policycoreutils: Revert "restorecon: only update type by default"

This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c. 96cedb will cause wrong security contexts for /dev/ while using MLS type of old refpolicy, so revert it. This patch should be dropped while refpolicy is upreved to 2.20120725+. Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-05-24 14:45:58 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-05-28 10:43:37 +0800
commit: ef33cdb47fbdda3cd4c05bccba096923709a9bca (patch)
tree: f69490b1ff5b24e953e2a9d4ceb5ced009342279
parent: 4e6f390d830aa0d0c7d9d4cc12de93c94d0cb2ec (diff)
download: meta-selinux-ef33cdb47fbdda3cd4c05bccba096923709a9bca.tar.gz
2 files changed, 319 insertions, 1 deletions
diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
new file mode 100644
index 0000000..dd7f97c
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
@@ -0,0 +1,315 @@
+From 0fa419825539f172e1097d685e92c7d1a5826f23 Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Fri, 24 May 2013 14:31:10 +0800
+Subject: [PATCH] policycoreutils: Revert "restorecon: only update type by default"
+This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
+96cedb will cause wrong security contexts for /dev/ while using
+MLS type of old refpolicy, so revert it.
+This patch should be dropped while refpolicy is upreved to 2.20120725+.
+Upstream-Status: Inappropriate [for old refpolicy]
+---
+ setfiles/restore.c    | 113 +++++++++++++++-------------------
+ setfiles/restorecon.8 |  12 ++--
+ setfiles/setfiles.8   |  19 +++---
+ 3 files changed, 61 insertions(+), 83 deletions(-)
+diff --git a/setfiles/restore.c b/setfiles/restore.c
+index 4c62b41..2acec8e 100644
+--- a/setfiles/restore.c
+++ b/setfiles/restore.c
+@@ -1,6 +1,5 @@
+ #include "restore.h"
+ #include <glob.h>
+-#include <selinux/context.h>
+ 
+ #define SKIP -2
+ #define ERR -1
+@@ -34,6 +33,7 @@ struct edir {
+ 
+ static file_spec_t *fl_head;
+ static int filespec_add(ino_t ino, const security_context_t con, const char *file);
+static int only_changed_user(const char *a, const char *b);
+ struct restore_opts *r_opts = NULL;
+ static void filespec_destroy(void);
+ static void filespec_eval(void);
+@@ -104,7 +104,8 @@ static int restore(FTSENT *ftsent)
+ {
+        char *my_file = strdupa(ftsent->fts_path);
+        int ret = -1;
+-       security_context_t curcon = NULL, newcon = NULL;
+       char *context, *newcon;
+       int user_only_changed = 0;
+ 
+        if (match(my_file, ftsent->fts_statp, &newcon) < 0)
+                /* Check for no matching specification. */
+@@ -138,105 +139,74 @@ static int restore(FTSENT *ftsent)
+                printf("%s:  %s matched by %s\n", r_opts->progname, my_file, newcon);
+        }
+ 
+-       /*
+-        * Do not relabel if their is no default specification for this file
+-        */
+-
+-       if (strcmp(newcon, "<<none>>") == 0) {
+-               goto out;
+-       }
+-
+        /* Get the current context of the file. */
+-       ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
+       ret = lgetfilecon_raw(ftsent->fts_accpath, &context);
+        if (ret < 0) {
+                if (errno == ENODATA) {
+-                       curcon = NULL;
+                       context = NULL;
+                } else {
+                        fprintf(stderr, "%s get context on %s failed: '%s'\n",
+                                r_opts->progname, my_file, strerror(errno));
+                        goto err;
+                }
+-       }
+-
+               user_only_changed = 0;
+       } else
+               user_only_changed = only_changed_user(context, newcon);
+        /* lgetfilecon returns number of characters and ret needs to be reset
+         * to 0.
+         */
+        ret = 0;
+ 
+        /*
+-        * Do not relabel the file if the file is already labeled according to
+-        * the specification.
+        * Do not relabel the file if the matching specification is 
+        * <<none>> or the file is already labeled according to the 
+        * specification.
+         */
+-       if (curcon && (strcmp(curcon, newcon) == 0)) {
+       if ((strcmp(newcon, "<<none>>") == 0) ||
+           (context && (strcmp(context, newcon) == 0))) {
+               freecon(context);
+                goto out;
+        }
+ 
+-       if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) {
+       if (!r_opts->force && context && (is_context_customizable(context) > 0)) {
+                if (r_opts->verbose > 1) {
+                        fprintf(stderr,
+                                "%s: %s not reset customized by admin to %s\n",
+-                               r_opts->progname, my_file, curcon);
+                               r_opts->progname, my_file, context);
+                }
+               freecon(context);
+                goto out;
+        }
+ 
+-       /*
+-        *  Do not change label unless this is a force or the type is different
+-        */
+-       if (!r_opts->force && curcon) {
+-               int types_differ = 0;
+-               context_t cona;
+-               context_t conb;
+-               int err = 0;
+-               cona = context_new(curcon);
+-               if (! cona) {
+-                       goto out;
+-               }
+-               conb = context_new(newcon);
+-               if (! conb) {
+-                       context_free(cona);
+-                       goto out;
+-               }
+-
+-               types_differ = strcmp(context_type_get(cona), context_type_get(conb));
+-               if (types_differ) {
+-                       err |= context_user_set(conb, context_user_get(cona));
+-                       err |= context_role_set(conb, context_role_get(cona));
+-                       err |= context_range_set(conb, context_range_get(cona));
+-                       if (!err) {
+-                               freecon(newcon);
+-                               newcon = strdup(context_str(conb));
+-                       }
+-               }
+-               context_free(cona);
+-               context_free(conb);
+-
+-               if (!types_differ || err) {
+-                       goto out;
+-               }
+-       }
+-
+        if (r_opts->verbose) {
+-               printf("%s reset %s context %s->%s\n",
+-                      r_opts->progname, my_file, curcon ?: "", newcon);
+               /* If we're just doing "-v", trim out any relabels where
+                * the user has r_opts->changed but the role and type are the
+                * same.  For "-vv", emit everything. */
+               if (r_opts->verbose > 1 || !user_only_changed) {
+                       printf("%s reset %s context %s->%s\n",
+                              r_opts->progname, my_file, context ?: "", newcon);
+               }
+        }
+ 
+-       if (r_opts->logging && r_opts->change) {
+-               if (curcon)
+       if (r_opts->logging && !user_only_changed) {
+               if (context)
+                        syslog(LOG_INFO, "relabeling %s from %s to %s\n",
+-                              my_file, curcon, newcon);
+                              my_file, context, newcon);
+                else
+                        syslog(LOG_INFO, "labeling %s to %s\n",
+                               my_file, newcon);
+        }
+ 
+-       if (r_opts->outfile)
+       if (r_opts->outfile && !user_only_changed)
+                fprintf(r_opts->outfile, "%s\n", my_file);
+ 
+       if (context)
+               freecon(context);
+
+        /*
+         * Do not relabel the file if -n was used.
+         */
+-       if (!r_opts->change)
+       if (!r_opts->change || user_only_changed)
+                goto out;
+ 
+        /*
+@@ -250,15 +220,12 @@ static int restore(FTSENT *ftsent)
+        }
+        ret = 0;
+ out:
+-       freecon(curcon);
+        freecon(newcon);
+        return ret;
+ skip:
+-       freecon(curcon);
+        freecon(newcon);
+        return SKIP;
+ err:
+-       freecon(curcon);
+        freecon(newcon);
+        return ERR;
+ }
+@@ -479,6 +446,22 @@ int add_exclude(const char *directory)
+        return 0;
+ }
+ 
+/* Compare two contexts to see if their differences are "significant",
+ * or whether the only difference is in the user. */
+static int only_changed_user(const char *a, const char *b)
+{
+       char *rest_a, *rest_b;  /* Rest of the context after the user */
+       if (r_opts->force)
+               return 0;
+       if (!a || !b)
+               return 0;
+       rest_a = strchr(a, ':');
+       rest_b = strchr(b, ':');
+       if (!rest_a || !rest_b)
+               return 0;
+       return (strcmp(rest_a, rest_b) == 0);
+}
+
+ /*
+  * Evaluate the association hash table distribution.
+  */
+diff --git a/setfiles/restorecon.8 b/setfiles/restorecon.8
+index ffbb9d1..f765000 100644
+--- a/setfiles/restorecon.8
+++ b/setfiles/restorecon.8
+@@ -21,11 +21,6 @@ It can also be run at any other time to correct inconsistent labels, to add
+ support for newly-installed policy or, by using the \-n option, to passively
+ check whether the file contexts are all set as specified by the active policy
+ (default behavior) or by some other policy (see the \-c option).
+-.P
+-If a file object does not have a context, restorecon will write the default
+-context to the file object's extended attributes. If a file object has a
+-context, restorecon will only modify the type portion of the security context.
+-The -F option will force a replacement of the entire context.
+ 
+ .SH "OPTIONS"
+ .TP
+@@ -36,8 +31,8 @@ exclude a directory (repeat the option to exclude more than one directory).
+ infilename contains a list of files to be processed. Use \- for stdin.
+ .TP
+ .B \-F
+-Force reset of context to match file_context for customizable files, and the
+-default file context, changing the user, role, range portion as well as the type.
+force reset of context to match file_context for customizable files, or the
+user section, if it has changed.
+ .TP
+ .B \-h, \-?
+ display usage information and exit.
+@@ -63,6 +58,9 @@ change files and directories file labels recursively (descend directories).
+ .B \-v
+ show changes in file labels, if type or role are going to be changed.
+ .TP 
+.B \-vv
+show changes in file labels, if type, role or user are going to be changed.
+.TP 
+ .B \-0
+ the separator for the input items is assumed to be the null character
+ (instead of the white space).  The quotes and the backslash characters are
+diff --git a/setfiles/setfiles.8 b/setfiles/setfiles.8
+index 7ff54f9..bcec84c 100644
+--- a/setfiles/setfiles.8
+++ b/setfiles/setfiles.8
+@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
+ 
+ .SH "SYNOPSIS"
+ .B setfiles
+-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
+ .SH "DESCRIPTION"
+ This manual page describes the
+ .BR setfiles
+@@ -19,13 +19,9 @@ It can also be run at any other time to correct inconsistent labels, to add
+ support for newly-installed policy or, by using the \-n option, to passively
+ check whether the file contexts are all set as specified by the active policy
+ (default behavior) or by some other policy (see the \-c option).
+-.P
+-If a file object does not have a context, setfiles will write the default
+-context to the file object's extended attributes. If a file object has a
+-context, setfiles will only modify the type portion of the security context.
+-The -F option will force a replacement of the entire context.
+
+ .SH "OPTIONS"
+-.TP
+.TP 
+ .B \-c
+ check the validity of the contexts against the specified binary policy.
+ .TP
+@@ -40,9 +36,7 @@ directory to exclude (repeat option for more than one directory).
+ take a list of files to be processed from an input file.
+ .TP
+ .B \-F
+-Force reset of context to match file_context for customizable files, and the
+-default file context, changing the user, role, range portion as well as the
+-type.
+force reset of context to match file_context for customizable files.
+ .TP
+ .B \-h, \-?
+ display usage information and exit.
+@@ -73,7 +67,10 @@ take a list of files from standard input instead of using a pathname from the
+ command line (equivalent to \-f \-).
+ .TP
+ .B \-v
+-show changes in file labels.
+show changes in file labels, if type or role are going to be changed.
+.TP 
+.B \-vv
+show changes in file labels, if type, role or user are going to be changed.
+ .TP 
+ .B \-W
+ display warnings about entries that had no matching files.
+-- 
+1.8.1.2
diff --git a/recipes-security/selinux/policycoreutils_2.1.13.bb b/recipes-security/selinux/policycoreutils_2.1.13.bb
index b5ef344..c514567 100644
--- a/recipes-security/selinux/policycoreutils_2.1.13.bb
+++ b/recipes-security/selinux/policycoreutils_2.1.13.bb
@@ -1,4 +1,4 @@
-PR = "r0"
+PR = "r1"
 include selinux_20120924.inc
 include ${BPN}.inc
@@ -8,3 +8,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
 SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"
 SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"
+SRC_URI += "\
+        file://policycoreutils-revert-restorecon-update-type.patch \
+        "
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-05-24 14:45:58 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-05-28 10:43:37 +0800
commit	ef33cdb47fbdda3cd4c05bccba096923709a9bca (patch)
tree	f69490b1ff5b24e953e2a9d4ceb5ced009342279
parent	4e6f390d830aa0d0c7d9d4cc12de93c94d0cb2ec (diff)
download	meta-selinux-ef33cdb47fbdda3cd4c05bccba096923709a9bca.tar.gz

diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch new file mode 100644 index 0000000..dd7f97c --- /dev/null +++ b/recipes-security/selinux/policycoreutils/policycoreutils-revert-restorecon-update-type.patch
@@ -0,0 +1,315 @@
		1	From 0fa419825539f172e1097d685e92c7d1a5826f23 Mon Sep 17 00:00:00 2001
		2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
		3	Date: Fri, 24 May 2013 14:31:10 +0800
		4	Subject: [PATCH] policycoreutils: Revert "restorecon: only update type by default"
		5
		6	This reverts uprev commit 96cedba3e59aa474f0f040da5108a17bba45ce6c.
		7
		8	96cedb will cause wrong security contexts for /dev/ while using
		9	MLS type of old refpolicy, so revert it.
		10
		11	This patch should be dropped while refpolicy is upreved to 2.20120725+.
		12
		13	Upstream-Status: Inappropriate [for old refpolicy]
		14
		15	---
		16	setfiles/restore.c \| 113 +++++++++++++++-------------------
		17	setfiles/restorecon.8 \| 12 ++--
		18	setfiles/setfiles.8 \| 19 +++---
		19	3 files changed, 61 insertions(+), 83 deletions(-)
		20
		21	diff --git a/setfiles/restore.c b/setfiles/restore.c
		22	index 4c62b41..2acec8e 100644
		23	--- a/setfiles/restore.c
		24	+++ b/setfiles/restore.c
		25	@@ -1,6 +1,5 @@
		26	#include "restore.h"
		27	#include <glob.h>
		28	-#include <selinux/context.h>
		29
		30	#define SKIP -2
		31	#define ERR -1
		32	@@ -34,6 +33,7 @@ struct edir {
		33
		34	static file_spec_t *fl_head;
		35	static int filespec_add(ino_t ino, const security_context_t con, const char *file);
		36	+static int only_changed_user(const char a, const char b);
		37	struct restore_opts *r_opts = NULL;
		38	static void filespec_destroy(void);
		39	static void filespec_eval(void);
		40	@@ -104,7 +104,8 @@ static int restore(FTSENT *ftsent)
		41	{
		42	char *my_file = strdupa(ftsent->fts_path);
		43	int ret = -1;
		44	- security_context_t curcon = NULL, newcon = NULL;
		45	+ char context, newcon;
		46	+ int user_only_changed = 0;
		47
		48	if (match(my_file, ftsent->fts_statp, &newcon) < 0)
		49	/* Check for no matching specification. */
		50	@@ -138,105 +139,74 @@ static int restore(FTSENT *ftsent)
		51	printf("%s: %s matched by %s\n", r_opts->progname, my_file, newcon);
		52	}
		53
		54	- /*
		55	- * Do not relabel if their is no default specification for this file
		56	- */
		57	-
		58	- if (strcmp(newcon, "<<none>>") == 0) {
		59	- goto out;
		60	- }
		61	-
		62	/* Get the current context of the file. */
		63	- ret = lgetfilecon_raw(ftsent->fts_accpath, &curcon);
		64	+ ret = lgetfilecon_raw(ftsent->fts_accpath, &context);
		65	if (ret < 0) {
		66	if (errno == ENODATA) {
		67	- curcon = NULL;
		68	+ context = NULL;
		69	} else {
		70	fprintf(stderr, "%s get context on %s failed: '%s'\n",
		71	r_opts->progname, my_file, strerror(errno));
		72	goto err;
		73	}
		74	- }
		75	-
		76	+ user_only_changed = 0;
		77	+ } else
		78	+ user_only_changed = only_changed_user(context, newcon);
		79	/* lgetfilecon returns number of characters and ret needs to be reset
		80	* to 0.
		81	*/
		82	ret = 0;
		83
		84	/*
		85	- * Do not relabel the file if the file is already labeled according to
		86	- * the specification.
		87	+ * Do not relabel the file if the matching specification is
		88	+ * <<none>> or the file is already labeled according to the
		89	+ * specification.
		90	*/
		91	- if (curcon && (strcmp(curcon, newcon) == 0)) {
		92	+ if ((strcmp(newcon, "<<none>>") == 0) \|\|
		93	+ (context && (strcmp(context, newcon) == 0))) {
		94	+ freecon(context);
		95	goto out;
		96	}
		97
		98	- if (!r_opts->force && curcon && (is_context_customizable(curcon) > 0)) {
		99	+ if (!r_opts->force && context && (is_context_customizable(context) > 0)) {
		100	if (r_opts->verbose > 1) {
		101	fprintf(stderr,
		102	"%s: %s not reset customized by admin to %s\n",
		103	- r_opts->progname, my_file, curcon);
		104	+ r_opts->progname, my_file, context);
		105	}
		106	+ freecon(context);
		107	goto out;
		108	}
		109
		110	- /*
		111	- * Do not change label unless this is a force or the type is different
		112	- */
		113	- if (!r_opts->force && curcon) {
		114	- int types_differ = 0;
		115	- context_t cona;
		116	- context_t conb;
		117	- int err = 0;
		118	- cona = context_new(curcon);
		119	- if (! cona) {
		120	- goto out;
		121	- }
		122	- conb = context_new(newcon);
		123	- if (! conb) {
		124	- context_free(cona);
		125	- goto out;
		126	- }
		127	-
		128	- types_differ = strcmp(context_type_get(cona), context_type_get(conb));
		129	- if (types_differ) {
		130	- err \|= context_user_set(conb, context_user_get(cona));
		131	- err \|= context_role_set(conb, context_role_get(cona));
		132	- err \|= context_range_set(conb, context_range_get(cona));
		133	- if (!err) {
		134	- freecon(newcon);
		135	- newcon = strdup(context_str(conb));
		136	- }
		137	- }
		138	- context_free(cona);
		139	- context_free(conb);
		140	-
		141	- if (!types_differ \|\| err) {
		142	- goto out;
		143	- }
		144	- }
		145	-
		146	if (r_opts->verbose) {
		147	- printf("%s reset %s context %s->%s\n",
		148	- r_opts->progname, my_file, curcon ?: "", newcon);
		149	+ /* If we're just doing "-v", trim out any relabels where
		150	+ * the user has r_opts->changed but the role and type are the
		151	+ * same. For "-vv", emit everything. */
		152	+ if (r_opts->verbose > 1 \|\| !user_only_changed) {
		153	+ printf("%s reset %s context %s->%s\n",
		154	+ r_opts->progname, my_file, context ?: "", newcon);
		155	+ }
		156	}
		157
		158	- if (r_opts->logging && r_opts->change) {
		159	- if (curcon)
		160	+ if (r_opts->logging && !user_only_changed) {
		161	+ if (context)
		162	syslog(LOG_INFO, "relabeling %s from %s to %s\n",
		163	- my_file, curcon, newcon);
		164	+ my_file, context, newcon);
		165	else
		166	syslog(LOG_INFO, "labeling %s to %s\n",
		167	my_file, newcon);
		168	}
		169
		170	- if (r_opts->outfile)
		171	+ if (r_opts->outfile && !user_only_changed)
		172	fprintf(r_opts->outfile, "%s\n", my_file);
		173
		174	+ if (context)
		175	+ freecon(context);
		176	+
		177	/*
		178	* Do not relabel the file if -n was used.
		179	*/
		180	- if (!r_opts->change)
		181	+ if (!r_opts->change \|\| user_only_changed)
		182	goto out;
		183
		184	/*
		185	@@ -250,15 +220,12 @@ static int restore(FTSENT *ftsent)
		186	}
		187	ret = 0;
		188	out:
		189	- freecon(curcon);
		190	freecon(newcon);
		191	return ret;
		192	skip:
		193	- freecon(curcon);
		194	freecon(newcon);
		195	return SKIP;
		196	err:
		197	- freecon(curcon);
		198	freecon(newcon);
		199	return ERR;
		200	}
		201	@@ -479,6 +446,22 @@ int add_exclude(const char *directory)
		202	return 0;
		203	}
		204
		205	+/* Compare two contexts to see if their differences are "significant",
		206	+ * or whether the only difference is in the user. */
		207	+static int only_changed_user(const char a, const char b)
		208	+{
		209	+ char rest_a, rest_b; /* Rest of the context after the user */
		210	+ if (r_opts->force)
		211	+ return 0;
		212	+ if (!a \|\| !b)
		213	+ return 0;
		214	+ rest_a = strchr(a, ':');
		215	+ rest_b = strchr(b, ':');
		216	+ if (!rest_a \|\| !rest_b)
		217	+ return 0;
		218	+ return (strcmp(rest_a, rest_b) == 0);
		219	+}
		220	+
		221	/*
		222	* Evaluate the association hash table distribution.
		223	*/
		224	diff --git a/setfiles/restorecon.8 b/setfiles/restorecon.8
		225	index ffbb9d1..f765000 100644
		226	--- a/setfiles/restorecon.8
		227	+++ b/setfiles/restorecon.8
		228	@@ -21,11 +21,6 @@ It can also be run at any other time to correct inconsistent labels, to add
		229	support for newly-installed policy or, by using the \-n option, to passively
		230	check whether the file contexts are all set as specified by the active policy
		231	(default behavior) or by some other policy (see the \-c option).
		232	-.P
		233	-If a file object does not have a context, restorecon will write the default
		234	-context to the file object's extended attributes. If a file object has a
		235	-context, restorecon will only modify the type portion of the security context.
		236	-The -F option will force a replacement of the entire context.
		237
		238	.SH "OPTIONS"
		239	.TP
		240	@@ -36,8 +31,8 @@ exclude a directory (repeat the option to exclude more than one directory).
		241	infilename contains a list of files to be processed. Use \- for stdin.
		242	.TP
		243	.B \-F
		244	-Force reset of context to match file_context for customizable files, and the
		245	-default file context, changing the user, role, range portion as well as the type.
		246	+force reset of context to match file_context for customizable files, or the
		247	+user section, if it has changed.
		248	.TP
		249	.B \-h, \-?
		250	display usage information and exit.
		251	@@ -63,6 +58,9 @@ change files and directories file labels recursively (descend directories).
		252	.B \-v
		253	show changes in file labels, if type or role are going to be changed.
		254	.TP
		255	+.B \-vv
		256	+show changes in file labels, if type, role or user are going to be changed.
		257	+.TP
		258	.B \-0
		259	the separator for the input items is assumed to be the null character
		260	(instead of the white space). The quotes and the backslash characters are
		261	diff --git a/setfiles/setfiles.8 b/setfiles/setfiles.8
		262	index 7ff54f9..bcec84c 100644
		263	--- a/setfiles/setfiles.8
		264	+++ b/setfiles/setfiles.8
		265	@@ -4,7 +4,7 @@ setfiles \- set SELinux file security contexts.
		266
		267	.SH "SYNOPSIS"
		268	.B setfiles
		269	-.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-W] [\-F] spec_file pathname...
		270	+.I [\-c policy] [\-d] [\-l] [\-n] [\-e directory] [\-o filename] [\-q] [\-s] [\-v] [\-vv] [\-W] [\-F] spec_file pathname...
		271	.SH "DESCRIPTION"
		272	This manual page describes the
		273	.BR setfiles
		274	@@ -19,13 +19,9 @@ It can also be run at any other time to correct inconsistent labels, to add
		275	support for newly-installed policy or, by using the \-n option, to passively
		276	check whether the file contexts are all set as specified by the active policy
		277	(default behavior) or by some other policy (see the \-c option).
		278	-.P
		279	-If a file object does not have a context, setfiles will write the default
		280	-context to the file object's extended attributes. If a file object has a
		281	-context, setfiles will only modify the type portion of the security context.
		282	-The -F option will force a replacement of the entire context.
		283	+
		284	.SH "OPTIONS"
		285	-.TP
		286	+.TP
		287	.B \-c
		288	check the validity of the contexts against the specified binary policy.
		289	.TP
		290	@@ -40,9 +36,7 @@ directory to exclude (repeat option for more than one directory).
		291	take a list of files to be processed from an input file.
		292	.TP
		293	.B \-F
		294	-Force reset of context to match file_context for customizable files, and the
		295	-default file context, changing the user, role, range portion as well as the
		296	-type.
		297	+force reset of context to match file_context for customizable files.
		298	.TP
		299	.B \-h, \-?
		300	display usage information and exit.
		301	@@ -73,7 +67,10 @@ take a list of files from standard input instead of using a pathname from the
		302	command line (equivalent to \-f \-).
		303	.TP
		304	.B \-v
		305	-show changes in file labels.
		306	+show changes in file labels, if type or role are going to be changed.
		307	+.TP
		308	+.B \-vv
		309	+show changes in file labels, if type, role or user are going to be changed.
		310	.TP
		311	.B \-W
		312	display warnings about entries that had no matching files.
		313	--
		314	1.8.1.2
		315


diff --git a/recipes-security/selinux/policycoreutils_2.1.13.bb b/recipes-security/selinux/policycoreutils_2.1.13.bb index b5ef344..c514567 100644 --- a/recipes-security/selinux/policycoreutils_2.1.13.bb +++ b/recipes-security/selinux/policycoreutils_2.1.13.bb
@@ -1,4 +1,4 @@
1	PR = "r0"	1	PR = "r1"
2		2
3	include selinux_20120924.inc	3	include selinux_20120924.inc
4	include ${BPN}.inc	4	include ${BPN}.inc
@@ -8,3 +8,6 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=393a5ca445f6965873eca0259a17f833"
8	SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"	8	SRC_URI[md5sum] = "97c0b828599fe608f37894989820d71d"
9	SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"	9	SRC_URI[sha256sum] = "34040f06f3111d9ee957576e4095841d35b9ca9141ee8d80aab036cbefb28584"
10		10
		11	SRC_URI += "\
		12	file://policycoreutils-revert-restorecon-update-type.patch \
		13	"