libsepol: bump to 2.7, setools: bump to 4.1.1

The reason for combining these patches is because the
old version of setools is not compatible iwth libsepol 2.7.  If a user where
to do a git pull on a patch that only updates libsepol or setools, the build
would fail to compile.

setools has been completely rewritten in python instead of C.

The current version of setools includes a few programs that require
python-qt5 or python-networkx to run, however the package does not
check to see if these exist when compiling, and will install the scripts
to the target directory even if they don't exist.

In the case of python-networkx, this package is not available on Buildroot.
The scripts that require them are: sedta and seinfoflow.
In the case of python-qt5, qpol is the script that requires it.

Some setools.mk notes to get the package to compile:

- Convert the package .mk to use python-package instead of autotools-package.

- setup.py hard codes base_lib_dirs to point to several host directories.
  To fix this, sed is used before compiling to point the base_lib_dirs to
  the staging directory.

- setup.py also includes the "Werror" flag, however compilers before gcc6
  cause a few autogenerated variables to not be initialized before use,
  causing the build to fail.
  To fix this, a patch is provided that removes the Werror flag.

- Remove sedta and seinfoflow from the target system after install.  These
  packages rely on the package python-networkx which is not available in
  buildroot.

- Remove the installed apol package and the setoolsgui directory from the
  target directory if python-qt5 is not selected.

Other changes:
- Removed all patches, as they are not compatible with the new version of
  setools.

- Add COPYING, COPYING.GPL, and COPYING.LGPL to setools.hash

Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>

package/libsepol/0001-support-static-only.patch

@@ -1,4 +1,7 @@
-Add support for static-only build
+From 2140db697c7f1da2a0a3f7bbcb14c1a0dade84e5 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:28:12 -0400
+Subject: [PATCH] Add support for static-only build
 
 Instead of unconditionally building shared libraries, this patch
 improves the libsepol build system with a "STATIC" variable, which
@@ -7,30 +10,30 @@ libraries. It allows to support cases where the target architecture
 does not have support for shared libraries.
 
 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
-
-Index: b/src/Makefile
-===================================================================
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ src/Makefile | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
 
 diff --git a/src/Makefile b/src/Makefile
-index db6c2ba..0006285 100644
+index 819d261..040921d 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -30,8 +30,12 @@ LOBJS += $(sort $(patsubst %.c,%.lo,$(wildcard $(CILDIR)/src/*.c) $(CIL_GENERATE
- override CFLAGS += -I$(CILDIR)/include
+@@ -40,7 +40,12 @@ LDFLAGS += -undefined dynamic_lookup
+ LN=gln
  endif
  
+-all: $(LIBA) $(LIBSO) $(LIBPC)
 +ALL_TARGETS = $(LIBA) $(LIBPC)
 +ifeq ($(STATIC),)
 +ALL_TARGETS += $(LIBSO)
 +endif
-
--all: $(LIBA) $(LIBSO) $(LIBPC)
++
 +all: $(ALL_TARGETS)
  
-
+ 
  $(LIBA):  $(OBJS)
-@@ -66,11 +70,13 @@
+@@ -82,11 +87,13 @@ endif
  install: all
  	test -d $(LIBDIR) || install -m 755 -d $(LIBDIR)
  	install -m 644 $(LIBA) $(LIBDIR)
@@ -41,8 +44,11 @@ index db6c2ba..0006285 100644
 +ifeq ($(STATIC),)
 +	test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
 +	install -m 755 $(LIBSO) $(SHLIBDIR)
- 	ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+ 	$(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
 +endif
  
  relabel:
  	/sbin/restorecon $(SHLIBDIR)/$(LIBSO)
+-- 
+2.13.6
+

package/libsepol/0003-revert-ln-relative.patch

@@ -1,4 +1,7 @@
-Makefile: revert libsepol: use ln --relative to create .so symlinks
+From 16b2b0e21e10727065042a1baabd1a887757c65c Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Mon, 9 Oct 2017 16:29:36 -0400
+Subject: [PATCH] Makefile: revert libsepol: use ln --relative to create .so symlinks
 
 This reverts 71393a181d63c9baae5fe8dcaeb9411d1f253998
 
@@ -9,16 +12,23 @@ they are maintained (up to 10 years in some cases?).
 For the sake of Buildroot, revert the upstream patch.
 
 Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
+---
+ src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff -durN a/src/Makefile b/src/Makefile
+diff --git a/src/Makefile b/src/Makefile
+index 040921d..e811c9e 100644
 --- a/src/Makefile
 +++ b/src/Makefile
-@@ -77,7 +77,7 @@
+@@ -92,7 +92,7 @@ install: all
  ifeq ($(STATIC),)
  	test -d $(SHLIBDIR) || install -m 755 -d $(SHLIBDIR)
  	install -m 755 $(LIBSO) $(SHLIBDIR)
--	ln -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
+-	$(LN) -sf --relative $(SHLIBDIR)/$(LIBSO) $(LIBDIR)/$(TARGET)
 +	cd $(LIBDIR) && ln -sf ../../`basename $(SHLIBDIR)`/$(LIBSO) $(TARGET)
  endif
  
  relabel:
+-- 
+2.13.6
+

package/libsepol/libsepol.hash

@@ -1,2 +1,2 @@
-# From https://github.com/SELinuxProject/selinux/wiki/Releases
-sha256 d856d6506054f52abeaa3543ea2f2344595a3dc05d0d873ed7f724f7a16b1874  libsepol-2.6.tar.gz
+# From: https://github.com/SELinuxProject/selinux/wiki/Releases
+sha256 d69d3bd8ec901a3bd5adf2be2fb47fb1a685ed73066ab482e7e505371a48f9e7  libsepol-2.7.tar.gz

package/libsepol/libsepol.mk

@@ -4,8 +4,8 @@
 #
 ################################################################################
 
-LIBSEPOL_VERSION = 2.6
-LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20161014
+LIBSEPOL_VERSION = 2.7
+LIBSEPOL_SITE = https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20170804
 LIBSEPOL_LICENSE = LGPL-2.1+
 LIBSEPOL_LICENSE_FILES = COPYING
 

package/setools/0001-cross-compile-fixes.patch

@@ -1,125 +0,0 @@
-Correct build issues to enable cross compiling.  These changes require the
-package to be auto reconfigured.
-
-These updates were not upsteamed as the 3.3.x version has stablized and they
-were only taking bug fixes.  Also the 4.0 preview has completely reworked
-the build infrastructure which will require this to be revisited.
-
-Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
-
-diff -urN a/configure.ac b/configure.ac
---- a/configure.ac	2013-01-16 10:36:24.000000000 -0600
-+++ b/configure.ac	2013-07-12 08:22:10.380255248 -0500
-@@ -448,8 +448,9 @@
-               sepol_srcdir="")
- if test "x${sepol_srcdir}" = "x"; then
-    sepol_srcdir=${sepol_devel_libdir}
--   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
--      AC_MSG_ERROR([make sure libsepol-static is installed]))
-+   if test ! -f ${sepol_srcdir}/libsepol.a; then
-+      AC_MSG_ERROR([could not find precompiled libsepol.a])
-+   fi
- else
-    AC_MSG_CHECKING([for compatible sepol source tree])
-    sepol_version=${sepol_srcdir}/VERSION
-@@ -484,8 +485,9 @@
-    AC_CHECK_HEADER([sepol/policydb/policydb.h], , AC_MSG_ERROR([could not find sepol source tree]))
-    CFLAGS="${sepol_src_save_CFLAGS}"
-    CPPFLAGS="${sepol_src_save_CPPFLAGS}"
--   AC_CHECK_FILE([${sepol_srcdir}/libsepol.a],,
--      AC_MSG_ERROR([could not find precompiled libsepol.a]))
-+   if test ! -f ${sepol_srcdir}/libsepol.a; then
-+      AC_MSG_ERROR([could not find precompiled libsepol.a])
-+   fi
-    sepol_devel_incdir="${sepol_srcdir}/../include"
- fi
- SELINUX_CFLAGS="-I${sepol_devel_incdir} -I${selinux_devel_incdir}"
-@@ -578,12 +580,13 @@
-                          [AC_LANG_SOURCE([
- #include <sepol/policydb/expand.h>
- int main () {
--  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0);
-+  return expand_module_avrules(NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 0);
- }])],
-                          AC_MSG_RESULT([yes]),
-                          AC_MSG_ERROR([this version of libsepol is incompatible with SETools]))
-     fi
-     sepol_new_expand_boolmap="yes"
-+    sepol_new_user_role_mapping="yes"
- else
-     sepol_new_expand_boolmap="no"
- fi
-@@ -607,7 +610,8 @@
-     exit(EXIT_FAILURE);
- }])],
-     sepol_policy_version_max=`cat conftest.data`,
--    AC_MSG_FAILURE([could not determine maximum libsepol policy version]))
-+    AC_MSG_FAILURE([could not determine maximum libsepol policy version]),
-+    sepol_policy_version_max="26")
- AC_DEFINE_UNQUOTED(SEPOL_POLICY_VERSION_MAX, ${sepol_policy_version_max}, [maximum policy version supported by libsepol])
- CFLAGS="${sepol_save_CFLAGS}"
- CPPFLAGS="${sepol_save_CPPFLAGS}"
-@@ -631,7 +635,7 @@
-     changequote([,])dnl
-     selinux_save_CFLAGS="${CFLAGS}"
-     CFLAGS="${SELINUX_CFLAGS} ${SELINUX_LIB_FLAG} -lselinux -lsepol ${CFLAGS}"
--    gcc ${CFLAGS} -o conftest conftest.c >&5
-+    ${CC} ${CFLAGS} -o conftest conftest.c >&5
-     selinux_policy_dir=`./conftest`
-     AC_MSG_RESULT(${selinux_policy_dir})
-     CFLAGS="${selinux_save_CFLAGS}"
-diff -urN a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
---- a/libqpol/src/policy_define.c	2013-01-16 10:36:24.000000000 -0600
-+++ b/libqpol/src/policy_define.c	2013-07-12 08:22:10.380255248 -0500
-@@ -2135,7 +2135,7 @@
- #ifdef HAVE_SEPOL_ROLE_ATTRS
- 	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
- #elif HAVE_SEPOL_USER_ROLE_MAPPING
--	if (role_set_expand(&roles, &e_roles, policydbp, NULL))
-+	if (role_set_expand(&roles, &e_roles, policydbp, NULL, NULL))
- #else
- 	if (role_set_expand(&roles, &e_roles, policydbp))
- #endif
-diff -urN a/m4/ac_python_devel.m4 b/m4/ac_python_devel.m4
---- a/m4/ac_python_devel.m4	2013-01-16 10:36:22.000000000 -0600
-+++ b/m4/ac_python_devel.m4	2013-07-12 08:22:10.380255248 -0500
-@@ -234,7 +234,7 @@
- 	AC_MSG_CHECKING([consistency of all components of python development environment])
- 	AC_LANG_PUSH([C])
- 	# save current global flags
--	LIBS="$ac_save_LIBS $PYTHON_LDFLAGS"
-+	LIBS="$ac_save_LIBS $PYTHON_EXTRA_LIBS $PYTHON_LDFLAGS"
- 	CPPFLAGS="$ac_save_CPPFLAGS $PYTHON_CPPFLAGS"
- 	AC_TRY_LINK([
- 		#include <Python.h>
-diff -urN a/python/setools/Makefile.am b/python/setools/Makefile.am
---- a/python/setools/Makefile.am	2013-01-16 10:36:22.000000000 -0600
-+++ b/python/setools/Makefile.am	2013-07-12 08:22:19.200251011 -0500
-@@ -22,13 +22,13 @@
- python-build: sesearch.c seinfo.c
- 	@mkdir -p setools
- 	@cp __init__.py setools
--	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" INCLUDES="$(QPOL_CFLAGS) $(APOL_CFLAGS)" $(PYTHON) setup.py build
-+	LIBS="$(QPOL_LIB_FLAG) $(APOL_LIB_FLAG)" LIBDIRS="$(PYTHON_LDFLAGS)" INCLUDES="$(PYTHON_CPPFLAGS) $(QPOL_CFLAGS) $(APOL_CFLAGS)" CC="$(CC)" CFLAGS="$(CFLAGS)" LDSHARED="$(CC) -shared" LDFLAGS="$(LDFLAGS)" $(PYTHON) setup.py build_ext
- 
- install-exec-hook:
--	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+	$(PYTHON) setup.py install `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
- 
- uninstall-hook: 
--	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
-+	$(PYTHON) setup.py uninstall `test -n "$(DESTDIR)" && echo --prefix=$(DESTDIR)/usr`
- 
- clean-local:
- 	$(PYTHON) setup.py clean -a 
---- a/python/setools/setup.py	2013-01-16 10:36:22.000000000 -0600
-+++ b/python/setools/setup.py	2013-09-04 09:17:48.452916991 -0500
-@@ -8,7 +8,7 @@
- try:
-     inc=os.getenv("INCLUDES").split(" ")    
-     INCLUDES=map(lambda x: x[2:], inc)
--    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split())
-+    LIBDIRS=map(lambda x: "/".join(x.split("/")[:-1]), os.getenv("LIBS").split()) + map(lambda x: x[2:], os.getenv("LIBDIRS").split())
- except:
-     INCLUDES=""
-     LIBDIRS=""

package/setools/0001-remove-werror-flag-from-setup.patch

@@ -0,0 +1,29 @@
+From b2fe84bfd00117d4897f1f2e8f83d3410eb188b8 Mon Sep 17 00:00:00 2001
+From: Adam Duskett <Adamduskett@outlook.com>
+Date: Thu, 12 Oct 2017 22:04:58 -0400
+Subject: [PATCH] remove werror flag from setup
+
+Compilers older than gcc6 will generate uninitialized variable warnings which
+will cause compiling to fail.
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ setup.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 2ca44c9..9319bf6 100644
+--- a/setup.py
++++ b/setup.py
+@@ -146,7 +146,7 @@ ext_py_mods = [Extension('setools.policyrep._qpol',
+                           'libqpol/policy_scan.c',
+                           'libqpol/xen_query.c'],
+                          include_dirs=include_dirs,
+-                         extra_compile_args=['-Werror', '-Wextra',
++                         extra_compile_args=['-Wextra',
+                                              '-Waggregate-return',
+                                              '-Wfloat-equal',
+                                              '-Wformat', '-Wformat=2',
+-- 
+2.13.6
+

package/setools/0002-Do-not-export-use-setools.InfoFlowAnalysis-and-setoo.patch

@@ -0,0 +1,142 @@
+From 2512c3ba608077db3a5e0286b976fadc8a04a5c4 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 23 Feb 2017 08:17:07 +0100
+Subject: [PATCH] Do not export/use setools.InfoFlowAnalysis and
+ setools.DomainTransitionAnalysis
+
+dta and infoflow modules require networkx which brings lot of dependencies.
+These dependencies are not necessary for setools module itself as it's
+used in policycoreutils.
+
+Therefore it's better to use setools.infoflow.InfoFlowAnalysis and
+setools.dta.DomainTransitionAnalysis and let the package containing
+sedta and seinfoflow to require python3-networkx
+
+Signed-off-by: Adam Duskett <Adamduskett@outlook.com>
+---
+ sedta                       | 3 ++-
+ seinfoflow                  | 3 ++-
+ setools/__init__.py         | 4 ++--
+ setoolsgui/apol/dta.py      | 2 +-
+ setoolsgui/apol/infoflow.py | 2 +-
+ tests/dta.py                | 3 ++-
+ tests/infoflow.py           | 3 ++-
+ 7 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/sedta b/sedta
+index 1c76ebb..255ad49 100755
+--- a/sedta
++++ b/sedta
+@@ -23,6 +23,7 @@ import argparse
+ import logging
+ 
+ import setools
++import setools.dta
+ 
+ 
+ def print_transition(trans):
+@@ -111,7 +112,7 @@ else:
+ 
+ try:
+     p = setools.SELinuxPolicy(args.policy)
+-    g = setools.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
++    g = setools.dta.DomainTransitionAnalysis(p, reverse=args.reverse, exclude=args.exclude)
+ 
+     if args.shortest_path or args.all_paths:
+         if args.shortest_path:
+diff --git a/seinfoflow b/seinfoflow
+index b287921..d53bdef 100755
+--- a/seinfoflow
++++ b/seinfoflow
+@@ -19,6 +19,7 @@
+ 
+ from __future__ import print_function
+ import setools
++import setools.infoflow
+ import argparse
+ import sys
+ import logging
+@@ -79,7 +80,7 @@ else:
+ try:
+     p = setools.SELinuxPolicy(args.policy)
+     m = setools.PermissionMap(args.map)
+-    g = setools.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
++    g = setools.infoflow.InfoFlowAnalysis(p, m, min_weight=args.min_weight, exclude=args.exclude)
+ 
+     if args.shortest_path or args.all_paths:
+         if args.shortest_path:
+diff --git a/setools/__init__.py b/setools/__init__.py
+index a84c846..a53c5a7 100644
+--- a/setools/__init__.py
++++ b/setools/__init__.py
+@@ -74,11 +74,11 @@ from .pcideviceconquery import PcideviceconQuery
+ from .devicetreeconquery import DevicetreeconQuery
+ 
+ # Information Flow Analysis
+-from .infoflow import InfoFlowAnalysis
++# from .infoflow import InfoFlowAnalysis
+ from .permmap import PermissionMap
+ 
+ # Domain Transition Analysis
+-from .dta import DomainTransitionAnalysis
++# from .dta import DomainTransitionAnalysis
+ 
+ # Policy difference
+ from .diff import PolicyDifference
+diff --git a/setoolsgui/apol/dta.py b/setoolsgui/apol/dta.py
+index 0aaf13f..5b1ea20 100644
+--- a/setoolsgui/apol/dta.py
++++ b/setoolsgui/apol/dta.py
+@@ -23,7 +23,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
+ from PyQt5.QtGui import QPalette, QTextCursor
+ from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
+                             QTreeWidgetItem
+-from setools import DomainTransitionAnalysis
++from setools.dta import DomainTransitionAnalysis
+ 
+ from ..logtosignal import LogHandlerToSignal
+ from .analysistab import AnalysisTab
+diff --git a/setoolsgui/apol/infoflow.py b/setoolsgui/apol/infoflow.py
+index 1ae16de..fdf8f7b 100644
+--- a/setoolsgui/apol/infoflow.py
++++ b/setoolsgui/apol/infoflow.py
+@@ -25,7 +25,7 @@ from PyQt5.QtCore import pyqtSignal, Qt, QStringListModel, QThread
+ from PyQt5.QtGui import QPalette, QTextCursor
+ from PyQt5.QtWidgets import QCompleter, QHeaderView, QMessageBox, QProgressDialog, \
+                             QTreeWidgetItem
+-from setools import InfoFlowAnalysis
++from setools.infoflow import InfoFlowAnalysis
+ from setools.exception import UnmappedClass, UnmappedPermission
+ 
+ from ..logtosignal import LogHandlerToSignal
+diff --git a/tests/dta.py b/tests/dta.py
+index 32b9271..2bdd052 100644
+--- a/tests/dta.py
++++ b/tests/dta.py
+@@ -17,7 +17,8 @@
+ #
+ import unittest
+ 
+-from setools import SELinuxPolicy, DomainTransitionAnalysis
++from setools import SELinuxPolicy
++from setools.dta import DomainTransitionAnalysis
+ from setools import TERuletype as TERT
+ from setools.policyrep.exception import InvalidType
+ from setools.policyrep.typeattr import Type
+diff --git a/tests/infoflow.py b/tests/infoflow.py
+index 7751dda..a21c683 100644
+--- a/tests/infoflow.py
++++ b/tests/infoflow.py
+@@ -17,7 +17,8 @@
+ #
+ import unittest
+ 
+-from setools import SELinuxPolicy, InfoFlowAnalysis
++from setools import SELinuxPolicy
++from setools.infoflow import InfoFlowAnalysis
+ from setools import TERuletype as TERT
+ from setools.permmap import PermissionMap
+ from setools.policyrep.exception import InvalidType
+-- 
+2.9.3
+

package/setools/0002-move-python-check.patch

@@ -1,25 +0,0 @@
-Correct a build issue that occurs when python is not found
-in the path. This check should only be done if swig-python
-option is selected.
-
-Signed-off-by Clayton Shotwell <clshotwe@rockwellcollins.com>
-
---- a/configure.ac	2015-05-15 12:28:07.566060349 -0500
-+++ b/configure.ac	2015-05-28 15:07:25.357072800 -0500
-@@ -217,8 +217,6 @@
-    do_swigify=yes
- fi
- 
--AM_PATH_PYTHON(2.7)
--
- AC_ARG_ENABLE(swig-python,
-               AC_HELP_STRING([--enable-swig-python],
-                              [build SWIG interfaces for Python]),
-@@ -227,6 +225,7 @@
-    if test ${do_swigify} = no; then
-       AC_PROG_SWIG(2.0.0)
-    fi
-+   AM_PATH_PYTHON(2.7)
-    SWIG_PYTHON
-    do_swigify_python=yes
-    do_swigify=yes

package/setools/0003-setools-Update-for-2015-02-02-Userspace-release.patch

@@ -1,90 +0,0 @@
-setools: Add patch to support 2.4 toolstack.
-Signed-off-by: Philip Tricca <flihp@twobit.us>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
-URL: https://github.com/flihp/meta-selinux/commit/e09eaef7a9acb552a4a5e1f90117154ae06b6fda
-
-Signed-off-by: Adam Duskett <Aduskett@gmail.com>
-
-diff --git a/libqpol/src/policy_define.c b/libqpol/src/policy_define.c
-index fad6b60..231962f 100644
---- a/libqpol/src/policy_define.c
-+++ b/libqpol/src/policy_define.c
-@@ -1449,7 +1449,7 @@ int define_compute_type_helper(int which, avrule_t ** rule)
- 				return -1;
- 			}
- 			class_perm_node_init(perm);
--			perm->class = i + 1;
-+			perm->tclass = i + 1;
- 			perm->data = datum->s.value;
- 			perm->next = avrule->perms;
- 			avrule->perms = perm;
-@@ -1699,7 +1699,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
- 			goto out;
- 		}
- 		class_perm_node_init(cur_perms);
--		cur_perms->class = i + 1;
-+		cur_perms->tclass = i + 1;
- 		if (!perms)
- 			perms = cur_perms;
- 		if (tail)
-diff --git a/libqpol/src/policy_extend.c b/libqpol/src/policy_extend.c
-index 5325a87..1417271 100644
---- a/libqpol/src/policy_extend.c
-+++ b/libqpol/src/policy_extend.c
-@@ -843,7 +843,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
- 			for (class_node = rule->perms; class_node; class_node = class_node->next) {
- 				key.rule_type = rule->specified;
- 				key.source_val = key.target_val = i + 1;
--				key.class_val = class_node->class;
-+				key.class_val = class_node->tclass;
- 				key.cond = cond;
- 				if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
- 					goto err;
-@@ -856,7 +856,7 @@ static int qpol_syn_rule_table_insert_sepol_avrule(qpol_policy_t * policy, qpol_
- 				key.rule_type = rule->specified;
- 				key.source_val = i + 1;
- 				key.target_val = j + 1;
--				key.class_val = class_node->class;
-+				key.class_val = class_node->tclass;
- 				key.cond = cond;
- 				if (qpol_syn_rule_table_insert_entry(policy, table, &key, new_rule))
- 					goto err;
-diff --git a/libqpol/src/syn_rule_query.c b/libqpol/src/syn_rule_query.c
-index 3e63204..d7578f1 100644
---- a/libqpol/src/syn_rule_query.c
-+++ b/libqpol/src/syn_rule_query.c
-@@ -67,7 +67,7 @@ static void *syn_rule_class_state_get_cur(const qpol_iterator_t * iter)
- 		return NULL;
- 	}
-
--	return db->class_val_to_struct[srcs->cur->class - 1];
-+	return db->class_val_to_struct[srcs->cur->tclass - 1];
- }
-
- static int syn_rule_class_state_next(qpol_iterator_t * iter)
-@@ -465,10 +465,10 @@ int qpol_syn_avrule_get_perm_iter(const qpol_policy_t * policy, const qpol_syn_a
- 	}
-
- 	for (node = internal_rule->perms; node; node = node->next) {
--		for (i = 0; i < db->class_val_to_struct[node->class - 1]->permissions.nprim; i++) {
-+		for (i = 0; i < db->class_val_to_struct[node->tclass - 1]->permissions.nprim; i++) {
- 			if (!(node->data & (1 << i)))
- 				continue;
--			tmp = sepol_av_to_string(db, node->class, (sepol_access_vector_t) (1 << i));
-+			tmp = sepol_av_to_string(db, node->tclass, (sepol_access_vector_t) (1 << i));
- 			if (tmp) {
- 				tmp++; /* remove prepended space */
- 				for (cur = 0; cur < perm_list_sz; cur++)
-diff --git a/secmds/replcon.cc b/secmds/replcon.cc
-index 34f7c1a..307c39f 100644
---- a/secmds/replcon.cc
-+++ b/secmds/replcon.cc
-@@ -60,7 +60,7 @@ static struct option const longopts[] = {
- 	{NULL, 0, NULL, 0}
- };
-
--extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
-+extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
-
- /**
-  * As that setools must work with older libselinux versions that may

package/setools/Config.in

@@ -1,36 +1,27 @@
 config BR2_PACKAGE_SETOOLS
 	bool "setools"
-	depends on BR2_TOOLCHAIN_HAS_THREADS
+	depends on !BR2_arc # arc: libselinux not available
 	depends on !BR2_STATIC_LIBS
-	depends on BR2_INSTALL_LIBSTDCPP
+	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on BR2_USE_WCHAR
 	depends on BR2_TOOLCHAIN_USES_GLIBC # libselinux
-	# bfin: infamous _ symbol prefix issue
-	# nios2: triggers some toolchain issue "No symbol version
-	# section for versioned symbol"
-	# arc: libselinux not available
-	depends on !BR2_nios2 && !BR2_bfin && !BR2_arc
+	depends on BR2_USE_MMU
+	select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON
+	select BR2_PACKAGE_PYTHON_ENUM34 if !BR2_PACKAGE_PYTHON3
+	select BR2_PACKAGE_PYTHON_SETUPTOOLS
 	select BR2_PACKAGE_LIBSELINUX
-	select BR2_PACKAGE_SQLITE
-	select BR2_PACKAGE_LIBXML2
-	select BR2_PACKAGE_BZIP2
 	help
 	  SETools is an open source project designed to facilitate
 	  SELinux policy analysis. The primary tools are:
-	   * apol - analyze a SELinux policy.
-	   * seaudit - analyze audit messages from SELinux.
-	   * seaudit-report - generate highly-customized audit log
-	     reports.
-	   * sechecker - command line tool for performing modular
-	     checks on an SELinux policy.
+	   * apol - analyze a SELinux policy. (requires python-qt5)
 	   * sediff - semantic policy difference tool for SELinux.
-	   * secmds - command-line tools to analyze and search SELinux
-	     policy.
+	   * sedta - Perform domain transition analyses
+	   * sesearch - Search rules (allow, type_transition, etc.)
 
-	  https://github.com/TresysTechnology/setools3/wiki
+	  https://github.com/TresysTechnology/setools
 
 comment "setools needs a glibc toolchain w/ threads, C++, wchar, dynamic library"
-	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS \
-		|| !BR2_USE_WCHAR || !BR2_INSTALL_LIBSTDCPP \
-		|| !BR2_TOOLCHAIN_USES_GLIBC
-	depends on !BR2_nios2 && !BR2_bfin && !BR2_arc
+	depends on BR2_USE_MMU && !BR2_arc
+	depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS || \
+		!BR2_USE_WCHAR || !BR2_TOOLCHAIN_USES_GLIBC || \
+		!BR2_INSTALL_LIBSTDCPP

package/setools/setools.hash

@@ -1,4 +1,7 @@
 # From https://github.com/TresysTechnology/setools3/wiki/Download
-md5	d68d0d4e4da0f01da0f208782ff04b91	setools-3.3.8.tar.bz2
+md5	d68d0d4e4da0f01da0f208782ff04b91	setools-4.1.1.tar.bz2
 # Locally computed
-sha256	44387ecc9a231ec536a937783440cd8960a72c51f14bffc1604b7525e341e999	setools-3.3.8.tar.bz2
+sha256	46a927ea2b163cbe1d35cc35da43e45853e13720c7e02d4cf75a498783c19610 setools-4.1.1.tar.gz
+sha256  2f7547e10f76a382c24c053595f38a5cc6dda9347f508f254ca490e0046a9624 COPYING
+sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING.GPL
+sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LGPL

package/setools/setools.mk

@@ -4,81 +4,67 @@
 #
 ################################################################################
 
-SETOOLS_VERSION = 3.3.8
-SETOOLS_SOURCE = setools-$(SETOOLS_VERSION).tar.bz2
-SETOOLS_SITE = https://raw.githubusercontent.com/wiki/TresysTechnology/setools3/files/dists/setools-$(SETOOLS_VERSION)
-SETOOLS_DEPENDENCIES = libselinux libsepol sqlite libxml2 bzip2 host-bison host-flex
+SETOOLS_VERSION = 4.1.1
+SETOOLS_SITE = $(call github,TresysTechnology,setools,$(SETOOLS_VERSION))
+SETOOLS_DEPENDENCIES = libselinux libsepol python-setuptools host-bison host-flex host-swig
 SETOOLS_INSTALL_STAGING = YES
 SETOOLS_LICENSE = GPL-2.0+, LGPL-2.1+
 SETOOLS_LICENSE_FILES = COPYING COPYING.GPL COPYING.LGPL
+SETOOLS_SETUP_TYPE = setuptools
+HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol
 
-# configure.ac is patched by the cross compile patch,
-# so autoreconf is necessary
-SETOOLS_AUTORECONF = YES
-
-# Notes: Need "disable-selinux-check" so the configure does not check to see
-#        if host has selinux enabled.
-#        No python support as only the libraries and commandline tools are
-#        installed on target
-SETOOLS_CONF_OPTS = \
-	--disable-debug \
-	--disable-gui \
-	--disable-bwidget-check \
-	--disable-selinux-check \
-	--disable-swig-java \
-	--disable-swig-python \
-	--disable-swig-tcl \
-	--with-sepol-devel="$(STAGING_DIR)/usr" \
-	--with-selinux-devel="$(STAGING_DIR)/usr"
-
-ifeq ($(BR2_sparc64):$(BR2_STATIC_LIBS),y:)
-SETOOLS_CONF_ENV += CFLAGS="$(TARGET_CFLAGS) -fPIC"
-endif
-
-HOST_SETOOLS_DEPENDENCIES = host-libselinux host-libsepol host-sqlite \
-	host-libxml2 host-bzip2 host-bison
 
 ifeq ($(BR2_PACKAGE_PYTHON3),y)
-HOST_SETOOLS_PYTHON_VERSION=$(PYTHON3_VERSION_MAJOR)
-HOST_SETOOLS_DEPENDENCIES += host-python3
-HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON3_VERSION)
+SETOOLS_PYLIBVER = python$(PYTHON3_VERSION_MAJOR)
 else
-HOST_SETOOLS_PYTHON_VERSION=$(PYTHON_VERSION_MAJOR)
-HOST_SETOOLS_DEPENDENCIES += host-python
-HOST_SETOOLS_CONF_ENV += am_cv_python_version=$(PYTHON_VERSION)
+SETOOLS_PYLIBVER = python$(PYTHON_VERSION_MAJOR)
+SETOOLS_DEPENDENCIES += python-enum34
 endif
 
-HOST_SETOOLS_PYTHON_SITE_PACKAGES = $(HOST_DIR)/lib/python$(HOST_SETOOLS_PYTHON_VERSION)/site-packages
-HOST_SETOOLS_PYTHON_INCLUDES = $(HOST_DIR)/include/python$(HOST_SETOOLS_PYTHON_VERSION)
-HOST_SETOOLS_PYTHON_LIB = -lpython$(HOST_SETOOLS_PYTHON_VERSION)
+define SETOOLS_FIX_SETUP
+	# By default, setup.py will look for libsepol.a in the host machines
+	# /usr/lib directory. This needs to be changed to the staging directory.
+	$(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(STAGING_DIR)/lib']@g" \
+		$(@D)/setup.py
+endef
+SETOOLS_POST_PATCH_HOOKS += SETOOLS_FIX_SETUP
 
-# Notes: Need "disable-selinux-check" so the configure does not check to see
-#        if host has selinux enabled.
-#        Host builds with python support to enable tools for offline target
-#        policy analysis
-HOST_SETOOLS_CONF_OPTS = \
-	--disable-debug \
-	--disable-gui \
-	--disable-bwidget-check \
-	--disable-selinux-check \
-	--disable-swig-java \
-	--disable-swig-python \
-	--disable-swig-tcl \
-	--with-sepol-devel="$(HOST_DIR)" \
-	--with-selinux-devel="$(HOST_DIR)" \
-	PYTHON_LDFLAGS="-L$(HOST_DIR)/lib/" \
-	PYTHON_CPPFLAGS="-I$(HOST_SETOOLS_PYTHON_INCLUDES)" \
-	PYTHON_SITE_PKG="$(HOST_SETOOLS_PYTHON_SITE_PACKAGES)" \
-	PYTHON_EXTRA_LIBS="-lpthread -ldl -lutil $(HOST_SETOOLS_PYTHON_LIB)"
+define HOST_SETOOLS_FIX_SETUP
+	# By default, setup.py will look for libsepol.a in the host machines
+	# /usr/lib directory. This needs to be changed to the host directory.
+	$(SED) "s@base_lib_dirs =.*@base_lib_dirs = ['$(HOST_DIR)/lib']@g" \
+		$(@D)/setup.py
+endef
+HOST_SETOOLS_POST_PATCH_HOOKS += HOST_SETOOLS_FIX_SETUP
+
+# sedta and seinfoflow depend on python-networkx. This package is not
+# available in buildroot.
+define SETOOLS_REMOVE_BROKEN_SCRIPTS
+	$(RM) $(TARGET_DIR)/usr/bin/sedta
+	$(RM) $(TARGET_DIR)/usr/bin/seinfoflow
+endef
+SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_BROKEN_SCRIPTS
+
+# apol requires pyqt5. However, the setools installation
+# process will install apol even if pyqt5 is missing.
+# Remove these scripts from the target it pyqt5 is not selected.
+ifeq ($(BR2_PACKAGE_PYTHON_PYQT5),)
+define SETOOLS_REMOVE_QT_SCRIPTS
+	$(RM) $(TARGET_DIR)/usr/bin/apol
+	$(RM) -r $(TARGET_DIR)/lib/$(SETOOLS_PYLIBVER)/site-packages/setoolsgui/
+endef
+SETOOLS_POST_INSTALL_TARGET_HOOKS += SETOOLS_REMOVE_QT_SCRIPTS
+endif
 
-HOST_SETOOLS_CONF_ENV += \
-	am_cv_pathless_PYTHON=python \
-	ac_cv_path_PYTHON=$(HOST_DIR)/bin/python \
-	am_cv_python_platform=linux2 \
-	am_cv_python_version=$(HOST_SETOOLS_PYTHON_VERSION) \
-	am_cv_python_pythondir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \
-	am_cv_python_pyexecdir=$(HOST_SETOOLS_PYTHON_SITE_PACKAGES) \
-	am_cv_python_includes=-I$(HOST_SETOOLS_PYTHON_INCLUDES)
+# sedta and seinfoflow depend on python-networkx. This package is not
+# available in buildroot. pyqt5 is not a host-package, remove apol
+# from the host directory as well.
+define HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS
+	$(RM) $(HOST_DIR)/bin/sedta
+	$(RM) $(HOST_DIR)/bin/seinfoflow
+	$(RM) $(HOST_DIR)/bin/apol
+endef
+HOST_SETOOLS_POST_INSTALL_HOOKS += HOST_SETOOLS_REMOVE_BROKEN_SCRIPTS
 
-$(eval $(autotools-package))
-$(eval $(host-autotools-package))
+$(eval $(python-package))
+$(eval $(host-python-package))