public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed
* [rpms/policycoreutils] rawhide: SELinux userspace 3.11 release
@ 2026-07-01 20:00 Petr Lautrbach
  0 siblings, 0 replies; only message in thread
From: Petr Lautrbach @ 2026-07-01 20:00 UTC (permalink / raw)
  To: git-commits

A new commit has been pushed.

Repo   : rpms/policycoreutils
Branch : rawhide
Commit : 117d3bf1b1824a64a2e204880c1e7d748f48332b
Author : Petr Lautrbach <lautrbach@redhat.com>
Date   : 2026-07-01T21:56:45+02:00
Stats  : +49/-1680 in 27 file(s)
URL    : https://src.fedoraproject.org/rpms/policycoreutils/c/117d3bf1b1824a64a2e204880c1e7d748f48332b?branch=rawhide

Log:
SELinux userspace 3.11 release

---
diff --git a/.gitignore b/.gitignore
index f241d8b..061b9cd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -370,3 +370,5 @@ policycoreutils-2.0.83.tgz
 /selinux-3.10-rc2.tar.gz
 /selinux-3.10.tar.gz
 /selinux-3.10.tar.gz.asc
+/selinux-3.11.tar.gz
+/selinux-3.11.tar.gz.asc

diff --git a/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
index e5b471a..7c75a87 100644
--- a/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
+++ b/0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -1,4 +1,4 @@
-From a85ac04b18f82017291fc236662235e213d61ad3 Mon Sep 17 00:00:00 2001
+From e559f98a6d73a623ff735cab43d45b5c98403970 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Fri, 14 Feb 2014 12:32:12 -0500
 Subject: [PATCH] Don't be verbose if you are not on a tty
@@ -21,5 +21,5 @@ index b7cd765c15e4..f2518e96e34c 100755
  THREADS=""
  RPMFILES=""
 -- 
-2.52.0
+2.54.0
 

diff --git a/0002-sepolicy-generate-Handle-more-reserved-port-types.patch b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
index 50f7951..12678fd 100644
--- a/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
+++ b/0002-sepolicy-generate-Handle-more-reserved-port-types.patch
@@ -1,4 +1,4 @@
-From 131d84005e7d14a75fb8eb3d7580f3e4001c4bc3 Mon Sep 17 00:00:00 2001
+From 6be99263017c169d0f0bc1ed247e22a696583bad Mon Sep 17 00:00:00 2001
 From: Masatake YAMATO <yamato@redhat.com>
 Date: Thu, 14 Dec 2017 15:57:58 +0900
 Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index 780a56b28ec4..cde6a840e452 100644
+index 0edda54ad5a1..02d9066c8a42 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
 @@ -100,7 +100,9 @@ def get_all_ports():
@@ -68,5 +68,5 @@ index 780a56b28ec4..cde6a840e452 100644
          dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
      return dict
 -- 
-2.52.0
+2.54.0
 

diff --git a/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
index 0c2608f..4842166 100644
--- a/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
+++ b/0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
@@ -1,4 +1,4 @@
-From 740ef2e87ee34612ac62c60a70fc155e8c69f6fe Mon Sep 17 00:00:00 2001
+From 211d44c2e7b629f3ac073147a4c31449bcbe4478 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 18 Jul 2018 09:09:35 +0200
 Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@@ -11,10 +11,10 @@ Content-type: text/plain
  3 files changed, 3 insertions(+), 17 deletions(-)
 
 diff --git a/sandbox/sandbox b/sandbox/sandbox
-index e3fd6119ed4d..e01425f0c637 100644
+index 4e7d56fdedfd..5f79c5367bda 100644
 --- a/sandbox/sandbox
 +++ b/sandbox/sandbox
-@@ -270,7 +270,7 @@ class Sandbox:
+@@ -266,7 +266,7 @@ class Sandbox:
              copyfile(f, "/tmp", self.__tmpdir)
              copyfile(f, "/var/tmp", self.__tmpdir)
  
@@ -23,7 +23,7 @@ index e3fd6119ed4d..e01425f0c637 100644
          execfile = self.__homedir + "/.sandboxrc"
          fd = open(execfile, "w+")
          if self.__options.session:
-@@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -366,7 +366,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
  
          parser.add_option("-W", "--windowmanager", dest="wm",
                            type="string",
@@ -71,5 +71,5 @@ index 28169182ce42..e2a7ad9b2ac7 100644
      if [ -z "$WAYLAND_DISPLAY" ]; then
          DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
 -- 
-2.52.0
+2.54.0
 

diff --git a/0004-Use-SHA-2-instead-of-SHA-1.patch b/0004-Use-SHA-2-instead-of-SHA-1.patch
index c3b5fe6..9013a73 100644
--- a/0004-Use-SHA-2-instead-of-SHA-1.patch
+++ b/0004-Use-SHA-2-instead-of-SHA-1.patch
@@ -1,4 +1,4 @@
-From dcf1b282d45d326b24ee8b723e94848647440afd Mon Sep 17 00:00:00 2001
+From cbaf1040c655bd544eedca3b8e070720dfc3b2be Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
@@ -13,7 +13,7 @@ The use of SHA-1 in RHEL9 is deprecated
  4 files changed, 20 insertions(+), 20 deletions(-)
 
 diff --git a/policycoreutils/setfiles/restorecon.8 b/policycoreutils/setfiles/restorecon.8
-index 1134420e0e28..77dd05421d11 100644
+index b7ff9715a49b..66b9c800dc73 100644
 --- a/policycoreutils/setfiles/restorecon.8
 +++ b/policycoreutils/setfiles/restorecon.8
 @@ -103,14 +103,14 @@ display usage information and exit.
@@ -34,7 +34,7 @@ index 1134420e0e28..77dd05421d11 100644
  enable usage of the
  .IR security.sehash
  extended attribute.
-@@ -208,7 +208,7 @@ the
+@@ -211,7 +211,7 @@ the
  .B \-D
  option to
  .B restorecon
@@ -43,7 +43,7 @@ index 1134420e0e28..77dd05421d11 100644
  attribute named
  .IR security.sehash
  on each directory specified in
-@@ -225,7 +225,7 @@ for further details.
+@@ -228,7 +228,7 @@ for further details.
  .sp
  The
  .B \-I
@@ -90,7 +90,7 @@ index 51d12a4dbb80..09bfd8c40ab4 100644
  .I security.sehash
  directory digest entries, and is shown for reference only).
 diff --git a/policycoreutils/setfiles/restorecon_xattr.c b/policycoreutils/setfiles/restorecon_xattr.c
-index 31fb82fd2099..bc22d3fd4560 100644
+index e8604ec63c29..738319edb4a4 100644
 --- a/policycoreutils/setfiles/restorecon_xattr.c
 +++ b/policycoreutils/setfiles/restorecon_xattr.c
 @@ -38,7 +38,7 @@ int main(int argc, char **argv)
@@ -102,7 +102,7 @@ index 31fb82fd2099..bc22d3fd4560 100644
  	unsigned char *fc_digest = NULL;
  	size_t i, fc_digest_len = 0, num_specfiles;
  
-@@ -133,8 +133,8 @@ int main(int argc, char **argv)
+@@ -134,8 +134,8 @@ int main(int argc, char **argv)
  			exit(-1);
  		}
  
@@ -110,9 +110,9 @@ index 31fb82fd2099..bc22d3fd4560 100644
 -		if (!sha1_buf) {
 +		sha256_buf = malloc(fc_digest_len * 2 + 1);
 +		if (!sha256_buf) {
- 			fprintf(stderr,
- 				"Error allocating digest buffer: %s\n",
- 							    strerror(errno));
+ 			fprintf(stderr, "Error allocating digest buffer: %s\n",
+ 				strerror(errno));
+ 			selabel_close(hnd);
 @@ -143,16 +143,16 @@ int main(int argc, char **argv)
  		}
  
@@ -174,5 +174,5 @@ index d43e4ad20f54..458f3f9f1693 100644
  and provided the
  .B \-n
 -- 
-2.52.0
+2.54.0
 

diff --git a/0005-python-sepolicy-Fix-spec-file-dependencies.patch b/0005-python-sepolicy-Fix-spec-file-dependencies.patch
index a37e0b3..5128d5b 100644
--- a/0005-python-sepolicy-Fix-spec-file-dependencies.patch
+++ b/0005-python-sepolicy-Fix-spec-file-dependencies.patch
@@ -1,4 +1,4 @@
-From 4837592b04e7fc85a3063eb169c3bb3c7ce58c73 Mon Sep 17 00:00:00 2001
+From 33b90b3f2e7904c37003e525cb0a5459dea3db38 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Tue, 30 May 2023 09:07:28 +0200
 Subject: [PATCH] python/sepolicy: Fix spec file dependencies
@@ -44,5 +44,5 @@ index 433c298a17e0..a6d4508bb670 100644
  
  mid_section="""\
 -- 
-2.52.0
+2.54.0
 

diff --git a/0006-sepolicy-Fix-detection-of-writeable-locations.patch b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
index 26a0024..1a8cc9c 100644
--- a/0006-sepolicy-Fix-detection-of-writeable-locations.patch
+++ b/0006-sepolicy-Fix-detection-of-writeable-locations.patch
@@ -1,4 +1,4 @@
-From 9f2811d24a705b6fb4c1c0339dfe9bd30909228b Mon Sep 17 00:00:00 2001
+From b5d8719fdcaa7a7209bacb6e0d2f57f0f428706d Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <lautrbach@redhat.com>
 Date: Mon, 5 May 2025 18:28:40 +0200
 Subject: [PATCH] sepolicy: Fix detection of writeable locations
@@ -26,17 +26,20 @@ Fixes:
 
 Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
 ---
- python/sepolicy/sepolicy/generate.py | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
+ python/sepolicy/sepolicy/generate.py | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
 
 diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
-index cde6a840e452..9b360e96c9d1 100644
+index 02d9066c8a42..9b360e96c9d1 100644
 --- a/python/sepolicy/sepolicy/generate.py
 +++ b/python/sepolicy/sepolicy/generate.py
-@@ -1324,15 +1324,15 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1324,18 +1324,15 @@ allow %s_t %s_t:%s_socket name_%s;
          import dnf
  
          with dnf.Base() as base:
+-            if base.conf.substitutions.get('releasever') is None:
+-                base.conf.substitutions['releasever'] = ''
+-
 +            base.conf.substitutions.update_from_etc('/')
              base.read_all_repos()
              base.fill_sack(load_system_repo=True)
@@ -52,7 +55,7 @@ index cde6a840e452..9b360e96c9d1 100644
                  self.rpms.append(pkg.name)
                  for fname in pkg.files:
                      for b in self.DEFAULT_DIRS:
-@@ -1345,7 +1345,7 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1348,7 +1345,7 @@ allow %s_t %s_t:%s_socket name_%s;
                                  self.add_dir(fname)
                  sq = query.available()
                  sq = sq.filter(provides=pkg.source_name)
@@ -62,5 +65,5 @@ index cde6a840e452..9b360e96c9d1 100644
                          for b in self.DEFAULT_DIRS:
                              if b == "/etc":
 -- 
-2.52.0
+2.54.0
 

diff --git a/0007-restorecond-Add-F-for-run-in-foreground.patch b/0007-restorecond-Add-F-for-run-in-foreground.patch
deleted file mode 100644
index 83c7b22..0000000
--- a/0007-restorecond-Add-F-for-run-in-foreground.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 9f80476c48e1d0ee6106102f6746fcb0da016213 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <lautrbach@redhat.com>
-Date: Thu, 2 Apr 2026 17:17:12 +0200
-Subject: [PATCH] restorecond: Add -F for run in foreground
-Content-type: text/plain
-
-Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
----
- restorecond/restorecond.8 |  5 ++++-
- restorecond/restorecond.c | 13 ++++++++-----
- 2 files changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/restorecond/restorecond.8 b/restorecond/restorecond.8
-index bf8ec87562f8..bb99b24a2d69 100644
---- a/restorecond/restorecond.8
-+++ b/restorecond/restorecond.8
-@@ -3,7 +3,7 @@
- restorecond \- daemon that watches for file creation and then sets the default SELinux file context
- 
- .SH "SYNOPSIS"
--.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-u] [\-v]
-+.B restorecond  [\-d] [-h] [\-f restorecond_file ] [\-F] [\-u] [\-v]
- .P
- 
- .SH "DESCRIPTION"
-@@ -26,6 +26,9 @@ Print usage statement.
- .B \-f restorecond_file
- Use alternative restorecond.conf file.
- .TP
-+.B \-F
-+Run in foreground, do not become a daemon.
-+.TP
- .B \-u
- Turns on user mode.  Runs restorecond in the user session and reads /etc/selinux/restorecond_user.conf.  Uses dbus to make sure only one restorecond is running per user session.
- .TP
-diff --git a/restorecond/restorecond.c b/restorecond/restorecond.c
-index d5f70fc2e2c1..36f82ae5e9cb 100644
---- a/restorecond/restorecond.c
-+++ b/restorecond/restorecond.c
-@@ -76,6 +76,7 @@ int debug_mode = 0;
- int terminate = 0;
- int master_wd = -1;
- int run_as_user = 0;
-+int foreground_mode = 0;
- 
- static void done(void) {
- 	watch_list_free(master_fd);
-@@ -124,7 +125,7 @@ static void term_handler(int s __attribute__ ((unused)))
- 
- static void usage(char *program)
- {
--	printf("%s [-d] [-f restorecond_file ] [-u] [-v] \n", program);
-+	printf("%s [-d] [-f restorecond_file ] [-F] [-n] [-u] [-v] \n", program);
- }
- 
- void exitApp(const char *msg)
-@@ -165,7 +166,7 @@ int main(int argc, char **argv)
- 	sigaction(SIGTERM, &sa, NULL);
- 
- 	atexit( done );
--	while ((opt = getopt(argc, argv, "hdf:uv")) > 0) {
-+	while ((opt = getopt(argc, argv, "hdf:Fuv")) > 0) {
- 		switch (opt) {
- 		case 'd':
- 			debug_mode = 1;
-@@ -173,6 +174,9 @@ int main(int argc, char **argv)
- 		case 'f':
- 			watch_file = optarg;
- 			break;
-+		case 'F':
-+			foreground_mode = 1;
-+			break;
- 		case 'u':
- 			run_as_user = 1;
- 			break;
-@@ -209,13 +213,12 @@ int main(int argc, char **argv)
- 
- 	read_config(master_fd, watch_file);
- 
--	if (!debug_mode) {
-+	if (!debug_mode && !foreground_mode) {
- 		if (daemon(0, 0) < 0)
- 			exitApp("daemon");
-+		write_pid_file();
- 	}
- 
--	write_pid_file();
--
- 	while (watch(master_fd, watch_file) == 0) {
- 	}
- 
--- 
-2.53.0
-

diff --git a/0008-restorecond.service-Use-Type-simple.patch b/0008-restorecond.service-Use-Type-simple.patch
deleted file mode 100644
index 39cf250..0000000
--- a/0008-restorecond.service-Use-Type-simple.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 3f04fb1172c94a98e5a4dc0e1f69172e3acbc7d7 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <lautrbach@redhat.com>
-Date: Thu, 2 Apr 2026 17:19:05 +0200
-Subject: [PATCH] restorecond.service: Use Type=simple
-Content-type: text/plain
-
-There's a race condition when daemon() in parent process immediately
-exits while pid file is not created or updated. Using Type=forking it
-can confuse systemd which tries to open non-existing pid file. It's
-better to run restocond in foreground and use Type=simple
-
-Fixes:
-
-    openat(80</run>, "restorecond.pid", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = -1 ENOENT (No such file or directory) <0.000006>
-
-Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
----
- restorecond/restorecond.service | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/restorecond/restorecond.service b/restorecond/restorecond.service
-index 0e4ea72d08ae..56f970707d93 100644
---- a/restorecond/restorecond.service
-+++ b/restorecond/restorecond.service
-@@ -5,9 +5,8 @@ ConditionPathExists=/etc/selinux/restorecond.conf
- ConditionSecurity=selinux
- 
- [Service]
--Type=forking
--ExecStart=/usr/sbin/restorecond
--PIDFile=/run/restorecond.pid
-+Type=simple
-+ExecStart=/usr/sbin/restorecond -F
- 
- [Install]
- WantedBy=multi-user.target
--- 
-2.53.0
-

diff --git a/0009-seunshare-guard-fallible-function-calls-by-checking-.patch b/0009-seunshare-guard-fallible-function-calls-by-checking-.patch
deleted file mode 100644
index 028d2bd..0000000
--- a/0009-seunshare-guard-fallible-function-calls-by-checking-.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0edfc7cd42fdded9c697370d6932eecad2aa7449 Mon Sep 17 00:00:00 2001
-From: Rahul Sandhu <nvraxn@posteo.uk>
-Date: Tue, 14 Apr 2026 18:40:00 +0000
-Subject: [PATCH] seunshare: guard fallible function calls by checking retval
-Content-type: text/plain
-
-seunshare currently segfaults is passed --kill and an invalid context
-via -Z.
-
-Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>
-Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 26 +++++++++++++++++++-------
- 1 file changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 2512a18c7b52..e89a9fecf9f6 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -679,9 +679,19 @@ killall (const char *execcon)
- 		return -1;
- 	}
- 	pids = 0;
--	context_t con;
--	con = context_new(execcon);
--	const char *mcs = context_range_get(con);
-+	context_t con = context_new(execcon);
-+	if (!con) {
-+		free(pid_table);
-+		(void)closedir(dir);
-+		return -1;
-+	}
-+	const char *const mcs = context_range_get(con);
-+	if (!mcs) {
-+		context_free(con);
-+		free(pid_table);
-+		(void)closedir(dir);
-+		return -1;
-+	}
- 	printf("mcs=%s\n", mcs);
- 	while ((de = readdir (dir)) != NULL) {
- 		if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
-@@ -708,11 +718,13 @@ killall (const char *execcon)
- 		if (getpidcon(id, &scon) == 0) {
- 
- 			context_t pidcon = context_new(scon);
--			/* Attempt to kill remaining processes */
--			if (strcmp(context_range_get(pidcon), mcs) == 0)
--				kill(id, SIGKILL);
-+			if (pidcon) {
-+				/* Attempt to kill remaining processes */
-+				if (strcmp(context_range_get(pidcon), mcs) == 0)
-+					kill(id, SIGKILL);
- 
--			context_free(pidcon);
-+				context_free(pidcon);
-+			}
- 			freecon(scon);
- 		}
- 		running++;
--- 
-2.54.0
-

diff --git a/0010-sandbox-seunshare-pass-O_NOFOLLOW-to-openat.patch b/0010-sandbox-seunshare-pass-O_NOFOLLOW-to-openat.patch
deleted file mode 100644
index 2191dec..0000000
--- a/0010-sandbox-seunshare-pass-O_NOFOLLOW-to-openat.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 8d2c7360f5749b3ccacd348c495399f24318d7b4 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Tue, 12 May 2026 14:34:02 -0400
-Subject: [PATCH] sandbox/seunshare: pass O_NOFOLLOW to openat()
-Content-type: text/plain
-
-We do not want to follow symlinks here.
-
-Acked-by: James Carter <jwcart2@gmail.com>
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index e89a9fecf9f6..a1900eaa7600 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -428,7 +428,7 @@ static bool rm_rf(int targetfd, const char *path) {
- 	}
- 
- 	if (S_ISDIR(statbuf.st_mode)) {
--		const int newfd = openat(targetfd, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
-+		const int newfd = openat(targetfd, path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
- 		if (newfd < 0) {
- 			perror("openat");
- 			return false;
--- 
-2.54.0
-

diff --git a/0011-sandbox-seunshare-switch-seunshare_mount_file-to-use.patch b/0011-sandbox-seunshare-switch-seunshare_mount_file-to-use.patch
deleted file mode 100644
index b437195..0000000
--- a/0011-sandbox-seunshare-switch-seunshare_mount_file-to-use.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e964a574c2ca8ec1bcd3172dc185ada8044dceee Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Tue, 12 May 2026 15:26:31 -0400
-Subject: [PATCH] sandbox/seunshare: switch seunshare_mount_file() to use
- open()
-Content-type: text/plain
-
-seunshare_mount_file() currently uses fopen() to create the dst
-if it doesn't already exist. Switch to using open() with
-explicitly specified flags including O_NOFOLLOW and an explicitly
-specified mode for the new file.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Petr Lautrbach <lautrbach@redhat.com>
----
- sandbox/seunshare.c | 14 ++++++++------
- 1 file changed, 8 insertions(+), 6 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index a1900eaa7600..17a727e78b5f 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -304,18 +304,20 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
-  */
- static int seunshare_mount_file(const char *src, const char *dst)
- {
--	int flags = 0;
--
- 	if (verbose)
- 		printf(_("Mounting %s on %s\n"), src, dst);
- 
- 	if (access(dst, F_OK) == -1) {
--		 FILE *fptr;
--         fptr = fopen(dst, "w");
--		 fclose(fptr);
-+		int fd = open(dst, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
-+		if (fd < 0) {
-+			fprintf(stderr, _("Failed to create mount point %s: %m\n"), dst);
-+			return -1;
-+		}
-+		close(fd);
- 	}
-+
- 	/* mount file */
--	if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
-+	if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
- 		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
- 		return -1;
- 	}
--- 
-2.54.0
-

diff --git a/0012-sandbox-seunshare-fix-error-checking-for-setfsuid.patch b/0012-sandbox-seunshare-fix-error-checking-for-setfsuid.patch
deleted file mode 100644
index 02d93e0..0000000
--- a/0012-sandbox-seunshare-fix-error-checking-for-setfsuid.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9c5320c6d4a1eb91b57e4e12737882ef131c2faa Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Tue, 12 May 2026 15:35:53 -0400
-Subject: [PATCH] sandbox/seunshare: fix error checking for setfsuid()
-Content-type: text/plain
-
-setfsuid() doesn't reliably set errno or return anything indicating
-an error.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Petr Lautrbach <lautrbach@redhat.com>
----
- sandbox/seunshare.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 17a727e78b5f..b9c85bf20f85 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -858,8 +858,8 @@ int main(int argc, char **argv) {
- 	/* Changing fsuid is usually required when user-specified directory is
- 	 * on an NFS mount.  It's also desired to avoid leaking info about
- 	 * existence of the files not accessible to the user. */
--	if (((uid_t)setfsuid(uid) != 0)   && (errno != 0)) {
--		fprintf(stderr, _("Error: unable to setfsuid %m\n"));
-+	if ((uid_t)setfsuid(uid) != 0) {
-+		fprintf(stderr, _("Error: unable to setfsuid\n"));
- 
- 		return -1;
- 	}
--- 
-2.54.0
-

diff --git a/0013-sandbox-seunshare-remount-tmp-and-var-tmp-with-the-p.patch b/0013-sandbox-seunshare-remount-tmp-and-var-tmp-with-the-p.patch
deleted file mode 100644
index ade7f30..0000000
--- a/0013-sandbox-seunshare-remount-tmp-and-var-tmp-with-the-p.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From f78708ea5d6d3d6da4fa20527b459fa55075d8a6 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Tue, 12 May 2026 16:06:05 -0400
-Subject: [PATCH] sandbox/seunshare: remount /tmp and /var/tmp with the proper
- flags
-Content-type: text/plain
-
-mount(2) with MS_BIND ignores any nosuid/nodev/noexec flags, so
-seunshare_mount() was never setting those on the /tmp and
-/var/tmp mounts. Fix seunshare_mount() to remount them
-with those flags after the bind mount, which does
-set them properly.
-
-Test:
-mkdir tmp
-seunshare -t tmp /bin/bash
-cp /bin/bash /tmp
-/tmp/bash
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
-Acked-by: Petr Lautrbach <lautrbach@redhat.com>
----
- sandbox/seunshare.c | 21 ++++++++++++++++-----
- 1 file changed, 16 insertions(+), 5 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index b9c85bf20f85..985e0cfba199 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -260,26 +260,32 @@ static int verify_shell(const char *shell_name)
-  */
- static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
- {
--	int flags = 0;
-+	int bind_flags = MS_BIND;
-+	int sec_flags = 0;
- 	int is_tmp = 0;
- 
- 	if (verbose)
- 		printf(_("Mounting %s on %s\n"), src, dst);
- 
- 	if (strcmp("/tmp", dst) == 0) {
--		flags = flags | MS_NODEV | MS_NOSUID | MS_NOEXEC;
-+		sec_flags = MS_NODEV | MS_NOSUID | MS_NOEXEC;
- 		is_tmp = 1;
- 	}
- 
- 	if (strncmp("/run/user", dst, 9) == 0) {
--		flags = flags | MS_REC;
-+		bind_flags |= MS_REC;
- 	}
- 
- 	/* mount directory */
--	if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
-+	if (mount(src, dst, NULL, bind_flags, NULL) < 0) {
- 		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
- 		return -1;
- 	}
-+	/* remount with security flags, ignored on original bind mount */
-+	if (sec_flags && mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
-+		fprintf(stderr, _("Failed to remount %s: %m\n"), dst);
-+		return -1;
-+	}
- 
- 	/* verify whether we mounted what we expected to mount */
- 	if (verify_directory(dst, src_st, NULL) < 0) return -1;
-@@ -289,10 +295,15 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
- 		if (verbose)
- 			printf(_("Mounting /tmp on /var/tmp\n"));
- 
--		if (mount("/tmp", "/var/tmp",  NULL, MS_BIND | flags, NULL) < 0) {
-+		if (mount("/tmp", "/var/tmp",  NULL, MS_BIND, NULL) < 0) {
- 			fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
- 			return -1;
- 		}
-+		/* remount with security flags, ignored on original bind mount */
-+		if (mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
-+			fprintf(stderr, _("Failed to remount /var/tmp: %m\n"));
-+			return -1;
-+		}
- 	}
- 
- 	return 0;
--- 
-2.54.0
-

diff --git a/0014-sandbox-seunshare-prevent-rsync-from-interpreting-pa.patch b/0014-sandbox-seunshare-prevent-rsync-from-interpreting-pa.patch
deleted file mode 100644
index cffb736..0000000
--- a/0014-sandbox-seunshare-prevent-rsync-from-interpreting-pa.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From dd620e8af44e1cb59d70837e80a5d55a8d3e789f Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 09:47:50 -0400
-Subject: [PATCH] sandbox/seunshare: prevent rsync from interpreting paths as
- options
-Content-type: text/plain
-
-Insert a "--" after all legitimate options before any glob or
-pathnames to prevent rsync from interpreting them as options.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 16 +++++++++-------
- 1 file changed, 9 insertions(+), 7 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 985e0cfba199..a48c88036088 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -391,8 +391,8 @@ static int rsynccmd(const char * src, const char *dst, char ***cmd) {
- 
- 	free(buf); buf = NULL;
- 
--	/* rsync  -trlHDq + <glob list> + dst + NULL */
--	*cmd = calloc(2 + fglob.gl_pathc + 2, sizeof(char *));
-+	/* rsync -trlHDq -- <glob list> dst NULL */
-+	*cmd = calloc(3 + fglob.gl_pathc + 2, sizeof(char *));
- 	if (! *cmd) {
- 		fprintf(stderr, _("Out of memory\n"));
- 		return -1;
-@@ -401,8 +401,9 @@ static int rsynccmd(const char * src, const char *dst, char ***cmd) {
- 	args = *cmd;
- 	strdup_or_err(args, 0, "/usr/bin/rsync");
- 	strdup_or_err(args, 1, "-trlHDq");
-+	strdup_or_err(args, 2, "--");
- 
--	for ( i=0, index = 2; i < fglob.gl_pathc; i++) {
-+	for ( i=0, index = 3; i < fglob.gl_pathc; i++) {
- 		const char *path = fglob.gl_pathv[i];
- 		if (bad_path(path)) continue;
- 		strdup_or_err(args, index, path);
-@@ -495,7 +496,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
- 
- 	/* rsync files back */
- 	if (copy_content) {
--		args = calloc(7, sizeof(char *));
-+		args = calloc(8, sizeof(char *));
- 		if (! args) {
- 			fprintf(stderr, _("Out of memory\n"));
- 			return 1;
-@@ -505,17 +506,18 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
- 		strdup_or_err(args, 1, "--exclude=.X11-unix");
- 		strdup_or_err(args, 2, "-utrlHDq");
- 		strdup_or_err(args, 3, "--delete");
--		if (asprintf(&args[4], "%s/", tmpdir) == -1) {
-+		strdup_or_err(args, 4, "--");
-+		if (asprintf(&args[5], "%s/", tmpdir) == -1) {
- 			fprintf(stderr, _("Out of memory\n"));
- 			free_args(args);
- 			return 1;
- 		}
--		if (asprintf(&args[5], "%s/", src) == -1) {
-+		if (asprintf(&args[6], "%s/", src) == -1) {
- 			fprintf(stderr, _("Out of memory\n"));
- 			free_args(args);
- 			return 1;
- 		}
--		args[6] = NULL;
-+		args[7] = NULL;
- 
- 		if (spawn_command(args, pwd->pw_uid) != 0) {
- 			fprintf(stderr, _("Failed to copy files from the runtime temporary directory\n"));
--- 
-2.54.0
-

diff --git a/0015-sandbox-seunshare-fix-getopt-flags.patch b/0015-sandbox-seunshare-fix-getopt-flags.patch
deleted file mode 100644
index 93e5a23..0000000
--- a/0015-sandbox-seunshare-fix-getopt-flags.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 9c29653dc6b0f4e9a74cd119d60a84ed8c4a6ec6 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 09:59:08 -0400
-Subject: [PATCH] sandbox/seunshare: fix getopt flags
-Content-type: text/plain
-
--k, -v, and -C do NOT accept an argument, and the optstring
-was not correct.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index a48c88036088..0dfc5cb2b820 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -776,10 +776,10 @@ int main(int argc, char **argv) {
- 		{"homedir", 1, 0, 'h'},
- 		{"tmpdir", 1, 0, 't'},
- 		{"runuserdir", 1, 0, 'r'},
--		{"kill", 1, 0, 'k'},
--		{"verbose", 1, 0, 'v'},
-+		{"kill", 0, 0, 'k'},
-+		{"verbose", 0, 0, 'v'},
- 		{"context", 1, 0, 'Z'},
--		{"capabilities", 1, 0, 'C'},
-+		{"capabilities", 0, 0, 'C'},
- 		{"wayland", 1, 0, 'W'},
- 		{"pipewire", 1, 0, 'P'},
- 		{NULL, 0, 0, 0}
-@@ -811,7 +811,7 @@ int main(int argc, char **argv) {
- 	}
- 
- 	while (1) {
--		clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL);
-+		clflag = getopt_long(argc, argv, "Ckvh:r:t:W:P:Z:", long_options, NULL);
- 		if (clflag == -1)
- 			break;
- 
--- 
-2.54.0
-

diff --git a/0016-sandbox-seunshare-prevent-path-traversal-via-W-P.patch b/0016-sandbox-seunshare-prevent-path-traversal-via-W-P.patch
deleted file mode 100644
index 94c6a72..0000000
--- a/0016-sandbox-seunshare-prevent-path-traversal-via-W-P.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 5da4d90480164c13a5bc8f8c820e701790499ecc Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 10:13:17 -0400
-Subject: [PATCH] sandbox/seunshare: prevent path traversal via -W/-P
-Content-type: text/plain
-
-The -W/-P options specify the wayland or pipewire socket name respectively.
-The option argument is then concatenated with the runuserdir to create
-a pathname. We don't want to allow it to be used to construct arbitrary
-paths outside of the runuserdir. Also, check and handle
-errors when bind mounting the pipewire socket file.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 9 ++++++++-
- 1 file changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 0dfc5cb2b820..945a3b21c1cc 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -849,6 +849,12 @@ int main(int argc, char **argv) {
- 		}
- 	}
- 
-+	if ((wayland_display && (strchr(wayland_display, '/') || strstr(wayland_display, ".."))) ||
-+		(pipewire_socket && (strchr(pipewire_socket, '/') || strstr(pipewire_socket, "..")))) {
-+		fprintf(stderr, _("Error: -W/-P must be a socket name, not a path\n"));
-+		return -1;
-+	}
-+
- 	if (! homedir_s && ! tmpdir_s) {
- 		fprintf(stderr, _("Error: tmpdir and/or homedir required\n %s\n"), USAGE_STRING);
- 		return -1;
-@@ -990,7 +996,8 @@ int main(int argc, char **argv) {
- 					perror(_("Out of memory"));
- 					goto childerr;
- 				}
--				seunshare_mount_file(pipewire_path, pipewire_path_s);
-+				if (seunshare_mount_file(pipewire_path, pipewire_path_s) == -1)
-+					goto childerr;
- 			}
- 		}
- 
--- 
-2.54.0
-

diff --git a/0017-sandbox-seunshare-verify-RUNTIME_DIR-before-use.patch b/0017-sandbox-seunshare-verify-RUNTIME_DIR-before-use.patch
deleted file mode 100644
index ed46220..0000000
--- a/0017-sandbox-seunshare-verify-RUNTIME_DIR-before-use.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From cceeb1def62ef78fed802684e9500cfa1aefa6b3 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 10:30:20 -0400
-Subject: [PATCH] sandbox/seunshare: verify RUNTIME_DIR before use
-Content-type: text/plain
-
-RUNTIME_DIR can be inherited from XDG_RUNTIME_DIR or set to a default
-path. Regardless, we should verify it the same way as the other
-user-supplied directories before first use.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 945a3b21c1cc..89180d0aa1ed 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -964,6 +964,15 @@ int main(int argc, char **argv) {
- 			}
- 		}
- 
-+		if (runuserdir_s) {
-+			struct stat sb;
-+
-+			if (verify_directory(RUNTIME_DIR, NULL, &sb) < 0 ||
-+				check_owner_uid(uid, RUNTIME_DIR, &sb) < 0)
-+				goto childerr;
-+
-+		}
-+
- 		if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
- 			if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) {
- 				perror(_("Out of memory"));
--- 
-2.54.0
-

diff --git a/0018-sandbox-seunshare-drop-unused-runuserdir_r.patch b/0018-sandbox-seunshare-drop-unused-runuserdir_r.patch
deleted file mode 100644
index 507db08..0000000
--- a/0018-sandbox-seunshare-drop-unused-runuserdir_r.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From c2f54aff134bcba8ae9701d26d7711530d72be76 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 10:37:56 -0400
-Subject: [PATCH] sandbox/seunshare: drop unused runuserdir_r
-Content-type: text/plain
-
-runuserdir_r is created but never used nor deleted. Get rid of it.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 8 --------
- 1 file changed, 8 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 89180d0aa1ed..2eef0e2f800e 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -763,14 +763,12 @@ int main(int argc, char **argv) {
- 	char *tmpdir_s = NULL;	/* tmpdir spec'd by user in argv[] */
- 	char *tmpdir_r = NULL;	/* tmpdir created by seunshare */
- 	char *runuserdir_s = NULL;	/* /var/run/user/UID spec'd by user in argv[] */
--	char *runuserdir_r = NULL;	/* /var/run/user/UID created by seunshare */
- 
- 	struct stat st_curhomedir;
- 	struct stat st_homedir;
- 	struct stat st_tmpdir_s;
- 	struct stat st_tmpdir_r;
- 	struct stat st_runuserdir_s;
--	struct stat st_runuserdir_r;
- 
- 	const struct option long_options[] = {
- 		{"homedir", 1, 0, 'h'},
-@@ -902,12 +900,6 @@ int main(int argc, char **argv) {
- 		fprintf(stderr, _("Failed to create runtime temporary directory\n"));
- 		return -1;
- 	}
--	/* create runtime runuserdir */
--	if (runuserdir_s && (runuserdir_r = create_tmpdir(runuserdir_s, &st_runuserdir_s,
--						  &st_runuserdir_r, pwd, execcon)) == NULL) {
--		fprintf(stderr, _("Failed to create runtime $XDG_RUNTIME_DIR directory\n"));
--		return -1;
--	}
- 
- 	/* spawn child process */
- 	child = fork();
--- 
-2.54.0
-

diff --git a/0019-sandbox-seunshare-fix-killall-realloc-and-missing-ty.patch b/0019-sandbox-seunshare-fix-killall-realloc-and-missing-ty.patch
deleted file mode 100644
index aab56f7..0000000
--- a/0019-sandbox-seunshare-fix-killall-realloc-and-missing-ty.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 47a8bd5d29455f1b8496a2bc7ba95f3f535c2ba7 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Wed, 13 May 2026 12:21:47 -0400
-Subject: [PATCH] sandbox/seunshare: fix killall() realloc and missing type
- comparison
-Content-type: text/plain
-
-The killall() realloc() can produce an integer overflow.
-Check and handle this correctly.
-
-The killall() logic also only compares the MCS category set when
-deciding whether to kill the process. We should at least also compare
-the type to avoid incorrectly killing an unrelated process with
-the same category set (e.g. if multiple applications are independently
-assigning category sets on the same system). Check the type as well.
-
-killall() still seems error prone and I couldn't find any actual users
-of the -k/--kill option for seunshare. Can we just drop this?
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 26 +++++++++++++++++++-------
- 1 file changed, 19 insertions(+), 7 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 2eef0e2f800e..e20c0f8723aa 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -680,8 +680,8 @@ killall (const char *execcon)
- 	char *scon;
- 	struct dirent *de;
- 	pid_t *pid_table, pid, self;
--	int i;
--	int pids, max_pids;
-+	unsigned int i;
-+	unsigned int pids, max_pids;
- 	int running = 0;
- 	self = getpid();
- 	if (!(dir = opendir(PROC_BASE))) {
-@@ -701,26 +701,34 @@ killall (const char *execcon)
- 		return -1;
- 	}
- 	const char *const mcs = context_range_get(con);
--	if (!mcs) {
-+	const char *const type = context_type_get(con);
-+	if (!mcs || !type) {
- 		context_free(con);
- 		free(pid_table);
- 		(void)closedir(dir);
- 		return -1;
- 	}
--	printf("mcs=%s\n", mcs);
-+	if (verbose)
-+		printf("mcs=%s type=%s\n", mcs, type);
- 	while ((de = readdir (dir)) != NULL) {
- 		if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
- 			continue;
- 
- 		if (pids == max_pids) {
--			pid_t *new_pid_table = realloc(pid_table, 2*pids*sizeof(pid_t));
-+			max_pids *= 2;
-+			if (max_pids <= pids)
-+			{
-+				free(pid_table);
-+				(void)closedir(dir);
-+				return -1;
-+			}
-+			pid_t *new_pid_table = reallocarray(pid_table, max_pids, sizeof(pid_t));
- 			if (!new_pid_table) {
- 				free(pid_table);
- 				(void)closedir(dir);
- 				return -1;
- 			}
- 			pid_table = new_pid_table;
--			max_pids *= 2;
- 		}
- 		pid_table[pids++] = pid;
- 	}
-@@ -734,8 +742,12 @@ killall (const char *execcon)
- 
- 			context_t pidcon = context_new(scon);
- 			if (pidcon) {
-+				const char *const pmcs = context_range_get(pidcon);
-+				const char *const ptype = context_type_get(pidcon);
-+
- 				/* Attempt to kill remaining processes */
--				if (strcmp(context_range_get(pidcon), mcs) == 0)
-+				if (pmcs && ptype && !strcmp(pmcs, mcs) &&
-+					!strcmp(ptype, type))
- 					kill(id, SIGKILL);
- 
- 				context_free(pidcon);
--- 
-2.54.0
-

diff --git a/0020-sandbox-seunshare-rewrite-to-pin-directories-before-.patch b/0020-sandbox-seunshare-rewrite-to-pin-directories-before-.patch
deleted file mode 100644
index 56b8e6d..0000000
--- a/0020-sandbox-seunshare-rewrite-to-pin-directories-before-.patch
+++ /dev/null
@@ -1,606 +0,0 @@
-From 9c44bb929a7937897a787790ece679464345c5d9 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Thu, 14 May 2026 10:32:13 -0400
-Subject: [PATCH] sandbox/seunshare: rewrite to pin directories before use
-Content-type: text/plain
-
-To fully eliminate TOCTOU issues in seunshare, we need to pin the
-directories and pass them via /proc/self/fd/N to mount(2).
-This is complicated further by the unsharing of the mount namespace
-in the child process and the need to remount in order to apply
-nosuid/nodev/noexec flags. Do the best we can with the legacy
-mount(2) API for compatibility on old kernels and revisit if/when
-we make kernels with the new mount API the minimum required for
-SELinux userspace.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 406 ++++++++++++++++++++++++++------------------
- 1 file changed, 241 insertions(+), 165 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index e20c0f8723aa..611bfe80d030 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -197,35 +197,33 @@ static int check_owner_gid(gid_t gid, const char *file, struct stat *st) {
- 	return 0;
- }
- 
--#define equal_stats(one,two) \
--	((one)->st_dev == (two)->st_dev && (one)->st_ino == (two)->st_ino && \
--	 (one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \
--	 (one)->st_mode == (two)->st_mode)
--
- /**
-- * Sanity check specified directory.  Store stat info for future comparison, or
-- * compare with previously saved info to detect replaced directories.
-- * Note: This function does not perform owner checks.
-+ * Open directory with O_DIRECTORY|O_NOFOLLOW and return its fd
-+ * and fstat() results. The returned fd and its /proc/self/fd/N
-+ * path can be used for all subsequent operations on the directory.
-+ * NB Any non-final components in the @dir pathname are resolved
-+ * as usual but will be checked against the fsuid of the caller.
-  */
--static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) {
-+static int pin_dir(const char *dir, struct stat *st_out)
-+{
-+	int fd;
- 	struct stat sb;
- 
--	if (st_out == NULL) st_out = &sb;
--
--	if (lstat(dir, st_out) == -1) {
--		fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
-+	fd = open(dir, O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_CLOEXEC);
-+	if (fd < 0) {
-+		fprintf(stderr, _("Failed to open %s: %m\n"), dir);
- 		return -1;
- 	}
--	if (! S_ISDIR(st_out->st_mode)) {
--		fprintf(stderr, _("Error: %s is not a directory: %s\n"), dir, strerror(errno));
--		return -1;
--	}
--	if (st_in && !equal_stats(st_in, st_out)) {
--		fprintf(stderr, _("Error: %s was replaced by a different directory\n"), dir);
-+
-+	if (fstat(fd, &sb) < 0) {
-+		fprintf(stderr, _("Failed to stat %s: %m\n"), dir);
-+		close(fd);
- 		return -1;
- 	}
- 
--	return 0;
-+	if (st_out)
-+		*st_out = sb;
-+	return fd;
- }
- 
- /**
-@@ -256,85 +254,90 @@ static int verify_shell(const char *shell_name)
- }
- 
- /**
-- * Mount directory and check that we mounted the right directory.
-+ * Bind-mount directory @src (using @src_fd) on directory @dst (using @dst_fd),
-+ * applying @bind_flags for the initial bind mount and @sec_flags if
-+ * non-zero via remount.
-  */
--static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
-+static int seunshare_mount(const char *src, int src_fd,
-+			   const char *dst, int dst_fd,
-+			   int bind_flags, int sec_flags)
- {
--	int bind_flags = MS_BIND;
--	int sec_flags = 0;
--	int is_tmp = 0;
-+	char srcprocfd[32], dstprocfd[32];
-+
-+	bind_flags |= MS_BIND;
- 
- 	if (verbose)
- 		printf(_("Mounting %s on %s\n"), src, dst);
- 
--	if (strcmp("/tmp", dst) == 0) {
--		sec_flags = MS_NODEV | MS_NOSUID | MS_NOEXEC;
--		is_tmp = 1;
--	}
-+	snprintf(srcprocfd, sizeof(srcprocfd), "/proc/self/fd/%d", src_fd);
-+	snprintf(dstprocfd, sizeof(dstprocfd), "/proc/self/fd/%d", dst_fd);
- 
--	if (strncmp("/run/user", dst, 9) == 0) {
--		bind_flags |= MS_REC;
--	}
--
--	/* mount directory */
--	if (mount(src, dst, NULL, bind_flags, NULL) < 0) {
--		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
-+	/* bind mount directory */
-+	if (mount(srcprocfd, dstprocfd, NULL, bind_flags, NULL) < 0) {
-+		fprintf(stderr, _("Failed to mount %s on %s: %m\n"), src, dst);
- 		return -1;
- 	}
--	/* remount with security flags, ignored on original bind mount */
--	if (sec_flags && mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
-+
-+	/*
-+	 * Remount with security flags set - requires use of dst path again.
-+	 * Revisit when we migrate to open_tree()/move_mount().
-+	 */
-+	if (sec_flags &&
-+	    mount(NULL, dst, NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
- 		fprintf(stderr, _("Failed to remount %s: %m\n"), dst);
- 		return -1;
- 	}
- 
--	/* verify whether we mounted what we expected to mount */
--	if (verify_directory(dst, src_st, NULL) < 0) return -1;
--
--	/* bind mount /tmp on /var/tmp too */
--	if (is_tmp) {
--		if (verbose)
--			printf(_("Mounting /tmp on /var/tmp\n"));
--
--		if (mount("/tmp", "/var/tmp",  NULL, MS_BIND, NULL) < 0) {
--			fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
--			return -1;
--		}
--		/* remount with security flags, ignored on original bind mount */
--		if (mount(NULL, "/var/tmp", NULL, MS_BIND | MS_REMOUNT | sec_flags, NULL) < 0) {
--			fprintf(stderr, _("Failed to remount /var/tmp: %m\n"));
--			return -1;
--		}
--	}
--
- 	return 0;
--
- }
- 
- /**
-- * Mount directory and check that we mounted the right directory.
-+ * Bind-mount a file named @src_name in directory @src_dirfd on
-+ * a file named @dst_name in directory @dst_dirfd, creating @dst_name
-+ * if it doesn't already exist.
-  */
--static int seunshare_mount_file(const char *src, const char *dst)
-+static int seunshare_mount_file(int src_dirfd, const char *src_name,
-+				int dst_dirfd, const char *dst_name)
- {
-+	char srcprocfd[32], dstprocfd[32];
-+	int src_fd = -1, dst_fd = -1, rc = -1;
-+
- 	if (verbose)
--		printf(_("Mounting %s on %s\n"), src, dst);
-+		printf(_("Mounting %s on %s\n"), src_name, dst_name);
- 
--	if (access(dst, F_OK) == -1) {
--		int fd = open(dst, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
--		if (fd < 0) {
--			fprintf(stderr, _("Failed to create mount point %s: %m\n"), dst);
--			return -1;
--		}
--		close(fd);
-+	src_fd = openat(src_dirfd, src_name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
-+	if (src_fd < 0) {
-+		fprintf(stderr, _("Failed to open %s: %m\n"), src_name);
-+		goto out;
- 	}
- 
--	/* mount file */
--	if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
--		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
--		return -1;
-+	dst_fd = openat(dst_dirfd, dst_name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
-+	if (dst_fd < 0 && errno == ENOENT)
-+		dst_fd = openat(dst_dirfd, dst_name,
-+				O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW |
-+				O_CLOEXEC, 0600);
-+	if (dst_fd < 0) {
-+		fprintf(stderr, _("Failed to open/create %s: %m\n"), dst_name);
-+		goto out;
- 	}
- 
--	return 0;
-+	snprintf(srcprocfd, sizeof(srcprocfd), "/proc/self/fd/%d", src_fd);
-+	snprintf(dstprocfd, sizeof(dstprocfd), "/proc/self/fd/%d", dst_fd);
- 
-+	/* mount file */
-+	if (mount(srcprocfd, dstprocfd, NULL, MS_BIND, NULL) < 0) {
-+		fprintf(stderr, _("Failed to mount %s on %s: %m\n"), src_name,
-+			dst_name);
-+		goto out;
-+	}
-+
-+	rc = 0;
-+out:
-+	if (src_fd >= 0)
-+		close(src_fd);
-+	if (dst_fd >= 0)
-+		close(dst_fd);
-+	return rc;
- }
- 
- /*
-@@ -556,7 +559,8 @@ err:
-  * to clean it up.
-  */
- static char *create_tmpdir(const char *src, struct stat *src_st,
--	struct stat *out_st, struct passwd *pwd, const char *execcon)
-+			struct stat *out_st, struct passwd *pwd,
-+			const char *execcon)
- {
- 	char *tmpdir = NULL;
- 	char **cmd = NULL;
-@@ -564,29 +568,23 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 	struct stat tmp_st;
- 	char *con = NULL;
- 
--	/* get selinux context */
-+	/* get selinux context of source directory */
- 	if (execcon) {
- 		if ((uid_t)setfsuid(pwd->pw_uid) != 0)
- 			goto err;
--
--		if ((fd_s = open(src, O_RDONLY)) < 0) {
--			fprintf(stderr, _("Failed to open directory %s: %s\n"), src, strerror(errno));
--			goto err;
--		}
--		if (fstat(fd_s, &tmp_st) == -1) {
--			fprintf(stderr, _("Failed to stat directory %s: %s\n"), src, strerror(errno));
-+		if ((fd_s = pin_dir(src, &tmp_st)) < 0)
- 			goto err;
--		}
--		if (!equal_stats(src_st, &tmp_st)) {
--			fprintf(stderr, _("Error: %s was replaced by a different directory\n"), src);
-+		if (tmp_st.st_dev != src_st->st_dev ||
-+		    tmp_st.st_ino != src_st->st_ino) {
-+			fprintf(stderr,
-+				_("%s was replaced by a different directory\n"),
-+				src);
- 			goto err;
- 		}
- 		if (fgetfilecon(fd_s, &con) == -1) {
--			fprintf(stderr, _("Failed to get context of the directory %s: %s\n"), src, strerror(errno));
-+			fprintf(stderr, _("Failed to get context of the directory %s: %m\n"), src);
- 			goto err;
- 		}
--
--		/* ok to not reach this if there is an error */
- 		if ((uid_t)setfsuid(0) != pwd->pw_uid)
- 			goto err;
- 	}
-@@ -602,9 +600,9 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 	}
- 
- 	/* temporary directory must be owned by root:user */
--	if (verify_directory(tmpdir, NULL, out_st) < 0) {
-+	fd_t = pin_dir(tmpdir, out_st);
-+	if (fd_t < 0)
- 		goto err;
--	}
- 
- 	if (check_owner_uid(0, tmpdir, out_st) < 0)
- 		goto err;
-@@ -613,18 +611,6 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 		goto err;
- 
- 	/* change permissions of the temporary directory */
--	if ((fd_t = open(tmpdir, O_RDONLY)) < 0) {
--		fprintf(stderr, _("Failed to open directory %s: %s\n"), tmpdir, strerror(errno));
--		goto err;
--	}
--	if (fstat(fd_t, &tmp_st) == -1) {
--		fprintf(stderr, _("Failed to stat directory %s: %s\n"), tmpdir, strerror(errno));
--		goto err;
--	}
--	if (!equal_stats(out_st, &tmp_st)) {
--		fprintf(stderr, _("Error: %s was replaced by a different directory\n"), tmpdir);
--		goto err;
--	}
- 	if (fchmod(fd_t, 01770) == -1) {
- 		fprintf(stderr, _("Unable to change mode on %s: %s\n"), tmpdir, strerror(errno));
- 		goto err;
-@@ -664,10 +650,10 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- err:
- 	free(tmpdir); tmpdir = NULL;
- good:
--	free_args(cmd);
--	freecon(con); con = NULL;
- 	if (fd_t >= 0) close(fd_t);
- 	if (fd_s >= 0) close(fd_s);
-+	free_args(cmd);
-+	freecon(con); con = NULL;
- 	return tmpdir;
- }
- 
-@@ -776,12 +762,13 @@ int main(int argc, char **argv) {
- 	char *tmpdir_r = NULL;	/* tmpdir created by seunshare */
- 	char *runuserdir_s = NULL;	/* /var/run/user/UID spec'd by user in argv[] */
- 
--	struct stat st_curhomedir;
- 	struct stat st_homedir;
- 	struct stat st_tmpdir_s;
- 	struct stat st_tmpdir_r;
- 	struct stat st_runuserdir_s;
- 
-+	int fd;
-+
- 	const struct option long_options[] = {
- 		{"homedir", 1, 0, 'h'},
- 		{"tmpdir", 1, 0, 't'},
-@@ -893,24 +880,49 @@ int main(int argc, char **argv) {
- 		return -1;
- 	}
- 
--	/* verify homedir and tmpdir */
--	if (homedir_s && (
--		verify_directory(homedir_s, NULL, &st_homedir) < 0 ||
--		check_owner_uid(uid, homedir_s, &st_homedir))) return -1;
--	if (tmpdir_s && (
--		verify_directory(tmpdir_s, NULL, &st_tmpdir_s) < 0 ||
--		check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))) return -1;
--	if (runuserdir_s && (
--		verify_directory(runuserdir_s, NULL, &st_runuserdir_s) < 0 ||
--		check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))) return -1;
-+	/*
-+	 * Perform early validation of the caller-provided directories so we
-+	 * can fail fast, but we unfortunately have to redo this after
-+	 * unsharing the mount namespace in the child so that it can use
-+	 * the descriptors for subsequent mount(2) calls. Otherwise,
-+	 * they end up with a different mount namespace and mount(2) fails
-+	 * with errno EINVAL.
-+	 */
-+	if (homedir_s) {
-+		fd = pin_dir(homedir_s, &st_homedir);
-+		if (fd < 0)
-+			return -1;
-+		if (check_owner_uid(uid, homedir_s, &st_homedir))
-+			return -1;
-+		close(fd);
-+	}
-+	if (tmpdir_s) {
-+		fd = pin_dir(tmpdir_s, &st_tmpdir_s);
-+		if (fd < 0)
-+			return -1;
-+		if (check_owner_uid(uid, tmpdir_s, &st_tmpdir_s))
-+			return -1;
-+		close(fd);
-+	}
-+	if (runuserdir_s) {
-+		fd = pin_dir(runuserdir_s, &st_runuserdir_s);
-+		if (fd < 0)
-+			return -1;
-+		if (check_owner_uid(uid, runuserdir_s, &st_runuserdir_s))
-+			return -1;
-+		close(fd);
-+	}
- 
- 	if ((uid_t)setfsuid(0) != uid) return -1;
- 
- 	/* create runtime tmpdir */
--	if (tmpdir_s && (tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s,
--						  &st_tmpdir_r, pwd, execcon)) == NULL) {
--		fprintf(stderr, _("Failed to create runtime temporary directory\n"));
--		return -1;
-+	if (tmpdir_s) {
-+		tmpdir_r = create_tmpdir(tmpdir_s, &st_tmpdir_s, &st_tmpdir_r,
-+					 pwd, execcon);
-+		if (!tmpdir_r) {
-+			fprintf(stderr, _("Failed to create runtime temporary directory\n"));
-+			return -1;
-+		}
- 	}
- 
- 	/* spawn child process */
-@@ -927,11 +939,10 @@ int main(int argc, char **argv) {
- 		char *XDG_SESSION_TYPE = NULL;
- 		int rc = -1;
- 		char *resolved_path = NULL;
--		char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */
--		char *wayland_path = NULL; /* /run/user/UID/wayland-0 */
--		char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */
--		char *pipewire_path = NULL; /* /run/user/UID/pipewire-0 */
--
-+		int fd_homedir_s = -1, fd_curhomedir = -1;
-+		int fd_runuserdir_s = -1, fd_runtime_dir = -1;
-+		int fd_tmpdir_r = -1, fd_tmp = -1, fd_var_tmp = -1;
-+		struct stat sb;
- 
- 		if (unshare(CLONE_NEWNS) < 0) {
- 			perror(_("Failed to unshare"));
-@@ -941,19 +952,67 @@ int main(int argc, char **argv) {
- 		/* Remount / as SLAVE so that nothing mounted in the namespace 
- 		   shows up in the parent */
- 		if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
--			perror(_("Failed to make / a SLAVE mountpoint\n"));
-+
- 			goto childerr;
- 		}
- 
- 		/* assume fsuid==ruid after this point */
- 		if ((uid_t)setfsuid(uid) != 0) goto childerr;
- 
-+		/*
-+		 * Now we can pin the source directories in this namespace
-+		 * for later use by mount(2). We recheck that each
-+		 * directory is the same inode and still has the
-+		 * expected ownership as the early validation.
-+		 */
-+		if (homedir_s) {
-+			fd_homedir_s = pin_dir(homedir_s, &sb);
-+			if (fd_homedir_s < 0)
-+				goto childerr;
-+			if (sb.st_dev != st_homedir.st_dev ||
-+				sb.st_ino != st_homedir.st_ino)
-+				goto childerr;
-+			if (check_owner_uid(uid, homedir_s, &sb))
-+				goto childerr;
-+		}
-+		/*
-+		 * NB We don't need to re-pin tmpdir_s, just tmpdir_r,
-+		 * since the child never uses tmpdir_s.
-+		 */
-+		if (tmpdir_r) {
-+			fd_tmpdir_r = pin_dir(tmpdir_r, &sb);
-+			if (fd < 0)
-+				goto childerr;
-+			/*
-+			 * tmpdir_r checks differ in that it is
-+			 * root-owned and we also want to validate
-+			 * that the mode is still correct.
-+			 */
-+			if (sb.st_dev != st_tmpdir_r.st_dev ||
-+				sb.st_ino != st_tmpdir_r.st_ino ||
-+				sb.st_mode != st_tmpdir_r.st_mode)
-+				goto childerr;
-+			if (check_owner_uid(0, tmpdir_r, &sb))
-+				goto childerr;
-+		}
-+		if (runuserdir_s) {
-+			fd_runuserdir_s = pin_dir(runuserdir_s, &sb);
-+			if (fd_runuserdir_s < 0)
-+				goto childerr;
-+			if (sb.st_dev != st_runuserdir_s.st_dev ||
-+				sb.st_ino != st_runuserdir_s.st_ino)
-+				goto childerr;
-+			if (check_owner_uid(uid, runuserdir_s, &sb))
-+				goto childerr;
-+		}
-+
- 		resolved_path = realpath(pwd->pw_dir,NULL);
- 		if (! resolved_path) goto childerr;
- 
--		if (verify_directory(resolved_path, NULL, &st_curhomedir) < 0)
-+		fd_curhomedir = pin_dir(resolved_path, &sb);
-+		if (fd_curhomedir < 0)
- 			goto childerr;
--		if (check_owner_uid(uid, resolved_path, &st_curhomedir) < 0)
-+		if (check_owner_uid(uid, resolved_path, &sb) < 0)
- 			goto childerr;
- 
- 		if ((RUNTIME_DIR = getenv("XDG_RUNTIME_DIR")) != NULL) {
-@@ -969,12 +1028,11 @@ int main(int argc, char **argv) {
- 		}
- 
- 		if (runuserdir_s) {
--			struct stat sb;
--
--			if (verify_directory(RUNTIME_DIR, NULL, &sb) < 0 ||
--				check_owner_uid(uid, RUNTIME_DIR, &sb) < 0)
-+			fd_runtime_dir = pin_dir(RUNTIME_DIR, &sb);
-+			if (fd_runtime_dir < 0)
-+				goto childerr;
-+			if (check_owner_uid(uid, RUNTIME_DIR, &sb) < 0)
- 				goto childerr;
--
- 		}
- 
- 		if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
-@@ -985,42 +1043,57 @@ int main(int argc, char **argv) {
- 		}
- 
- 		if (runuserdir_s && (wayland_display || pipewire_socket)) {
--			if (wayland_display) {
--				if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) {
--					perror(_("Out of memory"));
-+			if (wayland_display &&
-+			    seunshare_mount_file(fd_runtime_dir,
-+					    wayland_display,
-+					    fd_runuserdir_s,
-+					    wayland_display) == -1)
- 					goto childerr;
--				}
- 
--				if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) {
--					perror(_("Out of memory"));
--					goto childerr;
--				}
-+			if (pipewire_socket &&
-+			    seunshare_mount_file(fd_runtime_dir,
-+					    "pipewire-0",
-+					    fd_runuserdir_s,
-+					    pipewire_socket) == -1)
-+				goto childerr;
-+		}
- 
--				if (seunshare_mount_file(wayland_path, wayland_path_s) == -1)
--					goto childerr;
-+		/* mount homedir, runuserdir and tmpdir, in this order */
-+		if (runuserdir_s &&
-+			seunshare_mount(runuserdir_s, fd_runuserdir_s,
-+					RUNTIME_DIR, fd_runtime_dir,
-+					MS_REC, 0) != 0)
-+			goto childerr;
-+		if (homedir_s &&
-+			seunshare_mount(homedir_s, fd_homedir_s,
-+					resolved_path, fd_curhomedir,
-+					0, 0) != 0)
-+			goto childerr;
-+		if (tmpdir_s) {
-+			fd_tmp = open("/tmp", O_RDONLY | O_DIRECTORY |
-+				      O_NOFOLLOW | O_CLOEXEC);
-+			if (fd_tmp < 0) {
-+				perror(_("Failed to open /tmp"));
-+				goto childerr;
- 			}
- 
--			if (pipewire_socket) {
--				if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) {
--					perror(_("Out of memory"));
--					goto childerr;
--				}
--				if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) {
--					perror(_("Out of memory"));
--					goto childerr;
--				}
--				if (seunshare_mount_file(pipewire_path, pipewire_path_s) == -1)
--					goto childerr;
-+			if (seunshare_mount(tmpdir_r, fd_tmpdir_r,
-+					    "/tmp", fd_tmp, 0,
-+					    MS_NODEV|MS_NOSUID|MS_NOEXEC) < 0)
-+				goto childerr;
-+
-+			fd_var_tmp = open("/var/tmp", O_RDONLY | O_DIRECTORY |
-+					O_NOFOLLOW | O_CLOEXEC);
-+			if (fd_var_tmp < 0) {
-+				perror(_("Failed to open /var/tmp"));
-+				goto childerr;
- 			}
--		}
- 
--		/* mount homedir, runuserdir and tmpdir, in this order */
--		if (runuserdir_s &&	seunshare_mount(runuserdir_s, RUNTIME_DIR,
--			&st_runuserdir_s) != 0) goto childerr;
--		if (homedir_s && seunshare_mount(homedir_s, resolved_path,
--			&st_homedir) != 0) goto childerr;
--		if (tmpdir_s &&	seunshare_mount(tmpdir_r, "/tmp",
--			&st_tmpdir_r) != 0) goto childerr;
-+			if (seunshare_mount("/tmp", fd_tmpdir_r,
-+					"/var/tmp", fd_var_tmp, 0,
-+					MS_NODEV|MS_NOSUID|MS_NOEXEC) < 0)
-+				goto childerr;
-+		}
- 
- 		if (drop_privs(uid) != 0) goto childerr;
- 
-@@ -1101,11 +1174,14 @@ int main(int argc, char **argv) {
- 		execv(argv[optind], argv + optind);
- 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
- childerr:
-+		if (fd_homedir_s >= 0) close(fd_homedir_s);
-+		if (fd_curhomedir >= 0) close(fd_curhomedir);
-+		if (fd_runuserdir_s >= 0) close(fd_runuserdir_s);
-+		if (fd_runtime_dir >= 0) close(fd_runtime_dir);
-+		if (fd_tmpdir_r >= 0) close(fd_tmpdir_r);
-+		if (fd_tmp >= 0) close(fd_tmp);
-+		if (fd_var_tmp >= 0) close(fd_var_tmp);
- 		free(resolved_path);
--		free(wayland_path);
--		free(wayland_path_s);
--		free(pipewire_path);
--		free(pipewire_path_s);
- 		free(display);
- 		free(LANG);
- 		free(RUNTIME_DIR);
--- 
-2.54.0
-

diff --git a/0021-sandbox-seunshare-fully-check-setfsuid-calls.patch b/0021-sandbox-seunshare-fully-check-setfsuid-calls.patch
deleted file mode 100644
index 2c7d50b..0000000
--- a/0021-sandbox-seunshare-fully-check-setfsuid-calls.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From 59cfed3bf23511f792bde3085759ab44ed643a4a Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Thu, 14 May 2026 11:03:40 -0400
-Subject: [PATCH] sandbox/seunshare: fully check setfsuid() calls
-Content-type: text/plain
-
-setfsuid() returns the old fsuid value and doesn't always
-set errno. The existing code was checking that it did
-successfully return the old fsuid value but not explicitly
-checking that the new one was set, which can be done by
-a second call to setfsuid() with -1 and checking its
-return value. Add a wrapper for setfsuid() and use it
-throughout to ensure complete checking.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 60 ++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 48 insertions(+), 12 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 611bfe80d030..98fcef326853 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -486,6 +486,44 @@ static bool rm_rf(int targetfd, const char *path) {
- 	return true;
- }
- 
-+/*
-+ * setfsuid() returns the previous fsuid value,
-+ * and does not reliably set errno on errors.
-+ * Let's do better.
-+ */
-+static int setfsuid_checked(uid_t old, uid_t new)
-+{
-+	int rc;
-+
-+	rc = setfsuid(new);
-+	if ((uid_t)rc != old) {
-+		int save_errno = errno;
-+		fprintf(stderr,
-+			"setfsuid(%u): Returned unexpected old uid %u\n",
-+			new, (uid_t)rc);
-+		if (save_errno)
-+			errno = save_errno;
-+		else
-+			errno = EPERM;
-+		return -1;
-+	}
-+
-+	rc = setfsuid(-1);
-+	if ((uid_t)rc != new) {
-+		int save_errno = errno;
-+		fprintf(stderr,
-+			"setfsuid(%u): Produced unexpected new uid %u\n",
-+			new,(uid_t)rc);
-+		if (save_errno)
-+			errno = save_errno;
-+		else
-+			errno = EPERM;
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
- /**
-  * Clean up runtime temporary directory.  Returns 0 if no problem was detected,
-  * >0 if some error was detected, but errors here are treated as non-fatal and
-@@ -529,10 +567,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
- 		free_args(args);
- 	}
- 
--	if ((uid_t)setfsuid(0) != 0) {
--		/* setfsuid does not return error, but this check makes code checkers happy */
-+	if (setfsuid_checked(0, 0) < 0)
- 		rc++;
--	}
- 
- 	/* Recursively remove the runtime temp directory.  */
- 	if (!rm_rf(AT_FDCWD, tmpdir)) {
-@@ -540,7 +576,7 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
- 		rc++;
- 	}
- 
--	if ((uid_t)setfsuid(pwd->pw_uid) != 0) {
-+	if (setfsuid_checked(0, pwd->pw_uid) < 0) {
- 		fprintf(stderr, _("unable to switch back to user after clearing tmp dir\n"));
- 		rc++;
- 	}
-@@ -570,7 +606,7 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 
- 	/* get selinux context of source directory */
- 	if (execcon) {
--		if ((uid_t)setfsuid(pwd->pw_uid) != 0)
-+		if (setfsuid_checked(0, pwd->pw_uid))
- 			goto err;
- 		if ((fd_s = pin_dir(src, &tmp_st)) < 0)
- 			goto err;
-@@ -585,7 +621,7 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 			fprintf(stderr, _("Failed to get context of the directory %s: %m\n"), src);
- 			goto err;
- 		}
--		if ((uid_t)setfsuid(0) != pwd->pw_uid)
-+		if (setfsuid_checked(pwd->pw_uid, 0) < 0)
- 			goto err;
- 	}
- 
-@@ -629,7 +665,7 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 		}
- 	}
- 
--	if ((uid_t)setfsuid(pwd->pw_uid) != 0)
-+	if (setfsuid_checked(0, pwd->pw_uid) < 0)
- 		goto err;
- 
- 	if (rsynccmd(src, tmpdir, &cmd) < 0) {
-@@ -637,7 +673,7 @@ static char *create_tmpdir(const char *src, struct stat *src_st,
- 	}
- 
- 	/* ok to not reach this if there is an error */
--	if ((uid_t)setfsuid(0) != pwd->pw_uid)
-+	if (setfsuid_checked(pwd->pw_uid, 0) < 0)
- 		goto err;
- 
- 	if (spawn_command(cmd, pwd->pw_uid) != 0) {
-@@ -874,9 +910,8 @@ int main(int argc, char **argv) {
- 	/* Changing fsuid is usually required when user-specified directory is
- 	 * on an NFS mount.  It's also desired to avoid leaking info about
- 	 * existence of the files not accessible to the user. */
--	if ((uid_t)setfsuid(uid) != 0) {
-+	if (setfsuid_checked(0, uid) < 0) {
- 		fprintf(stderr, _("Error: unable to setfsuid\n"));
--
- 		return -1;
- 	}
- 
-@@ -913,7 +948,8 @@ int main(int argc, char **argv) {
- 		close(fd);
- 	}
- 
--	if ((uid_t)setfsuid(0) != uid) return -1;
-+	if (setfsuid_checked(uid, 0) < 0)
-+		return -1;
- 
- 	/* create runtime tmpdir */
- 	if (tmpdir_s) {
-@@ -957,7 +993,7 @@ int main(int argc, char **argv) {
- 		}
- 
- 		/* assume fsuid==ruid after this point */
--		if ((uid_t)setfsuid(uid) != 0) goto childerr;
-+		if (setfsuid_checked(0, uid) < 0) goto childerr;
- 
- 		/*
- 		 * Now we can pin the source directories in this namespace
--- 
-2.54.0
-

diff --git a/0022-sandbox-seunshare-check-owner-in-seunshare_mount_fil.patch b/0022-sandbox-seunshare-check-owner-in-seunshare_mount_fil.patch
deleted file mode 100644
index 95aed7c..0000000
--- a/0022-sandbox-seunshare-check-owner-in-seunshare_mount_fil.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 8a3de70622d252f1ee070d6d9e9b019b9a6edd08 Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Fri, 15 May 2026 11:11:43 -0400
-Subject: [PATCH] sandbox/seunshare: check owner in seunshare_mount_file()
-Content-type: text/plain
-
-We currently apply an owner check on directories prior to
-calling seunshare_mount() on them. Do the same for
-seunshare_mount_file(), but this has to be done inside
-of the function since we do not open the source and
-destination files until then.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 98fcef326853..3afe1554ae56 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -296,11 +296,12 @@ static int seunshare_mount(const char *src, int src_fd,
-  * a file named @dst_name in directory @dst_dirfd, creating @dst_name
-  * if it doesn't already exist.
-  */
--static int seunshare_mount_file(int src_dirfd, const char *src_name,
-+static int seunshare_mount_file(uid_t uid, int src_dirfd, const char *src_name,
- 				int dst_dirfd, const char *dst_name)
- {
- 	char srcprocfd[32], dstprocfd[32];
- 	int src_fd = -1, dst_fd = -1, rc = -1;
-+	struct stat sb;
- 
- 	if (verbose)
- 		printf(_("Mounting %s on %s\n"), src_name, dst_name);
-@@ -311,6 +312,14 @@ static int seunshare_mount_file(int src_dirfd, const char *src_name,
- 		goto out;
- 	}
- 
-+	if (fstat(src_fd, &sb) < 0) {
-+		fprintf(stderr, _("Failed to stat %s: %m\n"), src_name);
-+		goto out;
-+
-+	}
-+	if (check_owner_uid(uid, src_name, &sb))
-+		goto out;
-+
- 	dst_fd = openat(dst_dirfd, dst_name, O_PATH | O_NOFOLLOW | O_CLOEXEC);
- 	if (dst_fd < 0 && errno == ENOENT)
- 		dst_fd = openat(dst_dirfd, dst_name,
-@@ -321,6 +330,14 @@ static int seunshare_mount_file(int src_dirfd, const char *src_name,
- 		goto out;
- 	}
- 
-+	if (fstat(dst_fd, &sb) < 0) {
-+		fprintf(stderr, _("Failed to stat %s: %m\n"), dst_name);
-+		goto out;
-+
-+	}
-+	if (check_owner_uid(uid, dst_name, &sb))
-+		goto out;
-+
- 	snprintf(srcprocfd, sizeof(srcprocfd), "/proc/self/fd/%d", src_fd);
- 	snprintf(dstprocfd, sizeof(dstprocfd), "/proc/self/fd/%d", dst_fd);
- 
-@@ -1080,14 +1097,14 @@ int main(int argc, char **argv) {
- 
- 		if (runuserdir_s && (wayland_display || pipewire_socket)) {
- 			if (wayland_display &&
--			    seunshare_mount_file(fd_runtime_dir,
-+				seunshare_mount_file(uid, fd_runtime_dir,
- 					    wayland_display,
- 					    fd_runuserdir_s,
- 					    wayland_display) == -1)
- 					goto childerr;
- 
- 			if (pipewire_socket &&
--			    seunshare_mount_file(fd_runtime_dir,
-+				seunshare_mount_file(uid, fd_runtime_dir,
- 					    "pipewire-0",
- 					    fd_runuserdir_s,
- 					    pipewire_socket) == -1)
--- 
-2.54.0
-

diff --git a/0023-sandbox-seunshare-fix-fd_tmpdir_r-check.patch b/0023-sandbox-seunshare-fix-fd_tmpdir_r-check.patch
deleted file mode 100644
index f14c4a2..0000000
--- a/0023-sandbox-seunshare-fix-fd_tmpdir_r-check.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From d99b5a313a2790b1ca703023112f548cbe65617a Mon Sep 17 00:00:00 2001
-From: Stephen Smalley <stephen.smalley.work@gmail.com>
-Date: Tue, 19 May 2026 08:13:40 -0400
-Subject: [PATCH] sandbox/seunshare: fix fd_tmpdir_r check
-Content-type: text/plain
-
-Check fd_tmpdir_r not fd for a failed pin_dir() here.
-
-Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
----
- sandbox/seunshare.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
-index 3afe1554ae56..7a4233fbee00 100644
---- a/sandbox/seunshare.c
-+++ b/sandbox/seunshare.c
-@@ -1034,7 +1034,7 @@ int main(int argc, char **argv) {
- 		 */
- 		if (tmpdir_r) {
- 			fd_tmpdir_r = pin_dir(tmpdir_r, &sb);
--			if (fd < 0)
-+			if (fd_tmpdir_r < 0)
- 				goto childerr;
- 			/*
- 			 * tmpdir_r checks differ in that it is
--- 
-2.54.0
-

diff --git a/changelog b/changelog
index cc642c6..1cc9746 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+* Wed Jul 01 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.11-1
+- SELinux userspace 3.11 release
+
+* Wed Jun 03 2026 Python Maint <python-maint@redhat.com>
+- Rebuilt for Python 3.15
+
 * Mon May 25 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.10-4
 - Several sandbox and seunshare security improvements
 

diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4ae9264..dc81e45 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -1,7 +1,7 @@
 %global libauditver     4.0
-%global libsepolver     3.10-1
-%global libsemanagever  3.10-1
-%global libselinuxver   3.10-1
+%global libsepolver     3.11-1
+%global libsemanagever  3.11-1
+%global libselinuxver   3.11-1
 
 %global generatorsdir %{_prefix}/lib/systemd/system-generators
 
@@ -10,13 +10,13 @@
 
 Summary: SELinux policy core utilities
 Name:    policycoreutils
-Version: 3.10
-Release: 5%{?dist}
+Version: 3.11
+Release: 1%{?dist}
 License: GPL-2.0-or-later
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-%{version}.tar.gz.asc
-Source2: https://github.com/perfinion.gpg
+Source2: https://github.com/bachradsusi.gpg
 Source3: changelog
 Source4: macros
 URL:     https://github.com/SELinuxProject/selinux
@@ -37,7 +37,7 @@ Source22: selinux-gui.zip
 # wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
 Source23: selinux-sandbox.zip
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.10 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.11 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
 Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
@@ -46,23 +46,6 @@ Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
 Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
 Patch0006: 0006-sepolicy-Fix-detection-of-writeable-locations.patch
-Patch0007: 0007-restorecond-Add-F-for-run-in-foreground.patch
-Patch0008: 0008-restorecond.service-Use-Type-simple.patch
-Patch0009: 0009-seunshare-guard-fallible-function-calls-by-checking-.patch
-Patch0010: 0010-sandbox-seunshare-pass-O_NOFOLLOW-to-openat.patch
-Patch0011: 0011-sandbox-seunshare-switch-seunshare_mount_file-to-use.patch
-Patch0012: 0012-sandbox-seunshare-fix-error-checking-for-setfsuid.patch
-Patch0013: 0013-sandbox-seunshare-remount-tmp-and-var-tmp-with-the-p.patch
-Patch0014: 0014-sandbox-seunshare-prevent-rsync-from-interpreting-pa.patch
-Patch0015: 0015-sandbox-seunshare-fix-getopt-flags.patch
-Patch0016: 0016-sandbox-seunshare-prevent-path-traversal-via-W-P.patch
-Patch0017: 0017-sandbox-seunshare-verify-RUNTIME_DIR-before-use.patch
-Patch0018: 0018-sandbox-seunshare-drop-unused-runuserdir_r.patch
-Patch0019: 0019-sandbox-seunshare-fix-killall-realloc-and-missing-ty.patch
-Patch0020: 0020-sandbox-seunshare-rewrite-to-pin-directories-before-.patch
-Patch0021: 0021-sandbox-seunshare-fully-check-setfsuid-calls.patch
-Patch0022: 0022-sandbox-seunshare-check-owner-in-seunshare_mount_fil.patch
-Patch0023: 0023-sandbox-seunshare-fix-fd_tmpdir_r-check.patch
 # Patch list end
 
 # gen_changelog
@@ -481,7 +464,4 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
-* Wed Jun 03 2026 Python Maint <python-maint@redhat.com>
-- Rebuilt for Python 3.15
-
 %add_changelog %SOURCE3

diff --git a/sources b/sources
index 55752eb..6175871 100644
--- a/sources
+++ b/sources
@@ -2,5 +2,5 @@ SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428
 SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
-SHA512 (selinux-3.10.tar.gz) = 40ada85709ad23c368579bc661661ac77f4ada6d9a65243bc25de8e46202baed264d1b49de1765d5dd21ebc8d94d872b86d2b0e7b56a7269f1942d609ff7278e
-SHA512 (selinux-3.10.tar.gz.asc) = 5efaecb97be2da435c7ece88e213dd753a4c6ee6f6a2726f25b82b0e30c77a5136efb593fb9590c0395f0c63e9536abf407dcec95b3d62027defbeafaa5d4b91
+SHA512 (selinux-3.11.tar.gz) = 67a460e0ee8c652ee88b1defb56ae2cb9d46c45a3a92d4add631cb7073377a846f31901a8fa659a664e7c3190531f58d774c99321d7870b542a99e033a16df32
+SHA512 (selinux-3.11.tar.gz.asc) = 866acdc35ff2e6450cefe1a5350c537aa5877c1ee6c39b985e3bfde8f12558b9df890450ce34b8463590abe54033052474267453d6820675f9b1d0e36dd43fcf

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2026-07-01 20:00 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-01 20:00 [rpms/policycoreutils] rawhide: SELinux userspace 3.11 release Petr Lautrbach

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox