policycoreutils-3.1-8

- Fix BuildRequires to libsemanage-devel
Enable gating on tests
2020-11-24 10:47:54 +01:00 · 2020-11-20 15:10:04 +01:00 · 2020-11-20 15:10:04 +01:00 · 2020-11-09 10:52:54 +01:00 · 2020-11-04 20:30:35 +01:00 · 2020-11-03 16:52:33 +01:00
89 changed files with 12408 additions and 305058 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,6 @@
+*.rpm
 .svn
+*.tgz
 policycoreutils-1.17.5.tgz
 policycoreutils-1.17.6.tgz
 policycoreutils-1.17.7.tgz
@ -221,3 +223,102 @@ sepolgen-1.0.22.tgz
 policycoreutils-2.0.82.tgz
 sepolgen-1.0.23.tgz
 policycoreutils-2.0.83.tgz
+/policycoreutils-2.0.84.tgz
+/policycoreutils-2.0.85.tgz
+/policycoreutils-2.0.86.tgz
+/policycoreutils-2.1.4.tgz
+/policycoreutils-2.1.5.tgz
+/sepolgen-1.1.1.tgz
+/sepolgen-1.1.2.tgz
+/policycoreutils-2.1.6.tgz
+/policycoreutils-2.3.tar.gz
+/sepolgen-1.2.1.tar.gz
+/sepolgen-1.2.2.tar.gz
+/policycoreutils-2.4.tar.gz
+/sepolgen-1.2.3-rc1.tar.gz
+/policycoreutils-2.5-rc1.tar.gz
+/policycoreutils-2.5.tar.gz
+/sepolgen-1.2.3.tar.gz
+/policycoreutils-2.6.tar.gz
+/sepolgen-2.6.tar.gz
+/policycoreutils-2.7.tar.gz
+/selinux-python-2.7.tar.gz
+/selinux-gui-2.7.tar.gz
+/selinux-sandbox-2.7.tar.gz
+/selinux-dbus-2.7.tar.gz
+/semodule-utils-2.7.tar.gz
+/restorecond-2.7.tar.gz
+/policycoreutils-2.8-rc1.tar.gz
+/restorecond-2.8-rc1.tar.gz
+/selinux-dbus-2.8-rc1.tar.gz
+/selinux-gui-2.8-rc1.tar.gz
+/selinux-python-2.8-rc1.tar.gz
+/selinux-sandbox-2.8-rc1.tar.gz
+/semodule-utils-2.8-rc1.tar.gz
+/policycoreutils-2.8-rc2.tar.gz
+/restorecond-2.8-rc2.tar.gz
+/selinux-dbus-2.8-rc2.tar.gz
+/selinux-gui-2.8-rc2.tar.gz
+/selinux-python-2.8-rc2.tar.gz
+/selinux-sandbox-2.8-rc2.tar.gz
+/semodule-utils-2.8-rc2.tar.gz
+/policycoreutils-2.8-rc3.tar.gz
+/restorecond-2.8-rc3.tar.gz
+/selinux-dbus-2.8-rc3.tar.gz
+/selinux-gui-2.8-rc3.tar.gz
+/selinux-python-2.8-rc3.tar.gz
+/selinux-sandbox-2.8-rc3.tar.gz
+/semodule-utils-2.8-rc3.tar.gz
+/policycoreutils-2.8.tar.gz
+/restorecond-2.8.tar.gz
+/selinux-dbus-2.8.tar.gz
+/selinux-gui-2.8.tar.gz
+/selinux-python-2.8.tar.gz
+/selinux-sandbox-2.8.tar.gz
+/semodule-utils-2.8.tar.gz
+/gui-po.tgz
+/policycoreutils-po.tgz
+/python-po.tgz
+/sandbox-po.tgz
+/policycoreutils-2.9-rc1.tar.gz
+/selinux-python-2.9-rc1.tar.gz
+/selinux-gui-2.9-rc1.tar.gz
+/selinux-sandbox-2.9-rc1.tar.gz
+/selinux-dbus-2.9-rc1.tar.gz
+/semodule-utils-2.9-rc1.tar.gz
+/restorecond-2.9-rc1.tar.gz
+/policycoreutils-2.9-rc2.tar.gz
+/restorecond-2.9-rc2.tar.gz
+/selinux-dbus-2.9-rc2.tar.gz
+/selinux-gui-2.9-rc2.tar.gz
+/selinux-python-2.9-rc2.tar.gz
+/selinux-sandbox-2.9-rc2.tar.gz
+/semodule-utils-2.9-rc2.tar.gz
+/policycoreutils-2.9.tar.gz
+/restorecond-2.9.tar.gz
+/selinux-dbus-2.9.tar.gz
+/selinux-gui-2.9.tar.gz
+/selinux-python-2.9.tar.gz
+/selinux-sandbox-2.9.tar.gz
+/semodule-utils-2.9.tar.gz
+/policycoreutils-3.0-rc1.tar.gz
+/restorecond-3.0-rc1.tar.gz
+/selinux-dbus-3.0-rc1.tar.gz
+/selinux-gui-3.0-rc1.tar.gz
+/selinux-python-3.0-rc1.tar.gz
+/selinux-sandbox-3.0-rc1.tar.gz
+/semodule-utils-3.0-rc1.tar.gz
+/policycoreutils-3.0.tar.gz
+/restorecond-3.0.tar.gz
+/selinux-dbus-3.0.tar.gz
+/selinux-gui-3.0.tar.gz
+/selinux-python-3.0.tar.gz
+/selinux-sandbox-3.0.tar.gz
+/semodule-utils-3.0.tar.gz
+/policycoreutils-3.1.tar.gz
+/restorecond-3.1.tar.gz
+/selinux-dbus-3.1.tar.gz
+/selinux-gui-3.1.tar.gz
+/selinux-python-3.1.tar.gz
+/selinux-sandbox-3.1.tar.gz
+/semodule-utils-3.1.tar.gz
--- a/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
+++ b/0001-python-audit2allow-add-include-limits.h-to-sepolgen-.patch
@ -0,0 +1,34 @@
+From ccd973f721c48945fc706d8fef6b396580853a9f Mon Sep 17 00:00:00 2001
+From: "W. Michael Petullo" <mike@flyn.org>
+Date: Thu, 16 Jul 2020 15:29:20 -0500
+Subject: [PATCH] python/audit2allow: add #include <limits.h> to
+ sepolgen-ifgen-attr-helper.c
+
+I found that building on OpenWrt/musl failed with:
+
+  sepolgen-ifgen-attr-helper.c:152:16: error: 'PATH_MAX' undeclared ...
+
+Musl is less "generous" than glibc in recursively including header
+files, and I suspect this is the reason for this error. Explicitly
+including limits.h fixes the problem.
+
+Signed-off-by: W. Michael Petullo <mike@flyn.org>
+---
+ python/audit2allow/sepolgen-ifgen-attr-helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+index 53f20818722a..f010c9584c1f 100644
+--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
+@@ -28,6 +28,7 @@
+ 
+ #include <selinux/selinux.h>
+ 
+#include <limits.h>
+ #include <stdio.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-- 
+2.29.0
+
--- a/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
+++ b/0002-restorecond-Set-X-GNOME-HiddenUnderSystemd-true-in-r.patch
@ -0,0 +1,26 @@
+From 9e2b8c61bfd275d0f007a736721c557755edf4a0 Mon Sep 17 00:00:00 2001
+From: Laurent Bigonville <bigon@bigon.be>
+Date: Thu, 16 Jul 2020 14:22:13 +0200
+Subject: [PATCH] restorecond: Set X-GNOME-HiddenUnderSystemd=true in
+ restorecond.desktop file
+
+This completely inactivate the .desktop file incase the user session is
+managed by systemd as restorecond also provide a service file
+
+Signed-off-by: Laurent Bigonville <bigon@bigon.be>
+---
+ restorecond/restorecond.desktop | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/restorecond/restorecond.desktop b/restorecond/restorecond.desktop
+index af7286801c24..7df854727a3f 100644
+--- a/restorecond/restorecond.desktop
+++ b/restorecond/restorecond.desktop
+@@ -5,3 +5,4 @@ Comment=Fix file context in owned by the user
+ Type=Application
+ StartupNotify=false
+ X-GNOME-Autostart-enabled=false
+X-GNOME-HiddenUnderSystemd=true
+-- 
+2.29.0
+
--- a/0003-fixfiles-correctly-restore-context-of-mountpoints.patch
+++ b/0003-fixfiles-correctly-restore-context-of-mountpoints.patch
@ -0,0 +1,136 @@
+From ba2d6c10635a021d2b1a5fc2123fde13b04295a5 Mon Sep 17 00:00:00 2001
+From: bauen1 <j2468h@googlemail.com>
+Date: Thu, 6 Aug 2020 16:48:36 +0200
+Subject: [PATCH] fixfiles: correctly restore context of mountpoints
+
+By bind mounting every filesystem we want to relabel we can access all
+files without anything hidden due to active mounts.
+
+This comes at the cost of user experience, because setfiles only
+displays the percentage if no path is given or the path is /
+
+Signed-off-by: Jonathan Hettwer <j2468h@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/scripts/fixfiles   | 29 +++++++++++++++++++++++++----
+ policycoreutils/scripts/fixfiles.8 |  8 ++++++--
+ 2 files changed, 31 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 5d7770348349..30dadb4f4cb6 100755
+--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
+@@ -112,6 +112,7 @@ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+ RESTORE_MODE=""
+BIND_MOUNT_FILESYSTEMS=""
+ SETFILES=/sbin/setfiles
+ RESTORECON=/sbin/restorecon
+ FILESYSTEMSRW=`get_rw_labeled_mounts`
+@@ -243,7 +244,23 @@ case "$RESTORE_MODE" in
+ 	if [ -n "${FILESYSTEMSRW}" ]; then
+ 	    LogReadOnly
+ 	    echo "${OPTION}ing `echo ${FILESYSTEMSRW}`"
+-	    ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+
+	    if [ -z "$BIND_MOUNT_FILESYSTEMS" ]; then
+	        ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} ${FILESYSTEMSRW}
+	    else
+	        # we bind mount so we can fix the labels of files that have already been
+	        # mounted over
+	        for m in `echo $FILESYSTEMSRW`; do
+	            TMP_MOUNT="$(mktemp -d)"
+	            test -z ${TMP_MOUNT+x} && echo "Unable to find temporary directory!" && exit 1
+
+	            mkdir -p "${TMP_MOUNT}${m}" || exit 1
+	            mount --bind "${m}" "${TMP_MOUNT}${m}" || exit 1
+	            ${SETFILES} ${VERBOSE} ${EXCLUDEDIRS} ${FORCEFLAG} $* -q ${FC} -r "${TMP_MOUNT}" "${TMP_MOUNT}${m}"
+	            umount "${TMP_MOUNT}${m}" || exit 1
+	            rm -rf "${TMP_MOUNT}" || echo "Error cleaning up."
+	        done;
+	    fi
+ 	else
+ 	    echo >&2 "fixfiles: No suitable file systems found"
+ 	fi
+@@ -313,6 +330,7 @@ case "$1" in
+ 	> /.autorelabel || exit $?
+ 	[ -z "$FORCEFLAG" ] || echo -n "$FORCEFLAG " >> /.autorelabel
+ 	[ -z "$BOOTTIME" ] || echo -N $BOOTTIME >> /.autorelabel
+	[ -z "$BIND_MOUNT_FILESYSTEMS" ] || echo "-M" >> /.autorelabel
+ 	# Force full relabel if SELinux is not enabled
+ 	selinuxenabled || echo -F > /.autorelabel
+ 	echo "System will relabel on next boot"
+@@ -324,7 +342,7 @@ esac
+ }
+ usage() {
+ 	echo $"""
+-Usage: $0 [-v] [-F] [-f] relabel
+Usage: $0 [-v] [-F] [-M] [-f] relabel
+ or
+ Usage: $0 [-v] [-F] [-B | -N time ] { check | restore | verify }
+ or
+@@ -334,7 +352,7 @@ Usage: $0 [-v] [-F] -R rpmpackage[,rpmpackage...] { check | restore | verify }
+ or
+ Usage: $0 [-v] [-F] -C PREVIOUS_FILECONTEXT { check | restore | verify }
+ or
+-Usage: $0 [-F] [-B] onboot
+Usage: $0 [-F] [-M] [-B] onboot
+ """
+ }
+ 
+@@ -353,7 +371,7 @@ set_restore_mode() {
+ }
+ 
+ # See how we were called.
+-while getopts "N:BC:FfR:l:v" i; do
+while getopts "N:BC:FfR:l:vM" i; do
+     case "$i" in
+ 	B)
+ 		BOOTTIME=`/bin/who -b | awk '{print $3}'`
+@@ -379,6 +397,9 @@ while getopts "N:BC:FfR:l:v" i; do
+ 		echo "Redirecting output to $OPTARG"
+ 		exec >>"$OPTARG" 2>&1
+ 		;;
+	M)
+		BIND_MOUNT_FILESYSTEMS="-M"
+		;;
+ 	F)
+ 		FORCEFLAG="-F"
+ 		;;
+diff --git a/policycoreutils/scripts/fixfiles.8 b/policycoreutils/scripts/fixfiles.8
+index 9f447f03d444..123425308416 100644
+--- a/policycoreutils/scripts/fixfiles.8
+++ b/policycoreutils/scripts/fixfiles.8
+@@ -6,7 +6,7 @@ fixfiles \- fix file SELinux security contexts.
+ .na
+ 
+ .B fixfiles
+-.I [\-v] [\-F] [\-f] relabel
+.I [\-v] [\-F] [-M] [\-f] relabel
+ 
+ .B fixfiles
+ .I [\-v] [\-F] { check | restore | verify } dir/file ...
+@@ -21,7 +21,7 @@ fixfiles \- fix file SELinux security contexts.
+ .I [\-v] [\-F] \-C PREVIOUS_FILECONTEXT  { check | restore | verify }
+ 
+ .B fixfiles
+-.I [-F] [-B] onboot
+.I [-F] [-M] [-B] onboot
+ 
+ .ad
+ 
+@@ -68,6 +68,10 @@ Run a diff on  the PREVIOUS_FILECONTEXT file to the currently installed one, and
+ Only act on files created after the specified date.  Date must be specified in
+ "YYYY\-MM\-DD HH:MM" format.  Date field will be passed to find \-\-newermt command.
+ 
+.TP
+.B \-M
+Bind mount filesystems before relabeling them, this allows fixing the context of files or directories that have been mounted over.
+
+ .TP
+ .B -v
+ Modify verbosity from progress to verbose. (Run restorecon with \-v instead of \-p)
+-- 
+2.29.0
+
--- a/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
+++ b/0004-sepolgen-print-extended-permissions-in-hexadecimal.patch
@ -0,0 +1,112 @@
+From 9e239e55692b578ba546b4dff2b07604a2ca6baa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:33 +0200
+Subject: [PATCH] sepolgen: print extended permissions in hexadecimal
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+All tools like ausearch(8) or sesearch(1) and online documentation[1]
+use hexadecimal values for extended permissions.
+Hence use them, e.g. for audit2allow output, as well.
+
+[1]: https://github.com/strace/strace/blob/master/linux/64/ioctls_inc.h
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/refpolicy.py |  5 ++---
+ python/sepolgen/tests/test_access.py      | 10 +++++-----
+ python/sepolgen/tests/test_refpolicy.py   | 12 ++++++------
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refpolicy.py b/python/sepolgen/src/sepolgen/refpolicy.py
+index 43cecfc77385..747636875ef7 100644
+--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
+@@ -407,10 +407,9 @@ class XpermSet():
+ 
+         # print single value without braces
+         if len(self.ranges) == 1 and self.ranges[0][0] == self.ranges[0][1]:
+-            return compl + str(self.ranges[0][0])
+            return compl + hex(self.ranges[0][0])
+ 
+-        vals = map(lambda x: str(x[0]) if x[0] == x[1] else "%s-%s" % x,
+-                   self.ranges)
+        vals = map(lambda x: hex(x[0]) if x[0] == x[1] else "%s-%s" % (hex(x[0]), hex(x[1]), ), self.ranges)
+ 
+         return "%s{ %s }" % (compl, " ".join(vals))
+ 
+diff --git a/python/sepolgen/tests/test_access.py b/python/sepolgen/tests/test_access.py
+index 73a5407df617..623588e09aeb 100644
+--- a/python/sepolgen/tests/test_access.py
+++ b/python/sepolgen/tests/test_access.py
+@@ -171,7 +171,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def text_merge_xperm2(self):
+         """Test merging AV that does not contain xperms with AV that does"""
+@@ -185,7 +185,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(sorted(list(a.perms)), ["append", "read", "write"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+ 
+     def test_merge_xperm_diff_op(self):
+         """Test merging two AVs that contain xperms with different operation"""
+@@ -203,8 +203,8 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(sorted(list(a.xperms.keys())), ["asdf", "ioctl"])
+-        self.assertEqual(a.xperms["asdf"].to_string(), "23")
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 42 12345 }")
+        self.assertEqual(a.xperms["asdf"].to_string(), "0x17")
+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x2a 0x3039 }")
+                          
+     def test_merge_xperm_same_op(self):
+         """Test merging two AVs that contain xperms with same operation"""
+@@ -222,7 +222,7 @@ class TestAccessVector(unittest.TestCase):
+         a.merge(b)
+         self.assertEqual(list(a.perms), ["read"])
+         self.assertEqual(list(a.xperms.keys()), ["ioctl"])
+-        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 23 42 12345 }")
+        self.assertEqual(a.xperms["ioctl"].to_string(), "{ 0x17 0x2a 0x3039 }")
+ 
+ class TestUtilFunctions(unittest.TestCase):
+     def test_is_idparam(self):
+diff --git a/python/sepolgen/tests/test_refpolicy.py b/python/sepolgen/tests/test_refpolicy.py
+index 4b50c8aada96..c7219fd568e9 100644
+--- a/python/sepolgen/tests/test_refpolicy.py
+++ b/python/sepolgen/tests/test_refpolicy.py
+@@ -90,17 +90,17 @@ class TestXpermSet(unittest.TestCase):
+         a.complement = True
+         self.assertEqual(a.to_string(), "")
+         a.add(1234)
+-        self.assertEqual(a.to_string(), "~ 1234")
+        self.assertEqual(a.to_string(), "~ 0x4d2")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "1234")
+        self.assertEqual(a.to_string(), "0x4d2")
+         a.add(2345)
+-        self.assertEqual(a.to_string(), "{ 1234 2345 }")
+        self.assertEqual(a.to_string(), "{ 0x4d2 0x929 }")
+         a.complement = True
+-        self.assertEqual(a.to_string(), "~ { 1234 2345 }")
+        self.assertEqual(a.to_string(), "~ { 0x4d2 0x929 }")
+         a.add(42,64)
+-        self.assertEqual(a.to_string(), "~ { 42-64 1234 2345 }")
+        self.assertEqual(a.to_string(), "~ { 0x2a-0x40 0x4d2 0x929 }")
+         a.complement = False
+-        self.assertEqual(a.to_string(), "{ 42-64 1234 2345 }")
+        self.assertEqual(a.to_string(), "{ 0x2a-0x40 0x4d2 0x929 }")
+ 
+ class TestSecurityContext(unittest.TestCase):
+     def test_init(self):
+-- 
+2.29.0
+
--- a/0005-sepolgen-sort-extended-rules-like-normal-ones.patch
+++ b/0005-sepolgen-sort-extended-rules-like-normal-ones.patch
@ -0,0 +1,109 @@
+From 2a60de8eca6bd91e276b60441a5dc72d85c6eda3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Wed, 19 Aug 2020 17:05:34 +0200
+Subject: [PATCH] sepolgen: sort extended rules like normal ones
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Currently:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+Changed:
+
+    #============= sshd_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t ptmx_t:chr_file ioctl;
+    allowxperm sshd_t ptmx_t:chr_file ioctl { 0x5430-0x5431 0x5441 };
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t sshd_devpts_t:chr_file ioctl;
+    allowxperm sshd_t sshd_devpts_t:chr_file ioctl 0x5401;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow sshd_t user_devpts_t:chr_file ioctl;
+    allowxperm sshd_t user_devpts_t:chr_file ioctl { 0x5401-0x5402 0x540e };
+
+    #============= user_t ==============
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t devtty_t:chr_file ioctl;
+    allowxperm user_t devtty_t:chr_file ioctl 0x4b33;
+
+    #!!!! This avc is allowed in the current policy
+    #!!!! This av rule may have been overridden by an extended permission av rule
+    allow user_t user_devpts_t:chr_file ioctl;
+    allowxperm user_t user_devpts_t:chr_file ioctl { 0x4b33 0x5401 0x5403 0x540a 0x540f-0x5410 0x5413-0x5414 };
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ python/sepolgen/src/sepolgen/output.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/output.py b/python/sepolgen/src/sepolgen/output.py
+index 3a21b64c19f7..aeeaafc889e7 100644
+--- a/python/sepolgen/src/sepolgen/output.py
+++ b/python/sepolgen/src/sepolgen/output.py
+@@ -84,7 +84,7 @@ def avrule_cmp(a, b):
+         return ret
+ 
+     # At this point, who cares - just return something
+-    return cmp(len(a.perms), len(b.perms))
+    return 0
+ 
+ # Compare two interface calls
+ def ifcall_cmp(a, b):
+@@ -100,7 +100,7 @@ def rule_cmp(a, b):
+         else:
+             return id_set_cmp([a.args[0]], b.src_types)
+     else:
+-        if isinstance(b, refpolicy.AVRule):
+        if isinstance(b, refpolicy.AVRule) or isinstance(b, refpolicy.AVExtRule):
+             return avrule_cmp(a,b)
+         else:
+             return id_set_cmp(a.src_types, [b.args[0]])
+@@ -130,6 +130,7 @@ def sort_filter(module):
+         # we assume is the first argument for interfaces).
+         rules = []
+         rules.extend(node.avrules())
+        rules.extend(node.avextrules())
+         rules.extend(node.interface_calls())
+         rules.sort(key=util.cmp_to_key(rule_cmp))
+ 
+-- 
+2.29.0
+
--- a/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
+++ b/0006-newrole-support-cross-compilation-with-PAM-and-audit.patch
@ -0,0 +1,32 @@
+From 8bc865e1fe8f6f734b7306441ccbeec3b7c37f97 Mon Sep 17 00:00:00 2001
+From: Dominick Grift <dominick.grift@defensec.nl>
+Date: Tue, 1 Sep 2020 18:16:41 +0200
+Subject: [PATCH] newrole: support cross-compilation with PAM and audit
+
+Compilation of newrole with PAM and audit support currently requires that you have the respective headers installed on the host. Instead make the header location customizable to accomodate cross-compilation.
+
+Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ policycoreutils/newrole/Makefile | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
+index 73ebd413da85..0e7ebce3dd56 100644
+--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
+@@ -5,8 +5,9 @@ BINDIR ?= $(PREFIX)/bin
+ MANDIR ?= $(PREFIX)/share/man
+ ETCDIR ?= /etc
+ LOCALEDIR = $(DESTDIR)$(PREFIX)/share/locale
+-PAMH ?= $(shell test -f /usr/include/security/pam_appl.h && echo y)
+-AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+INCLUDEDIR ?= $(PREFIX)/include
+PAMH ?= $(shell test -f $(INCLUDEDIR)/security/pam_appl.h && echo y)
+AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
+ # Enable capabilities to permit newrole to generate audit records.
+ # This will make newrole a setuid root program.
+ # The capabilities used are: CAP_AUDIT_WRITE.
+-- 
+2.29.0
+
--- a/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
+++ b/0007-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@ -0,0 +1,26 @@
+From ea624dcc70d93867f23b94c368b8cf102269c13b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 20 Aug 2015 12:58:41 +0200
+Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
+ recent Fedoras
+
+---
+ sandbox/sandboxX.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index eaa500d08143..4774528027ef 100644
+--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
+@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
+ </openbox_config>
+ EOF
+ 
+-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+     export DISPLAY=:$D
+     cat > ~/seremote << __EOF
+ #!/bin/sh
+-- 
+2.29.0
+
--- a/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+++ b/0008-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
@ -0,0 +1,46 @@
+From 932c1244bc98d3a05a238f3f0b333cf8c429113b Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Mon, 21 Apr 2014 13:54:40 -0400
+Subject: [PATCH] Fix STANDARD_FILE_CONTEXT section in man pages
+
+Signed-off-by: Miroslav Grepl <mgrepl@redhat.com>
+---
+ python/sepolicy/sepolicy/manpage.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 3e8a3be907e3..a1d70623cff0 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -735,10 +735,13 @@ Default Defined Ports:""")
+ 
+     def _file_context(self):
+         flist = []
+        flist_non_exec = []
+         mpaths = []
+         for f in self.all_file_types:
+             if f.startswith(self.domainname):
+                 flist.append(f)
+                if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+                    flist_non_exec.append(f)
+                 if f in self.fcdict:
+                     mpaths = mpaths + self.fcdict[f]["regex"]
+         if len(mpaths) == 0:
+@@ -797,12 +800,12 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ SELinux defines the file context types for the %(domainname)s, if you wanted to
+ store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+ 
+-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
+ .br
+ .B restorecon -R -v /srv/my%(domainname)s_content
+ 
+ Note: SELinux often uses regular expressions to specify labels that match multiple files.
+-""" % {'domainname': self.domainname, "type": flist[0]})
+""" % {'domainname': self.domainname, "type": flist_non_exec[-1]})
+ 
+         self.fd.write(r"""
+ .I The following file types are defined for %(domainname)s:
+-- 
+2.29.0
+
--- a/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+++ b/0009-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
@ -0,0 +1,27 @@
+From ae3780eb560fa5f00a3dd591c8233c2a9068a348 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Mon, 12 May 2014 14:11:22 +0200
+Subject: [PATCH] If there is no executable we don't want to print a part of
+ STANDARD FILE CONTEXT
+
+---
+ python/sepolicy/sepolicy/manpage.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index a1d70623cff0..2d33eabb2536 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -793,7 +793,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ .PP
+ """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
+ 
+-        self.fd.write(r"""
+        if flist_non_exec:
+                self.fd.write(r"""
+ .PP
+ .B STANDARD FILE CONTEXT
+ 
+-- 
+2.29.0
+
--- a/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
+++ b/0010-Simplication-of-sepolicy-manpage-web-functionality.-.patch
@ -0,0 +1,169 @@
+From 7d21b9f41c4d00f1e0499a64089a5e13a8f636ab Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Thu, 19 Feb 2015 17:45:15 +0100
+Subject: [PATCH] Simplication of sepolicy-manpage web functionality.
+ system_release is no longer hardcoded and it creates only index.html and html
+ man pages in the directory for the system release.
+
+---
+ python/sepolicy/sepolicy/__init__.py | 25 +++--------
+ python/sepolicy/sepolicy/manpage.py  | 65 +++-------------------------
+ 2 files changed, 13 insertions(+), 77 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index e4540977d042..ad718797ca68 100644
+--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
+@@ -1208,27 +1208,14 @@ def boolean_desc(boolean):
+ 
+ 
+ def get_os_version():
+-    os_version = ""
+-    pkg_name = "selinux-policy"
+    system_release = ""
+     try:
+-        try:
+-            from commands import getstatusoutput
+-        except ImportError:
+-            from subprocess import getstatusoutput
+-        rc, output = getstatusoutput("rpm -q '%s'" % pkg_name)
+-        if rc == 0:
+-            os_version = output.split(".")[-2]
+-    except:
+-        os_version = ""
+-
+-    if os_version[0:2] == "fc":
+-        os_version = "Fedora" + os_version[2:]
+-    elif os_version[0:2] == "el":
+-        os_version = "RHEL" + os_version[2:]
+-    else:
+-        os_version = ""
+        with open('/etc/system-release') as f:
+            system_release = f.readline()
+    except IOError:
+        system_release = "Misc"
+ 
+-    return os_version
+    return system_release
+ 
+ 
+ def reinit():
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 2d33eabb2536..acc77f368d95 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -149,10 +149,6 @@ def prettyprint(f, trim):
+ manpage_domains = []
+ manpage_roles = []
+ 
+-fedora_releases = ["Fedora17", "Fedora18"]
+-rhel_releases = ["RHEL6", "RHEL7"]
+-
+-
+ def get_alphabet_manpages(manpage_list):
+     alphabet_manpages = dict.fromkeys(string.ascii_letters, [])
+     for i in string.ascii_letters:
+@@ -182,7 +178,7 @@ def convert_manpage_to_html(html_manpage, manpage):
+ class HTMLManPages:
+ 
+     """
+-            Generate a HHTML Manpages on an given SELinux domains
+            Generate a HTML Manpages on an given SELinux domains
+     """
+ 
+     def __init__(self, manpage_roles, manpage_domains, path, os_version):
+@@ -190,9 +186,9 @@ class HTMLManPages:
+         self.manpage_domains = get_alphabet_manpages(manpage_domains)
+         self.os_version = os_version
+         self.old_path = path + "/"
+-        self.new_path = self.old_path + self.os_version + "/"
+        self.new_path = self.old_path
+ 
+-        if self.os_version in fedora_releases or self.os_version in rhel_releases:
+        if self.os_version:
+             self.__gen_html_manpages()
+         else:
+             print("SELinux HTML man pages can not be generated for this %s" % os_version)
+@@ -201,7 +197,6 @@ class HTMLManPages:
+     def __gen_html_manpages(self):
+         self._write_html_manpage()
+         self._gen_index()
+-        self._gen_body()
+         self._gen_css()
+ 
+     def _write_html_manpage(self):
+@@ -219,67 +214,21 @@ class HTMLManPages:
+                     convert_manpage_to_html((self.new_path + r.rsplit("_selinux", 1)[0] + ".html"), self.old_path + r)
+ 
+     def _gen_index(self):
+-        index = self.old_path + "index.html"
+-        fd = open(index, 'w')
+-        fd.write("""
+-<html>
+-<head>
+-    <link rel=stylesheet type="text/css" href="style.css" title="style">
+-    <title>SELinux man pages online</title>
+-</head>
+-<body>
+-<h1>SELinux man pages</h1>
+-<br></br>
+-Fedora or Red Hat Enterprise Linux Man Pages.</h2>
+-<br></br>
+-<hr>
+-<h3>Fedora</h3>
+-<table><tr>
+-<td valign="middle">
+-</td>
+-</tr></table>
+-<pre>
+-""")
+-        for f in fedora_releases:
+-            fd.write("""
+-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (f, f, f, f))
+-
+-        fd.write("""
+-</pre>
+-<hr>
+-<h3>RHEL</h3>
+-<table><tr>
+-<td valign="middle">
+-</td>
+-</tr></table>
+-<pre>
+-""")
+-        for r in rhel_releases:
+-            fd.write("""
+-<a href=%s/%s.html>%s</a> - SELinux man pages for %s """ % (r, r, r, r))
+-
+-        fd.write("""
+-</pre>
+-	""")
+-        fd.close()
+-        print("%s has been created" % index)
+-
+-    def _gen_body(self):
+         html = self.new_path + self.os_version + ".html"
+         fd = open(html, 'w')
+         fd.write("""
+ <html>
+ <head>
+-	<link rel=stylesheet type="text/css" href="../style.css" title="style">
+-	<title>Linux man-pages online for Fedora18</title>
+	<link rel=stylesheet type="text/css" href="style.css" title="style">
+	<title>SELinux man pages online</title>
+ </head>
+ <body>
+-<h1>SELinux man pages for Fedora18</h1>
+<h1>SELinux man pages for %s</h1>
+ <hr>
+ <table><tr>
+ <td valign="middle">
+ <h3>SELinux roles</h3>
+-""")
+""" % self.os_version)
+         for letter in self.manpage_roles:
+             if len(self.manpage_roles[letter]):
+                 fd.write("""
+-- 
+2.29.0
+
--- a/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
+++ b/0011-We-want-to-remove-the-trailing-newline-for-etc-syste.patch
@ -0,0 +1,26 @@
+From f0f030495dddb2e633403f360fdaaf6951da11ad Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Fri, 20 Feb 2015 16:42:01 +0100
+Subject: [PATCH] We want to remove the trailing newline for
+ /etc/system_release.
+
+---
+ python/sepolicy/sepolicy/__init__.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index ad718797ca68..ea05d892bf3b 100644
+--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
+@@ -1211,7 +1211,7 @@ def get_os_version():
+     system_release = ""
+     try:
+         with open('/etc/system-release') as f:
+-            system_release = f.readline()
+            system_release = f.readline().rstrip()
+     except IOError:
+         system_release = "Misc"
+ 
+-- 
+2.29.0
+
--- a/0012-Fix-title-in-manpage.py-to-not-contain-online.patch
+++ b/0012-Fix-title-in-manpage.py-to-not-contain-online.patch
@ -0,0 +1,25 @@
+From 4a18939d21c06d036f1063cbfd2d0b5ae9d0010f Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Fri, 20 Feb 2015 16:42:53 +0100
+Subject: [PATCH] Fix title in manpage.py to not contain 'online'.
+
+---
+ python/sepolicy/sepolicy/manpage.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index acc77f368d95..4aeb3e2e51ba 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -220,7 +220,7 @@ class HTMLManPages:
+ <html>
+ <head>
+ 	<link rel=stylesheet type="text/css" href="style.css" title="style">
+-	<title>SELinux man pages online</title>
+	<title>SELinux man pages</title>
+ </head>
+ <body>
+ <h1>SELinux man pages for %s</h1>
+-- 
+2.29.0
+
--- a/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0013-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@ -0,0 +1,24 @@
+From ffe429b49874175f5ec1156e9c89e75cc67a0ddd Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Fri, 14 Feb 2014 12:32:12 -0500
+Subject: [PATCH] Don't be verbose if you are not on a tty
+
+---
+ policycoreutils/scripts/fixfiles | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
+index 30dadb4f4cb6..e73bb81c3336 100755
+--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
+@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
+ fullFlag=0
+ BOOTTIME=""
+ VERBOSE="-p"
+[ -t 1 ] || VERBOSE=""
+ FORCEFLAG=""
+ RPMFILES=""
+ PREFC=""
+-- 
+2.29.0
+
--- a/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
+++ b/0014-sepolicy-Drop-old-interface-file_type_is_executable-.patch
@ -0,0 +1,63 @@
+From 4a337405da16857dc2a979e4b4963a6fd7b975c6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 27 Feb 2017 17:12:39 +0100
+Subject: [PATCH] sepolicy: Drop old interface file_type_is_executable(f) and
+ file_type_is_entrypoint(f)
+
+- use direct queries
+- load exec_types and entry_types only once
+---
+ python/sepolicy/sepolicy/manpage.py | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 4aeb3e2e51ba..330b055af214 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -125,8 +125,24 @@ def gen_domains():
+     domains.sort()
+     return domains
+ 
+-types = None
+ 
+exec_types = None
+
+def _gen_exec_types():
+    global exec_types
+    if exec_types is None:
+        exec_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "exec_type"))["types"]
+    return exec_types
+
+entry_types = None
+
+def _gen_entry_types():
+    global entry_types
+    if entry_types is None:
+        entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+    return entry_types
+
+types = None
+ 
+ def _gen_types():
+     global types
+@@ -372,6 +388,8 @@ class ManPage:
+         self.all_file_types = sepolicy.get_all_file_types()
+         self.role_allows = sepolicy.get_all_role_allows()
+         self.types = _gen_types()
+        self.exec_types = _gen_exec_types()
+        self.entry_types = _gen_entry_types()
+ 
+         if self.source_files:
+             self.fcpath = self.root + "file_contexts"
+@@ -689,7 +707,7 @@ Default Defined Ports:""")
+         for f in self.all_file_types:
+             if f.startswith(self.domainname):
+                 flist.append(f)
+-                if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+                if not f in self.exec_types or not f in self.entry_types:
+                     flist_non_exec.append(f)
+                 if f in self.fcdict:
+                     mpaths = mpaths + self.fcdict[f]["regex"]
+-- 
+2.29.0
+
--- a/0015-sepolicy-Another-small-optimization-for-mcs-types.patch
+++ b/0015-sepolicy-Another-small-optimization-for-mcs-types.patch
@ -0,0 +1,53 @@
+From 7c315fff5e7ce74b0598b62d9aa0b21ca6b06b6d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 28 Feb 2017 21:29:46 +0100
+Subject: [PATCH] sepolicy: Another small optimization for mcs types
+
+---
+ python/sepolicy/sepolicy/manpage.py | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 330b055af214..f8584436960d 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -142,6 +142,15 @@ def _gen_entry_types():
+         entry_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "entry_type"))["types"]
+     return entry_types
+ 
+mcs_constrained_types = None
+
+def _gen_mcs_constrained_types():
+    global mcs_constrained_types
+    if mcs_constrained_types is None:
+        mcs_constrained_types = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+    return mcs_constrained_types
+
+
+ types = None
+ 
+ def _gen_types():
+@@ -390,6 +399,7 @@ class ManPage:
+         self.types = _gen_types()
+         self.exec_types = _gen_exec_types()
+         self.entry_types = _gen_entry_types()
+        self.mcs_constrained_types = _gen_mcs_constrained_types()
+ 
+         if self.source_files:
+             self.fcpath = self.root + "file_contexts"
+@@ -944,11 +954,7 @@ All executables with the default executable label, usually stored in /usr/bin an
+ %s""" % ", ".join(paths))
+ 
+     def _mcs_types(self):
+-        try:
+-            mcs_constrained_type = next(sepolicy.info(sepolicy.ATTRIBUTE, "mcs_constrained_type"))
+-        except StopIteration:
+-            return
+-        if self.type not in mcs_constrained_type['types']:
+        if self.type not in self.mcs_constrained_types['types']:
+             return
+         self.fd.write ("""
+ .SH "MCS Constrained"
+-- 
+2.29.0
+
--- a/0016-Move-po-translation-files-into-the-right-sub-directo.patch
+++ b/0016-Move-po-translation-files-into-the-right-sub-directo.patch
@ -0,0 +1,515 @@
+From a07e9652785c6196d916dfca3d36c898959406b4 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 6 Aug 2018 13:23:00 +0200
+Subject: [PATCH] Move po/ translation files into the right sub-directories
+
+When policycoreutils was split into policycoreutils/ python/ gui/ and sandbox/
+sub-directories, po/ translation files stayed in policycoreutils/.
+
+This commit split original policycoreutils/po directory into
+policycoreutils/po
+python/po
+gui/po
+sandbox/po
+
+See https://github.com/fedora-selinux/selinux/issues/43
+---
+ gui/Makefile                |  3 ++
+ gui/po/Makefile             | 82 ++++++++++++++++++++++++++++++++++++
+ gui/po/POTFILES             | 17 ++++++++
+ policycoreutils/po/Makefile | 70 ++-----------------------------
+ policycoreutils/po/POTFILES |  9 ++++
+ python/Makefile             |  2 +-
+ python/po/Makefile          | 83 +++++++++++++++++++++++++++++++++++++
+ python/po/POTFILES          | 10 +++++
+ sandbox/Makefile            |  2 +
+ sandbox/po/Makefile         | 82 ++++++++++++++++++++++++++++++++++++
+ sandbox/po/POTFILES         |  1 +
+ 11 files changed, 293 insertions(+), 68 deletions(-)
+ create mode 100644 gui/po/Makefile
+ create mode 100644 gui/po/POTFILES
+ create mode 100644 policycoreutils/po/POTFILES
+ create mode 100644 python/po/Makefile
+ create mode 100644 python/po/POTFILES
+ create mode 100644 sandbox/po/Makefile
+ create mode 100644 sandbox/po/POTFILES
+
+diff --git a/gui/Makefile b/gui/Makefile
+index ca965c942912..5a5bf6dcae19 100644
+--- a/gui/Makefile
+++ b/gui/Makefile
+@@ -22,6 +22,7 @@ system-config-selinux.ui \
+ usersPage.py
+ 
+ all: $(TARGETS) system-config-selinux.py polgengui.py
+	(cd po && $(MAKE) $@)
+ 
+ install: all
+ 	-mkdir -p $(DESTDIR)$(MANDIR)/man8
+@@ -54,6 +55,8 @@ install: all
+ 		install -m 644 sepolicy_$${i}.png $(DESTDIR)$(DATADIR)/icons/hicolor/$${i}x$${i}/apps/sepolicy.png; \
+ 	done
+ 	install -m 644 org.selinux.config.policy $(DESTDIR)$(DATADIR)/polkit-1/actions/
+	(cd po && $(MAKE) $@)
+
+ clean:
+ 
+ indent:
+diff --git a/gui/po/Makefile b/gui/po/Makefile
+new file mode 100644
+index 000000000000..a0f5439f2d1c
+--- /dev/null
+++ b/gui/po/Makefile
+@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE	= gui
+POTFILE		= $(NLSPACKAGE).pot
+INSTALL		= /usr/bin/install -c -p
+INSTALL_DATA	= $(INSTALL) -m 644
+INSTALL_DIR	= /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE	= msgmerge
+MSGMERGE_FLAGS	= -q
+XGETTEXT	= xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT		= msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
+POTFILES  = $(shell cat POTFILES)
+
+#default:: clean
+
+all::  $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+	    rm -f $(NLSPACKAGE).po; \
+	else \
+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
+	fi; \
+
+
+refresh-po: Makefile
+	for cat in $(POFILES); do \
+		lang=`basename $$cat .po`; \
+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+			mv -f $$lang.pot $$lang.po ; \
+			echo "$(MSGMERGE) of $$lang succeeded" ; \
+		else \
+			echo "$(MSGMERGE) of $$lang failed" ; \
+			rm -f $$lang.pot ; \
+		fi \
+	done
+
+clean:
+	@rm -fv *mo *~ .depend
+	@rm -rf tmp
+
+install: $(MOFILES)
+	@for n in $(MOFILES); do \
+	    l=`basename $$n .mo`; \
+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+	done
+
+%.mo: %.po
+	$(MSGFMT) -o $@ $<
+report:
+	@for cat in $(wildcard *.po); do \
+                echo -n "$$cat: "; \
+                msgfmt -v --statistics -o /dev/null $$cat; \
+        done
+
+.PHONY: missing depend
+
+relabel:
+diff --git a/gui/po/POTFILES b/gui/po/POTFILES
+new file mode 100644
+index 000000000000..1795c5c1951b
+--- /dev/null
+++ b/gui/po/POTFILES
+@@ -0,0 +1,17 @@
+../booleansPage.py
+../domainsPage.py
+../fcontextPage.py
+../loginsPage.py
+../modulesPage.py
+../org.selinux.config.policy
+../polgengui.py
+../polgen.ui
+../portsPage.py
+../selinux-polgengui.desktop
+../semanagePage.py
+../sepolicy.desktop
+../statusPage.py
+../system-config-selinux.desktop
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
+diff --git a/policycoreutils/po/Makefile b/policycoreutils/po/Makefile
+index 575e143122e6..18bc1dff8d1f 100644
+--- a/policycoreutils/po/Makefile
+++ b/policycoreutils/po/Makefile
+@@ -3,7 +3,6 @@
+ #
+ 
+ PREFIX ?= /usr
+-TOP	 = ../..
+ 
+ # What is this package?
+ NLSPACKAGE	= policycoreutils
+@@ -32,74 +31,13 @@ USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+ 
+ POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
+ MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
+-POTFILES = \
+-	../run_init/open_init_pty.c \
+-	../run_init/run_init.c \
+-	../semodule_link/semodule_link.c \
+-	../audit2allow/audit2allow \
+-	../semanage/seobject.py \
+-	../setsebool/setsebool.c \
+-	../newrole/newrole.c \
+-	../load_policy/load_policy.c \
+-	../sestatus/sestatus.c \
+-	../semodule/semodule.c \
+-	../setfiles/setfiles.c \
+-	../semodule_package/semodule_package.c \
+-	../semodule_deps/semodule_deps.c \
+-	../semodule_expand/semodule_expand.c \
+-	../scripts/chcat \
+-	../scripts/fixfiles \
+-	../restorecond/stringslist.c \
+-	../restorecond/restorecond.h \
+-	../restorecond/utmpwatcher.h \
+-	../restorecond/stringslist.h \
+-	../restorecond/restorecond.c \
+-	../restorecond/utmpwatcher.c \
+-	../gui/booleansPage.py \
+-	../gui/fcontextPage.py \
+-	../gui/loginsPage.py \
+-	../gui/mappingsPage.py \
+-	../gui/modulesPage.py \
+-	../gui/polgen.glade \
+-	../gui/polgengui.py \
+-	../gui/portsPage.py \
+-	../gui/semanagePage.py \
+-	../gui/statusPage.py \
+-	../gui/system-config-selinux.glade \
+-	../gui/system-config-selinux.py \
+-	../gui/usersPage.py \
+-	../secon/secon.c \
+-	booleans.py \
+-	../sepolicy/sepolicy.py \
+-	../sepolicy/sepolicy/communicate.py \
+-	../sepolicy/sepolicy/__init__.py \
+-	../sepolicy/sepolicy/network.py \
+-	../sepolicy/sepolicy/generate.py \
+-	../sepolicy/sepolicy/sepolicy.glade \
+-	../sepolicy/sepolicy/gui.py \
+-	../sepolicy/sepolicy/manpage.py \
+-	../sepolicy/sepolicy/transition.py \
+-	../sepolicy/sepolicy/templates/executable.py \
+-	../sepolicy/sepolicy/templates/__init__.py \
+-	../sepolicy/sepolicy/templates/network.py \
+-	../sepolicy/sepolicy/templates/rw.py \
+-	../sepolicy/sepolicy/templates/script.py \
+-	../sepolicy/sepolicy/templates/semodule.py \
+-	../sepolicy/sepolicy/templates/tmp.py \
+-	../sepolicy/sepolicy/templates/user.py \
+-	../sepolicy/sepolicy/templates/var_lib.py \
+-	../sepolicy/sepolicy/templates/var_log.py \
+-	../sepolicy/sepolicy/templates/var_run.py \
+-	../sepolicy/sepolicy/templates/var_spool.py
+POTFILES  = $(shell cat POTFILES)
+ 
+ #default:: clean
+ 
+-all::  $(MOFILES)
+all:: $(POTFILE) $(MOFILES)
+ 
+-booleans.py:
+-	sepolicy booleans -a > booleans.py
+-
+-$(POTFILE): $(POTFILES) booleans.py
+$(POTFILE): $(POTFILES)
+ 	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+ 	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+ 	    rm -f $(NLSPACKAGE).po; \
+@@ -107,8 +45,6 @@ $(POTFILE): $(POTFILES) booleans.py
+ 	    mv -f $(NLSPACKAGE).po $(POTFILE); \
+ 	fi; \
+ 
+-update-po: Makefile $(POTFILE) refresh-po
+-	@rm -f booleans.py
+ 
+ refresh-po: Makefile
+ 	for cat in $(POFILES); do \
+diff --git a/policycoreutils/po/POTFILES b/policycoreutils/po/POTFILES
+new file mode 100644
+index 000000000000..12237dc61ee4
+--- /dev/null
+++ b/policycoreutils/po/POTFILES
+@@ -0,0 +1,9 @@
+../run_init/open_init_pty.c
+../run_init/run_init.c
+../setsebool/setsebool.c
+../newrole/newrole.c
+../load_policy/load_policy.c
+../sestatus/sestatus.c
+../semodule/semodule.c
+../setfiles/setfiles.c
+../secon/secon.c
+diff --git a/python/Makefile b/python/Makefile
+index 9b66d52fbd4d..00312dbdb5c6 100644
+--- a/python/Makefile
+++ b/python/Makefile
+@@ -1,4 +1,4 @@
+-SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
+SUBDIRS = sepolicy audit2allow semanage sepolgen chcat po
+ 
+ all install relabel clean indent test:
+ 	@for subdir in $(SUBDIRS); do \
+diff --git a/python/po/Makefile b/python/po/Makefile
+new file mode 100644
+index 000000000000..4e052d5a2bd7
+--- /dev/null
+++ b/python/po/Makefile
+@@ -0,0 +1,83 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE	= python
+POTFILE		= $(NLSPACKAGE).pot
+INSTALL		= /usr/bin/install -c -p
+INSTALL_DATA	= $(INSTALL) -m 644
+INSTALL_DIR	= /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE	= msgmerge
+MSGMERGE_FLAGS	= -q
+XGETTEXT	= xgettext --default-domain=$(NLSPACKAGE)
+MSGFMT		= msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
+POTFILES  = $(shell cat POTFILES)
+
+#default:: clean
+
+all::  $(MOFILES)
+
+$(POTFILE): $(POTFILES) 
+	$(XGETTEXT) -L Python --keyword=_ --keyword=N_ $(POTFILES)
+	$(XGETTEXT) -j --keyword=_ --keyword=N_ ../sepolicy/sepolicy/sepolicy.glade
+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+	    rm -f $(NLSPACKAGE).po; \
+	else \
+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
+	fi; \
+
+
+refresh-po: Makefile
+	for cat in $(POFILES); do \
+		lang=`basename $$cat .po`; \
+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+			mv -f $$lang.pot $$lang.po ; \
+			echo "$(MSGMERGE) of $$lang succeeded" ; \
+		else \
+			echo "$(MSGMERGE) of $$lang failed" ; \
+			rm -f $$lang.pot ; \
+		fi \
+	done
+
+clean:
+	@rm -fv *mo *~ .depend
+	@rm -rf tmp
+
+install: $(MOFILES)
+	@for n in $(MOFILES); do \
+	    l=`basename $$n .mo`; \
+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+	done
+
+%.mo: %.po
+	$(MSGFMT) -o $@ $<
+report:
+	@for cat in $(wildcard *.po); do \
+                echo -n "$$cat: "; \
+                msgfmt -v --statistics -o /dev/null $$cat; \
+        done
+
+.PHONY: missing depend
+
+relabel:
+diff --git a/python/po/POTFILES b/python/po/POTFILES
+new file mode 100644
+index 000000000000..128eb870a69e
+--- /dev/null
+++ b/python/po/POTFILES
+@@ -0,0 +1,10 @@
+../audit2allow/audit2allow
+../chcat/chcat
+../semanage/semanage
+../semanage/seobject.py
+../sepolgen/src/sepolgen/interfaces.py
+../sepolicy/sepolicy/generate.py
+../sepolicy/sepolicy/gui.py
+../sepolicy/sepolicy/__init__.py
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
+diff --git a/sandbox/Makefile b/sandbox/Makefile
+index 9da5e58db9e6..b817824e2102 100644
+--- a/sandbox/Makefile
+++ b/sandbox/Makefile
+@@ -13,6 +13,7 @@ override LDLIBS += -lselinux -lcap-ng
+ SEUNSHARE_OBJS = seunshare.o
+ 
+ all: sandbox seunshare sandboxX.sh start
+	(cd po && $(MAKE) $@)
+ 
+ seunshare: $(SEUNSHARE_OBJS)
+ 
+@@ -39,6 +40,7 @@ install: all
+ 	install -m 755 start $(DESTDIR)$(SHAREDIR)
+ 	-mkdir -p $(DESTDIR)$(SYSCONFDIR)
+ 	install -m 644 sandbox.conf $(DESTDIR)$(SYSCONFDIR)/sandbox
+	(cd po && $(MAKE) $@)
+ 
+ test:
+ 	@$(PYTHON) test_sandbox.py -v
+diff --git a/sandbox/po/Makefile b/sandbox/po/Makefile
+new file mode 100644
+index 000000000000..0556bbe953f0
+--- /dev/null
+++ b/sandbox/po/Makefile
+@@ -0,0 +1,82 @@
+#
+# Makefile for the PO files (translation) catalog
+#
+
+PREFIX ?= /usr
+
+# What is this package?
+NLSPACKAGE	= sandbox
+POTFILE		= $(NLSPACKAGE).pot
+INSTALL		= /usr/bin/install -c -p
+INSTALL_DATA	= $(INSTALL) -m 644
+INSTALL_DIR	= /usr/bin/install -d
+
+# destination directory
+INSTALL_NLS_DIR = $(PREFIX)/share/locale
+
+# PO catalog handling
+MSGMERGE	= msgmerge
+MSGMERGE_FLAGS	= -q
+XGETTEXT	= xgettext -L Python --default-domain=$(NLSPACKAGE)
+MSGFMT		= msgfmt
+
+# All possible linguas
+PO_LINGUAS := $(sort $(patsubst %.po,%,$(wildcard *.po)))
+
+# Only the files matching what the user has set in LINGUAS
+USER_LINGUAS := $(filter $(patsubst %,%%,$(LINGUAS)),$(PO_LINGUAS))
+
+# if no valid LINGUAS, build all languages
+USE_LINGUAS := $(if $(USER_LINGUAS),$(USER_LINGUAS),$(PO_LINGUAS))
+
+POFILES		= $(patsubst %,%.po,$(USE_LINGUAS))
+MOFILES		= $(patsubst %.po,%.mo,$(POFILES))
+POTFILES  = $(shell cat POTFILES)
+
+#default:: clean
+
+all:: $(POTFILE) $(MOFILES)
+
+$(POTFILE): $(POTFILES)
+	$(XGETTEXT) --keyword=_ --keyword=N_ $(POTFILES)
+	@if cmp -s $(NLSPACKAGE).po $(POTFILE); then \
+	    rm -f $(NLSPACKAGE).po; \
+	else \
+	    mv -f $(NLSPACKAGE).po $(POTFILE); \
+	fi; \
+
+
+refresh-po: Makefile
+	for cat in $(POFILES); do \
+		lang=`basename $$cat .po`; \
+		if $(MSGMERGE) $(MSGMERGE_FLAGS) $$lang.po $(POTFILE) > $$lang.pot ; then \
+			mv -f $$lang.pot $$lang.po ; \
+			echo "$(MSGMERGE) of $$lang succeeded" ; \
+		else \
+			echo "$(MSGMERGE) of $$lang failed" ; \
+			rm -f $$lang.pot ; \
+		fi \
+	done
+
+clean:
+	@rm -fv *mo *~ .depend
+	@rm -rf tmp
+
+install: $(MOFILES)
+	@for n in $(MOFILES); do \
+	    l=`basename $$n .mo`; \
+	    $(INSTALL_DIR) $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES; \
+	    $(INSTALL_DATA) --verbose $$n $(DESTDIR)$(INSTALL_NLS_DIR)/$$l/LC_MESSAGES/selinux-$(NLSPACKAGE).mo; \
+	done
+
+%.mo: %.po
+	$(MSGFMT) -o $@ $<
+report:
+	@for cat in $(wildcard *.po); do \
+                echo -n "$$cat: "; \
+                msgfmt -v --statistics -o /dev/null $$cat; \
+        done
+
+.PHONY: missing depend
+
+relabel:
+diff --git a/sandbox/po/POTFILES b/sandbox/po/POTFILES
+new file mode 100644
+index 000000000000..deff3f2f4656
+--- /dev/null
+++ b/sandbox/po/POTFILES
+@@ -0,0 +1 @@
+../sandbox
+-- 
+2.29.0
+
--- a/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
+++ b/0017-Use-correct-gettext-domains-in-python-gui-sandbox.patch
@ -0,0 +1,306 @@
+From eab0fc05a38ab2cd47b3e0ff69981850cc7cd538 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 6 Aug 2018 13:37:07 +0200
+Subject: [PATCH] Use correct gettext domains in python/ gui/ sandbox/
+
+https://github.com/fedora-selinux/selinux/issues/43
+---
+ gui/booleansPage.py                          | 2 +-
+ gui/domainsPage.py                           | 2 +-
+ gui/fcontextPage.py                          | 2 +-
+ gui/loginsPage.py                            | 2 +-
+ gui/modulesPage.py                           | 2 +-
+ gui/polgengui.py                             | 2 +-
+ gui/portsPage.py                             | 2 +-
+ gui/semanagePage.py                          | 2 +-
+ gui/statusPage.py                            | 2 +-
+ gui/system-config-selinux.py                 | 2 +-
+ gui/usersPage.py                             | 2 +-
+ python/chcat/chcat                           | 2 +-
+ python/semanage/semanage                     | 2 +-
+ python/semanage/seobject.py                  | 2 +-
+ python/sepolgen/src/sepolgen/sepolgeni18n.py | 2 +-
+ python/sepolicy/sepolicy.py                  | 2 +-
+ python/sepolicy/sepolicy/__init__.py         | 2 +-
+ python/sepolicy/sepolicy/generate.py         | 2 +-
+ python/sepolicy/sepolicy/gui.py              | 2 +-
+ python/sepolicy/sepolicy/interface.py        | 2 +-
+ sandbox/sandbox                              | 2 +-
+ 21 files changed, 21 insertions(+), 21 deletions(-)
+
+diff --git a/gui/booleansPage.py b/gui/booleansPage.py
+index 7849bea26a06..dd12b6d6ab86 100644
+--- a/gui/booleansPage.py
+++ b/gui/booleansPage.py
+@@ -38,7 +38,7 @@ DISABLED = 2
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/domainsPage.py b/gui/domainsPage.py
+index bad5140d8c59..6bbe4de5884f 100644
+--- a/gui/domainsPage.py
+++ b/gui/domainsPage.py
+@@ -30,7 +30,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/fcontextPage.py b/gui/fcontextPage.py
+index 370bbee40786..e424366da26f 100644
+--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
+@@ -47,7 +47,7 @@ class context:
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/loginsPage.py b/gui/loginsPage.py
+index b67eb8bc42af..cbfb0cc23f65 100644
+--- a/gui/loginsPage.py
+++ b/gui/loginsPage.py
+@@ -29,7 +29,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/modulesPage.py b/gui/modulesPage.py
+index 0584acf9b3a4..35a0129bab9c 100644
+--- a/gui/modulesPage.py
+++ b/gui/modulesPage.py
+@@ -30,7 +30,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/polgengui.py b/gui/polgengui.py
+index d284ded65279..01f541bafae8 100644
+--- a/gui/polgengui.py
+++ b/gui/polgengui.py
+@@ -63,7 +63,7 @@ def get_all_modules():
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/portsPage.py b/gui/portsPage.py
+index 30f58383bc1d..a537ecc8c0a1 100644
+--- a/gui/portsPage.py
+++ b/gui/portsPage.py
+@@ -35,7 +35,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/semanagePage.py b/gui/semanagePage.py
+index 4127804fbbee..5361d69c1313 100644
+--- a/gui/semanagePage.py
+++ b/gui/semanagePage.py
+@@ -22,7 +22,7 @@ from gi.repository import Gdk, Gtk
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/statusPage.py b/gui/statusPage.py
+index 766854b19cba..a8f079b9b163 100644
+--- a/gui/statusPage.py
+++ b/gui/statusPage.py
+@@ -35,7 +35,7 @@ RELABELFILE = "/.autorelabel"
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
+index 3f70122b87e8..8c46c987b974 100644
+--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
+@@ -45,7 +45,7 @@ import selinux
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/gui/usersPage.py b/gui/usersPage.py
+index 26794ed5c3f3..d15d4c5a71dd 100644
+--- a/gui/usersPage.py
+++ b/gui/usersPage.py
+@@ -29,7 +29,7 @@ from semanagePage import *
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-gui"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/chcat/chcat b/python/chcat/chcat
+index fdd2e46ee3f9..839ddd3b54b6 100755
+--- a/python/chcat/chcat
+++ b/python/chcat/chcat
+@@ -30,7 +30,7 @@ import getopt
+ import selinux
+ import seobject
+ 
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b2fabea67a87..3cc30a160a74 100644
+--- a/python/semanage/semanage
+++ b/python/semanage/semanage
+@@ -27,7 +27,7 @@ import traceback
+ import argparse
+ import seobject
+ import sys
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 6a14f7b47dd5..b51a7e3e7ca3 100644
+--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
+@@ -29,7 +29,7 @@ import sys
+ import stat
+ import socket
+ from semanage import *
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ import sepolicy
+ import setools
+ import ipaddress
+diff --git a/python/sepolgen/src/sepolgen/sepolgeni18n.py b/python/sepolgen/src/sepolgen/sepolgeni18n.py
+index 998c4356415c..56ebd807c69c 100644
+--- a/python/sepolgen/src/sepolgen/sepolgeni18n.py
+++ b/python/sepolgen/src/sepolgen/sepolgeni18n.py
+@@ -19,7 +19,7 @@
+ 
+ try: 
+     import gettext
+-    t = gettext.translation( 'yumex' )
+    t = gettext.translation( 'selinux-python' )
+     _ = t.gettext
+ except:
+     def _(str):
+diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
+index 7b2230651099..32956e58f52e 100755
+--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
+@@ -28,7 +28,7 @@ import sepolicy
+ from multiprocessing import Pool
+ from sepolicy import get_os_version, get_conditionals, get_conditionals_format_text
+ import argparse
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
+index ea05d892bf3b..9a9c2ae9f237 100644
+--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
+@@ -13,7 +13,7 @@ import os
+ import re
+ import gzip
+ 
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index 4e1ed4e9dc31..43180ca6fda4 100644
+--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
+@@ -48,7 +48,7 @@ import sepolgen.defaults as defaults
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/sepolicy/sepolicy/gui.py b/python/sepolicy/sepolicy/gui.py
+index 1e86422b864a..c9ca158ddd09 100644
+--- a/python/sepolicy/sepolicy/gui.py
+++ b/python/sepolicy/sepolicy/gui.py
+@@ -41,7 +41,7 @@ import os
+ import re
+ import unicodedata
+ 
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/python/sepolicy/sepolicy/interface.py b/python/sepolicy/sepolicy/interface.py
+index bdffb770f364..9d40aea1498d 100644
+--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
+@@ -30,7 +30,7 @@ __all__ = ['get_all_interfaces', 'get_interfaces_from_xml', 'get_admin', 'get_us
+ ##
+ ## I18N
+ ##
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-python"
+ try:
+     import gettext
+     kwargs = {}
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index ca5f1e030a51..16c43b51eaaa 100644
+--- a/sandbox/sandbox
+++ b/sandbox/sandbox
+@@ -37,7 +37,7 @@ import sepolicy
+ 
+ SEUNSHARE = "/usr/sbin/seunshare"
+ SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
+-PROGNAME = "policycoreutils"
+PROGNAME = "selinux-sandbox"
+ try:
+     import gettext
+     kwargs = {}
+-- 
+2.29.0
+
--- a/0018-Initial-.pot-files-for-gui-python-sandbox.patch
+++ b/0018-Initial-.pot-files-for-gui-python-sandbox.patch
--- a/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
+++ b/0019-policycoreutils-setfiles-Improve-description-of-d-sw.patch
@ -0,0 +1,30 @@
+From 4277ef04de699e1939c95c4813de6a78d1ea1656 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 21 Mar 2018 08:51:31 +0100
+Subject: [PATCH] policycoreutils/setfiles: Improve description of -d switch
+
+The "-q" switch is becoming obsolete (completely unused in fedora) and
+debug output ("-d" switch) makes sense in any scenario. Therefore both
+options can be specified at once.
+
+Resolves: rhbz#1271327
+---
+ policycoreutils/setfiles/setfiles.8 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index e328a5628682..02e0960289d3 100644
+--- a/policycoreutils/setfiles/setfiles.8
+++ b/policycoreutils/setfiles/setfiles.8
+@@ -58,7 +58,7 @@ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+ show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors).
+after ABORT_ON_ERRORS errors). Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
+-- 
+2.29.0
+
--- a/0020-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ b/0020-sepolicy-generate-Handle-more-reserved-port-types.patch
@ -0,0 +1,71 @@
+From fa94b0faf12a79158d971f363e8ec65227d67de3 Mon Sep 17 00:00:00 2001
+From: Masatake YAMATO <yamato@redhat.com>
+Date: Thu, 14 Dec 2017 15:57:58 +0900
+Subject: [PATCH] sepolicy-generate: Handle more reserved port types
+
+Currently only reserved_port_t, port_t and hi_reserved_port_t are
+handled as special when making a ports-dictionary.  However, as fas as
+corenetwork.te.in of serefpolicy, unreserved_port_t and
+ephemeral_port_t should be handled in the same way, too.
+
+(Details) I found the need of this change when I was using
+selinux-polgengui.  Though tcp port 12345, which my application may
+use, was given to the gui, selinux-polgengui generates expected te
+file and sh file which didn't utilize the tcp port.
+
+selinux-polgengui checks whether a port given via gui is already typed
+or not.
+
+If it is already typed, selinux-polgengui generates a te file having
+rules to allow the application to use the port. (A)
+
+If not, it seems for me that selinux-polgengui is designed to generate
+a te file having rules to allow the application to own(?) the port;
+and a sh file having a command line to assign the application own type
+to the port. (B)
+
+As we can see the output of `semanage port -l' some of ports for
+specified purpose have types already.  The important point is that the
+rest of ports also have types already:
+
+    hi_reserved_port_t tcp 512-1023
+    hi_reserved_port_t udp 512-1023
+    unreserved_port_t tcp 1024-32767, 61001-65535
+    unreserved_port_t udp 1024-32767, 61001-65535
+    ephemeral_port_t tcp 32768-61000
+    ephemeral_port_t udp 32768-61000
+
+As my patch shows, the original selinux-polgengui ignored
+hi_reserved_port_t; though hi_reserved_port_t is assigned,
+selinux-polgengui considered ports 512-1023 are not used. As the
+result selinux-polgengui generates file sets of (B).
+
+For the purpose of selinux-polgengui, I think unreserved_port_t and
+ephemeral_port_t are treated as the same as hi_reserved_port_t.
+
+Signed-off-by: Masatake YAMATO <yamato@redhat.com>
+
+Fedora only patch:
+https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redhat.com/
+---
+ python/sepolicy/sepolicy/generate.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index 43180ca6fda4..d60a08e1d72c 100644
+--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
+@@ -99,7 +99,9 @@ def get_all_ports():
+     for p in sepolicy.info(sepolicy.PORT):
+         if p['type'] == "reserved_port_t" or \
+                 p['type'] == "port_t" or \
+-                p['type'] == "hi_reserved_port_t":
+                p['type'] == "hi_reserved_port_t" or \
+                p['type'] == "ephemeral_port_t" or \
+                p['type'] == "unreserved_port_t":
+             continue
+         dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
+     return dict
+-- 
+2.29.0
+
--- a/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
+++ b/0021-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
@ -0,0 +1,24 @@
+From 122e35c4d11b5b623e8bc463f81c6792385523cb Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 8 Nov 2018 09:20:58 +0100
+Subject: [PATCH] semodule-utils: Fix RESOURCE_LEAK coverity scan defects
+
+---
+ semodule-utils/semodule_package/semodule_package.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/semodule-utils/semodule_package/semodule_package.c b/semodule-utils/semodule_package/semodule_package.c
+index 3515234e36de..7b75b3fd9bb4 100644
+--- a/semodule-utils/semodule_package/semodule_package.c
+++ b/semodule-utils/semodule_package/semodule_package.c
+@@ -74,6 +74,7 @@ static int file_to_data(const char *path, char **data, size_t * len)
+ 	}
+ 	if (!sb.st_size) {
+ 		*len = 0;
+		close(fd);
+ 		return 0;
+ 	}
+ 
+-- 
+2.29.0
+
--- a/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+++ b/0022-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
@ -0,0 +1,74 @@
+From e63814eb18bdbb48a7e6bf79b17d79d6a9ca56d6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 18 Jul 2018 09:09:35 +0200
+Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
+
+---
+ sandbox/sandbox     |  4 ++--
+ sandbox/sandbox.8   |  2 +-
+ sandbox/sandboxX.sh | 14 --------------
+ 3 files changed, 3 insertions(+), 17 deletions(-)
+
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index 16c43b51eaaa..7709a6585665 100644
+--- a/sandbox/sandbox
+++ b/sandbox/sandbox
+@@ -268,7 +268,7 @@ class Sandbox:
+             copyfile(f, "/tmp", self.__tmpdir)
+             copyfile(f, "/var/tmp", self.__tmpdir)
+ 
+-    def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+    def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
+         execfile = self.__homedir + "/.sandboxrc"
+         fd = open(execfile, "w+")
+         if self.__options.session:
+@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ 
+         parser.add_option("-W", "--windowmanager", dest="wm",
+                           type="string",
+-                          default="/usr/bin/openbox",
+                          default="/usr/bin/matchbox-window-manager",
+                           help=_("alternate window manager"))
+ 
+         parser.add_option("-l", "--level", dest="level",
+diff --git a/sandbox/sandbox.8 b/sandbox/sandbox.8
+index d83fee76f335..90ef4951c8c2 100644
+--- a/sandbox/sandbox.8
+++ b/sandbox/sandbox.8
+@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
+ \fB\-W\fR \fB\-\-windowmanager\fR
+ Select alternative window manager to run within 
+ .B sandbox \-X.
+-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
+ .TP
+ \fB\-X\fR 
+ Create an X based Sandbox for gui apps, temporary files for
+diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
+index 4774528027ef..c211ebc14549 100644
+--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
+@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
+ [ -z $2 ] && export DPI="96" || export DPI="$2"
+ trap "exit 0" HUP
+ 
+-mkdir -p ~/.config/openbox
+-cat > ~/.config/openbox/rc.xml << EOF
+-<openbox_config xmlns="http://openbox.org/3.4/rc"
+-		xmlns:xi="http://www.w3.org/2001/XInclude">
+-<applications>
+-  <application class="*">
+-    <decor>no</decor>
+-    <desktop>all</desktop>
+-    <maximized>yes</maximized>
+-  </application>
+-</applications>
+-</openbox_config>
+-EOF
+-
+ (/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+     export DISPLAY=:$D
+     cat > ~/seremote << __EOF
+-- 
+2.29.0
+
--- a/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+++ b/0023-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
@ -0,0 +1,46 @@
+From b1f380c75f8a4ea7a4062d3735d190a1dcbc3aaa Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 28 Jul 2020 14:37:13 +0200
+Subject: [PATCH] sepolicy: Fix flake8 warnings in Fedora-only code
+
+Fixes:
+$ PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
+Analyzing 187 Python scripts
+./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./installdir/usr/lib/python3.8/site-packages/sepolicy/manpage.py:774:17: E117 over-indented
+./python/sepolicy/build/lib/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./python/sepolicy/build/lib/sepolicy/manpage.py:774:17: E117 over-indented
+./python/sepolicy/sepolicy/manpage.py:720:20: E713 test for membership should be 'not in'
+./python/sepolicy/sepolicy/manpage.py:774:17: E117 over-indented
+The command "PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8" exited with 1.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ python/sepolicy/sepolicy/manpage.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index f8584436960d..6a3e08fca58c 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -717,7 +717,7 @@ Default Defined Ports:""")
+         for f in self.all_file_types:
+             if f.startswith(self.domainname):
+                 flist.append(f)
+-                if not f in self.exec_types or not f in self.entry_types:
+                if f not in self.exec_types or f not in self.entry_types:
+                     flist_non_exec.append(f)
+                 if f in self.fcdict:
+                     mpaths = mpaths + self.fcdict[f]["regex"]
+@@ -771,7 +771,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
+ """ % {'domainname': self.domainname, 'equiv': e, 'alt': e.split('/')[-1]})
+ 
+         if flist_non_exec:
+-                self.fd.write(r"""
+            self.fd.write(r"""
+ .PP
+ .B STANDARD FILE CONTEXT
+ 
+-- 
+2.29.0
+
--- a/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
+++ b/0024-selinux_config-5-add-a-note-that-runtime-disable-is-.patch
@ -0,0 +1,29 @@
+From 99450e5c391f0e5b7da9234588123edca0993794 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:40 +0100
+Subject: [PATCH] selinux_config(5): add a note that runtime disable is
+ deprecated
+
+...and refer to selinux(8), which explains it further.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ policycoreutils/man/man5/selinux_config.5 | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/man/man5/selinux_config.5 b/policycoreutils/man/man5/selinux_config.5
+index 1ffade150128..58b42a0e234d 100644
+--- a/policycoreutils/man/man5/selinux_config.5
+++ b/policycoreutils/man/man5/selinux_config.5
+@@ -48,7 +48,7 @@ SELinux security policy is enforced.
+ .IP \fIpermissive\fR 4
+ SELinux security policy is not enforced but logs the warnings (i.e. the action is allowed to proceed).
+ .IP \fIdisabled\fR
+-SELinux is disabled and no policy is loaded.
+No SELinux policy is loaded.  This option was used to disable SELinux completely, which is now deprecated.  Use the \fBselinux=0\fR kernel boot option instead (see \fBselinux\fR(8)).
+ .RE
+ .sp
+ The entry can be determined using the \fBsestatus\fR(8) command or \fBselinux_getenforcemode\fR(3).
+-- 
+2.29.2
+
--- a/0025-python-sepolicy-allow-to-override-manpage-date.patch
+++ b/0025-python-sepolicy-allow-to-override-manpage-date.patch
@ -0,0 +1,51 @@
+From 794dbdb6b1336cae872f45b5adaa594796e4806b Mon Sep 17 00:00:00 2001
+From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
+Date: Fri, 30 Oct 2020 22:53:09 +0100
+Subject: [PATCH] python/sepolicy: allow to override manpage date
+
+in order to make builds reproducible.
+See https://reproducible-builds.org/ for why this is good
+and https://reproducible-builds.org/specs/source-date-epoch/
+for the definition of this variable.
+
+This patch was done while working on reproducible builds for openSUSE.
+
+Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
+---
+ python/sepolicy/sepolicy/manpage.py | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/manpage.py b/python/sepolicy/sepolicy/manpage.py
+index 6a3e08fca58c..c013c0d48502 100755
+--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
+@@ -39,6 +39,8 @@ typealias_types = {
+ equiv_dict = {"smbd": ["samba"], "httpd": ["apache"], "virtd": ["virt", "libvirt"], "named": ["bind"], "fsdaemon": ["smartmon"], "mdadm": ["raid"]}
+ 
+ equiv_dirs = ["/var"]
+man_date = time.strftime("%y-%m-%d", time.gmtime(
+        int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
+ modules_dict = None
+ 
+ 
+@@ -546,7 +548,7 @@ class ManPage:
+ 
+     def _typealias(self,typealias):
+         self.fd.write('.TH  "%(typealias)s_selinux"  "8"  "%(date)s" "%(typealias)s" "SELinux Policy %(typealias)s"'
+-                 % {'typealias':typealias, 'date': time.strftime("%y-%m-%d")})
+                 % {'typealias':typealias, 'date': man_date})
+         self.fd.write(r"""
+ .SH "NAME"
+ %(typealias)s_selinux \- Security Enhanced Linux Policy for the %(typealias)s processes
+@@ -565,7 +567,7 @@ man page for more details.
+ 
+     def _header(self):
+         self.fd.write('.TH  "%(domainname)s_selinux"  "8"  "%(date)s" "%(domainname)s" "SELinux Policy %(domainname)s"'
+-                      % {'domainname': self.domainname, 'date': time.strftime("%y-%m-%d")})
+                      % {'domainname': self.domainname, 'date': man_date})
+         self.fd.write(r"""
+ .SH "NAME"
+ %(domainname)s_selinux \- Security Enhanced Linux Policy for the %(domainname)s processes
+-- 
+2.29.2
+
--- a/21
+++ b/21
@ -1,21 +0,0 @@
-# Makefile for source rpm: policycoreutils
-# $Id$
-NAME := policycoreutils
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)
--- a/README.translations
+++ b/README.translations
@ -0,0 +1,41 @@
+policycoreutils translations currently live in the following locations:
+
+- https://fedora.zanata.org/project/view/selinux
+  - contains translations for both stable (Red Hat Enterprise Linux) and master (Fedora) branches
+  - maintains large number of languages (several of which do not actually contain any translated strings)
+  - updated by community and partially by RH localization effort
+
+- selinux source repository (https://github.com/fedora-selinux/selinux)
+  - is kept up-to-date with fedora.zanata
+
+How to update source files on fedora.zanata:
+  $ git clone git@github.com:fedora-selinux/selinux.git
+  $ cd selinux
+
+  # generate new potfile
+  $ for p in policycoreutils python gui sandbox; do
+    cd $p/po
+    make $p.pot
+    cd -
+    done
+
+  # Push potfiles to zanata
+  $ zanata-cli push --push-type source
+
+How to pull new translations from zanata
+  $ git clone git@github.com:fedora-selinux/selinux.git
+  $ cd selinux
+  # Make sure "zanata.xml" file pointing to corresponding translations branch is present
+  # Optionally update source files on zanata
+  # Pull new translations from zanata
+  $ zanata-cli -e pull --pull-type trans
+
+How to update translations *-po.tgz files
+  $ mkdir zanata
+  $ cd zanata
+  $ zanata-cli -e pull --project-config ../zanata.xml  --pull-type both
+  $ for p in policycoreutils python gui sandbox; do
+    cd $p
+    tar -c -f ../../$p-po.tgz -z .
+    cd -
+    done
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
--- a/make-rhat-patches.sh
+++ b/make-rhat-patches.sh
@ -0,0 +1,40 @@
+#!/bin/bash
+
+POLICYCOREUTILS_VERSION=2.4
+SEPOLGEN_VERSION=1.2.2
+BRANCH=master
+
+REBASEDIR=`mktemp -d rebase.XXXXXX`
+pushd $REBASEDIR
+
+git clone git@github.com:fedora-selinux/selinux.git
+pushd selinux; git checkout $BRANCH; COMMIT=`git rev-parse --verify HEAD`; popd
+
+# prepare policycoreutils-rhat.patch
+tar xfz ../policycoreutils-$POLICYCOREUTILS_VERSION.tar.gz
+pushd policycoreutils-$POLICYCOREUTILS_VERSION
+
+git init; git add .; git commit -m "init"
+cp -r ../selinux/policycoreutils/* .
+git add -A .
+
+git diff --cached --src-prefix=a/policycoreutils-$POLICYCOREUTILS_VERSION/ --dst-prefix=b/policycoreutils-$POLICYCOREUTILS_VERSION/ > ../../policycoreutils-rhat.patch
+
+popd
+
+#prepare sepolgen-rhat.patch
+tar xfz ../sepolgen-$SEPOLGEN_VERSION.tar.gz
+pushd sepolgen-$SEPOLGEN_VERSION
+
+git init; git add .; git commit -m "init"
+cp -r ../selinux/sepolgen/* .
+git add -A .
+
+git diff --cached --src-prefix=a/sepolgen-$SEPOLGEN_VERSION/ --dst-prefix=b/sepolgen-$SEPOLGEN_VERSION/ > ../../sepolgen-rhat.patch
+
+popd
+
+popd
+# echo rm -rf $REBASEDIR
+
+echo policycoreutils-rhat.patch and sepolgen-rhat.patch created from https://github.com/fedora-selinux/selinux/commit/$COMMIT
--- a/policycoreutils-gui.patch
+++ b/policycoreutils-gui.patch
--- a/policycoreutils-po.patch
+++ b/policycoreutils-po.patch
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
--- a/policycoreutils-sepolgen.patch
+++ b/policycoreutils-sepolgen.patch
@ -1,502 +0,0 @@
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/access.py	2010-06-16 08:22:43.000000000 -0400
-@@ -32,6 +32,7 @@
- """
- 
- import refpolicy
-+from selinux import audit2why
- 
- def is_idparam(id):
-     """Determine if an id is a paramater in the form $N, where N is
-@@ -85,6 +86,8 @@
-             self.obj_class = None
-             self.perms = refpolicy.IdSet()
-             self.audit_msgs = []
-+            self.type = audit2why.TERULE
-+            self.bools = []
- 
-         # The direction of the information flow represented by this
-         # access vector - used for matching
-@@ -253,20 +256,22 @@
-         for av in l:
-             self.add_av(AccessVector(av))
- 
-    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None):
-+    def add(self, src_type, tgt_type, obj_class, perms, audit_msg=None, avc_type=audit2why.TERULE, bools=[]):
-         """Add an access vector to the set.
-         """
-         tgt = self.src.setdefault(src_type, { })
-         cls = tgt.setdefault(tgt_type, { })
-         
-        if cls.has_key(obj_class):
-            access = cls[obj_class]
-+        if cls.has_key((obj_class, avc_type)):
-+            access = cls[obj_class, avc_type]
-         else:
-             access = AccessVector()
-             access.src_type = src_type
-             access.tgt_type = tgt_type
-             access.obj_class = obj_class
-            cls[obj_class] = access
-+            access.bools = bools
-+            access.type = avc_type
-+            cls[obj_class, avc_type] = access
- 
-         access.perms.update(perms)
-         if audit_msg:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/audit.py	2010-06-16 08:22:43.000000000 -0400
-@@ -68,6 +68,17 @@
-                               stdout=subprocess.PIPE).communicate()[0]
-     return output
- 
-+def get_log_msgs():
-+    """Obtain all of the avc and policy load messages from /var/log/messages.
-+
-+    Returns:
-+       string contain all of the audit messages returned by /var/log/messages.
-+    """
-+    import subprocess
-+    output = subprocess.Popen(["/bin/grep", "avc",  "/var/log/messages"],
-+                              stdout=subprocess.PIPE).communicate()[0]
-+    return output
-+
- # Classes representing audit messages
- 
- class AuditMessage:
-@@ -127,6 +138,9 @@
-             if fields[0] == "path":
-                 self.path = fields[1][1:-1]
-                 return
-+import selinux.audit2why as audit2why
-+
-+avcdict = {}
- 
- class AVCMessage(AuditMessage):
-     """AVC message representing an access denial or granted message.
-@@ -167,6 +181,8 @@
-         self.path = ""
-         self.accesses = []
-         self.denial = True
-+        self.type = audit2why.TERULE
-+        self.bools = []
- 
-     def __parse_access(self, recs, start):
-         # This is kind of sucky - the access that is in a space separated
-@@ -226,7 +242,31 @@
- 
-         if not found_src or not found_tgt or not found_class or not found_access:
-             raise ValueError("AVC message in invalid format [%s]\n" % self.message)
-                
-+        self.analyze()
-+
-+    def analyze(self):
-+        tcontext = self.tcontext.to_string()
-+        scontext = self.scontext.to_string()
-+        access_tuple = tuple( self.accesses)
-+        if (scontext, tcontext, self.tclass, access_tuple) in avcdict.keys():
-+            self.type, self.bools = avcdict[(scontext, tcontext, self.tclass, access_tuple)]
-+        else:
-+            self.type, self.bools = audit2why.analyze(scontext, tcontext, self.tclass, self.accesses);
-+            if self.type == audit2why.NOPOLICY:
-+                self.type = audit2why.TERULE
-+            if self.type == audit2why.BADTCON:
-+                raise ValueError("Invalid Target Context %s\n" % tcontext)
-+            if self.type == audit2why.BADSCON:
-+                raise ValueError("Invalid Source Context %s\n" % scontext)
-+            if self.type == audit2why.BADSCON:
-+                raise ValueError("Invalid Type Class %s\n" % self.tclass)
-+            if self.type == audit2why.BADPERM:
-+                raise ValueError("Invalid permission %s\n" % " ".join(self.accesses))
-+            if self.type == audit2why.BADCOMPUTE:
-+                raise ValueError("Error during access vector computation")
-+            
-+            avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.bools)
-+
- class PolicyLoadMessage(AuditMessage):
-     """Audit message indicating that the policy was reloaded."""
-     def __init__(self, message):
-@@ -469,10 +509,10 @@
-             if avc_filter:
-                 if avc_filter.filter(avc):
-                     av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
-                               avc.accesses, avc)
-+                               avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
-             else:
-                 av_set.add(avc.scontext.type, avc.tcontext.type, avc.tclass,
-                           avc.accesses, avc)
-+                           avc.accesses, avc, avc_type=avc.type, bools=avc.bools)
-         return av_set
- 
- class AVCTypeFilter:
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/defaults.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py
--- nsasepolgen/src/sepolgen/defaults.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/defaults.py	2010-06-16 08:22:43.000000000 -0400
-@@ -30,6 +30,9 @@
- def interface_info():
-     return data_dir() + "/interface_info"
- 
-+def attribute_info():
-+    return data_dir() + "/attribute_info"
-+
- def refpolicy_devel():
-     return "/usr/share/selinux/devel"
- 
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/interfaces.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py
--- nsasepolgen/src/sepolgen/interfaces.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/interfaces.py	2010-06-16 08:22:43.000000000 -0400
-@@ -29,6 +29,8 @@
- 
- from sepolgeni18n import _
- 
-+import copy
-+
- class Param:
-     """
-     Object representing a paramater for an interface.
-@@ -197,10 +199,48 @@
-                 ret = 1
- 
-     return ret
-            
-+
-+class AttributeVector:
-+    def __init__(self):
-+        self.name = ""
-+        self.access = access.AccessVectorSet()
-+
-+    def add_av(self, av):
-+        self.access.add_av(av)
-+
-+class AttributeSet:
-+    def __init__(self):
-+        self.attributes = { }
-+
-+    def add_attr(self, attr):
-+        self.attributes[attr.name] = attr
-+
-+    def from_file(self, fd):
-+        def parse_attr(line):
-+            fields = line[1:-1].split()
-+            if len(fields) != 2 or fields[0] != "Attribute":
-+                raise SyntaxError("Syntax error Attribute statement %s" % line)
-+            a = AttributeVector()
-+            a.name = fields[1]
-+
-+            return a
-+
-+        a = None
-+        for line in fd:
-+            line = line[:-1]
-+            if line[0] == "[":
-+                if a:
-+                    self.add_attr(a)
-+                a = parse_attr(line)
-+            elif a:
-+                l = line.split(",")
-+                av = access.AccessVector(l)
-+                a.add_av(av)
-+        if a:
-+            self.add_attr(a)
- 
- class InterfaceVector:
-    def __init__(self, interface=None):
-+    def __init__(self, interface=None, attributes={}):
-         # Enabled is a loose concept currently - we are essentially
-         # not enabling interfaces that we can't handle currently.
-         # See InterfaceVector.add_ifv for more information.
-@@ -214,10 +254,10 @@
-         # value: Param object).
-         self.params = { }
-         if interface:
-            self.from_interface(interface)
-+            self.from_interface(interface, attributes)
-         self.expanded = False
- 
-    def from_interface(self, interface):
-+    def from_interface(self, interface, attributes={}):
-         self.name = interface.name
- 
-         # Add allow rules
-@@ -232,6 +272,23 @@
-             for av in avs:
-                 self.add_av(av)
- 
-+        # Add typeattribute access
-+        if attributes != None:
-+            for typeattribute in interface.typeattributes():
-+                for attr in typeattribute.attributes:
-+                    if not attributes.attributes.has_key(attr):
-+                        # print "missing attribute " + attr
-+                        continue
-+                    attr_vec = attributes.attributes[attr]
-+                    for a in attr_vec.access:
-+                        av = copy.copy(a)
-+                        if av.src_type == attr_vec.name:
-+                            av.src_type = typeattribute.type
-+                        if av.tgt_type == attr_vec.name:
-+                            av.tgt_type = typeattribute.type
-+                        self.add_av(av)
-+
-+
-         # Extract paramaters from roles
-         for role in interface.roles():
-             if role_extract_params(role, self.params):
-@@ -346,13 +403,13 @@
-                 l = self.tgt_type_map.setdefault(type, [])
-                 l.append(ifv)
- 
-    def add(self, interface):
-        ifv = InterfaceVector(interface)
-+    def add(self, interface, attributes={}):
-+        ifv = InterfaceVector(interface, attributes)
-         self.add_ifv(ifv)
- 
-    def add_headers(self, headers, output=None):
-+    def add_headers(self, headers, output=None, attributes={}):
-         for i in itertools.chain(headers.interfaces(), headers.templates()):
-            self.add(i)
-+            self.add(i, attributes)
- 
-         self.expand_ifcalls(headers)
-         self.index()
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/matching.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py
--- nsasepolgen/src/sepolgen/matching.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/matching.py	2010-06-16 08:22:43.000000000 -0400
-@@ -50,7 +50,7 @@
-                 return 1
- 
- class MatchList:
-    DEFAULT_THRESHOLD = 120
-+    DEFAULT_THRESHOLD = 150
-     def __init__(self):
-         # Match objects that pass the threshold
-         self.children = []
-@@ -63,14 +63,15 @@
-     def best(self):
-         if len(self.children):
-             return self.children[0]
-        else:
-            return None
-+        if len(self.bastards):
-+            return self.bastards[0]
-+        return None
- 
-     def __len__(self):
-         # Only return the length of the matches so
-         # that this can be used to test if there is
-         # a match.
-        return len(self.children)
-+        return len(self.children) + len(self.bastards)
- 
-     def __iter__(self):
-         return iter(self.children)
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/policygen.py	2010-06-21 10:10:01.000000000 -0400
-@@ -29,6 +29,8 @@
- import access
- import interfaces
- import matching
-+import selinux.audit2why as audit2why
-+from setools import *
- 
- # Constants for the level of explanation from the generation
- # routines
-@@ -77,6 +79,7 @@
- 
-         self.dontaudit = False
- 
-+        self.domains = None
-     def set_gen_refpol(self, if_set=None, perm_maps=None):
-         """Set whether reference policy interfaces are generated.
- 
-@@ -151,8 +154,41 @@
-             rule = refpolicy.AVRule(av)
-             if self.dontaudit:
-                 rule.rule_type = rule.DONTAUDIT
-+            rule.comment = ""
-             if self.explain:
-                rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
-+                rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
-+            if av.type == audit2why.ALLOW:
-+                rule.comment += "#!!!! This avc is allowed in the current policy\n" 
-+            if av.type == audit2why.DONTAUDIT:
-+                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n" 
-+
-+            if av.type == audit2why.BOOLEAN:
-+                if len(av.bools) > 1:
-+                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.bools))
-+                else:
-+                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.bools[0][0]
-+
-+            if av.type == audit2why.CONSTRAINT:
-+                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n" 
-+                rule.comment += "#Contraint rule: "
-+
-+            if av.type == audit2why.TERULE:
-+                if "write" in av.perms:
-+                    if "dir" in av.obj_class or "open" in av.perms:
-+                        if not self.domains:
-+                            self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
-+                        types=[]
-+                        
-+                        try:
-+                            for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
-+                                if i not in self.domains:
-+                                    types.append(i)
-+                            if len(types) == 1:
-+                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                            elif len(types) >= 1:
-+                                rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
-+                        except:
-+                            pass
-             self.module.children.append(rule)
- 
- 
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/sepolgen/refparser.py	2010-06-16 08:22:43.000000000 -0400
-@@ -1044,7 +1044,7 @@
-         # of misc_macros. We are just going to pretend that this is an interface
-         # to make the expansion work correctly.
-         can_exec = refpolicy.Interface("can_exec")
-        av = access.AccessVector(["$1","$2","file","execute_no_trans","read",
-+        av = access.AccessVector(["$1","$2","file","execute_no_trans","open", "read",
-                                   "getattr","lock","execute","ioctl"])
- 
-         can_exec.children.append(refpolicy.AVRule(av))
-diff --exclude-from=exclude -N -u -r nsasepolgen/src/share/perm_map policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map
--- nsasepolgen/src/share/perm_map	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/sepolgen-1.0.23/src/share/perm_map	2010-06-16 08:22:43.000000000 -0400
-@@ -124,7 +124,7 @@
-           quotamod     w           1
-           quotaget     r           1
- 
-class file 20
-+class file 21
-   execute_no_trans     r           1
-         entrypoint     r           1
-            execmod     n           1
-@@ -141,48 +141,50 @@
-             unlink     w           1
-               link     w           1
-             rename     w           5
-           execute     r           100
-+           execute     r           10
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
-class dir 22
-          add_name     w           5
-+class dir 23
-+          add_name     w           1
-        remove_name     w           1
-           reparent     w           1
-             search     r           1
-              rmdir     b           1
-              ioctl     n           1
-              read     r          10
-             write     w          10
-+              read     r           1
-+             write     w           1
-             create     w           1
-           getattr     r           7
-           setattr     w           7
-+           getattr     r           1
-+           setattr     w           1
-               lock     n           1
-       relabelfrom     r           10
-         relabelto     w           10
-+       relabelfrom     r           1
-+         relabelto     w           1
-             append     w           1
-             unlink     w           1
-               link     w           1
-            rename     w           5
-+            rename     w           1
-            execute     r           1
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
- class fd 1
-                use     b           1
- 
-class lnk_file 17
-+class lnk_file 18
-              ioctl     n           1
-              read     r          10
-             write     w          10
-+              read     r           1
-+             write     w           1
-             create     w           1
-           getattr     r           7
-           setattr     w           7
-+           getattr     r           1
-+           setattr     w           1
-               lock     n           1
-       relabelfrom     r           10
-         relabelto     w           10
-+       relabelfrom     r           1
-+         relabelto     w           1
-             append     w           1
-             unlink     w           1
-               link     w           1
-@@ -191,8 +193,9 @@
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
-class chr_file 20
-+class chr_file 21
-   execute_no_trans     r           1
-         entrypoint     r           1
-            execmod     n           1
-@@ -213,8 +216,9 @@
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
-class blk_file 17
-+class blk_file 18
-              ioctl     n           1
-               read     r          10
-              write     w          10
-@@ -232,8 +236,9 @@
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
-class sock_file 17
-+class sock_file 18
-              ioctl     n           1
-               read     r          10
-              write     w          10
-@@ -251,8 +256,9 @@
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
-class fifo_file 17
-+class fifo_file 18
-              ioctl     n           1
-               read     r          10
-              write     w          10
-@@ -270,6 +276,7 @@
-             swapon     b           1
-            quotaon     b           1
-            mounton     b           1
-+	      open     r	   1
- 
- class socket 22
-              ioctl     n           1
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
--- a/73
+++ b/73
@ -0,0 +1,73 @@
+#!/bin/bash
+#
+# Do automatic relabelling
+#
+
+# . /etc/init.d/functions
+
+# If the user has this (or similar) UEFI boot order:
+#
+#             Windows | grub | Linux
+#
+# And decides to boot into grub/Linux, then the reboot at the end of autorelabel
+# would cause the system to boot into Windows again, if the autorelabel was run.
+#
+# This function restores the UEFI boot order, so the user will boot into the
+# previously set (and expected) partition.
+efi_set_boot_next() {
+    # NOTE: The [ -x /usr/sbin/efibootmgr ] test is not sufficent -- it could
+    #       succeed even on system which is not EFI-enabled...
+    if ! efibootmgr > /dev/null 2>&1; then
+        return
+    fi
+
+    # NOTE: It it possible that some other services might be setting the
+    #       'BootNext' item for any reasons, and we shouldn't override it if so.
+    if ! efibootmgr | grep --quiet -e 'BootNext'; then
+        CURRENT_BOOT="$(efibootmgr | grep -e 'BootCurrent' | sed -re 's/(^.+:[[:space:]]*)([[:xdigit:]]+)/\2/')"
+        efibootmgr -n "${CURRENT_BOOT}" > /dev/null 2>&1
+    fi
+}
+
+relabel_selinux() {
+    # if /sbin/init is not labeled correctly this process is running in the
+    # wrong context, so a reboot will be required after relabel
+    AUTORELABEL=
+    . /etc/selinux/config
+    echo "0" > /sys/fs/selinux/enforce
+    [ -x /bin/plymouth ] && plymouth --quit
+
+    if [ "$AUTORELABEL" = "0" ]; then
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required. "
+	echo $"*** /etc/selinux/config indicates you want to manually fix labeling"
+	echo $"*** problems. Dropping you to a shell; the system will reboot"
+	echo $"*** when you leave the shell."
+	sulogin
+
+    else
+	echo
+	echo $"*** Warning -- SELinux ${SELINUXTYPE} policy relabel is required."
+	echo $"*** Relabeling could take a very long time, depending on file"
+	echo $"*** system size and speed of hard drives."
+
+	FORCE=`cat /.autorelabel`
+        [ -x "/usr/sbin/quotaoff" ] && /usr/sbin/quotaoff -aug
+	/sbin/fixfiles $FORCE restore
+    fi
+
+    rm -f  /.autorelabel
+    /usr/lib/dracut/dracut-initramfs-restore
+    efi_set_boot_next
+    if [ -x /usr/bin/grub2-editenv ]; then
+        grub2-editenv - incr boot_indeterminate >/dev/null 2>&1
+    fi
+    sync
+    systemctl --force reboot
+}
+
+# Check to see if a full relabel is needed
+if [ "$READONLY" != "yes" ]; then
+    restorecon $(awk '!/^#/ && $4 !~ /noauto/ && $2 ~ /^\// { print $2 }' /etc/fstab) >/dev/null 2>&1
+    relabel_selinux
+fi
--- a/selinux-autorelabel-generator.sh
+++ b/selinux-autorelabel-generator.sh
@ -0,0 +1,29 @@
+#!/bin/sh
+
+# This systemd.generator(7) detects if SELinux is running and if the
+# user requested an autorelabel, and if so sets the default target to
+# selinux-autorelabel.target, which will cause the filesystem to be
+# relabelled and then the system will reboot again and boot into the
+# real default target.
+
+PATH=/usr/sbin:$PATH
+unitdir=/usr/lib/systemd/system
+
+# If invoked with no arguments (for testing) write to /tmp.
+earlydir="/tmp"
+if [ -n "$2" ]; then
+    earlydir="$2"
+fi
+
+set_target ()
+{
+    ln -sf "$unitdir/selinux-autorelabel.target" "$earlydir/default.target"
+}
+
+if selinuxenabled; then
+    if test -f /.autorelabel; then
+        set_target
+    elif grep -sqE "\bautorelabel\b" /proc/cmdline; then
+        set_target
+    fi
+fi
--- a/selinux-autorelabel-mark.service
+++ b/selinux-autorelabel-mark.service
@ -0,0 +1,18 @@
+[Unit]
+Description=Mark the need to relabel after reboot
+DefaultDependencies=no
+Requires=local-fs.target
+Conflicts=shutdown.target
+After=local-fs.target
+Before=sysinit.target shutdown.target
+ConditionSecurity=!selinux
+ConditionPathIsDirectory=/etc/selinux
+ConditionPathExists=!/.autorelabel
+
+[Service]
+ExecStart=-/bin/touch /.autorelabel
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=sysinit.target
--- a/selinux-autorelabel.service
+++ b/selinux-autorelabel.service
@ -0,0 +1,14 @@
+[Unit]
+Description=Relabel all filesystems
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=sysinit.target
+Before=shutdown.target
+ConditionSecurity=selinux
+
+[Service]
+ExecStart=/usr/libexec/selinux/selinux-autorelabel
+Type=oneshot
+TimeoutSec=0
+RemainAfterExit=yes
+StandardOutput=journal+console
--- a/selinux-autorelabel.target
+++ b/selinux-autorelabel.target
@ -0,0 +1,7 @@
+[Unit]
+Description=Relabel all filesystems and reboot
+DefaultDependencies=no
+Requires=sysinit.target selinux-autorelabel.service
+Conflicts=shutdown.target
+After=sysinit.target selinux-autorelabel.service
+ConditionSecurity=selinux
--- a/selinux-polgengui.console
+++ b/selinux-polgengui.console
@ -1,3 +0,0 @@
-USER=root
-PROGRAM=/usr/share/system-config-selinux/polgengui.py
-SESSION=true
--- a/selinux-polgengui.desktop
+++ b/selinux-polgengui.desktop
@ -1,18 +0,0 @@
-[Desktop Entry]
-Name=SELinux Policy Generation Tool
-Name[ja]="SELinux ポリシー生成ツール"
-Name[nl]="SELinux tactiek generatie gereedschap"
-Name[pl]="Narzędzie tworzenia polityki SELinuksa"
-Name[es]="Herramienta de Generación de Políticas de SELinux"
-Comment=Generate SELinux policy modules
-Comment[ja]="新しいポリシーモジュールの作成"
-Comment[nl]="Maak een SELinux tactiek module aan"
-Comment[pl]="Tworzenie nowych modułów polityki SELinuksa"
-Comment[es]="Generar módulos de política de SELinux"
-StartupNotify=true
-Icon=system-config-selinux
-Exec=/usr/bin/selinux-polgengui
-Type=Application
-Terminal=false
-Categories=System;Security;
-X-Desktop-File-Install-Version=0.2
--- a/sepolicy-help.tgz
+++ b/sepolicy-help.tgz
--- a/sepolicy-icons.tgz
+++ b/sepolicy-icons.tgz
--- a/14
+++ b/14
@ -1,3 +1,11 @@
-49faa2e5f343317bcfcf34d7286f6037  sepolgen-1.0.23.tgz
-85a84b4521dfdde649d0143e15f724f9  policycoreutils-2.0.83.tgz
-59d33101d57378ce69889cc078addf90  policycoreutils_man_ru2.tar.bz2
+SHA512 (policycoreutils-3.1.tar.gz) = 0592f218563a99ba95d2cfd07fdc3761b61c1cc3c01a17ab89ad840169e1a7d4083521d5cacc72d1b76911d516bf592db7a3f90d9ef0cc11ceed007e4580e140
+SHA512 (restorecond-3.1.tar.gz) = cdcf299f48b89a7c641ded9507b9b966bf648497394f8e988a9cb1ceb3224c86369706027f3416a4f9750836f7a8f4580a4b3df76673e03f897b383d7ed0e2c8
+SHA512 (selinux-dbus-3.1.tar.gz) = d5e1715539ec9aeef2285fc141617b7c25f39ddacc3968d2d19722553b97b873632545a2c7002faef44b671604b2cfca52e9624c57cedbae64d616a080cc955f
+SHA512 (selinux-gui-3.1.tar.gz) = c8bd618da3bd1dcc8aeb470e8410765ea7d38e861b0be78aaddaa5384ec3de12d364de1b63e2d9e3262e1179463f0ee78cb60f11ab72c996899bd72af137ae7c
+SHA512 (selinux-python-3.1.tar.gz) = 5dd98f77ae8ea8bac6a89ec7def76e12496b9a9f8c9612c4cc1dac7a8e8c60380a00c857426bfefbcb4273706addd2594e9b467f69408ef284f082a09d45bd49
+SHA512 (selinux-sandbox-3.1.tar.gz) = e9a772c720704de3fc33a70316780d5995442a1e25ba7df6dc68dd7b7a4eb59dfd2b68e4576051053fe81fbea207fcb1648baad3ea2d56d5b3005e9ca4b8ceb7
+SHA512 (semodule-utils-3.1.tar.gz) = b92794bbfbce5834ee7f62fddb40b5506e9291e8fa7c5d669b2e281089b8f8dc40c4522ea287ac5deffdaee751442ba8e691e2ac45fdd378b60d5d6b2527d157
+SHA512 (gui-po.tgz) = 8e0855256b825eea422b8e2b82cc0decf66b902c9930840905c5ad5dda7bef3679943a22db62709907d48f8a331d67edc5efed3e2638b53e379959b14077b4ea
+SHA512 (policycoreutils-po.tgz) = 66b908f7a167225bebded46f9cf92f42eb194daa2a083d48de43c2a5d33fa42724c5add0a9d029ac9d62c500f6f1c8d3bc138dd598b1fd97e609d7cc7160be72
+SHA512 (python-po.tgz) = 7f2a082b77c7b4417d5d3dac35d86dd635635a9c05a80e5f9284d03604e2f2a06ec879fb29b056d1a46d3fc448cd76e6fd25196834c18a161fd6677f2e11b2be
+SHA512 (sandbox-po.tgz) = 3d4b389b56bab1a6dddce9884dcebdefbefd1017fec6d987ac22a0705f409ed56722387aaca8fe7d9c468862136387bc703062e2b6de8fd102e13fed04ce811b
--- a/system-config-selinux.console
+++ b/system-config-selinux.console
@ -1,3 +0,0 @@
-USER=root
-PROGRAM=/usr/share/system-config-selinux/system-config-selinux.py
-SESSION=true
--- a/system-config-selinux.desktop
+++ b/system-config-selinux.desktop
@ -1,18 +0,0 @@
-[Desktop Entry]
-Name=SELinux Management
-Name[jp]="SELinux 管理"
-Name[nl]="SELinux beheer"
-Name[pl]="Zarządzanie SELinuksem"
-Name[es]="Administración de SELinux"
-Comment=Configure SELinux in a graphical setting
-Comment[jp]="グラフィカルな設定画面で SELinux を設定する"
-Comment[nl]="Configureer SELinux in een grafische omgeving"
-Comment[pl]="Konfiguracja SELinuksa w trybie graficznym"
-Comment[es]="Defina SELinux en una configuración de interfaz gráfica"
-StartupNotify=true
-Icon=system-config-selinux
-Exec=/usr/bin/system-config-selinux
-Type=Application
-Terminal=false
-Categories=System;Security;
-X-Desktop-File-Install-Version=0.2
--- a/system-config-selinux.pam
+++ b/system-config-selinux.pam
@ -1,8 +0,0 @@
-#%PAM-1.0
-auth       sufficient	pam_rootok.so
-auth       sufficient   pam_timestamp.so
-auth       include	system-auth
-session	   required	pam_permit.so
-session    optional	pam_xauth.so
-session    optional     pam_timestamp.so
-account    required	pam_permit.so
--- a/tests/CIL-modules-without-compilation/Makefile
+++ b/tests/CIL-modules-without-compilation/Makefile
@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+#   Description: What the test does
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     What the test does" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHEL6 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/CIL-modules-without-compilation/PURPOSE
+++ b/tests/CIL-modules-without-compilation/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+Author: Milos Malik <mmalik@redhat.com>
+
+Is it possible to manage policy modules written in CIL without any compilation? Does semanage and semodule understand them?
+
--- a/tests/CIL-modules-without-compilation/runtest.sh
+++ b/tests/CIL-modules-without-compilation/runtest.sh
@ -0,0 +1,73 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/CIL-modules-without-compilation
+#   Description: What the test does
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "echo '()' > empty.cil"
+        rlRun "echo '(())' > invalid.cil"
+    rlPhaseEnd
+
+    rlPhaseStartTest "empty CIL module"
+        rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
+        rlRun "semodule -i empty.cil"
+        rlRun "semodule -lfull | grep '400.*empty.*cil'"
+        rlRun "semodule -r empty"
+        rlRun "semodule -lfull | grep '400.*empty.*cil'" 1
+        rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
+        rlRun "semanage module -a empty.cil"
+        rlRun "semanage module -l | grep 'empty.*400.*cil'"
+        rlRun "semanage module -r empty"
+        rlRun "semanage module -l | grep 'empty.*400.*cil'" 1
+    rlPhaseEnd
+
+    rlPhaseStartTest "invalid CIL module"
+        rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+        rlRun "semodule -i invalid.cil" 1
+        rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+        rlRun "semodule -r invalid" 1
+        rlRun "semodule -lfull | grep '400.*invalid.*cil'" 1
+        rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+        rlRun "semanage module -a invalid.cil" 1
+        rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+        rlRun "semanage module -r invalid" 1
+        rlRun "semanage module -l | grep 'invalid.*400.*cil'" 1
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f empty.cil invalid.cil"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/linux-system-roles.selinux-tests/Makefile
+++ b/tests/linux-system-roles.selinux-tests/Makefile
@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of selinux-ansible-playbook
+#   Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
+#   Author: Petr Lautrbach <plautrba@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2018 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=linux-system-roles.selinux-tests
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Petr Lautrbach <plautrba@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils ansible git" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/linux-system-roles.selinux-tests/PURPOSE
+++ b/tests/linux-system-roles.selinux-tests/PURPOSE
@ -0,0 +1,4 @@
+PURPOSE of selinux-ansible-playbook
+Author: Petr Lautrbach <plautrba@redhat.com>
+
+Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
--- a/tests/linux-system-roles.selinux-tests/runtest.sh
+++ b/tests/linux-system-roles.selinux-tests/runtest.sh
@ -0,0 +1,57 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Description: Run linux-system-roles.selinux (https://github.com/linux-system-roles/selinux.git) Ansible role tests
+#   Author: Petr Lautrbach <plautrba@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2018 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlAssertRpm "git"
+        rlAssertRpm "ansible"
+
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "git clone https://github.com/linux-system-roles/selinux.git"
+	rlRun "cd selinux/test"
+
+	for ansible_test in test_*.yml; do
+            rlRun "ansible-playbook -i localhost, -c local -v $ansible_test"
+	done
+
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+	rlRun "cd ../../"
+        rlRun "rm -rf selinux"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/load_policy/Makefile
+++ b/tests/load_policy/Makefile
@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/load_policy
+#   Description: Does load_policy work as expected? Does it produce correct audit messages?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/load_policy
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does load_policy work as expected? Does it produce correct audit messages?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        audit policycoreutils selinux-policy-targeted" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/load_policy/PURPOSE
+++ b/tests/load_policy/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/load_policy
+Author: Milos Malik <mmalik@redhat.com>
+
+Does load_policy work as expected? Does it produce correct audit messages?
+
--- a/tests/load_policy/runtest.sh
+++ b/tests/load_policy/runtest.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/load_policy
+#   Description: Does load_policy work as expected? Does it produce correct audit messages?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+if rlIsRHEL 6 ; then
+    SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+    SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlRun "ls -l `which load_policy`"
+        BINARY_POLICY=`find /etc/selinux/targeted -type f -name policy.?? | sort -n | tail -n 1`
+        rlRun "ls -l ${BINARY_POLICY}"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "load_policy --xyz 2>&1 | grep \"invalid option\""
+        rlRun "dmesg | grep -i selinux" 0,1
+        rlRun "grep -i selinux /proc/mounts"
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "load_policy -q"
+        rlRun "grep -i selinux /proc/mounts"
+        sleep 1
+        if rlIsRHEL ; then
+            rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
+        fi
+        rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
+        rlRun "umount ${SELINUX_FS_MOUNT}"
+        rlRun "grep -i selinux /proc/mounts" 1
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "load_policy -i ${BINARY_POLICY}"
+        rlRun "grep -i selinux /proc/mounts"
+        sleep 1
+        if rlIsRHEL ; then
+            rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep load_policy"
+        fi
+        rlRun "ausearch -m MAC_POLICY_LOAD -i -ts ${START_DATE_TIME} | grep 'policy loaded'"
+        rlRun "dmesg | grep -i selinux"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/restorecon/Makefile
+++ b/tests/restorecon/Makefile
@ -0,0 +1,70 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/restorecon
+#   Description: does restorecon work correctly ?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/restorecon
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te testpolicy.fc
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+	chcon -t bin_t runtest.sh;:
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     does restorecon work correctly ?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        15m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils" >> $(METADATA)
+	@echo "Requires:        grep" >> $(METADATA)
+	@echo "Requires:        e2fsprogs" >> $(METADATA)
+	@echo "Requires:        libselinux" >> $(METADATA)
+	@echo "Requires:        selinux-policy-devel" >> $(METADATA)
+	@echo "Requires:        libselinux-utils" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/restorecon/PURPOSE
+++ b/tests/restorecon/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/restorecon
+Author: Milos Malik <mmalik@redhat.com>
+
+Does restorecon work correctly?
+
--- a/tests/restorecon/runtest.sh
+++ b/tests/restorecon/runtest.sh
@ -0,0 +1,367 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/restorecon
+#   Description: does restorecon work correctly ?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlServiceStop mcstrans mcstransd
+        rlRun "rpm -qf `which restorecon` | grep ${PACKAGE}"
+        rlRun "setenforce 1"
+        rlRun "sestatus"
+        rlRun "setsebool allow_domain_fd_use on"
+    rlPhaseEnd
+
+    rlPhaseStartTest "Functional test"
+
+        TESTDIR="/opt/restorecon_testdir"
+        DIRS="correct.dir incorrect1.dir incorrect2.dir customizable.dir"
+        FILES="correct.file incorrect.file customizable.file"
+
+        rlRun "make -f /usr/share/selinux/devel/Makefile"
+        rlRun "semodule -i testpolicy.pp"
+
+        rlFileBackup /etc/selinux/targeted/contexts/customizable_types
+        rlRun "echo 'customizable_t' >> /etc/selinux/targeted/contexts/customizable_types"
+
+        # Here is the testing dirs and files structure
+        # all the files have initial context corresponding to their names
+
+        # ./
+        # correct.file
+        # incorrect.file
+        # customizable.file
+
+        # correct.dir/
+        #     correct.file
+        #     incorrect.file
+        #     customizable.file
+
+        # incorrect1.dir/
+        #     correct.file
+        #     incorrect.file
+        #     customizable.file
+
+        # incorrect2.dir/
+        #     correct.file
+        #     incorrect.file
+        #     customizable.file
+
+        # customizable.dir/
+        #     correct.file
+        #     incorrect.file
+        #     customizable.file
+
+        # Function to set initial contexts
+        function set_contexts {
+            # Set the intended contexts
+            rlLog "Setting initial contexts of testing dirs..."
+            restorecon -R $TESTDIR
+            for ITEM in `find . -name 'incorrect*'`; do
+                chcon -t incorrect_t $ITEM
+            done
+            for ITEM in `find . -name 'customizable*'`; do
+                chcon -t customizable_t $ITEM
+            done
+        }
+
+        # Check that files in dir $1 have the initial contexts
+        function check_initial_contexts {
+            if echo $1 | grep -q 'incorrect.dir'; then 
+                rlRun "ls -ladZ $1 | grep :incorrect_t"
+            elif echo $1 | grep -q 'correct.dir'; then
+                rlRun "ls -ladZ $1 | grep :correct_t"
+            elif echo $1 | grep -q 'customizable.dir'; then
+                rlRun "ls -ladZ $1 | grep :customizable_t"
+            fi
+            rlRun "ls -ladZ $1/* | grep '\<correct.file' | grep ':correct_t'"
+            rlRun "ls -ladZ $1/* | grep '\<incorrect.file' | grep ':incorrect_t'"
+            rlRun "ls -ladZ $1/* | grep '\<customizable.file' | grep ':customizable_t'"
+        }
+
+        # Check that files matching with $2 in dir $1 have context $3
+        function check_contexts {
+            COMMAND="find $1 -name '$2'"
+            for ITEM in `eval $COMMAND`; do
+                rlRun "ls -ladZ $ITEM | grep :$3";
+            done
+        }
+
+        # Create the testing dirs and files
+        rlRun "mkdir -p $TESTDIR"
+        rlRun "pushd $TESTDIR"
+        rlRun "mkdir $DIRS"
+        rlRun "touch $FILES"
+        for DIR in $DIRS; do
+            rlRun "pushd $DIR"
+            rlRun "touch $FILES"
+            rlRun "popd"
+        done
+
+        set_contexts
+
+        echo
+        rlLog "Checking initial contexts of testing dirs..."
+        # Check the contexts are set properly
+        check_initial_contexts '.'
+        check_initial_contexts 'incorrect1.dir'
+        check_initial_contexts 'incorrect2.dir'
+        check_initial_contexts 'correct.dir'
+        check_initial_contexts 'customizable.dir'
+        check_contexts '.' 'incorrect*' 'incorrect_t'
+        check_contexts '.' 'correct*' 'correct_t'
+        check_contexts '.' 'customizable*' 'customizable_t'
+
+        # -e directory
+        #     exclude a directory (repeat the option to exclude more than one directory).
+
+        echo
+        rlLog "-e directory"
+        set_contexts
+        rlRun "restorecon -RF -e $TESTDIR/incorrect2.dir $TESTDIR"
+        for ITEM in `ls *.file`; do rlRun "ls -ladZ $ITEM | grep correct_t"; done
+        check_contexts 'incorrect1.dir' '*' 'correct_t'
+        check_contexts 'customizable.dir' '*' 'correct_t'
+        check_initial_contexts 'incorrect2.dir'
+        rlRun "ls -ladZ incorrect2.dir | grep incorrect_t"
+
+        # -f infilename
+        #     infilename contains a list of files to be processed. Use - for stdin.
+
+        echo
+        rlLog "-f filename"
+        set_contexts
+        rlRun "cat > ../file_list <<EOF
+./customizable.file
+./customizable.dir
+./correct.dir/customizable.file
+./incorrect1.dir/customizable.file
+./incorrect2.dir/customizable.file
+./customizable.dir/customizable.file
+EOF"
+        if rlIsRHEL 5; then chcon -t file_t ../file_list ;fi
+        rlRun "restorecon -F -f ../file_list"
+        check_contexts '.' 'incorrect*' 'incorrect_t'
+        check_contexts '.' 'correct*' 'correct_t'
+        check_contexts '.' 'customizable*' 'correct_t'
+        rlRun "rm -f ../file_list"
+
+
+        echo
+        rlLog "-f -       Input from stdin"
+        set_contexts
+        rlRun "echo -e 'incorrect2.dir\ncustomizable.file\nincorrect.file' | restorecon -f -"
+        check_initial_contexts 'incorrect1.dir'
+        check_initial_contexts 'correct.dir'
+        check_initial_contexts 'customizable.dir'
+        check_contexts 'incorrect2' '*' 'correct_t'
+        rlRun "ls -ladZ customizable.file | grep customizable_t"
+        rlRun "ls -ladZ incorrect.file | grep :correct_t"
+
+        # -F  Force reset of context to match file_context for customizable files, and
+        #     the default file context, changing the user, role, range portion as well
+        #     as the type.
+
+        echo
+        rlLog "-F     Force reset of customizable types"
+        set_contexts
+        rlRun "restorecon -RF $TESTDIR"
+        check_contexts '.' '*' 'correct_t'
+
+    # This feature is from RHEL6 further
+    if ! rlIsRHEL; then
+        echo
+        rlLog "-F     Force reset of the whole context"
+        set_contexts
+        chcon -u staff_u *.file
+        rlRun "ls -laZ correct.file | grep staff_u"
+        rlRun "ls -laZ incorrect.file | grep staff_u"
+        rlRun "ls -laZ customizable.file | grep staff_u"
+        rlRun "restorecon -R $TESTDIR"
+        rlRun "ls -laZ correct.file | grep staff_u"
+        rlRun "ls -laZ incorrect.file | grep staff_u"
+        rlRun "ls -laZ customizable.file | grep staff_u"
+        rlRun "restorecon -RF $TESTDIR"
+        rlRun "ls -laZ correct.file | grep system_u"
+        rlRun "ls -laZ incorrect.file | grep system_u"
+        rlRun "ls -laZ customizable.file | grep system_u"
+    fi
+ 
+        # -i  ignore files that do not exist.
+
+        rlRun "restorecon non-existent-file" 1-255
+        rlRun "restorecon -i non-existent-file"
+
+        # -n  don't change any file labels (passive check).
+
+        echo
+        rlLog "-n      dry-run"
+        set_contexts
+        rlRun "restorecon -RF -n $TESTDIR"
+        check_contexts '.' 'incorrect*' 'incorrect_t'
+        check_contexts '.' 'correct*' 'correct_t'
+        check_contexts '.' 'customizable*' 'customizable_t'
+
+        # -o outfilename
+        #     Deprecated,  SELinux  policy will probably block this access.  Use shell
+        #     redirection to save list of files with incorrect context in filename.
+
+        #  ----not tested yet 
+
+        # -R, -r change  files  and directories file labels recursively (descend directo‐
+        #     ries).
+        #     Note: restorecon reports warnings on paths without default  labels  only
+        #     if called non-recursively or in verbose mode.
+
+        set_contexts
+        rlRun "restorecon -R $TESTDIR"
+        check_contexts '.' '*corr*' 'correct_t'
+        check_contexts '.' 'customizable*' 'customizable_t'
+
+        #     ...by default it does not operate recursively on directories
+
+        set_contexts
+        rlRun "restorecon $TESTDIR"
+        check_initial_contexts 'incorrect1.dir'
+        check_initial_contexts 'incorrect2.dir'
+        check_initial_contexts 'correct.dir'
+        check_initial_contexts 'customizable.dir'
+        rlRun "ls -ladZ customizable.file | grep customizable_t"
+        rlRun "ls -ladZ incorrect.file | grep :incorrect_t"
+        rlRun "ls -ladZ correct.file | grep :correct_t"
+
+        # -v show changes in file labels, if type or role are going to be changed.
+
+        #  ----not tested yet 
+
+    # -0 option is not present in RHEL5
+    if ! rlIsRHEL 5; then
+        # -0 the  separator  for  the input items is assumed to be the null character
+        #     (instead of the white space).  The quotes and the  backslash  characters
+        #     are  also  treated as normal characters that can form valid input.  This
+        #     option finally also disables the end of file string,  which  is  treated
+        #     like  any  other  argument.  Useful when input items might contain white
+        #     space, quote marks or backslashes.  The -print0 option of GNU find  pro‐
+        #     duces input suitable for this mode.
+
+        echo
+        rlLog "-0"
+        set_contexts
+        rlRun "find . -print0 | restorecon -f - -0"
+        check_contexts '.' '*corr*' 'correct_t'
+        check_contexts '.' 'customizable*' 'customizable_t'
+
+        echo
+        rlLog "-0   with  -F"
+        set_contexts
+        rlRun "find . -print0 | restorecon -F -f - -0"
+        check_contexts '.' '*' 'correct_t'
+
+    fi
+
+        # If a file object does not have a context, restorecon will write the default
+        # context to the file object's extended attributes.
+
+        #  ----not tested yet 
+
+
+        # Cleanup
+
+        rlRun "popd"
+        rlRun "rm -rf /opt/restorecon_testdir"
+        rlFileRestore
+        rlRun "semodule -r testpolicy"
+    rlPhaseEnd
+
+    # This is RFE from RHEL6 and further versions
+    if ! rlIsRHEL 5;then
+    rlPhaseStartTest
+        # META-Fixed-In: policycoreutils-2.0.83-19.14.el6
+        rlRun "pushd /root"
+        rlRun "touch test-file"
+        rlRun "mkdir test-dir"
+        for ITEM in "test-file" "test-dir" ; do
+            rlRun "chcon -u staff_u -t shadow_t -l s0:c1 ${ITEM}"
+            rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:shadow_t:s0:c1"
+            rlRun "restorecon -v ${ITEM}" 0,1
+            rlRun "ls -dZ ${ITEM} | grep staff_u:object_r:admin_home_t:s0:c1"
+            rlRun "restorecon -F -v ${ITEM}" 0,1
+            rlRun "ls -dZ ${ITEM} | grep system_u:object_r:admin_home_t:s0"
+        done
+        rlRun "rm -rf test-dir"
+        rlRun "rm -f test-file"
+        rlRun "popd"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest
+        # META-Fixed-In: policycoreutils-2.0.83-19.16.el6
+        rlRun "pushd /root"
+        rlRun "touch test-file"
+        rlRun "mkdir test-dir"
+        for ITEM in "test-file" "test-dir" ; do
+            rlRun "chcon -t tmp_t ${ITEM}"
+            rlRun "ls -dZ ${ITEM}"
+            rlRun "chattr +i ${ITEM}"
+            rlRun "restorecon -v ${ITEM}" 1-255
+            rlRun "chattr -i ${ITEM}"
+            rlRun "ls -dZ ${ITEM}"
+            rlRun "restorecon -v ${ITEM}"
+            rlRun "ls -dZ ${ITEM}"
+        done
+        rlRun "rm -rf test-dir"
+        rlRun "rm -f test-file"
+        rlRun "popd"
+    rlPhaseEnd
+
+    # The bug was closed as NEXTRELEASE for RHEL5
+    if ! rlIsRHEL 5; then
+    rlPhaseStartTest
+        rlRun "touch ~/test-file"
+        rlRun "restorecon -vF ~/test-file"
+        rlRun "restorecon -vF ~/test-file | grep \"reset.*context\"" 1
+        rlRun "rm -f ~/test-file"
+
+        rlRun "mkdir ~/test-dir"
+        rlRun "restorecon -vF ~/test-dir"
+        rlRun "restorecon -vF ~/test-dir | grep \"reset.*context\"" 1
+        rlRun "rm -rf ~/test-dir"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartCleanup
+        rlServiceRestore mcstrans mcstransd
+    rlPhaseEnd
+    rlJournalPrintText
+rlJournalEnd
+
--- a/tests/restorecon/testpolicy.fc
+++ b/tests/restorecon/testpolicy.fc
@ -0,0 +1,2 @@
+/opt/restorecon_testdir(/.*)?	system_u:object_r:correct_t:s0
+
--- a/tests/restorecon/testpolicy.te
+++ b/tests/restorecon/testpolicy.te
@ -0,0 +1,19 @@
+policy_module(testpolicy, 1.0)
+
+require {
+    attribute domain;
+    type fs_t;
+}
+
+type correct_t;
+files_type(correct_t)
+type incorrect_t;
+files_type(incorrect_t)
+type customizable_t;
+files_type(customizable_t)
+
+
+#allow domain correct_t:dir relabelto;
+#allow correct_t fs_t:filesystem associate;
+
+
--- a/tests/semanage-interface/Makefile
+++ b/tests/semanage-interface/Makefile
@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Regression/semanage-interface
+#   Description: Does semanage interface ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-interface
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+	test -x runtest.sh || chcon -t bin_t runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does semanage interface ... work correctly?" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        20m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils policycoreutils-python-utils grep selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/semanage-interface/PURPOSE
+++ b/tests/semanage-interface/PURPOSE
@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-interface
+Description: Does semanage interface ... work correctly?
+Author: Milos Malik <mmalik@redhat.com>
+
--- a/tests/semanage-interface/runtest.sh
+++ b/tests/semanage-interface/runtest.sh
@ -0,0 +1,69 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Regression/semanage-interface
+#   Description: Does semanage interface ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "semanage interface --help" 0,1
+        for POLICY_TYPE in minimum mls targeted ; do
+            if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
+                continue
+            fi
+            rlRun "semanage interface -l -S ${POLICY_TYPE}"
+        done
+        if ! rlIsRHEL 5; then
+          rlRun "semanage interface -l -S unknown 2>&1 | grep \"store cannot be accessed\""
+        fi
+        rlRun "semanage interface -a -t xyz_t xyz 2>&1 | grep -i -e 'not defined' -e 'error' -e 'could not'"
+        rlRun "semanage interface -m xyz" 1,2
+        rlRun "semanage interface -d xyz" 1
+        rlRun "semanage interface -a -t netif_t xyz"
+        if rlIsRHEL 5 6; then
+            rlRun "semanage interface -m -r s0 xyz"
+        else
+            rlRun "semanage interface -m -t netif_t -r s0 xyz"
+        fi
+        rlRun "semanage interface -l | grep \"xyz.*:netif_t:s0\""
+        rlRun "semanage interface -d xyz"
+        rlRun "semanage interface -l | grep xyz" 1
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/semanage-login/Makefile
+++ b/tests/semanage-login/Makefile
@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Regression/semanage-login
+#   Description: Does semanage login ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-login
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+	test -x runtest.sh || chcon -t bin_t runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does semanage login ... work correctly?" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils policycoreutils-python-utils grep shadow-utils selinux-policy-minimum selinux-policy-mls selinux-policy-targeted" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/semanage-login/PURPOSE
+++ b/tests/semanage-login/PURPOSE
@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-login
+Description: Does semanage login ... work correctly?
+Author: Milos Malik <mmalik@redhat.com>
+
--- a/tests/semanage-login/runtest.sh
+++ b/tests/semanage-login/runtest.sh
@ -0,0 +1,67 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Regression/semanage-login
+#   Description: Does semanage login ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "semanage login --help" 0,1
+        for POLICY_TYPE in minimum mls targeted ; do
+            if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
+                continue
+            fi
+            rlRun "semanage login -l -S ${POLICY_TYPE}"
+        done
+        if ! rlIsRHEL 5; then
+          rlRun "semanage login -l -S unknown 2>&1 | grep \"store cannot be accessed\""
+        fi
+        rlRun "semanage login -a -s xyz_u xyz 2>&1 | grep -i -e 'does not exist' -e 'mapping.*invalid' -e 'could not query'"
+        rlRun "semanage login -m xyz" 1
+        rlRun "semanage login -d xyz" 1
+        rlRun "useradd xyz"
+        rlRun "semanage login -a -s user_u xyz"
+        rlRun "semanage login -m -r s0 xyz"
+        rlRun "semanage login -l | grep \"xyz.*user_u.*s0\""
+        rlRun "semanage login -d xyz"
+        rlRun "semanage login -l | grep xyz" 1
+        rlRun "userdel -rf xyz"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/semanage-permissive-d-problems/Makefile
+++ b/tests/semanage-permissive-d-problems/Makefile
@ -0,0 +1,70 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+#   Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+	chcon -t bin_t runtest.sh; :
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     semanage permissive -d accepts more than domain types, its behavior is not reliable" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        20m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils-python-utils" >> $(METADATA)
+	@echo "Requires:        policycoreutils-devel" >> $(METADATA)
+	@echo "Requires:        selinux-policy-devel" >> $(METADATA)
+	@echo "Requires:        grep" >> $(METADATA)
+	@echo "Requires:        coreutils" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELServer5 -RHELClient5" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/semanage-permissive-d-problems/PURPOSE
+++ b/tests/semanage-permissive-d-problems/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+Author: Milos Malik <mmalik@redhat.com>
+
+Does semanage permissive work correctly?
+
--- a/tests/semanage-permissive-d-problems/runtest.sh
+++ b/tests/semanage-permissive-d-problems/runtest.sh
@ -0,0 +1,93 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Regression/semanage-permissive-d-problems
+#   Description: semanage permissive -d accepts more than domain types, its behavior is not reliable
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlRun "rpm -qf /usr/sbin/semanage"
+        OUTPUT_FILE=`mktemp`
+        rlRun "sestatus"
+    rlPhaseEnd
+
+    if selinuxenabled ; then
+        rlPhaseStartTest
+            if rlIsRHEL 7 ; then
+                rlFileBackup /usr/share/selinux/default/Makefile
+                rlRun "rm -rf /usr/share/selinux/default/Makefile"
+            fi
+            rlRun "semanage permissive -l | grep fenced" 1
+            rlRun "semanage permissive -a fenced_t"
+            rlRun "semanage permissive -l | grep fenced"
+            rlRun "semanage permissive -d fenced_t"
+            rlRun "semanage permissive -l | grep fenced" 1
+            if rlIsRHEL 7 ; then
+                rlFileRestore
+            fi
+        rlPhaseEnd
+
+        rlPhaseStartTest
+            rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
+            rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
+            rlRun "semanage permissive -a ypbind_t"
+            rlRun "semanage permissive -a ypserv_t"
+            rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
+            rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
+            rlRun "semanage permissive -d yp" 1-255
+            rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
+            rlRun "wc -l < ${OUTPUT_FILE} | grep ^2$"
+            rlRun "semanage permissive -d ypbind_t"
+            rlRun "semanage permissive -d ypserv_t"
+            rlRun "semanage permissive -l 2>&1 | grep -e ypserv_t -e ypbind_t | tee ${OUTPUT_FILE}"
+            rlRun "wc -l < ${OUTPUT_FILE} | grep ^0$"
+        rlPhaseEnd
+
+        rlPhaseStartTest
+            rlRun -s "semanage permissive -d" 1
+            rlAssertNotGrep 'traceback' $rlRun_LOG -iEq
+            rlAssertGrep 'error: the following argument is required: type' $rlRun_LOG -iEq
+            rm -f $rlRun_LOG
+        rlPhaseEnd
+    else
+        rlPhaseStartTest
+            rlRun "semanage permissive -l >& ${OUTPUT_FILE}" 0,1
+            rlRun "grep -C 32 -i -e exception -e traceback -e error ${OUTPUT_FILE}" 1
+        rlPhaseEnd
+    fi
+
+    rlPhaseStartCleanup
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/semanage-port-add-delete-problems/Makefile
+++ b/tests/semanage-port-add-delete-problems/Makefile
@ -0,0 +1,71 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
+#   Description: semanage accepts invalid port numbers and then cannot delete them
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+	chcon -t bin_t runtest.sh;:
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     semanage accepts invalid port numbers and then cannot delete them" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        15m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils-python-utils" >> $(METADATA)
+	@echo "Requires:        setools-console" >> $(METADATA)
+	@echo "Requires:        libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux-utils" >> $(METADATA)
+	@echo "Requires:        coreutils" >> $(METADATA)
+	@echo "Requires:        grep" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/semanage-port-add-delete-problems/PURPOSE
+++ b/tests/semanage-port-add-delete-problems/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
+Author: Milos Malik <mmalik@redhat.com>
+
+semanage accepts invalid port numbers and then cannot delete them
+
--- a/tests/semanage-port-add-delete-problems/runtest.sh
+++ b/tests/semanage-port-add-delete-problems/runtest.sh
@ -0,0 +1,137 @@
+#!/bin/bash
+# vim: dict=/usr/share/rhts-library/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Regression/semanage-port-add-delete-problems
+#   Description: semanage accepts invalid port numbers and then cannot delete them
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2009 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+PORT_NAME="ldap_port_t"
+BAD_PORT_NUMBER="123456"
+GOOD_PORT_NUMBER="1389"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlRun "rpm -qf /usr/sbin/semanage"
+        rlRun "rpm -qf /usr/bin/seinfo"
+        OUTPUT_FILE=`mktemp`
+        rlRun "setenforce 1"
+        rlRun "sestatus"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "semanage port -l | grep ${PORT_NAME}"
+
+        rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
+        rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
+        rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
+        rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${BAD_PORT_NUMBER}" 1
+        rlRun "semanage port -l | grep ${PORT_NAME} | tee -a ${OUTPUT_FILE}"
+        #rlRun "sort ${OUTPUT_FILE} | uniq | wc -l | grep '^2$'"
+
+        rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
+        rlRun "semanage port -a -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
+        rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}"
+        rlRun "semanage port -d -t ${PORT_NAME} -p tcp ${GOOD_PORT_NUMBER}"
+        rlRun "semanage port -l | grep ${PORT_NAME} | grep ${GOOD_PORT_NUMBER}" 1
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "semanage port -a -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
+        rlRun "semanage port -l | grep syslogd_port_t"
+        rlRun "semanage port -d -t syslogd_port_t -p tcp 60514-60516 2>&1 | grep -i traceback" 1
+    rlPhaseEnd
+
+    if rlIsRHEL ; then
+    rlPhaseStartTest
+        rlRun "ps -efZ | grep -v grep | grep \"auditd_t.*auditd\""
+        if rlIsRHEL 5 6; then
+            PORT_TYPE="syslogd_port_t"
+        else
+            PORT_TYPE="commplex_link_port_t"
+        fi
+
+        # adding a port number to a type
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "semanage port -a -p tcp -t $PORT_TYPE 5005"
+        sleep 2
+
+        # Check for user_avc
+        rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
+        LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
+        rlRun "cat ${OUTPUT_FILE}"
+        rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
+
+        # deleting a port number from a type
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "semanage port -d -p tcp -t $PORT_TYPE 5005"
+        sleep 2
+
+        # Check for user_avc
+        rlRun "ausearch -m user_avc -ts ${START_DATE_TIME} > ${OUTPUT_FILE}" 0,1
+        LINE_COUNT=`wc -l < ${OUTPUT_FILE}`
+        rlRun "cat ${OUTPUT_FILE}"
+        rlAssert0 "number of lines in ${OUTPUT_FILE} should be 0" ${LINE_COUNT}
+    rlPhaseEnd
+    fi
+
+    if ! rlIsRHEL 5 ; then
+    rlPhaseStartTest
+        rlRun "seinfo --portcon | grep :hi_reserved_port_t:"
+        rlRun "seinfo --portcon | grep :reserved_port_t:"
+        rlRun "semanage port -l | grep ^hi_reserved_port_t"
+        rlRun "semanage port -l | grep ^reserved_port_t"
+        if ! rlIsRHEL 6 ; then
+            rlRun "seinfo --portcon | grep :unreserved_port_t:"
+            rlRun "semanage port -l | grep ^unreserved_port_t"
+        fi
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "manipulation with hard-wired ports"
+        rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
+        rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
+        rlRun "semanage port -a -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "port .* already defined" ${OUTPUT_FILE} -i
+        rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
+        rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
+        rlRun "semanage port -d -t smtp_port_t -p tcp 25 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "port .* is defined in policy.*cannot be deleted" ${OUTPUT_FILE} -i
+        rlRun "semanage port -l | grep 'smtp_port_t.*tcp.*25'"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/semanage-user/Makefile
+++ b/tests/semanage-user/Makefile
@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Regression/semanage-user
+#   Description: Does semanage user ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Regression/semanage-user
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE testpolicy.te
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+	test -x runtest.sh || chcon -t bin_t runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does semanage user ... work correctly?" >> $(METADATA)
+	@echo "Type:            Regression" >> $(METADATA)
+	@echo "TestTime:        20m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils policycoreutils-python-utils grep selinux-policy-devel selinux-policy-minimum selinux-policy-mls selinux-policy-targeted selinux-policy-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/semanage-user/PURPOSE
+++ b/tests/semanage-user/PURPOSE
@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Regression/semanage-user
+Description: Does semanage user ... work correctly?
+Author: Milos Malik <mmalik@redhat.com>
+
--- a/tests/semanage-user/runtest.sh
+++ b/tests/semanage-user/runtest.sh
@ -0,0 +1,76 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Regression/semanage-user
+#   Description: Does semanage user ... work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlRun "make -f /usr/share/selinux/devel/Makefile"
+        rlRun "ls -l testpolicy.pp"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        if rlIsRHEL 5 6; then
+            rlRun "semanage user --help" 1
+        else
+            rlRun "semanage user --help" 0
+            # semanage: list option can not be used with --level ("semanage user -l")
+            rlRun "semanage user --help | grep fcontext" 1
+        fi
+        for POLICY_TYPE in minimum mls targeted ; do
+            if [ ! -d /etc/selinux/${POLICY_TYPE} ] ; then
+                continue
+            fi
+            rlRun "semanage user -l -S ${POLICY_TYPE}"
+        done
+        if ! rlIsRHEL 5; then
+          rlRun "semanage user -l -S unknown 2>&1 | grep \"store cannot be accessed\""
+        fi
+        rlRun "semanage user -a -P user -R xyz_r xyz_u 2>&1 | grep -i -e 'undefined' -e 'error' -e 'could not'"
+        rlRun "semanage user -m xyz_u" 1
+        rlRun "semanage user -d xyz_u" 1
+        rlRun "semodule -i testpolicy.pp"
+        rlRun "semanage user -a -P user -R xyz_r xyz_u"
+        rlRun "semanage user -m -r s0 xyz_u"
+        rlRun "semanage user -l | grep \"xyz_u.*s0.*s0.*xyz_r\""
+        rlRun "semanage user -d xyz_u"
+        rlRun "semanage user -l | grep xyz_u" 1
+        rlRun "semodule -r testpolicy"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -rf tmp testpolicy.{fc,if,pp}"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/semanage-user/testpolicy.te
+++ b/tests/semanage-user/testpolicy.te
@ -0,0 +1,11 @@
+module testpolicy 1.0;
+
+type xyz_t;
+role xyz_r;
+
+require {
+  type xyz_t;
+}
+
+role xyz_r types xyz_t;
+
--- a/tests/sepolicy-generate/Makefile
+++ b/tests/sepolicy-generate/Makefile
@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/sepolicy-generate
+#   Description: sepolicy generate sanity test
+#   Author: Michal Trunecka <mtruneck@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/sepolicy-generate
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Michal Trunecka <mtruneck@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     sepolicy generate sanity test" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        115m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils policycoreutils-devel rpm-build" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHEL5 -RHEL6" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/sepolicy-generate/PURPOSE
+++ b/tests/sepolicy-generate/PURPOSE
@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/sepolicy-generate
+Description: sepolicy generate sanity test
+Author: Michal Trunecka <mtruneck@redhat.com>
--- a/tests/sepolicy-generate/runtest.sh
+++ b/tests/sepolicy-generate/runtest.sh
@ -0,0 +1,115 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/sepolicy-generate
+#   Description: sepolicy generate sanity test
+#   Author: Michal Trunecka <mtruneck@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="policycoreutils"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlRun "rlCheckRequirements ${PACKAGES[*]}" || rlDie "cannot continue"
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "mkdir mypolicy"
+        rlRun "sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home"
+        rlRun "grep 'manage_dirs_pattern(httpd_sys_script_t' mypolicy/testpolicy.te"
+        rlRun "rm -rf mypolicy"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "mkdir mypolicy"
+        rlRun "touch /usr/bin/testpolicy"
+      for VARIANT in " -n testpolicy --admin_user -r webadm_r" \
+                     " --application /usr/bin/testpolicy " \
+                     " -n testpolicy --confined_admin -a firewalld " \
+                     " -n testpolicy --confined_admin " \
+                     " -n testpolicy --customize -d httpd_t -a firewalld " \
+                     " -n testpolicy --customize -d httpd_t" \
+                     " --dbus /usr/bin/testpolicy " \
+                     " -n testpolicy --desktop_user " \
+                     " --inetd /usr/bin/testpolicy " \
+                     " --init /usr/bin/testpolicy " \
+                     " -n testpolicy --newtype -t newtype_var_log_t " \
+                     " -n testpolicy --newtype -t newtype_unit_file_t " \
+                     " -n testpolicy --newtype -t newtype_var_run_t " \
+                     " -n testpolicy --newtype -t newtype_var_cache_t " \
+                     " -n testpolicy --newtype -t newtype_tmp_t " \
+                     " -n testpolicy --newtype -t newtype_port_t " \
+                     " -n testpolicy --newtype -t newtype_var_spool_t " \
+                     " -n testpolicy --newtype -t newtype_var_lib_t " \
+                     " -n testpolicy --sandbox " \
+                     " -n testpolicy --term_user " \
+                     " -n testpolicy --x_user "
+#                     " --cgi /usr/bin/testpolicy "
+        do
+            rlRun "sepolicy generate -p mypolicy $VARIANT"
+            rlRun "cat mypolicy/testpolicy.te"
+            rlRun "cat mypolicy/testpolicy.if"
+            rlRun "cat mypolicy/testpolicy.fc"
+          if echo "$VARIANT" | grep -q newtype; then
+            rlAssertNotExists "mypolicy/testpolicy.sh"
+            rlAssertNotExists "mypolicy/testpolicy.spec"
+          else
+            rlRun "mypolicy/testpolicy.sh"
+            rlRun "semodule -l | grep  testpolicy"
+            rlRun "semanage user -d testpolicy_u" 0-255
+            rlRun "semodule -r testpolicy"
+          fi
+
+            rlRun "rm -rf mypolicy/*"
+            rlRun "sleep 1"
+
+          if ! echo "$VARIANT" | grep -q newtype; then
+            rlRun "sepolicy generate -p mypolicy -w /home  $VARIANT"
+            rlRun "cat mypolicy/testpolicy.te"
+            rlRun "cat mypolicy/testpolicy.if"
+            rlRun "cat mypolicy/testpolicy.fc"
+
+            rlRun "mypolicy/testpolicy.sh"
+            rlRun "semodule -l | grep  testpolicy"
+            rlRun "semanage user -d testpolicy_u" 0-255
+            rlRun "semodule -r testpolicy"
+
+            rlRun "rm -rf mypolicy/*"
+            rlRun "sleep 1"
+          fi
+        done
+        rlRun "rm -rf mypolicy"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
--- a/tests/sestatus/Makefile
+++ b/tests/sestatus/Makefile
@ -0,0 +1,67 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/sestatus
+#   Description: tests everything about sestatus
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/sestatus
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+	chcon -t bin_t runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     tests everything about sestatus" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        policycoreutils" >> $(METADATA)
+	@echo "Requires:        grep" >> $(METADATA)
+	@echo "Requires:        man" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/sestatus/PURPOSE
+++ b/tests/sestatus/PURPOSE
@ -0,0 +1,4 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/sestatus
+Description: tests everything about sestatus
+Author: Milos Malik <mmalik@redhat.com>
+
--- a/tests/sestatus/runtest.sh
+++ b/tests/sestatus/runtest.sh
@ -0,0 +1,114 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/sestatus
+#   Description: tests everything about sestatus
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="policycoreutils"
+if rlIsRHEL 5 6 ; then
+    SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+    SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlFileBackup /etc/sestatus.conf
+        rlRun "mount | grep -i selinux" 0,1
+        OUTPUT_FILE=`mktemp`
+    rlPhaseEnd
+
+    rlPhaseStartTest "basic use"
+        rlRun "sestatus"
+        rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "policy booleans" ${OUTPUT_FILE} -i
+        rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "process contexts" ${OUTPUT_FILE} -i
+        rlAssertGrep "file contexts" ${OUTPUT_FILE} -i
+        rlAssertGrep "current context" ${OUTPUT_FILE} -i
+        rlAssertGrep "init context" ${OUTPUT_FILE} -i
+        rlAssertGrep "controlling term" ${OUTPUT_FILE} -i
+        rlRun "sestatus --xyz 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "invalid option" ${OUTPUT_FILE} -i
+    rlPhaseEnd
+
+    rlPhaseStartTest "extreme cases"
+        # pretend that the config file contains an invalid section
+        rlRun "sed -i 's/files/xyz/' /etc/sestatus.conf"
+        rlRun "sestatus -v 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "line not in a section" ${OUTPUT_FILE} -i
+        rlRun "rm -f /etc/sestatus.conf"
+        rlRun "mkdir /etc/sestatus.conf" # intentionally replaced a file with a directory
+        rlRun "sestatus -v"
+        # pretend that the config file is missing
+        rlRun "rm -rf /etc/sestatus.conf"
+        for OPTION in "-bv" "-v" ; do
+            rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
+            rlAssertGrep "unable to open /etc/sestatus.conf" ${OUTPUT_FILE} -i
+        done
+        rlFileRestore
+        # pretend that SELinux is disabled
+        rlRun "umount ${SELINUX_FS_MOUNT}"
+        for OPTION in "" "-b" "-v" "-bv" ; do
+            rlRun "sestatus ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
+            rlAssertGrep "selinux status.*disabled" ${OUTPUT_FILE} -i
+        done
+        rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}"
+        # pretend that no booleans are defined
+        rlRun "mkdir ./booleans"
+        rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
+        rlRun "sestatus -b 2>&1 | tee ${OUTPUT_FILE}"
+        rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
+        rlAssertNotGrep "booleans" ${OUTPUT_FILE} -i
+        rlRun "rmdir ./booleans"
+    rlPhaseEnd
+
+    # This bug is not worth fixing in RHEL-5
+    if ! rlIsRHEL 5 ; then
+    rlPhaseStartTest
+        rlRun "rpm -ql ${PACKAGE} | grep /usr/sbin/sestatus"
+        rlRun "rpm -ql ${PACKAGE} | grep /usr/share/man/man8/sestatus.8"
+        for OPTION in b v ; do
+            rlRun "sestatus --help 2>&1 | grep -- -${OPTION}"
+            rlRun "man sestatus | col -b | grep -- -${OPTION}"
+        done
+        if ! rlIsRHEL 6 ; then
+            rlRun "man -w sestatus.conf"
+        fi
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartCleanup
+        rlFileRestore
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/setsebool/Makefile
+++ b/tests/setsebool/Makefile
@ -0,0 +1,65 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/policycoreutils/Sanity/setsebool
+#   Description: does setsebool work correctly ?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/policycoreutils/Sanity/setsebool
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	chmod a+x runtest.sh
+	chcon -t bin_t runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     does setsebool work correctly ?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        45m" >> $(METADATA)
+	@echo "RunFor:          policycoreutils" >> $(METADATA)
+	@echo "Requires:        audit policycoreutils libselinux-utils shadow-utils grep" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+
--- a/tests/setsebool/PURPOSE
+++ b/tests/setsebool/PURPOSE
@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/policycoreutils/Sanity/setsebool
+Author: Milos Malik <mmalik@redhat.com>
+
+Does setsebool work as expected? Does it produce correct audit messages?
+
--- a/tests/setsebool/runtest.sh
+++ b/tests/setsebool/runtest.sh
@ -0,0 +1,151 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/policycoreutils/Sanity/setsebool
+#   Description: does setsebool work correctly ?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2011 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include rhts environment
+. /usr/bin/rhts-environment.sh
+. /usr/share/beakerlib/beakerlib.sh
+
+PACKAGE="policycoreutils"
+USER_NAME="user${RANDOM}"
+USER_SECRET="s3kr3t${RANDOM}"
+BOOLEAN="ftpd_connect_db"
+if rlIsRHEL 5 6 ; then
+    SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+    SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        OUTPUT_FILE=`mktemp`
+        chcon -t tmp_t ${OUTPUT_FILE}
+
+        rlRun "useradd ${USER_NAME}"
+        rlRun "echo ${USER_SECRET} | passwd --stdin ${USER_NAME}"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        for OPTION in "" "-P" ; do
+            for OPERATOR in " " "=" ; do
+                for VALUE in 0 1 false true off on ; do
+                    rlRun "setsebool ${OPTION} ${BOOLEAN}${OPERATOR}${VALUE} | grep -i -e illegal -e usage -e invalid" 1
+                    if [ ${VALUE} == "0" -o ${VALUE} == "false" ] ; then
+                        SHOWN_VALUE="off"
+                    elif [ ${VALUE} == "1" -o ${VALUE} == "true" ] ; then
+                        SHOWN_VALUE="on"
+                    else
+                        SHOWN_VALUE=${VALUE}
+                    fi
+                    rlRun "getsebool -a | grep \"^${BOOLEAN}.*${SHOWN_VALUE}\""
+                done
+            done
+        done
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "setsebool" 1
+        rlRun "setsebool xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
+        rlRun "setsebool xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+        rlRun "setsebool xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+        if ! rlIsRHEL 5 6 ; then
+            rlRun "setsebool -N 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
+            rlRun "setsebool -P 2>&1 | tee /dev/stderr | grep -i \"boolean.*required\""
+        fi
+        rlRun "setsebool -P xyz=1 2>&1 | tee /dev/stderr | grep -i -e \"invalid boolean\" -e \"not found\" -e \"not defined\""
+        rlRun "setsebool -P xyz=-1 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+        rlRun "setsebool -P xyz=2 2>&1 | tee /dev/stderr | grep -i \"illegal value\""
+    rlPhaseEnd
+
+    if ! rlIsRHEL 5 6 ; then
+    rlPhaseStartTest
+        rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+        rlRun "su -l -c '/usr/sbin/setsebool allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+        rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 0' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+        rlRun "su -l -c '/usr/sbin/setsebool -P allow_ypbind 1' ${USER_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "try as root" ${OUTPUT_FILE} -i
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        for OPTION in "" "-P" ; do
+            rlRun "getsebool allow_ypbind | grep nis_enabled"
+            rlRun "setsebool ${OPTION} allow_ypbind on"
+            rlRun "getsebool allow_ypbind | grep \"nis_enabled.*on\""
+            rlRun "setsebool ${OPTION} allow_ypbind off"
+            rlRun "getsebool allow_ypbind | grep \"nis_enabled.*off\""
+        done
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        # https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
+        for LINE in `cat /etc/selinux/*/booleans.subs_dist | sort | uniq | tr -s ' ' | tr ' ' ':'` ; do
+            OLD_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 1`
+            NEW_BOOLEAN_NAME=`echo ${LINE} | cut -d : -f 2`
+            rlRun "getsebool ${OLD_BOOLEAN_NAME} 2>&1 | tee ${OUTPUT_FILE}"
+            rlRun "getsebool ${NEW_BOOLEAN_NAME} 2>&1 | tee -a ${OUTPUT_FILE}"
+            rlRun "uniq -c ${OUTPUT_FILE} | grep '2 '"
+        done
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "audit messages"
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "setsebool ${BOOLEAN} on"
+        rlRun "setsebool ${BOOLEAN} off"
+        rlRun "setsebool ${BOOLEAN} on"
+        sleep 1
+        rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=1 old_val=0\""
+        rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=MAC_CONFIG_CHANGE.*bool=${BOOLEAN} val=0 old_val=1\""
+        if rlIsRHEL ; then
+            rlRun "ausearch -m MAC_CONFIG_CHANGE -i -ts ${START_DATE_TIME} | grep \"type=SYSCALL.*comm=setsebool\""
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "extreme cases"
+        # pretend that no booleans are defined
+        rlRun "mkdir ./booleans"
+        rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
+        rlRun "setsebool ${BOOLEAN} on 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
+        rlRun "setsebool ${BOOLEAN} off 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "could not change active booleans" ${OUTPUT_FILE} -i
+        rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
+        rlRun "rmdir ./booleans"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "userdel -rf ${USER_NAME}"
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,23 @@
+---
+# Tests to run in a classic environment
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+      fmf_filter: "tier: 1 | component: policycoreutils & tags: generic, fedora"
+
+# Tests for atomic host
+- hosts: localhost
+  tags:
+  - atomic
+  # no compatible tests
+
+# Tests for docker container
+- hosts: localhost
+  tags:
+  - container
+  # no compatible tests
--- a/zanata.xml
+++ b/zanata.xml
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<config xmlns="http://zanata.org/namespace/config/">
+  <url>https://fedora.zanata.org/</url>
+  <project>selinux</project>
+  <project-version>master</project-version>
+  <project-type>gettext</project-type>
+
+</config>
				`@ -0,0 +1,2 @@`
				`/opt/restorecon_testdir(/.*)? system_u:object_r:correct_t:s0`