class HTMLManPages:
@@ -21,5 +21,5 @@ index acc77f368d95..4aeb3e2e51ba 100755
  <body>
  <h1>SELinux man pages for %s</h1>
 -- 
-2.29.0
+2.22.0
 

0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch

@@ -1,4 +1,4 @@
-From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
+From 8af697659bd662517571577bf47946a2113f34a1 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -8,7 +8,7 @@ Subject: [PATCH] Don't be verbose if you are not on a tty
  1 file changed, 1 insertion(+)
 
 diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
-index 30dadb4f4cb6..e73bb81c3336 100755
+index b2779581..53d28c7b 100755
 --- a/policycoreutils/scripts/fixfiles
 +++ b/policycoreutils/scripts/fixfiles
 @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@@ -20,5 +20,5 @@ index 30dadb4f4cb6..e73bb81c3336 100755
  RPMFILES=""
  PREFC=""
 -- 
-2.29.0
+2.22.0
 

0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch

@@ -1,4 +1,4 @@
-From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
+From ef0f54ffc6d691d10e66a0793204edd159cd45d0 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 27 Feb 2017 17:12:39 +0100
 Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
@@ -11,7 +11,7 @@ Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
  1 file changed, 20 insertions(+), 2 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 4aeb3e2e51ba..330b055af214 100755
+index de8184d8..f8a94fc0 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -125,8 +125,24 @@ def gen_domains():
@@ -59,5 +59,5 @@ index 4aeb3e2e51ba..330b055af214 100755
                  if f in self.fcdict:
                      mpaths = mpaths + self.fcdict[f]["regex"]
 -- 
-2.29.0
+2.22.0
 

0011-sepolicy-Another-small-optimization-for-mcs-types.patch

@@ -1,4 +1,4 @@
-From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
+From e54db76a3bff8e911ddd7c7ce834c024d634d9e1 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Tue, 28 Feb 2017 21:29:46 +0100
 Subject: [PATCH] sepolicy: Another small optimization for mcs types
@@ -8,7 +8,7 @@ Subject: [PATCH] sepolicy: Another small optimization for mcs types
  1 file changed, 11 insertions(+), 5 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 330b055af214..f8584436960d 100755
+index f8a94fc0..67d39301 100755
 --- a/python/sepolicy/sepolicy/manpage.py
 +++ b/python/sepolicy/sepolicy/manpage.py
 @@ -142,6 +142,15 @@ def _gen_entry_types():
@@ -35,7 +35,7 @@ index 330b055af214..f8584436960d 100755
  
          if self.source_files:
              self.fcpath = self.root + "file_contexts"
-@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
+@@ -944,11 +954,7 @@ All executeables with the default executable label, usually stored in /usr/bin a
  %s""" % ", ".join(paths))
  
      def _mcs_types(self):
@@ -49,5 +49,5 @@ index 330b055af214..f8584436960d 100755
          self.fd.write ("""
  .SH "MCS Constrained"
 -- 
-2.29.0
+2.22.0
 

0012-Move-po-translation-files-into-the-right-sub-directo.patch

@@ -1,4 +1,4 @@
-From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
+From 4015e9299bfda622e9d407cdbcc536000688aa8f Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:23:00 +0200
 Subject: [PATCH] Move po/ translation files into the right sub-directories
@@ -35,7 +35,7 @@ See https://github.com/fedora-selinux/selinux/issues/43
  create mode 100644 sandbox/po/POTFILES
 
 diff --git a/gui/Makefile b/gui/Makefile
-index ca965c942912..5a5bf6dcae19 100644
+index ca965c94..5a5bf6dc 100644
 --- a/gui/Makefile
 +++ b/gui/Makefile
 @@ -22,6 +22,7 @@ system-config-selinux.ui \
@@ -57,7 +57,7 @@ index ca965c942912..5a5bf6dcae19 100644
  indent:
 diff --git a/gui/po/Makefile b/gui/po/Makefile
 new file mode 100644
-index 000000000000..a0f5439f2d1c
+index 00000000..a0f5439f
 --- /dev/null
 +++ b/gui/po/Makefile
 @@ -0,0 +1,82 @@
@@ -145,7 +145,7 @@ index 000000000000..a0f5439f2d1c
 +relabel:
 diff --git a/gui/po/POTFILES b/gui/po/POTFILES
 new file mode 100644
-index 000000000000..1795c5c1951b
+index 00000000..1795c5c1
 --- /dev/null
 +++ b/gui/po/POTFILES
 @@ -0,0 +1,17 @@
@@ -167,7 +167,7 @@ index 000000000000..1795c5c1951b
 +../system-config-selinux.ui
 +../usersPage.py
 diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
-index 575e143122e6..18bc1dff8d1f 100644
+index 575e1431..18bc1dff 100644
 --- a/policycoreutils/po/Makefile
 +++ b/policycoreutils/po/Makefile
 @@ -3,7 +3,6 @@
@@ -267,7 +267,7 @@ index 575e143122e6..18bc1dff8d1f 100644
  	for cat in $(POFILES); do \
 diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
 new file mode 100644
-index 000000000000..12237dc61ee4
+index 00000000..12237dc6
 --- /dev/null
 +++ b/policycoreutils/po/POTFILES
 @@ -0,0 +1,9 @@
@@ -281,7 +281,7 @@ index 000000000000..12237dc61ee4
 +../setfiles/setfiles.c
 +../secon/secon.c
 diff --git a/python/Makefile b/python/Makefile
-index 9b66d52fbd4d..00312dbdb5c6 100644
+index 9b66d52f..00312dbd 100644
 --- a/python/Makefile
 +++ b/python/Makefile
 @@ -1,4 +1,4 @@
@@ -292,7 +292,7 @@ index 9b66d52fbd4d..00312dbdb5c6 100644
  	@for subdir in $(SUBDIRS); do \
 diff --git a/python/po/Makefile b/python/po/Makefile
 new file mode 100644
-index 000000000000..4e052d5a2bd7
+index 00000000..4e052d5a
 --- /dev/null
 +++ b/python/po/Makefile
 @@ -0,0 +1,83 @@
@@ -381,7 +381,7 @@ index 000000000000..4e052d5a2bd7
 +relabel:
 diff --git a/python/po/POTFILES b/python/po/POTFILES
 new file mode 100644
-index 000000000000..128eb870a69e
+index 00000000..128eb870
 --- /dev/null
 +++ b/python/po/POTFILES
 @@ -0,0 +1,10 @@
@@ -396,7 +396,7 @@ index 000000000000..128eb870a69e
 +../sepolicy/sepolicy/interface.py
 +../sepolicy/sepolicy.py
 diff --git a/sandbox/Makefile b/sandbox/Makefile
-index 9da5e58db9e6..b817824e2102 100644
+index 9da5e58d..b817824e 100644
 --- a/sandbox/Makefile
 +++ b/sandbox/Makefile
 @@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
@@ -417,7 +417,7 @@ index 9da5e58db9e6..b817824e2102 100644
  	@$(PYTHON) test_sandbox.py -v
 diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
 new file mode 100644
-index 000000000000..0556bbe953f0
+index 00000000..0556bbe9
 --- /dev/null
 +++ b/sandbox/po/Makefile
 @@ -0,0 +1,82 @@
@@ -505,11 +505,11 @@ index 000000000000..0556bbe953f0
 +relabel:
 diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
 new file mode 100644
-index 000000000000..deff3f2f4656
+index 00000000..deff3f2f
 --- /dev/null
 +++ b/sandbox/po/POTFILES
 @@ -0,0 +1 @@
 +../sandbox
 -- 
-2.29.0
+2.22.0
 

0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch

@@ -1,4 +1,4 @@
-From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
+From 57cd23e11e1a700802a5955e84a0a7e04c30ec73 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 13:37:07 +0200
 Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
@@ -29,7 +29,7 @@ https://github.com/fedora-selinux/selinux/issues/43
  21 files changed, 21 insertions(+), 21 deletions(-)
 
 diff --git a/gui/booleansPage.py b/gui/booleansPage.py
-index 7849bea26a06..dd12b6d6ab86 100644
+index 7849bea2..dd12b6d6 100644
 --- a/gui/booleansPage.py
 +++ b/gui/booleansPage.py
 @@ -38,7 +38,7 @@ DISABLED = 2
@@ -42,7 +42,7 @@ index 7849bea26a06..dd12b6d6ab86 100644
      import gettext
      kwargs = {}
 diff --git a/gui/domainsPage.py b/gui/domainsPage.py
-index bad5140d8c59..6bbe4de5884f 100644
+index bad5140d..6bbe4de5 100644
 --- a/gui/domainsPage.py
 +++ b/gui/domainsPage.py
 @@ -30,7 +30,7 @@ from semanagePage import *
@@ -55,7 +55,7 @@ index bad5140d8c59..6bbe4de5884f 100644
      import gettext
      kwargs = {}
 diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
-index 370bbee40786..e424366da26f 100644
+index 370bbee4..e424366d 100644
 --- a/gui/fcontextPage.py
 +++ b/gui/fcontextPage.py
 @@ -47,7 +47,7 @@ class context:
@@ -68,7 +68,7 @@ index 370bbee40786..e424366da26f 100644
      import gettext
      kwargs = {}
 diff --git a/gui/loginsPage.py b/gui/loginsPage.py
-index b67eb8bc42af..cbfb0cc23f65 100644
+index b67eb8bc..cbfb0cc2 100644
 --- a/gui/loginsPage.py
 +++ b/gui/loginsPage.py
 @@ -29,7 +29,7 @@ from semanagePage import *
@@ -81,7 +81,7 @@ index b67eb8bc42af..cbfb0cc23f65 100644
      import gettext
      kwargs = {}
 diff --git a/gui/modulesPage.py b/gui/modulesPage.py
-index 0584acf9b3a4..35a0129bab9c 100644
+index cb856b2d..26ac5404 100644
 --- a/gui/modulesPage.py
 +++ b/gui/modulesPage.py
 @@ -30,7 +30,7 @@ from semanagePage import *
@@ -94,7 +94,7 @@ index 0584acf9b3a4..35a0129bab9c 100644
      import gettext
      kwargs = {}
 diff --git a/gui/polgengui.py b/gui/polgengui.py
-index d284ded65279..01f541bafae8 100644
+index b1cc9937..46a1bd2c 100644
 --- a/gui/polgengui.py
 +++ b/gui/polgengui.py
 @@ -63,7 +63,7 @@ def get_all_modules():
@@ -107,7 +107,7 @@ index d284ded65279..01f541bafae8 100644
      import gettext
      kwargs = {}
 diff --git a/gui/portsPage.py b/gui/portsPage.py
-index 30f58383bc1d..a537ecc8c0a1 100644
+index 30f58383..a537ecc8 100644
 --- a/gui/portsPage.py
 +++ b/gui/portsPage.py
 @@ -35,7 +35,7 @@ from semanagePage import *
@@ -120,7 +120,7 @@ index 30f58383bc1d..a537ecc8c0a1 100644
      import gettext
      kwargs = {}
 diff --git a/gui/semanagePage.py b/gui/semanagePage.py
-index 4127804fbbee..5361d69c1313 100644
+index 4127804f..5361d69c 100644
 --- a/gui/semanagePage.py
 +++ b/gui/semanagePage.py
 @@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
@@ -133,7 +133,7 @@ index 4127804fbbee..5361d69c1313 100644
      import gettext
      kwargs = {}
 diff --git a/gui/statusPage.py b/gui/statusPage.py
-index 766854b19cba..a8f079b9b163 100644
+index 766854b1..a8f079b9 100644
 --- a/gui/statusPage.py
 +++ b/gui/statusPage.py
 @@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
@@ -146,7 +146,7 @@ index 766854b19cba..a8f079b9b163 100644
      import gettext
      kwargs = {}
 diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
-index 3f70122b87e8..8c46c987b974 100644
+index c42301b6..1e0d5eb1 100644
 --- a/gui/system-config-selinux.py
 +++ b/gui/system-config-selinux.py
 @@ -45,7 +45,7 @@ import selinux
@@ -159,7 +159,7 @@ index 3f70122b87e8..8c46c987b974 100644
      import gettext
      kwargs = {}
 diff --git a/gui/usersPage.py b/gui/usersPage.py
-index 26794ed5c3f3..d15d4c5a71dd 100644
+index 26794ed5..d15d4c5a 100644
 --- a/gui/usersPage.py
 +++ b/gui/usersPage.py
 @@ -29,7 +29,7 @@ from semanagePage import *
@@ -172,7 +172,7 @@ index 26794ed5c3f3..d15d4c5a71dd 100644
      import gettext
      kwargs = {}
 diff --git a/python/chcat/chcat b/python/chcat/chcat
-index fdd2e46ee3f9..839ddd3b54b6 100755
+index ba398684..df2509f2 100755
 --- a/python/chcat/chcat
 +++ b/python/chcat/chcat
 @@ -30,7 +30,7 @@ import getopt
@@ -185,7 +185,7 @@ index fdd2e46ee3f9..839ddd3b54b6 100755
      import gettext
      kwargs = {}
 diff --git a/python/semanage/semanage b/python/semanage/semanage
-index b2fabea67a87..3cc30a160a74 100644
+index 144cc000..56db3e0d 100644
 --- a/python/semanage/semanage
 +++ b/python/semanage/semanage
 @@ -27,7 +27,7 @@ import traceback
@@ -198,7 +198,7 @@ index b2fabea67a87..3cc30a160a74 100644
      import gettext
      kwargs = {}
 diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
-index 6a14f7b47dd5..b51a7e3e7ca3 100644
+index 13fdf531..b90b1070 100644
 --- a/python/semanage/seobject.py
 +++ b/python/semanage/seobject.py
 @@ -29,7 +29,7 @@ import sys
@@ -209,9 +209,9 @@ index 6a14f7b47dd5..b51a7e3e7ca3 100644
 +PROGNAME = "selinux-python"
  import sepolicy
  import setools
- import ipaddress
+ from IPy import IP
 diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
-index 998c4356415c..56ebd807c69c 100644
+index 998c4356..56ebd807 100644
 --- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
 +++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
 @@ -19,7 +19,7 @@
@@ -224,11 +224,11 @@ index 998c4356415c..56ebd807c69c 100644
  except:
      def _(str):
 diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
-index 7b2230651099..32956e58f52e 100755
+index 1934cd86..8bd6a579 100755
 --- a/python/sepolicy/sepolicy.py
 +++ b/python/sepolicy/sepolicy.py
-@@ -28,7 +28,7 @@ import sepolicy
- from multiprocessing import Pool
+@@ -27,7 +27,7 @@ import selinux
+ import sepolicy
  from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
  import argparse
 -PROGNAME = "policycoreutils"
@@ -237,7 +237,7 @@ index 7b2230651099..32956e58f52e 100755
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
-index ea05d892bf3b..9a9c2ae9f237 100644
+index 0c66f4d5..b6ca57c3 100644
 --- a/python/sepolicy/sepolicy/__init__.py
 +++ b/python/sepolicy/sepolicy/__init__.py
 @@ -13,7 +13,7 @@ import os
@@ -250,10 +250,10 @@ index ea05d892bf3b..9a9c2ae9f237 100644
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 4e1ed4e9dc31..43180ca6fda4 100644
+index 019e7836..7175d36b 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
-@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults
+@@ -49,7 +49,7 @@ import sepolgen.defaults as defaults
  ##
  ## I18N
  ##
@@ -263,7 +263,7 @@ index 4e1ed4e9dc31..43180ca6fda4 100644
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
-index 1e86422b864a..c9ca158ddd09 100644
+index 00fd7a11..805cee67 100644
 --- a/python/sepolicy/sepolicy/gui.py
 +++ b/python/sepolicy/sepolicy/gui.py
 @@ -41,7 +41,7 @@ import os
@@ -276,7 +276,7 @@ index 1e86422b864a..c9ca158ddd09 100644
      import gettext
      kwargs = {}
 diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
-index bdffb770f364..9d40aea1498d 100644
+index 583091ae..e2b8d23b 100644
 --- a/python/sepolicy/sepolicy/interface.py
 +++ b/python/sepolicy/sepolicy/interface.py
 @@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
@@ -289,7 +289,7 @@ index bdffb770f364..9d40aea1498d 100644
      import gettext
      kwargs = {}
 diff --git a/sandbox/sandbox b/sandbox/sandbox
-index ca5f1e030a51..16c43b51eaaa 100644
+index 1dec07ac..a12403b3 100644
 --- a/sandbox/sandbox
 +++ b/sandbox/sandbox
 @@ -37,7 +37,7 @@ import sepolicy
@@ -302,5 +302,5 @@ index ca5f1e030a51..16c43b51eaaa 100644
      import gettext
      kwargs = {}
 -- 
-2.29.0
+2.22.0
 

0014-Initial-.pot-files-for-gui-python-sandbox.patch

@@ -1,4 +1,4 @@
-From ffca591cb3055c4962cdc968662bd52bb876e640 Mon Sep 17 00:00:00 2001
+From c8c59758d2fb7f6cbe368c9ff8f356ea7acebb4b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 6 Aug 2018 14:23:19 +0200
 Subject: [PATCH] Initial .pot files for gui/ python/ sandbox/
@@ -15,7 +15,7 @@ https://github.com/fedora-selinux/selinux/issues/43
 
 diff --git a/gui/po/gui.pot b/gui/po/gui.pot
 new file mode 100644
-index 000000000000..1663b4caa7c3
+index 00000000..1663b4ca
 --- /dev/null
 +++ b/gui/po/gui.pot
 @@ -0,0 +1,964 @@
@@ -985,7 +985,7 @@ index 000000000000..1663b4caa7c3
 +msgstr ""
 diff --git a/python/po/python.pot b/python/po/python.pot
 new file mode 100644
-index 000000000000..a279b0e8d540
+index 00000000..a279b0e8
 --- /dev/null
 +++ b/python/po/python.pot
 @@ -0,0 +1,3375 @@
@@ -4366,7 +4366,7 @@ index 000000000000..a279b0e8d540
 +msgstr ""
 diff --git a/sandbox/po/sandbox.pot b/sandbox/po/sandbox.pot
 new file mode 100644
-index 000000000000..328b4f0159d3
+index 00000000..328b4f01
 --- /dev/null
 +++ b/sandbox/po/sandbox.pot
 @@ -0,0 +1,157 @@
@@ -4528,5 +4528,5 @@ index 000000000000..328b4f0159d3
 +msgid "Invalid value %s"
 +msgstr ""
 -- 
-2.29.0
+2.22.0
 

0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch

@@ -1,4 +1,4 @@
-From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
+From c8fbb8042852c18775c001999ce949e9b591e381 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 21 Mar 2018 08:51:31 +0100
 Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
@@ -13,10 +13,10 @@ Resolves: rhbz#1271327
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
-index e328a5628682..02e0960289d3 100644
+index ccaaf4de..a8a76c86 100644
 --- a/policycoreutils/setfiles/setfiles.8
 +++ b/policycoreutils/setfiles/setfiles.8
-@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
+@@ -57,7 +57,7 @@ check the validity of the contexts against the specified binary policy.
  .TP
  .B \-d
  show what specification matched each file (do not abort validation
@@ -26,5 +26,5 @@ index e328a5628682..02e0960289d3 100644
  .BI \-e \ directory
  directory to exclude (repeat option for more than one directory).
 -- 
-2.29.0
+2.22.0
 

0017-sepolicy-generate-Handle-more-reserved-port-types.patch

@@ -1,4 +1,4 @@
-From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
+From 3073efc112929b535f3a832c6f99e0dbe3af29ca Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -52,10 +52,10 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 43180ca6fda4..d60a08e1d72c 100644
+index 7175d36b..93caedee 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
-@@ -99,7 +99,9 @@ def get_all_ports():
+@@ -100,7 +100,9 @@ def get_all_ports():
      for p in sepolicy.info(sepolicy.PORT):
          if p['type'] == "reserved_port_t" or \
                  p['type'] == "port_t" or \
@@ -67,5 +67,5 @@ index 43180ca6fda4..d60a08e1d72c 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.29.0
+2.22.0
 

0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch

@@ -1,4 +1,4 @@
-From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
+From f8602180d042e95947fe0bbd35d261771b347705 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 8 Nov 2018 09:20:58 +0100
 Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
@@ -8,7 +8,7 @@ Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
  1 file changed, 1 insertion(+)
 
 diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
-index 3515234e36de..7b75b3fd9bb4 100644
+index 3515234e..7b75b3fd 100644
 --- a/semodule-utils/semodule_package/semodule_package.c
 +++ b/semodule-utils/semodule_package/semodule_package.c
 @@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
@@ -20,5 +20,5 @@ index 3515234e36de..7b75b3fd9bb4 100644
  	}
  
 -- 
-2.29.0
+2.22.0
 

0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch

@@ -1,4 +1,4 @@
-From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
+From 89895635ae012d1864a03700054ecc723973b5c0 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -10,7 +10,7 @@ Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
  3 files changed, 3 insertions(+), 17 deletions(-)
 
 diff --git a/sandbox/sandbox b/sandbox/sandbox
-index 16c43b51eaaa..7709a6585665 100644
+index a12403b3..707959a6 100644
 --- a/sandbox/sandbox
 +++ b/sandbox/sandbox
 @@ -268,7 +268,7 @@ class Sandbox:
@@ -32,7 +32,7 @@ index 16c43b51eaaa..7709a6585665 100644
  
          parser.add_option("-l", "--level", dest="level",
 diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
-index d83fee76f335..90ef4951c8c2 100644
+index d83fee76..90ef4951 100644
 --- a/sandbox/sandbox.8
 +++ b/sandbox/sandbox.8
 @@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
@@ -45,7 +45,7 @@ index d83fee76f335..90ef4951c8c2 100644
  \fB\-X\fR 
  Create an X based Sandbox for gui apps, temporary files for
 diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
-index 4774528027ef..c211ebc14549 100644
+index 47745280..c211ebc1 100644
 --- a/sandbox/sandboxX.sh
 +++ b/sandbox/sandboxX.sh
 @@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
@@ -70,5 +70,5 @@ index 4774528027ef..c211ebc14549 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 -- 
-2.29.0
+2.22.0
 

0020-python-Use-ipaddress-instead-of-IPy.patch

@@ -0,0 +1,45 @@
+From b2512e2a92a33360639a3459039cdf2e685655a8 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 3 Dec 2018 14:40:09 +0100
+Subject: [PATCH] python: Use ipaddress instead of IPy
+
+ipaddress module was added in python 3.3 and this allows us to drop python3-IPy
+---
+ python/semanage/seobject.py | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index b90b1070..58497e3b 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -32,7 +32,7 @@ from semanage import *
+ PROGNAME = "selinux-python"
+ import sepolicy
+ import setools
+-from IPy import IP
++import ipaddress
+ 
+ try:
+     import gettext
+@@ -1851,13 +1851,13 @@ class nodeRecords(semanageRecords):
+ 
+         # verify valid comination
+         if len(mask) == 0 or mask[0] == "/":
+-            i = IP(addr + mask)
+-            newaddr = i.strNormal(0)
+-            newmask = str(i.netmask())
+-            if newmask == "0.0.0.0" and i.version() == 6:
++            i = ipaddress.ip_network(addr + mask)
++            newaddr = str(i.network_address)
++            newmask = str(i.netmask)
++            if newmask == "0.0.0.0" and i.version == 6:
+                 newmask = "::"
+ 
+-            protocol = "ipv%d" % i.version()
++            protocol = "ipv%d" % i.version
+ 
+         try:
+             newprotocol = self.protocol.index(protocol)
+-- 
+2.22.0
+

0021-python-semanage-Do-not-traceback-when-the-default-po.patch

@@ -0,0 +1,93 @@
+From e9b08da87ed222059c1f1f0c0de7cc760f485552 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 4 Apr 2019 23:02:56 +0200
+Subject: [PATCH] python/semanage: Do not traceback when the default policy is
+ not available
+
+"import seobject" causes "import sepolicy" which crashes when the system policy
+is not available. It's better to provide an error message instead.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ python/semanage/semanage | 37 +++++++++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 16 deletions(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 56db3e0d..4c766ae3 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -25,7 +25,6 @@
+ 
+ import traceback
+ import argparse
+-import seobject
+ import sys
+ PROGNAME = "selinux-python"
+ try:
+@@ -129,21 +128,6 @@ class SetImportFile(argparse.Action):
+                 sys.exit(1)
+         setattr(namespace, self.dest, values)
+ 
+-# define dictonary for seobject OBEJCTS
+-object_dict = {
+-    'login': seobject.loginRecords,
+-    'user': seobject.seluserRecords,
+-    'port': seobject.portRecords,
+-    'module': seobject.moduleRecords,
+-    'interface': seobject.interfaceRecords,
+-    'node': seobject.nodeRecords,
+-    'fcontext': seobject.fcontextRecords,
+-    'boolean': seobject.booleanRecords,
+-    'permissive': seobject.permissiveRecords,
+-    'dontaudit': seobject.dontauditClass,
+-    'ibpkey': seobject.ibpkeyRecords,
+-    'ibendport': seobject.ibendportRecords
+-}
+ 
+ def generate_custom_usage(usage_text, usage_dict):
+     # generate custom usage from given text and dictonary
+@@ -608,6 +592,7 @@ def setupInterfaceParser(subparsers):
+ 
+ 
+ def handleModule(args):
++    import seobject
+     OBJECT = seobject.moduleRecords(args)
+     if args.action_add:
+         OBJECT.add(args.action_add[0], args.priority)
+@@ -846,6 +831,7 @@ def mkargv(line):
+ 
+ 
+ def handleImport(args):
++    import seobject
+     trans = seobject.semanageRecords(args)
+     trans.start()
+ 
+@@ -887,6 +873,25 @@ def createCommandParser():
+     #To add a new subcommand define the parser for it in a function above and call it here.
+     subparsers = commandParser.add_subparsers(dest='subcommand')
+     subparsers.required = True
++
++    import seobject
++    # define dictonary for seobject OBEJCTS
++    global object_dict
++    object_dict = {
++        'login': seobject.loginRecords,
++        'user': seobject.seluserRecords,
++        'port': seobject.portRecords,
++        'module': seobject.moduleRecords,
++        'interface': seobject.interfaceRecords,
++        'node': seobject.nodeRecords,
++        'fcontext': seobject.fcontextRecords,
++        'boolean': seobject.booleanRecords,
++        'permissive': seobject.permissiveRecords,
++        'dontaudit': seobject.dontauditClass,
++        'ibpkey': seobject.ibpkeyRecords,
++        'ibendport': seobject.ibendportRecords
++    }
++
+     setupImportParser(subparsers)
+     setupExportParser(subparsers)
+     setupLoginParser(subparsers)
+-- 
+2.22.0
+

0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch

@@ -0,0 +1,108 @@
+From d3f8b2c3cd9e044aba909f63a2ca78f53db11fe0 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 2 Jul 2019 17:11:32 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix [-B] [-F] onboot
+
+Commit 6e289bb7bf3d ("policycoreutils: fixfiles: remove bad modes of "relabel"
+command") added "$RESTORE_MODE" != DEFAULT test when onboot is used. It makes
+`fixfiles -B onboot` to show usage instead of updating /.autorelabel
+
+The code is restructured to handle -B for different modes correctly.
+
+Fixes:
+    # fixfiles -B onboot
+    Usage: /usr/sbin/fixfiles [-v] [-F] [-f] relabel
+    ...
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 29 +++++++++++++++--------------
+ 1 file changed, 15 insertions(+), 14 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 53d28c7b..9dd44213 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -112,7 +112,7 @@ VERBOSE="-p"
+ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+-RESTORE_MODE="DEFAULT"
++RESTORE_MODE=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -214,16 +214,17 @@ restore () {
+ OPTION=$1
+ shift
+ 
+-case "$RESTORE_MODE" in
+-    PREFC)
+-	diff_filecontext $*
+-	return
+-    ;;
+-    BOOTTIME)
++# [-B | -N time ]
++if [ -z "$BOOTTIME" ]; then
+ 	newer $BOOTTIME $*
+ 	return
+-    ;;
+-esac
++fi
++
++# -C PREVIOUS_FILECONTEXT
++if [ "$RESTORE_MODE" == PREFC ]; then
++	diff_filecontext $*
++	return
++fi
+ 
+ [ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon
+ 
+@@ -239,7 +240,7 @@ case "$RESTORE_MODE" in
+     FILEPATH)
+ 	${RESTORECON} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -R -- "$FILEPATH"
+     ;;
+-    DEFAULT)
++    *)
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+ 	    LogReadOnly
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+@@ -272,7 +273,7 @@ fullrelabel() {
+ 
+ 
+ relabel() {
+-    if [ "$RESTORE_MODE" != DEFAULT ]; then
++    if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ 	usage
+ 	exit 1
+     fi
+@@ -306,7 +307,7 @@ case "$1" in
+     verify) restore Verify -n;;
+     relabel) relabel;;
+     onboot)
+-	if [ "$RESTORE_MODE" != DEFAULT ]; then
++	if [ -n "$RESTORE_MODE" -a "$RESTORE_MODE" != DEFAULT ]; then
+ 	    usage
+ 	    exit 1
+ 	fi
+@@ -344,7 +345,7 @@ if [ $# -eq 0 ]; then
+ fi
+ 
+ set_restore_mode() {
+-	if [ "$RESTORE_MODE" != DEFAULT ]; then
++	if [ -n "$RESTORE_MODE" ]; then
+ 		# can't specify two different modes
+ 		usage
+ 		exit 1
+@@ -357,7 +358,7 @@ while getopts "N:BC:FfR:l:v" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+-		set_restore_mode BOOTTIME
++		set_restore_mode DEFAULT
+ 		;;
+ 	N)
+ 		BOOTTIME=$OPTARG
+-- 
+2.22.0
+

0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch

@@ -0,0 +1,33 @@
+From 105eeda97b0f35773bc32222d0802de4d0b5a8e9 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 2 Jul 2019 17:12:07 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Force full relabel when SELinux is
+ disabled
+
+The previous check used getfilecon to check whether / slash contains a label,
+but getfilecon fails only when SELinux is disabled. Therefore it's better to
+check this using selinuxenabled.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 9dd44213..a9d27d13 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -314,8 +314,8 @@ case "$1" in
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+-	# Force full relabel if / does not have a label on it
+-	getfilecon / > /dev/null 2>&1  || echo -F >/.autorelabel
++	# Force full relabel if SELinux is not enabled
++	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+ 	;;
+     *)
+-- 
+2.22.0
+

0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch

@@ -1,46 +0,0 @@
-From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Tue, 28 Jul 2020 14:37:13 +0200
-Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
-
-Fixes:
-$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
-Analyzing 187 Python scripts
-./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
-./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
-./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
-./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
-./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
-./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
-The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- python/sepolicy/sepolicy/manpage.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index f8584436960d..6a3e08fca58c 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -717,7 +717,7 @@ Default Defined Ports:""")
-         for f in self.all_file_types:
-             if f.startswith(self.domainname):
-                 flist.append(f)
--                if not f in self.exec_types or not f in self.entry_types:
-+                if f not in self.exec_types or f not in self.entry_types:
-                     flist_non_exec.append(f)
-                 if f in self.fcdict:
-                     mpaths = mpaths + self.fcdict[f]["regex"]
-@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
- """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
- 
-         if flist_non_exec:
--                self.fd.write(r"""
-+            self.fd.write(r"""
- .PP
- .B STANDARD FILE CONTEXT
- 
--- 
-2.29.0
-

0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch

@@ -0,0 +1,32 @@
+From e240bf9a547374dff8e7998b0bedce1d523b3dd4 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 21 Aug 2019 17:43:25 +0200
+Subject: [PATCH] policycoreutils/fixfiles: Fix unbound variable problem
+
+Fix a typo introduced in commit d3f8b2c3cd909 ("policycoreutils/fixfiles: Fix
+[-B] [-F] onboot"), which broke  "fixfiles relabel":
+
+    #fixfiles relabel
+    /sbin/fixfiles: line 151: $1: unbound variable
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ policycoreutils/scripts/fixfiles | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index a9d27d13..df0042aa 100755
+--- a/policycoreutils/scripts/fixfiles
++++ b/policycoreutils/scripts/fixfiles
+@@ -215,7 +215,7 @@ OPTION=$1
+ shift
+ 
+ # [-B | -N time ]
+-if [ -z "$BOOTTIME" ]; then
++if [ -n "$BOOTTIME" ]; then
+ 	newer $BOOTTIME $*
+ 	return
+ fi
+-- 
+2.23.0
+

0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch

@@ -1,29 +0,0 @@
-From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
-From: Ondrej Mosnacek <omosnace@redhat.com>
-Date: Wed, 11 Nov 2020 17:23:40 +0100
-Subject: [PATCH] selinux_config(5): add a note that runtime disable is
- deprecated
-
-...and refer to selinux(8), which explains it further.
-
-Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
----
- policycoreutils/man/man5/selinux_config.5 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
-index 1ffade150128..58b42a0e234d 100644
---- a/policycoreutils/man/man5/selinux_config.5
-+++ b/policycoreutils/man/man5/selinux_config.5
-@@ -48,7 +48,7 @@ SELinux security policy is enforced.
- .IP \fIpermissive\fR 4
- SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
- .IP \fIdisabled\fR
--SELinux is disabled and no policy is loaded.
-+No SELinux policy is loaded.  This option was used to disable SELinux completely, which is now deprecated.  Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
- .RE
- .sp
- The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
--- 
-2.29.2
-

0025-gui-Fix-remove-module-in-system-config-selinux.patch

@@ -0,0 +1,38 @@
+From eed9aca2fa1b5668b9ddca10cfe96695fa7d2b9f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 29 Aug 2019 08:58:20 +0200
+Subject: [PATCH] gui: Fix remove module in system-config-selinux
+
+When a user tried to remove a policy module with priority other than 400 via
+GUI, it failed with a message:
+
+libsemanage.semanage_direct_remove_key: Unable to remove module somemodule at priority 400. (No such file or directory).
+
+This is fixed by calling "semodule -x PRIORITY -r NAME" instead of
+"semodule -r NAME".
+
+From Jono Hein <fredwacko40@hotmail.com>
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ gui/modulesPage.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 26ac5404..35a0129b 100644
+--- a/gui/modulesPage.py
++++ b/gui/modulesPage.py
+@@ -125,9 +125,10 @@ class modulesPage(semanagePage):
+     def delete(self):
+         store, iter = self.view.get_selection().get_selected()
+         module = store.get_value(iter, 0)
++        priority = store.get_value(iter, 1)
+         try:
+             self.wait()
+-            status, output = getstatusoutput("semodule -r %s" % module)
++            status, output = getstatusoutput("semodule -X %s -r %s" % (priority, module))
+             self.ready()
+             if status != 0:
+                 self.error(output)
+-- 
+2.23.0
+

0025-python-sepolicy-allow-to-override-manpage-date.patch

@@ -1,51 +0,0 @@
-From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Fri, 30 Oct 2020 22:53:09 +0100
-Subject: [PATCH] python/sepolicy: allow to override manpage date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good
-and https://reproducible-builds.org/specs/source-date-epoch/
-for the definition of this variable.
-
-This patch was done while working on reproducible builds for openSUSE.
-
-Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
----
- python/sepolicy/sepolicy/manpage.py | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
-index 6a3e08fca58c..c013c0d48502 100755
---- a/python/sepolicy/sepolicy/manpage.py
-+++ b/python/sepolicy/sepolicy/manpage.py
-@@ -39,6 +39,8 @@ typealias_types = {
- equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
- 
- equiv_dirs = ["/var"]
-+man_date = time.strftime("%y-%m-%d", time.gmtime(
-+        int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
- modules_dict = None
- 
- 
-@@ -546,7 +548,7 @@ class ManPage:
- 
-     def _typealias(self,typealias):
-         self.fd.write('.TH  "%(typealias)s_selinux"  "8"  "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
--                 % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
-+                 % {'typealias':typealias, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
-@@ -565,7 +567,7 @@ man page for more details.
- 
-     def _header(self):
-         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
--                      % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
-+                      % {'domainname': self.domainname, 'date': man_date})
-         self.fd.write(r"""
- .SH "NAME"
- %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
--- 
-2.29.2
-

0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch

@@ -0,0 +1,30 @@
+From 4b1ede292c0de742b6fed12881c5916f3a6bc38b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 3 Sep 2019 15:17:27 +0200
+Subject: [PATCH] python/semanage: Do not use default s0 range in "semanage
+ login -a"
+
+Using the "s0" default means that new login mappings are always added with "s0"
+range instead of the range of SELinux user.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ python/semanage/semanage | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index 4c766ae3..fa78afce 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -221,7 +221,7 @@ def parser_add_level(parser, name):
+ 
+ 
+ def parser_add_range(parser, name):
+-    parser.add_argument('-r', '--range', default="s0",
++    parser.add_argument('-r', '--range', default='',
+                         help=_('''
+ MLS/MCS Security Range (MLS/MCS Systems only)
+ SELinux Range  for SELinux login mapping
+-- 
+2.23.0
+

gating.yaml

@@ -1,16 +0,0 @@
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_testing
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-
---- !Policy
-product_versions:
-  - fedora-*
-decision_context: bodhi_update_push_stable
-subject_type: koji_build
-rules:
-  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
-

policycoreutils.spec

@@ -1,7 +1,8 @@
 %global libauditver     3.0
-%global libsepolver     3.1-5
-%global libsemanagever  3.1-5
-%global libselinuxver   3.1-5
+%global libsepolver     2.9-1
+%global libsemanagever  2.9-1
+%global libselinuxver   2.9-1
+%global sepolgenver     2.9
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -10,17 +11,17 @@
 
 Summary: SELinux policy core utilities
 Name:    policycoreutils
-Version: 3.1
-Release: 8%{?dist}
+Version: 2.9
+Release: 6%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/policycoreutils-3.1.tar.gz
-Source1: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-python-3.1.tar.gz
-Source2: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-gui-3.1.tar.gz
-Source3: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-sandbox-3.1.tar.gz
-Source4: https://github.com/SELinuxProject/selinux/releases/download/20200710/selinux-dbus-3.1.tar.gz
-Source5: https://github.com/SELinuxProject/selinux/releases/download/20200710/semodule-utils-3.1.tar.gz
-Source6: https://github.com/SELinuxProject/selinux/releases/download/20200710/restorecond-3.1.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
+Source1: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-python-2.9.tar.gz
+Source2: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-gui-2.9.tar.gz
+Source3: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-sandbox-2.9.tar.gz
+Source4: https://github.com/SELinuxProject/selinux/releases/download/20190315/selinux-dbus-2.9.tar.gz
+Source5: https://github.com/SELinuxProject/selinux/releases/download/20190315/semodule-utils-2.9.tar.gz
+Source6: https://github.com/SELinuxProject/selinux/releases/download/20190315/restorecond-2.9.tar.gz
 URL:     https://github.com/SELinuxProject/selinux
 Source13: system-config-selinux.png
 Source14: sepolicy-icons.tgz
@@ -34,35 +35,35 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 20200710 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 20190315 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
-# Patch list start
-Patch0001: 0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
-Patch0002: 0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
-Patch0003: 0003-fixfiles-correctly-restore-context-of-mountpoints.patch
-Patch0004: 0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
-Patch0005: 0005-sepolgen-sort-extended-rules-like-normal-ones.patch
-Patch0006: 0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
-Patch0007: 0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
-Patch0008: 0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
-Patch0009: 0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
-Patch0010: 0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
-Patch0011: 0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
-Patch0012: 0012-Fix-title-in-manpage.py-to-not-contain-online.patch
-Patch0013: 0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
-Patch0014: 0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
-Patch0015: 0015-sepolicy-Another-small-optimization-for-mcs-types.patch
-Patch0016: 0016-Move-po-translation-files-into-the-right-sub-directo.patch
-Patch0017: 0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
-Patch0018: 0018-Initial-.pot-files-for-gui-python-sandbox.patch
-Patch0019: 0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
-Patch0020: 0020-sepolicy-generate-Handle-more-reserved-port-types.patch
-Patch0021: 0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
-Patch0022: 0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
-Patch0023: 0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
-Patch0024: 0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
-Patch0025: 0025-python-sepolicy-allow-to-override-manpage-date.patch
-# Patch list end
+Patch0001: 0001-gui-Install-polgengui.py-to-usr-bin-selinux-polgengu.patch
+Patch0002: 0002-gui-Install-.desktop-files-to-usr-share-applications.patch
+Patch0003: 0003-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+Patch0004: 0004-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch0005: 0005-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+Patch0006: 0006-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+Patch0007: 0007-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+Patch0008: 0008-Fix-title-in-manpage.py-to-not-contain-online.patch
+Patch0009: 0009-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+Patch0010: 0010-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+Patch0011: 0011-sepolicy-Another-small-optimization-for-mcs-types.patch
+Patch0012: 0012-Move-po-translation-files-into-the-right-sub-directo.patch
+Patch0013: 0013-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+Patch0014: 0014-Initial-.pot-files-for-gui-python-sandbox.patch
+# this is too big and it's covered by sources 20 - 23
+# Patch0015: 0015-Update-.po-files-from-fedora.zanata.org.patch
+Patch0016: 0016-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+Patch0017: 0017-sepolicy-generate-Handle-more-reserved-port-types.patch
+Patch0018: 0018-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+Patch0019: 0019-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+Patch0020: 0020-python-Use-ipaddress-instead-of-IPy.patch
+Patch0021: 0021-python-semanage-Do-not-traceback-when-the-default-po.patch
+Patch0022: 0022-policycoreutils-fixfiles-Fix-B-F-onboot.patch
+Patch0023: 0023-policycoreutils-fixfiles-Force-full-relabel-when-SEL.patch
+Patch0024: 0024-policycoreutils-fixfiles-Fix-unbound-variable-proble.patch
+Patch0025: 0025-gui-Fix-remove-module-in-system-config-selinux.patch
+Patch0026: 0026-python-semanage-Do-not-use-default-s0-range-in-seman.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -71,12 +72,12 @@ Conflicts: initscripts < 9.66
 Provides: /sbin/fixfiles
 Provides: /sbin/restorecon
 
-BuildRequires: gcc make
-BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
+BuildRequires: gcc
+BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver}  libcap-devel audit-libs-devel >=  %{libauditver} gettext
 BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
 BuildRequires: python3-devel
 BuildRequires: systemd
-BuildRequires: git-core
+BuildRequires: git
 Requires: util-linux grep gawk diffutils rpm sed
 Requires: libsepol >= %{libsepolver} coreutils libselinux-utils >=  %{libselinuxver}
 
@@ -148,19 +149,19 @@ mkdir -p %{buildroot}%{_mandir}/man5
 mkdir -p %{buildroot}%{_mandir}/man8
 %{__mkdir} -p %{buildroot}/%{_usr}/share/doc/%{name}/
 
-%make_install -C policycoreutils LSPP_PRIV=y SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C policycoreutils LSPP_PRIV=y  DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" SEMODULE_PATH="/usr/sbin" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C python PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C python PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C gui PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C gui PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C sandbox PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C sandbox PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C dbus PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C dbus PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C semodule-utils PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C semodule-utils PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
-%make_install -C restorecond PYTHON=%{__python3} SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a"
+make -C restorecond PYTHON=%{__python3} DESTDIR="%{buildroot}" SBINDIR="%{_sbindir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" install
 
 # Fix perms on newrole so that objcopy can process it
 chmod 0755 %{buildroot}%{_bindir}/newrole
@@ -228,6 +229,7 @@ an SELinux environment.
 %files python-utils
 %{_sbindir}/semanage
 %{_bindir}/chcat
+%{_bindir}/sandbox
 %{_bindir}/audit2allow
 %{_bindir}/audit2why
 %{_mandir}/man1/audit2allow.1*
@@ -237,6 +239,8 @@ an SELinux environment.
 %{_sysconfdir}/dbus-1/system.d/org.selinux.conf
 %{_mandir}/man8/chcat.8*
 %{_mandir}/ru/man8/chcat.8*
+%{_mandir}/man8/sandbox.8*
+%{_mandir}/ru/man8/sandbox.8*
 %{_mandir}/man8/semanage*.8*
 %{_mandir}/ru/man8/semanage*.8*
 %{_datadir}/bash-completion/completions/semanage
@@ -245,7 +249,6 @@ an SELinux environment.
 Summary:    SELinux policy core DBUS api
 Requires:   python3-policycoreutils = %{version}-%{release}
 Requires:   python3-slip-dbus
-Requires:   python3-gobject-base
 BuildArch:  noarch
 
 %description dbus
@@ -273,7 +276,7 @@ Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
 # no python3-audit-libs yet
 Requires:audit-libs-python3 >=  %{libauditver}
 Requires: checkpolicy
-Requires: python3-setools >= 4.4.0
+Requires: python3-setools >= 4.1.1
 BuildArch: noarch
 
 %description -n python3-policycoreutils
@@ -348,11 +351,8 @@ sandboxes
 %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
 %{_mandir}/man8/seunshare.8*
 %{_mandir}/ru/man8/seunshare.8*
-%{_bindir}/sandbox
 %{_mandir}/man5/sandbox.5*
 %{_mandir}/ru/man5/sandbox.5*
-%{_mandir}/man8/sandbox.8*
-%{_mandir}/ru/man8/sandbox.8*
 
 %package newrole
 Summary: The newrole application for RBAC/MLS
@@ -476,7 +476,6 @@ The policycoreutils-restorecond package contains the restorecond service.
 %files restorecond
 %{_sbindir}/restorecond
 %{_unitdir}/restorecond.service
-%{_userunitdir}/restorecond_user.service
 %config(noreplace) %{_sysconfdir}/selinux/restorecond.conf
 %config(noreplace) %{_sysconfdir}/selinux/restorecond_user.conf
 %{_sysconfdir}/xdg/autostart/restorecond.desktop
@@ -539,60 +538,15 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
-* Tue Nov 24 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-8
-- Fix BuildRequires to libsemanage-devel
-
-* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-7
-- python/sepolicy: allow to override manpage date
-- selinux_config(5): add a note that runtime disable is deprecated
-
-* Mon Nov  9 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-6
-- Require latest setools
-
-* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
-- Build with libsepol.so.1 and libsemanage.so.2
-- Set X-GNOME-HiddenUnderSystemd=true in restorecond.desktop file
-- fixfiles: correctly restore context of mountpoints
-- sepolgen: print extended permissions in hexadecimal
-
-* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-4
-- Second attempt - Rebuilt for
-  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Tue Jul 14 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
-- Use make macros
-- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
-- SELinux userspace 3.1 release
-
-* Mon Jun  1 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
-- policycoreutils-dbus requires python3-gobject-base
-
-* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-3
-- Rebuilt for Python 3.9
-
-* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
-- SELinux userspace 3.0 release
-
-* Wed Sep  4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-7
+* Wed Sep  4 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
 - semanage: Do not use default s0 range in "semanage login -a" (#1312283)
 
-* Thu Aug 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-6
+* Thu Aug 29 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
 - gui: Fix remove module in system-config-selinux (#1740936)
 
-* Fri Aug 23 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
+* Fri Aug 23 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-4
 - fixfiles: Fix unbound variable problem
 
-* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-4
-- Rebuilt for Python 3.8
-
 * Mon Aug  5 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
 - Drop python2-policycoreutils
 - Update ru man page translations

selinux-autorelabel.service

@@ -11,4 +11,4 @@ ExecStart=/usr/libexec/selinux/selinux-autorelabel
 Type=oneshot
 TimeoutSec=0
 RemainAfterExit=yes
-StandardOutput=journal+console
+StandardInput=tty

sources

@@ -1,10 +1,10 @@
-SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
-SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
-SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
-SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
-SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
-SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
-SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
+SHA512 (policycoreutils-2.9.tar.gz) = d8356115671ba66de05f1c13193ab47fab69cc4d09603a92171ed40afafc084dd191591bf336b7d722de637378ad09622ebb6eca85c06063ca9ddd6db10e02a2
+SHA512 (restorecond-2.9.tar.gz) = 6de9dd4c6b8e5d8275221aba5df27437998f635cfe83a5da75de479e260ceea884a36253eb873a8d71e1a77ed67544d8657fb75fe409af1f630052ce73ec5d8a
+SHA512 (selinux-dbus-2.9.tar.gz) = f7a9ab2975eb97ff389a78ddaa2fcf3cd1c5fe590abdbe6aa0aa0c3f0c3a96cc0f34ce54b14e0348b46c1de9257ebe5288e16d585c96a9d8149d969788af359e
+SHA512 (selinux-gui-2.9.tar.gz) = b6e1847c9f2668670cbe9c2fc65e18001eb03e1d73af049ad6520af486950cf657885a9fb71ad9679c0060fb3ee7dd166d4354e863ad517a9f3aee93587ea57e
+SHA512 (selinux-python-2.9.tar.gz) = 1138661128635004fec04dc5e39f035680b5f21beb1b79f3328690a1b93a3984d522a02724af793340112a5e647d363dda8a7d3536de959b34ffd69aa396254d
+SHA512 (selinux-sandbox-2.9.tar.gz) = 429994f6140d7ba03b023681d04b365af837e23c5d64e998f849febe08872549bffc0bc490717d6f500332845ec849483ba0d3dfffa77e02b6a2cd2f631c9f1f
+SHA512 (semodule-utils-2.9.tar.gz) = 688f1fcb34042b837019302debda76847691657709130b99bf937a85774a0ae69d789ee82b0633a4d2dc661dc6d0a1706a878ac681317df2abe68418bec3f952
 SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
 SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
 SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be