diff --git a/.gitignore b/.gitignore
index c78337d..de90a81 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libselinux-2.8.tar.gz
+SOURCES/libselinux-2.9.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
index 89ceb8a..16a9b42 100644
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@@ -1 +1 @@
-d45f2db91dbec82ef5a153aca247acc04234e8af SOURCES/libselinux-2.8.tar.gz
+c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz
diff --git a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
new file mode 100644
index 0000000..f68a699
--- /dev/null
+++ b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
@@ -0,0 +1,31 @@
+From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 16 Jul 2014 08:28:03 +0200
+Subject: [PATCH 1/5] Fix selinux man page to refer seinfo and sesearch tools.
+
+---
+ libselinux/man/man8/selinux.8 | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index e37aee68..bf23b655 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+ .BR sepolicy (8),
+ .BR system-config-selinux (8),
+ .BR togglesebool (8),
+-.BR restorecon (8),
+ .BR fixfiles (8),
++.BR restorecon (8),
+ .BR setfiles (8),
+ .BR semanage (8),
+ .BR sepolicy (8)
++.BR seinfo (8),
++.BR sesearch (8)
+
+ Every confined service on the system has a man page in the following format:
+ .br
+--
+2.21.0
+
diff --git a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
new file mode 100644
index 0000000..7a0a001
--- /dev/null
+++ b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
@@ -0,0 +1,214 @@
+From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Mon, 23 Dec 2013 09:50:54 -0500
+Subject: [PATCH 2/5] Verify context input to funtions to make sure the context
+ field is not null.
+
+Return errno EINVAL, to prevent segfault.
+
+Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
+
+FIXME: use __attribute__(nonnull (arg-index, ...))
+---
+ libselinux/src/avc_sidtab.c | 5 +++++
+ libselinux/src/canonicalize_context.c | 5 +++++
+ libselinux/src/check_context.c | 5 +++++
+ libselinux/src/compute_av.c | 5 +++++
+ libselinux/src/compute_create.c | 5 +++++
+ libselinux/src/compute_member.c | 5 +++++
+ libselinux/src/compute_relabel.c | 5 +++++
+ libselinux/src/compute_user.c | 5 +++++
+ libselinux/src/fsetfilecon.c | 8 ++++++--
+ libselinux/src/lsetfilecon.c | 9 +++++++--
+ libselinux/src/setfilecon.c | 8 ++++++--
+ 11 files changed, 59 insertions(+), 6 deletions(-)
+
+diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
+index 9669264d..c7754305 100644
+--- a/libselinux/src/avc_sidtab.c
++++ b/libselinux/src/avc_sidtab.c
+@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
+ int hvalue, rc = 0;
+ struct sidtab_node *cur;
+
++ if (! ctx) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ *sid = NULL;
+ hvalue = sidtab_hash(ctx);
+
+diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
+index ba4c9a2c..c8158725 100644
+--- a/libselinux/src/canonicalize_context.c
++++ b/libselinux/src/canonicalize_context.c
+@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
+ size_t size;
+ int fd, ret;
+
++ if (! con) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
+index 8a7997f0..5be84348 100644
+--- a/libselinux/src/check_context.c
++++ b/libselinux/src/check_context.c
+@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
+ char path[PATH_MAX];
+ int fd, ret;
+
++ if (! con) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ if (!selinux_mnt) {
+ errno = ENOENT;
+ return -1;
+diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
+index a47cffe9..6d285a2e 100644
+--- a/libselinux/src/compute_av.c
++++ b/libselinux/src/compute_av.c
+@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
+ return -1;
+ }
+
++ if ((! scon) || (! tcon)) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ snprintf(path, sizeof path, "%s/access", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
+index 0975aeac..3e6a48c1 100644
+--- a/libselinux/src/compute_create.c
++++ b/libselinux/src/compute_create.c
+@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
+ return -1;
+ }
+
++ if ((! scon) || (! tcon)) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ snprintf(path, sizeof path, "%s/create", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
+index 4e2d221e..d1dd9772 100644
+--- a/libselinux/src/compute_member.c
++++ b/libselinux/src/compute_member.c
+@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
+ return -1;
+ }
+
++ if ((! scon) || (! tcon)) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ snprintf(path, sizeof path, "%s/member", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
+index 49f77ef3..c3db7c0a 100644
+--- a/libselinux/src/compute_relabel.c
++++ b/libselinux/src/compute_relabel.c
+@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
+ return -1;
+ }
+
++ if ((! scon) || (! tcon)) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 7b881215..401fd107 100644
+--- a/libselinux/src/compute_user.c
++++ b/libselinux/src/compute_user.c
+@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
+ return -1;
+ }
+
++ if (! scon) {
++ errno=EINVAL;
++ return -1;
++ }
++
+ snprintf(path, sizeof path, "%s/user", selinux_mnt);
+ fd = open(path, O_RDWR | O_CLOEXEC);
+ if (fd < 0)
+diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
+index 52707d05..0cbe12d8 100644
+--- a/libselinux/src/fsetfilecon.c
++++ b/libselinux/src/fsetfilecon.c
+@@ -9,8 +9,12 @@
+
+ int fsetfilecon_raw(int fd, const char * context)
+ {
+- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+- 0);
++ int rc;
++ if (! context) {
++ errno=EINVAL;
++ return -1;
++ }
++ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ char * ccontext = NULL;
+ int err = errno;
+diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
+index 1d3b28a1..ea6d70b7 100644
+--- a/libselinux/src/lsetfilecon.c
++++ b/libselinux/src/lsetfilecon.c
+@@ -9,8 +9,13 @@
+
+ int lsetfilecon_raw(const char *path, const char * context)
+ {
+- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+- 0);
++ int rc;
++ if (! context) {
++ errno=EINVAL;
++ return -1;
++ }
++
++ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ char * ccontext = NULL;
+ int err = errno;
+diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
+index d05969c6..3f0200e8 100644
+--- a/libselinux/src/setfilecon.c
++++ b/libselinux/src/setfilecon.c
+@@ -9,8 +9,12 @@
+
+ int setfilecon_raw(const char *path, const char * context)
+ {
+- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+- 0);
++ int rc;
++ if (! context) {
++ errno=EINVAL;
++ return -1;
++ }
++ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ if (rc < 0 && errno == ENOTSUP) {
+ char * ccontext = NULL;
+ int err = errno;
+--
+2.21.0
+
diff --git a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
new file mode 100644
index 0000000..0c8d92c
--- /dev/null
+++ b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
@@ -0,0 +1,39 @@
+From 431f72836d6c02450725cf6ffb1c7223b9fa6acc Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 11 Mar 2019 15:26:43 +0100
+Subject: [PATCH 3/5] libselinux: Allow to override OVERRIDE_GETTID from
+ command line
+
+$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
+
+Drop this as soon as glibc-2.30 will become real 2.30 version, see
+https://bugzilla.redhat.com/show_bug.cgi?id=1685594
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/procattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
+index c6799ef2..cbb6824e 100644
+--- a/libselinux/src/procattr.c
++++ b/libselinux/src/procattr.c
+@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
+
+ /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
+ * has a definition for it */
++#ifndef OVERRIDE_GETTID
+ #ifdef __BIONIC__
+ #define OVERRIDE_GETTID 0
+ #elif !defined(__GLIBC_PREREQ)
+@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
+ #else
+ #define OVERRIDE_GETTID 0
+ #endif
++#endif
+
+ #if OVERRIDE_GETTID
+ static pid_t gettid(void)
+--
+2.21.0
+
diff --git a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
new file mode 100644
index 0000000..c0d7f6a
--- /dev/null
+++ b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
@@ -0,0 +1,55 @@
+From dca54ca1a8ab0b256e7834f7f5e97375427fbfd9 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 27 Feb 2019 09:37:17 +0100
+Subject: [PATCH 4/5] Bring some old permission and flask constants back to
+ Python bindings
+
+---
+ libselinux/src/selinuxswig.i | 4 ++++
+ libselinux/src/selinuxswig_python.i | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
+index dbdb4c3d..9c5b9263 100644
+--- a/libselinux/src/selinuxswig.i
++++ b/libselinux/src/selinuxswig.i
+@@ -5,7 +5,9 @@
+ %module selinux
+ %{
+ #include "../include/selinux/avc.h"
++ #include "../include/selinux/av_permissions.h"
+ #include "../include/selinux/context.h"
++ #include "../include/selinux/flask.h"
+ #include "../include/selinux/get_context_list.h"
+ #include "../include/selinux/get_default_type.h"
+ #include "../include/selinux/label.h"
+@@ -58,7 +60,9 @@
+ %ignore avc_netlink_check_nb;
+
+ %include "../include/selinux/avc.h"
++%include "../include/selinux/av_permissions.h"
+ %include "../include/selinux/context.h"
++%include "../include/selinux/flask.h"
+ %include "../include/selinux/get_context_list.h"
+ %include "../include/selinux/get_default_type.h"
+ %include "../include/selinux/label.h"
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 4c73bf92..6eaab081 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -1,10 +1,11 @@
+ /* Author: James Athey
+ */
+
+-/* Never build rpm_execcon interface */
++/* Never build rpm_execcon interface unless you need to have ACG compatibility
+ #ifndef DISABLE_RPM
+ #define DISABLE_RPM
+ #endif
++*/
+
+ %module selinux
+ %{
+--
+2.21.0
+
diff --git a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
new file mode 100644
index 0000000..721e127
--- /dev/null
+++ b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
@@ -0,0 +1,32 @@
+From 8384ffa7a371c8845c145951363da5d978ab98b5 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 28 Feb 2017 16:12:43 +0100
+Subject: [PATCH 5/5] libselinux: add missing av_permission values
+
+Add missing av_permission values to av_permissions.h for the sake of
+completeness (this interface is obsolete - these values are now
+obtained at runtime).
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/include/selinux/av_permissions.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
+index c1269af9..631f0276 100644
+--- a/libselinux/include/selinux/av_permissions.h
++++ b/libselinux/include/selinux/av_permissions.h
+@@ -876,6 +876,8 @@
+ #define NSCD__SHMEMHOST 0x00000080UL
+ #define NSCD__GETSERV 0x00000100UL
+ #define NSCD__SHMEMSERV 0x00000200UL
++#define NSCD__GETNETGRP 0x00000400UL
++#define NSCD__SHMEMNETGRP 0x00000800UL
+ #define ASSOCIATION__SENDTO 0x00000001UL
+ #define ASSOCIATION__RECVFROM 0x00000002UL
+ #define ASSOCIATION__SETCONTEXT 0x00000004UL
+--
+2.21.0
+
diff --git a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
new file mode 100644
index 0000000..d239d93
--- /dev/null
+++ b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
@@ -0,0 +1,177 @@
+From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 16 May 2019 15:01:59 +0200
+Subject: [PATCH 6/6] libselinux: Use Python distutils to install SELinux
+ python bindings
+
+SWIG-4.0 changed its behavior so that it uses: from . import _selinux which
+looks for _selinux module in the same directory as where __init__.py is -
+$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
+$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
+of _selinux.so").
+
+In order to prevent such breakage in future use Python's distutils instead of
+building and installing python bindings manually in Makefile.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+ File "<stdin>", line 1, in <module>
+ File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
+ from . import _selinux
+ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
+>>>
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/.gitignore | 2 +-
+ libselinux/src/Makefile | 37 ++++++++-----------------------------
+ libselinux/src/setup.py | 24 ++++++++++++++++++++++++
+ 3 files changed, 33 insertions(+), 30 deletions(-)
+ create mode 100644 libselinux/src/setup.py
+
+diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
+index 4dcc3b3b..428afe5a 100644
+--- a/libselinux/src/.gitignore
++++ b/libselinux/src/.gitignore
+@@ -1,4 +1,4 @@
+ selinux.py
+-selinuxswig_wrap.c
++selinuxswig_python_wrap.c
+ selinuxswig_python_exception.i
+ selinuxswig_ruby_wrap.c
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index e9ed0383..826c830c 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -36,7 +36,7 @@ TARGET=libselinux.so
+ LIBPC=libselinux.pc
+ SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
+ SWIGRUBYIF= selinuxswig_ruby.i
+-SWIGCOUT= selinuxswig_wrap.c
++SWIGCOUT= selinuxswig_python_wrap.c
+ SWIGPYOUT= selinux.py
+ SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
+ SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
+@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
+ LDLIBS_LIBSEPOLA := -l:libsepol.a
+ endif
+
+-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
++GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
+ SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
+
+ MAX_STACK_SIZE=32768
+@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+
+-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
+-
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+
+-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
++pywrap: all selinuxswig_python_exception.i
++ CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+
+ rubywrap: all $(SWIGRUBYSO)
+
+-$(SWIGLOBJ): $(SWIGCOUT)
+- $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ $(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+
+-$(SWIGSO): $(SWIGLOBJ)
+- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
+-
+ $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
+
+@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
+ selinuxswig_python_exception.i: ../include/selinux/selinux.h
+ bash -e exception.sh > $@ || (rm -f $@ ; false)
+
+-$(AUDIT2WHYLOBJ): audit2why.c
+- $(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
+- $(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
+-
+ %.o: %.c policy.h
+ $(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
+
+ %.lo: %.c policy.h
+ $(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+
+-$(SWIGCOUT): $(SWIGIF)
+- $(SWIG) $<
+-
+-$(SWIGPYOUT): $(SWIGCOUT)
+-
+ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ $(SWIGRUBY) $<
+
+-swigify: $(SWIGIF)
+- $(SWIG) $<
+-
+ install: all
+ test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
+ install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
+@@ -194,10 +173,8 @@ install: all
+ ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+
+ install-pywrap: pywrap
+- test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
+- install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+- install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
+- install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
++ $(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
++ install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+
+ install-rubywrap: rubywrap
+ test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL)
+@@ -208,6 +185,8 @@ relabel:
+
+ clean-pywrap:
+ -rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
++ $(PYTHON) setup.py clean
++ -rm -rf build *~ \#* *pyc .#*
+
+ clean-rubywrap:
+ -rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
+new file mode 100644
+index 00000000..b12e7869
+--- /dev/null
++++ b/libselinux/src/setup.py
+@@ -0,0 +1,24 @@
++#!/usr/bin/python3
++
++from distutils.core import Extension, setup
++
++setup(
++ name="selinux",
++ version="2.9",
++ description="SELinux python 3 bindings",
++ author="SELinux Project",
++ author_email="selinux@vger.kernel.org",
++ ext_modules=[
++ Extension('selinux._selinux',
++ sources=['selinuxswig_python.i'],
++ include_dirs=['../include'],
++ library_dirs=['.'],
++ libraries=['selinux']),
++ Extension('selinux.audit2why',
++ sources=['audit2why.c'],
++ include_dirs=['../include'],
++ library_dirs=['.'],
++ libraries=['selinux'],
++ extra_link_args=['-l:libsepol.a'])
++ ],
++)
+--
+2.22.0
+
diff --git a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
new file mode 100644
index 0000000..044ffac
--- /dev/null
+++ b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
@@ -0,0 +1,44 @@
+From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 27 Jun 2019 11:17:13 +0200
+Subject: [PATCH 7/7] libselinux: Do not use SWIG_CFLAGS when Python bindings
+ are built
+
+Fixes:
+https://rpmdiff.engineering.redhat.com/run/410372/7/
+
+Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
+Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage. Run with -v to list.
+' on x86_64
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/Makefile | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 826c830c..f64f23a8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
+
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+
+-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
+- -Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+-
+ RANLIB ?= ranlib
+
+ ARCH := $(patsubst i%86,i386,$(shell uname -m))
+@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+
+ pywrap: all selinuxswig_python_exception.i
+- CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
++ $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+
+ rubywrap: all $(SWIGRUBYSO)
+
+--
+2.22.0
+
diff --git a/SOURCES/libselinux-fedora.patch b/SOURCES/libselinux-fedora.patch
deleted file mode 100644
index 32075a7..0000000
--- a/SOURCES/libselinux-fedora.patch
+++ /dev/null
@@ -1,450 +0,0 @@
-diff --git libselinux-2.8/man/man3/selinux_boolean_sub.3 libselinux-2.8/man/man3/selinux_boolean_sub.3
-index 308c268..a29a38d 100644
---- libselinux-2.8/man/man3/selinux_boolean_sub.3
-+++ libselinux-2.8/man/man3/selinux_boolean_sub.3
-@@ -1,6 +1,6 @@
- .TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
--selinux_boolean_sub \-
-+selinux_boolean_sub \- Search the translated name for a boolean_name record
- .
- .SH "SYNOPSIS"
- .B #include <selinux/selinux.h>
-@@ -12,7 +12,7 @@ selinux_boolean_sub \-
- searches the
- .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
- file
--for a maching boolean_name record. If the record exists the boolean substitution name is returned. If not
-+for a matching boolean_name record. If the record exists the boolean substitution name is returned. If not
- .BR \%selinux_boolean_sub ()
- returns the original
- .IR \%boolean_name .
-diff --git libselinux-2.8/man/man3/selinux_restorecon_xattr.3 libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-index 7280c95..516d266 100644
---- libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-+++ libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-@@ -119,7 +119,7 @@ By default
- .BR selinux_restorecon_xattr (3)
- will use the default set of specfiles described in
- .BR files_contexts (5)
--to calculate the initial SHA1 digest to be used for comparision.
-+to calculate the initial SHA1 digest to be used for comparison.
- To change this default behavior
- .BR selabel_open (3)
- must be called specifying the required
-diff --git libselinux-2.8/man/man5/selabel_file.5 libselinux-2.8/man/man5/selabel_file.5
-index e738824..e97bd82 100644
---- libselinux-2.8/man/man5/selabel_file.5
-+++ libselinux-2.8/man/man5/selabel_file.5
-@@ -92,7 +92,7 @@ The optional local and distribution substitution files that perform any path ali
- .RE
- .sp
- The default file context series of files are:
--.RS
-+.RS 6
- .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts
- .br
- .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local
-diff --git libselinux-2.8/man/man8/selinux.8 libselinux-2.8/man/man8/selinux.8
-index e37aee6..bf23b65 100644
---- libselinux-2.8/man/man8/selinux.8
-+++ libselinux-2.8/man/man8/selinux.8
-@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
- .BR sepolicy (8),
- .BR system-config-selinux (8),
- .BR togglesebool (8),
--.BR restorecon (8),
- .BR fixfiles (8),
-+.BR restorecon (8),
- .BR setfiles (8),
- .BR semanage (8),
- .BR sepolicy (8)
-+.BR seinfo (8),
-+.BR sesearch (8)
-
- Every confined service on the system has a man page in the following format:
- .br
-diff --git libselinux-2.8/src/audit2why.c libselinux-2.8/src/audit2why.c
-index 0331fdf..5a1e69a 100644
---- libselinux-2.8/src/audit2why.c
-+++ libselinux-2.8/src/audit2why.c
-@@ -354,7 +354,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
- /* iterate over items of the list, grabbing strings, and parsing
- for numbers */
- for (i=0; i<numlines; i++){
-- char *permstr;
-+ const char *permstr;
-
- /* grab the string object from the next element of the list */
- strObj = PyList_GetItem(listObj, i); /* Can't fail */
-diff --git libselinux-2.8/src/avc_sidtab.c libselinux-2.8/src/avc_sidtab.c
-index 9669264..c775430 100644
---- libselinux-2.8/src/avc_sidtab.c
-+++ libselinux-2.8/src/avc_sidtab.c
-@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
- int hvalue, rc = 0;
- struct sidtab_node *cur;
-
-+ if (! ctx) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- *sid = NULL;
- hvalue = sidtab_hash(ctx);
-
-diff --git libselinux-2.8/src/booleans.c libselinux-2.8/src/booleans.c
-index b3ea362..a6d46fe 100644
---- libselinux-2.8/src/booleans.c
-+++ libselinux-2.8/src/booleans.c
-@@ -55,6 +55,7 @@ int security_get_boolean_names(char ***names, int *len)
- snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
- *len = scandir(path, &namelist, &filename_select, alphasort);
- if (*len <= 0) {
-+ errno = ENOENT;
- return -1;
- }
-
-diff --git libselinux-2.8/src/canonicalize_context.c libselinux-2.8/src/canonicalize_context.c
-index ba4c9a2..c815872 100644
---- libselinux-2.8/src/canonicalize_context.c
-+++ libselinux-2.8/src/canonicalize_context.c
-@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
- size_t size;
- int fd, ret;
-
-+ if (! con) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- if (!selinux_mnt) {
- errno = ENOENT;
- return -1;
-diff --git libselinux-2.8/src/checkAccess.c libselinux-2.8/src/checkAccess.c
-index 8de5747..16bfcfb 100644
---- libselinux-2.8/src/checkAccess.c
-+++ libselinux-2.8/src/checkAccess.c
-@@ -89,8 +89,10 @@ int selinux_check_passwd_access(access_vector_t requested)
- int retval;
-
- passwd_class = string_to_security_class("passwd");
-- if (passwd_class == 0)
-+ if (passwd_class == 0) {
-+ freecon(user_context);
- return 0;
-+ }
-
- retval = security_compute_av_raw(user_context,
- user_context,
-diff --git libselinux-2.8/src/check_context.c libselinux-2.8/src/check_context.c
-index 8a7997f..5be8434 100644
---- libselinux-2.8/src/check_context.c
-+++ libselinux-2.8/src/check_context.c
-@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
- char path[PATH_MAX];
- int fd, ret;
-
-+ if (! con) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- if (!selinux_mnt) {
- errno = ENOENT;
- return -1;
-diff --git libselinux-2.8/src/compute_av.c libselinux-2.8/src/compute_av.c
-index 1d05e7b..d9095cc 100644
---- libselinux-2.8/src/compute_av.c
-+++ libselinux-2.8/src/compute_av.c
-@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon,
- return -1;
- }
-
-+ if ((! scon) || (! tcon)) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- snprintf(path, sizeof path, "%s/access", selinux_mnt);
- fd = open(path, O_RDWR | O_CLOEXEC);
- if (fd < 0)
-diff --git libselinux-2.8/src/compute_create.c libselinux-2.8/src/compute_create.c
-index 0975aea..3e6a48c 100644
---- libselinux-2.8/src/compute_create.c
-+++ libselinux-2.8/src/compute_create.c
-@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
- return -1;
- }
-
-+ if ((! scon) || (! tcon)) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- snprintf(path, sizeof path, "%s/create", selinux_mnt);
- fd = open(path, O_RDWR | O_CLOEXEC);
- if (fd < 0)
-diff --git libselinux-2.8/src/compute_member.c libselinux-2.8/src/compute_member.c
-index 4e2d221..d1dd977 100644
---- libselinux-2.8/src/compute_member.c
-+++ libselinux-2.8/src/compute_member.c
-@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
- return -1;
- }
-
-+ if ((! scon) || (! tcon)) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- snprintf(path, sizeof path, "%s/member", selinux_mnt);
- fd = open(path, O_RDWR | O_CLOEXEC);
- if (fd < 0)
-diff --git libselinux-2.8/src/compute_relabel.c libselinux-2.8/src/compute_relabel.c
-index 49f77ef..c3db7c0 100644
---- libselinux-2.8/src/compute_relabel.c
-+++ libselinux-2.8/src/compute_relabel.c
-@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
- return -1;
- }
-
-+ if ((! scon) || (! tcon)) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
- fd = open(path, O_RDWR | O_CLOEXEC);
- if (fd < 0)
-diff --git libselinux-2.8/src/compute_user.c libselinux-2.8/src/compute_user.c
-index 7b88121..401fd10 100644
---- libselinux-2.8/src/compute_user.c
-+++ libselinux-2.8/src/compute_user.c
-@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
- return -1;
- }
-
-+ if (! scon) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
- snprintf(path, sizeof path, "%s/user", selinux_mnt);
- fd = open(path, O_RDWR | O_CLOEXEC);
- if (fd < 0)
-diff --git libselinux-2.8/src/fsetfilecon.c libselinux-2.8/src/fsetfilecon.c
-index 52707d0..0cbe12d 100644
---- libselinux-2.8/src/fsetfilecon.c
-+++ libselinux-2.8/src/fsetfilecon.c
-@@ -9,8 +9,12 @@
-
- int fsetfilecon_raw(int fd, const char * context)
- {
-- int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-- 0);
-+ int rc;
-+ if (! context) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+ rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- if (rc < 0 && errno == ENOTSUP) {
- char * ccontext = NULL;
- int err = errno;
-diff --git libselinux-2.8/src/label_db.c libselinux-2.8/src/label_db.c
-index c46d0a1..fa481e0 100644
---- libselinux-2.8/src/label_db.c
-+++ libselinux-2.8/src/label_db.c
-@@ -283,10 +283,12 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
- }
- if (fstat(fileno(filp), &sb) < 0) {
- free(catalog);
-+ fclose(filp);
- return NULL;
- }
- if (!S_ISREG(sb.st_mode)) {
- free(catalog);
-+ fclose(filp);
- errno = EINVAL;
- return NULL;
- }
-@@ -340,6 +342,7 @@ out_error:
- free(spec->lr.ctx_trans);
- }
- free(catalog);
-+ fclose(filp);
-
- return NULL;
- }
-diff --git libselinux-2.8/src/label_file.c libselinux-2.8/src/label_file.c
-index 560d8c3..21c8d36 100644
---- libselinux-2.8/src/label_file.c
-+++ libselinux-2.8/src/label_file.c
-@@ -317,8 +317,10 @@ end_arch_check:
- goto out;
- }
- rc = next_entry(str_buf, mmap_area, entry_len);
-- if (rc < 0)
-+ if (rc < 0) {
-+ free(str_buf);
- goto out;
-+ }
-
- if (str_buf[entry_len - 1] != '\0') {
- free(str_buf);
-diff --git libselinux-2.8/src/load_policy.c libselinux-2.8/src/load_policy.c
-index e9f1264..20052be 100644
---- libselinux-2.8/src/load_policy.c
-+++ libselinux-2.8/src/load_policy.c
-@@ -262,8 +262,10 @@ checkbool:
- rc = security_get_boolean_names(&names, &len);
- if (!rc) {
- values = malloc(sizeof(int) * len);
-- if (!values)
-+ if (!values) {
-+ free(names);
- goto unmap;
-+ }
- for (i = 0; i < len; i++)
- values[i] =
- security_get_boolean_active(names[i]);
-diff --git libselinux-2.8/src/lsetfilecon.c libselinux-2.8/src/lsetfilecon.c
-index 1d3b28a..ea6d70b 100644
---- libselinux-2.8/src/lsetfilecon.c
-+++ libselinux-2.8/src/lsetfilecon.c
-@@ -9,8 +9,13 @@
-
- int lsetfilecon_raw(const char *path, const char * context)
- {
-- int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-- 0);
-+ int rc;
-+ if (! context) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+
-+ rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- if (rc < 0 && errno == ENOTSUP) {
- char * ccontext = NULL;
- int err = errno;
-diff --git libselinux-2.8/src/selinux_config.c libselinux-2.8/src/selinux_config.c
-index 292728f..b06cb63 100644
---- libselinux-2.8/src/selinux_config.c
-+++ libselinux-2.8/src/selinux_config.c
-@@ -177,8 +177,7 @@ static void init_selinux_config(void)
-
- if (!strncasecmp(buf_p, SELINUXTYPETAG,
- sizeof(SELINUXTYPETAG) - 1)) {
-- selinux_policytype = type =
-- strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
-+ type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
- if (!type)
- return;
- end = type + strlen(type) - 1;
-@@ -187,6 +186,11 @@ static void init_selinux_config(void)
- *end = 0;
- end--;
- }
-+ if (setpolicytype(type) != 0) {
-+ free(type);
-+ return;
-+ }
-+ free(type);
- continue;
- } else if (!strncmp(buf_p, SETLOCALDEFS,
- sizeof(SETLOCALDEFS) - 1)) {
-@@ -212,13 +216,10 @@ static void init_selinux_config(void)
- fclose(fp);
- }
-
-- if (!type) {
-- selinux_policytype = type = strdup(SELINUXDEFAULT);
-- if (!type)
-- return;
-- }
-+ if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0)
-+ return;
-
-- if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1)
-+ if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1)
- return;
-
- for (i = 0; i < NEL; i++)
-diff --git libselinux-2.8/src/selinux_restorecon.c libselinux-2.8/src/selinux_restorecon.c
-index ced4115..8fa4875 100644
---- libselinux-2.8/src/selinux_restorecon.c
-+++ libselinux-2.8/src/selinux_restorecon.c
-@@ -350,12 +350,19 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- new_entry->next = NULL;
-
- new_entry->directory = strdup(directory);
-- if (!new_entry->directory)
-+ if (!new_entry->directory) {
-+ free(new_entry);
-+ free(sha1_buf);
- goto oom;
-+ }
-
- new_entry->digest = strdup(sha1_buf);
-- if (!new_entry->digest)
-+ if (!new_entry->digest) {
-+ free(new_entry->directory);
-+ free(new_entry);
-+ free(sha1_buf);
- goto oom;
-+ }
-
- new_entry->result = digest_result;
-
-@@ -671,8 +678,8 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
- selinux_log(SELINUX_INFO,
- "%s not reset as customized by admin to %s\n",
- pathname, curcon);
-- goto out;
- }
-+ goto out;
- }
-
- if (!flags->set_specctx && curcon) {
-@@ -849,6 +856,7 @@ int selinux_restorecon(const char *pathname_orig,
-
- if (lstat(pathname, &sb) < 0) {
- if (flags.ignore_noent && errno == ENOENT) {
-+ free(xattr_value);
- free(pathdnamer);
- free(pathname);
- return 0;
-diff --git libselinux-2.8/src/setfilecon.c libselinux-2.8/src/setfilecon.c
-index d05969c..3f0200e 100644
---- libselinux-2.8/src/setfilecon.c
-+++ libselinux-2.8/src/setfilecon.c
-@@ -9,8 +9,12 @@
-
- int setfilecon_raw(const char *path, const char * context)
- {
-- int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-- 0);
-+ int rc;
-+ if (! context) {
-+ errno=EINVAL;
-+ return -1;
-+ }
-+ rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- if (rc < 0 && errno == ENOTSUP) {
- char * ccontext = NULL;
- int err = errno;
-diff --git libselinux-2.8/utils/matchpathcon.c libselinux-2.8/utils/matchpathcon.c
-index 67e4a43..9756d7d 100644
---- libselinux-2.8/utils/matchpathcon.c
-+++ libselinux-2.8/utils/matchpathcon.c
-@@ -14,7 +14,7 @@
- static __attribute__ ((__noreturn__)) void usage(const char *progname)
- {
- fprintf(stderr,
-- "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
-+ "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
- progname);
- exit(1);
- }
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index e0e45b2..2a1eff5 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -5,23 +5,28 @@
%global ruby_inc %(pkg-config --cflags ruby)
%endif
-%define libsepolver 2.8-2
+%define libsepolver 2.9-1
+%define libselinuxrelease 2.1
Summary: SELinux library and simple utilities
Name: libselinux
-Version: 2.8
-Release: 6%{?dist}
+Version: 2.9
+Release: %{libselinuxrelease}%{?dist}
License: Public Domain
# https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-2.8.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz
Source1: selinuxconlist.8
Source2: selinuxdefcon.8
Url: https://github.com/SELinuxProject/selinux/wiki
-# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
-# run:
-# $ VERSION=2.8 ./make-fedora-selinux-patch.sh libselinux
-# HEAD 06620610bbe23bc88adebd38c007fa5f2e95e079
-Patch1: libselinux-fedora.patch
+# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
+Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
+Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
+Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
+Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
+
BuildRequires: gcc
%if 0%{?with_ruby}
BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@@ -52,7 +57,7 @@ process and file security contexts and to obtain security policy
decisions. Required for any applications that use the SELinux API.
%package utils
-Summary: SELinux libselinux utilies
+Summary: SELinux libselinux utilities
Requires: %{name}%{?_isa} = %{version}-%{release}
%description utils
@@ -65,7 +70,7 @@ Provides: python2-%{name} = %{version}-%{release}
Provides: python2-%{name}%{?_isa} = %{version}-%{release}
Obsoletes: %{name}-python < %{version}-%{release}
Summary: SELinux python bindings for libselinux
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease}
%description -n libselinux-python
The libselinux-python package contains the python bindings for developing
@@ -114,13 +119,14 @@ The libselinux-static package contains the static libraries
needed for developing SELinux applications.
%prep
-%autosetup -p 1 -n libselinux-%{version}
+%autosetup -p 2 -n libselinux-%{version}
%build
-export LDFLAGS="%{?__global_ldflags}"
-export DISABLE_RPM="y"
+export DISABLE_RPM="n"
export USE_PCRE2="y"
+%set_build_flags
+
# To support building the Python wrapper against multiple Python runtimes
# Define a function, for how to perform a "build" of the python wrapper against
# a specific runtime:
@@ -130,13 +136,13 @@ BuildPythonWrapper() {
# Perform the build from the upstream Makefile:
make \
PYTHON=$BinaryName \
- LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \
+ LIBDIR="%{_libdir}" %{?_smp_mflags} \
pywrap
}
make clean
-make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} swigify
-make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} all
+make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
+make LIBDIR="%{_libdir}" %{?_smp_mflags} all
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
@@ -145,7 +151,7 @@ BuildPythonWrapper %{__python2}
BuildPythonWrapper %{__python3}
%if 0%{?with_ruby}
-make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="-g %{optflags}" %{?_smp_mflags} rubywrap
+make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
%endif
%install
@@ -154,7 +160,7 @@ InstallPythonWrapper() {
make \
PYTHON=$BinaryName \
- LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \
+ LIBDIR="%{_libdir}" %{?_smp_mflags} \
LIBSEPOLA="%{_libdir}/libsepol.a" \
pywrap
@@ -178,8 +184,10 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli
%if 0%{?with_python2}
export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
InstallPythonWrapper %{__python2}
+mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
%endif
InstallPythonWrapper %{__python3}
+mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
%if 0%{?with_ruby}
make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
@@ -215,7 +223,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%license LICENSE
%{_libdir}/libselinux.so.*
%dir %{_rundir}/setrans/
-%{_sbindir}/sefcontext_compile
%{_tmpfilesdir}/libselinux.conf
%files utils
@@ -223,6 +230,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{_sbindir}/getenforce
%{_sbindir}/getsebool
%{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
%{_sbindir}/selinuxconlist
%{_sbindir}/selinuxdefcon
%{_sbindir}/selinuxexeccon
@@ -235,6 +243,8 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%{_sbindir}/selinux_check_access
%{_mandir}/man5/*
%{_mandir}/man8/*
+%{_mandir}/ru/man5/*
+%{_mandir}/ru/man8/*
%files devel
%{_libdir}/libselinux.so
@@ -249,11 +259,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%files -n libselinux-python
%{python2_sitearch}/selinux/
%{python2_sitearch}/_selinux.so
+%{python2_sitearch}/selinux-%{version}-*
%endif
%files -n python3-libselinux
%{python3_sitearch}/selinux/
%{python3_sitearch}/_selinux.*.so
+%{python3_sitearch}/selinux-%{version}-*
%if 0%{?with_ruby}
%files ruby
@@ -261,6 +273,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
%endif
%changelog
+* Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
+- Use Python distutils to install SELinux python bindings (#1719771)
+- Move sefcontext_compile to -utils package (#1612518)
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
* Tue Nov 6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
- Fix RESOURCE_LEAK coverity scan defects