Merge remote-tracking branch 'aosp/upstream-master' into mymerge

Followed the following steps:
  # In repo client
  cd external/selinux
  repo sync .
  repo start mymerge .
  git merge aosp/upstream-master --no-ff # resolve any conflicts
  repo upload .

Test: device boots and no obvious problems.
Change-Id: I6beff804808e92d1002ead226c7d5c702f373cdc

.travis.yml

@@ -11,21 +11,20 @@ compiler:
 env:
   matrix:
     # Test the last version of Python and Ruby together, with some linkers
-    - PYVER=python3.7 RUBYLIBVER=2.5.1
-    - PYVER=python3.7 RUBYLIBVER=2.5.1 TEST_FLAGS_OVERRIDE=1
-    - PYVER=python3.7 RUBYLIBVER=2.5.1 LINKER=gold
-    - PYVER=python3.7 RUBYLIBVER=2.5.1 LINKER=bfd
+    - PYVER=python3.7 RUBYLIBVER=2.6
+    - PYVER=python3.7 RUBYLIBVER=2.6 TEST_FLAGS_OVERRIDE=1
+    - PYVER=python3.7 RUBYLIBVER=2.6 LINKER=gold
+    - PYVER=python3.7 RUBYLIBVER=2.6 LINKER=bfd
 
     # Test several Python versions
-    - PYVER=python2.7 RUBYLIBVER=2.5.1
-    - PYVER=python3.5 RUBYLIBVER=2.5.1
-    - PYVER=python3.6 RUBYLIBVER=2.5.1
-    # pypy2.7 seems not to be available in Travis-CI Xenial template yet.
-    # https://github.com/travis-ci/travis-ci/issues/9542
-    #- PYVER=pypy RUBYLIBVER=2.5.1
-    - PYVER=pypy3.5 RUBYLIBVER=2.5.1
+    - PYVER=python2.7 RUBYLIBVER=2.6
+    - PYVER=python3.5 RUBYLIBVER=2.6
+    - PYVER=python3.6 RUBYLIBVER=2.6
+    - PYVER=pypy2.7-6.0 RUBYLIBVER=2.6
+    - PYVER=pypy3.5-6.0 RUBYLIBVER=2.6
 
-    # Test several Ruby versions
+    # Test several Ruby versions (http://rubies.travis-ci.org/)
+    - PYVER=python3.7 RUBYLIBVER=2.5.1
     - PYVER=python3.7 RUBYLIBVER=2.4
     - PYVER=python3.7 RUBYLIBVER=2.3
     - PYVER=python3.7 RUBYLIBVER=2.2
@@ -33,9 +32,9 @@ env:
 matrix:
   exclude:
     - compiler: clang
-      env: PYVER=python3.7 RUBYLIBVER=2.5.1 LINKER=gold
+      env: PYVER=python3.7 RUBYLIBVER=2.6 LINKER=gold
     - compiler: clang
-      env: PYVER=python3.7 RUBYLIBVER=2.5.1 LINKER=bfd
+      env: PYVER=python3.7 RUBYLIBVER=2.6 LINKER=bfd
 
 # Use Travis-CI Ubuntu 16.04 Xenial Xerus infrastructure, "full image" variant
 sudo: required
@@ -64,14 +63,16 @@ addons:
     - xmlto
 
 install:
-  # Download refpolicy Makefile for sepolgen tests
-  - sudo mkdir -p /usr/share/selinux/default
-  - sudo curl --retry 10 -o /usr/share/selinux/default/Makefile 'https://raw.githubusercontent.com/SELinuxProject/refpolicy/RELEASE_2_20180114/support/Makefile.devel'
-  - sudo sed "s,^PREFIX :=.*,PREFIX := $TRAVIS_BUILD_DIR/installdir/usr," -i /usr/share/selinux/default/Makefile
-  - sudo mkdir -p /usr/share/selinux/refpolicy/include
-  - sudo curl --retry 10 -o /usr/share/selinux/refpolicy/include/build.conf 'https://raw.githubusercontent.com/SELinuxProject/refpolicy/RELEASE_2_20180114/build.conf'
+  # Download and install refpolicy headers for sepolgen tests
+  - curl --location --retry 10 -o "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2" https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20180701/refpolicy-2.20180701.tar.bz2
+  - tar -C "$TRAVIS_BUILD_DIR" -xvjf "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2"
+  # Make refpolicy Makefile use the new toolchain when building modules
+  - sed -e "s,^PREFIX :=.*,PREFIX := \$(DESTDIR)/usr," -i "$TRAVIS_BUILD_DIR/refpolicy/support/Makefile.devel"
+  - sudo make -C "$TRAVIS_BUILD_DIR/refpolicy" install-headers
+  - sudo rm -rf "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2" "$TRAVIS_BUILD_DIR/refpolicy"
   - sudo mkdir -p /etc/selinux
   - echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
+  - echo 'SELINUX_DEVEL_PATH = /usr/share/selinux/refpolicy' | sudo tee /etc/selinux/sepolgen.conf
 
   # Make sepolgen tests work without really installing anything in the real root (doing this would conflict with Ubuntu packages)
   - sed -e "s,\"\(/usr/bin/[cs]\),\"$TRAVIS_BUILD_DIR/installdir\1," -i python/sepolgen/src/sepolgen/module.py
@@ -96,8 +97,12 @@ before_script:
   - export PYTHON="$VIRTUAL_ENV/bin/python"
   # Use the header files in /opt/python/... for Python because the virtualenvs do not provide Python.h
   - export PKG_CONFIG_PATH="/opt/python/$($PYTHON -c 'import sys;print("%d.%d.%d" % sys.version_info[:3])')/lib/pkgconfig"
-  # PyPy does not provide a config file for pkg-config nor a pypy-c.so
-  - if echo "$PYVER" | grep -q pypy ; then export PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include PYLIBS= ; fi
+  # PyPy does not provide a config file for pkg-config
+  # libpypy-c.so is provided in bin/libpypy-c.so for PyPy and bin/libpypy3-c.so for PyPy3
+  - if echo "$PYVER" | grep -q pypy ; then
+        export PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include ;
+        export PYLIBS="$($PYTHON -c 'import sys;print("-L%s/bin -l%s" % (sys.prefix, "pypy-c" if sys.version_info < (3,) else "pypy3-c"))')" ;
+    fi
 
   # Find the Ruby executable with version $RUBYLIBVER
   - rvm reinstall ruby-$RUBYLIBVER --binary
@@ -124,10 +129,7 @@ script:
   - make all $EXPLICIT_MAKE_VARS -k
 
   # Set up environment variables for the tests
-  - export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib"
-  - export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH"
-  - export PYTHONPATH="$DESTDIR$($PYTHON -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
-  - export RUBYLIB="$DESTDIR/$($RUBY -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$($RUBY -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
+  - . ./scripts/env_use_destdir
 
   # Show variables (to help debugging issues)
   - echo "$LD_LIBRARY_PATH"

checkpolicy/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

dbus/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

gui/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

libselinux/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

libselinux/src/Makefile

@@ -165,7 +165,7 @@ $(AUDIT2WHYLOBJ): audit2why.c
 	$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
 
 $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
-	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
 
 %.o:  %.c policy.h
 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<

libselinux/src/audit2why.map

@@ -0,0 +1,6 @@
+AUDIT2WHY_2.9 {
+  global:
+    initaudit2why;
+    PyInit_audit2why;
+  local: *;
+};

libselinux/src/selinux_restorecon.c

@@ -881,7 +881,7 @@ int selinux_restorecon(const char *pathname_orig,
 		setrestoreconlast = false;
 
 	/* Ignore restoreconlast on in-memory filesystems */
-	if (statfs(pathname, &sfsb) == 0) {
+	if (setrestoreconlast && statfs(pathname, &sfsb) == 0) {
 		if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC)
 			setrestoreconlast = false;
 	}

libsemanage/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

libsemanage/src/boolean_record.c

@@ -6,7 +6,9 @@
  * Implements: record_key_t (Database Record Key)
  */
 
+#include <string.h>
 #include <sepol/boolean_record.h>
+#include "handle_internal.h"
 
 typedef sepol_bool_t semanage_bool_t;
 typedef sepol_bool_key_t semanage_bool_key_t;
@@ -84,10 +86,58 @@ hidden_def(semanage_bool_get_name)
 int semanage_bool_set_name(semanage_handle_t * handle,
 			   semanage_bool_t * boolean, const char *name)
 {
-	int rc;
-	char *subname = selinux_boolean_sub(name);
+	int rc = -1;
+	const char *prefix = semanage_root();
+	const char *storename = handle->conf->store_path;
+	const char *selinux_root = selinux_policy_root();
+	char *oldroot;
+	char *olddir;
+	char *subname = NULL;
+	char *newroot = NULL;
+	char *end;
+
+	if (!selinux_root)
+		return -1;
+
+	oldroot = strdup(selinux_root);
+	if (!oldroot)
+		return -1;
+	olddir = strdup(oldroot);
+	if (!olddir)
+		goto out;
+	end = strrchr(olddir, '/');
+	if (!end)
+		goto out;
+	end++;
+	*end = '\0';
+	rc = asprintf(&newroot, "%s%s%s", prefix, olddir, storename);
+	if (rc < 0)
+		goto out;
+
+	if (strcmp(oldroot, newroot)) {
+		rc = selinux_set_policy_root(newroot);
+		if (rc)
+			goto out;
+	}
+
+	subname = selinux_boolean_sub(name);
+	if (!subname) {
+		rc = -1;
+		goto out;
+	}
+
+	if (strcmp(oldroot, newroot)) {
+		rc = selinux_set_policy_root(oldroot);
+		if (rc)
+			goto out;
+	}
+
 	rc = sepol_bool_set_name(handle->sepolh, boolean, subname);
+out:
 	free(subname);
+	free(oldroot);
+	free(olddir);
+	free(newroot);
 	return rc;
 }
 

libsemanage/src/handle.c

@@ -58,6 +58,8 @@ const char * semanage_root(void)
 	return private_semanage_root;
 }
 
+hidden_def(semanage_root);
+
 semanage_handle_t *semanage_handle_create(void)
 {
 	semanage_handle_t *sh = NULL;

libsemanage/src/handle_internal.h

@@ -5,8 +5,9 @@
 #include "dso.h"
 
 hidden_proto(semanage_begin_transaction)
-    hidden_proto(semanage_handle_destroy)
-    hidden_proto(semanage_reload_policy)
-    hidden_proto(semanage_access_check)
-    hidden_proto(semanage_set_root)
+hidden_proto(semanage_handle_destroy)
+hidden_proto(semanage_reload_policy)
+hidden_proto(semanage_access_check)
+hidden_proto(semanage_set_root)
+hidden_proto(semanage_root)
 #endif

libsepol/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

mcstrans/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

policycoreutils/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

policycoreutils/setsebool/setsebool.c

@@ -18,7 +18,7 @@
 #include <errno.h>
 
 int permanent = 0;
-int reload = 1;
+int no_reload = 0;
 int verbose = 0;
 
 int setbool(char **list, size_t start, size_t end);
@@ -38,11 +38,6 @@ int main(int argc, char **argv)
 	if (argc < 2)
 		usage();
 
-	if (is_selinux_enabled() <= 0) {
-		fputs("setsebool:  SELinux is disabled.\n", stderr);
-		return 1;
-	}
-
 	while (1) {
 		clflag = getopt(argc, argv, "PNV");
 		if (clflag == -1)
@@ -53,7 +48,7 @@ int main(int argc, char **argv)
 			permanent = 1;
 			break;
 		case 'N':
-			reload = 0;
+			no_reload = 1;
 			break;
 		case 'V':
 			verbose = 1;
@@ -130,6 +125,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
 	semanage_bool_key_t *bool_key = NULL;
 	int managed;
 	int result;
+	int enabled = is_selinux_enabled();
 
 	handle = semanage_handle_create();
 	if (handle == NULL) {
@@ -191,7 +187,7 @@ static int semanage_set_boolean_list(size_t boolcnt,
 						  boolean) < 0)
 			goto err;
 
-		if (semanage_bool_set_active(handle, bool_key, boolean) < 0) {
+		if (enabled && semanage_bool_set_active(handle, bool_key, boolean) < 0) {
 			fprintf(stderr, "Failed to change boolean %s: %m\n",
 				boollist[j].name);
 			goto err;
@@ -202,7 +198,8 @@ static int semanage_set_boolean_list(size_t boolcnt,
 		boolean = NULL;
 	}
 
-	semanage_set_reload(handle, reload);
+	if (no_reload)
+		semanage_set_reload(handle, 0);
 	if (semanage_commit(handle) < 0)
 		goto err;
 

python/Makefile

@@ -1,8 +1,6 @@
 SUBDIRS = sepolicy audit2allow semanage sepolgen chcat
 
-all install relabel clean indent:
+all install relabel clean indent test:
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
 	done
-
-test:

python/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

python/audit2allow/.gitignore

@@ -1 +1,2 @@
 sepolgen-ifgen-attr-helper
+test_dummy_policy

python/audit2allow/Makefile

@@ -1,4 +1,5 @@
 PYTHON ?= python
+SECILC ?= secilc
 
 # Installation directories.
 PREFIX ?= /usr
@@ -22,9 +23,12 @@ sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o $(LIBSEPOLA)
 audit2why:
 	ln -sf audit2allow audit2why
 
-test: all
+test: all test_dummy_policy
 	@$(PYTHON) test_audit2allow.py -v
 
+test_dummy_policy: test_dummy_policy.cil
+	$(SECILC) -o $@ -f /dev/null $<
+
 install: all
 	-mkdir -p $(DESTDIR)$(BINDIR)
 	install -m 755 audit2allow $(DESTDIR)$(BINDIR)
@@ -36,7 +40,7 @@ install: all
 	install -m 644 audit2why.1 $(DESTDIR)$(MANDIR)/man1/
 
 clean:
-	rm -f *~ *.o sepolgen-ifgen-attr-helper
+	rm -f *~ *.o sepolgen-ifgen-attr-helper test_dummy_policy
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])

python/audit2allow/sepolgen-ifgen

@@ -56,6 +56,8 @@ def parse_options():
                       help="print debuging output")
     parser.add_option("-d", "--debug", action="store_true", default=False,
                       help="extra debugging output")
+    parser.add_option("--attr-helper", default=ATTR_HELPER,
+                      help="path to sepolgen-ifgen-attr-helper")
     parser.add_option("--no_attrs", action="store_true", default=False,
                       help="do not retrieve attribute access from kernel policy")
     options, args = parser.parse_args()
@@ -77,7 +79,7 @@ def get_policy():
     return None
 
 
-def get_attrs(policy_path):
+def get_attrs(policy_path, attr_helper):
     try:
         if not policy_path:
             policy_path = get_policy()
@@ -93,7 +95,7 @@ def get_attrs(policy_path):
         return None
 
     fd = open("/dev/null", "w")
-    ret = subprocess.Popen([ATTR_HELPER, policy_path, outfile.name], stdout=fd).wait()
+    ret = subprocess.Popen([attr_helper, policy_path, outfile.name], stdout=fd).wait()
     fd.close()
     if ret != 0:
         sys.stderr.write("could not run attribute helper\n")
@@ -127,7 +129,7 @@ def main():
     # Get the attibutes from the binary
     attrs = None
     if not options.no_attrs:
-        attrs = get_attrs(options.policy_path)
+        attrs = get_attrs(options.policy_path, options.attr_helper)
         if attrs is None:
             return 1
 

python/audit2allow/test_audit2allow.py

@@ -1,6 +1,7 @@
 import unittest
 import os
-import shutil
+import os.path
+import sys
 from tempfile import mkdtemp
 from subprocess import Popen, PIPE
 
@@ -25,15 +26,22 @@ class Audit2allowTests(unittest.TestCase):
 
     def test_sepolgen_ifgen(self):
         "Verify sepolgen-ifgen works"
-        p = Popen(['sudo', 'sepolgen-ifgen'], stdout=PIPE)
+        temp_directory = mkdtemp(suffix='audit2allow_test')
+        output_file = os.path.join(temp_directory, 'interface_info')
+        p = Popen([
+            sys.executable, './sepolgen-ifgen', '-p', 'test_dummy_policy', '-o', output_file,
+            '--attr-helper', './sepolgen-ifgen-attr-helper'
+            ], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
         self.assertSuccess("sepolgen-ifgen", p.returncode, err)
+        os.unlink(output_file)
+        os.rmdir(temp_directory)
 
     def test_audit2allow(self):
         "Verify audit2allow works"
-        p = Popen(['python', './audit2allow', "-i", "test.log"], stdout=PIPE)
+        p = Popen([sys.executable, './audit2allow', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
@@ -41,7 +49,7 @@ class Audit2allowTests(unittest.TestCase):
 
     def test_audit2why(self):
         "Verify audit2why works"
-        p = Popen(['python', './audit2why', "-i", "test.log"], stdout=PIPE)
+        p = Popen([sys.executable, './audit2why', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
@@ -49,12 +57,13 @@ class Audit2allowTests(unittest.TestCase):
 
     def test_xperms(self):
         "Verify that xperms generation works"
-        p = Popen(['python', './audit2allow', "-x", "-i", "test.log"], stdout=PIPE)
+        p = Popen([sys.executable, './audit2allow', '-x', '-p', 'test_dummy_policy', '-i', 'test.log'], stdout=PIPE)
         out, err = p.communicate()
         if err:
             print(out, err)
         self.assertTrue(b"allowxperm" in out)
         self.assertSuccess("xperms", p.returncode, err)
 
+
 if __name__ == "__main__":
     unittest.main()

python/audit2allow/test_dummy_policy.cil

@@ -0,0 +1,75 @@
+; This is a dummy policy which main aim is to be compatible with test.log
+
+; Define one category and one sensitivity in order to make things work
+(mls true)
+(category c0)
+(categoryorder (c0))
+(sensitivity s0)
+(sensitivityorder (s0))
+(sensitivitycategory s0 (c0))
+
+; Define some users and roles
+(user system_u)
+(user root)
+(user unconfined_u)
+(role system_r)
+(role unconfined_r)
+(userrole root system_r)
+(userrole system_u system_r)
+(userrole unconfined_u unconfined_r)
+(userlevel system_u (s0))
+(userlevel root (s0))
+(userlevel unconfined_u (s0))
+(userrange system_u ((s0)(s0 (c0))))
+(userrange root ((s0)(s0 (c0))))
+(userrange unconfined_u ((s0)(s0 (c0))))
+
+; Define domain types
+(type automount_t)
+(type ftpd_t)
+(type httpd_t)
+(type kernel_t)
+(type nsplugin_t)
+(type postfix_local_t)
+(type qemu_t)
+(type smbd_t)
+
+(roletype system_r automount_t)
+(roletype system_r ftpd_t)
+(roletype system_r httpd_t)
+(roletype system_r kernel_t)
+(roletype system_r postfix_local_t)
+(roletype system_r qemu_t)
+(roletype system_r smbd_t)
+(roletype unconfined_r nsplugin_t)
+
+; Define file types
+(type automount_lock_t)
+(type default_t)
+(type fixed_disk_device_t)
+(type home_root_t)
+(type httpd_sys_content_t)
+(type httpd_sys_script_exec_t)
+(type mail_spool_t)
+(type ssh_home_t)
+(type usr_t)
+(type var_t)
+
+; Define port types
+(type mysqld_port_t)
+(type reserved_port_t)
+
+; Define initial SID
+(sid kernel)
+(sidorder (kernel))
+(sidcontext kernel (system_u system_r kernel_t ((s0) (s0))))
+
+; Define classes
+(class blk_file (getattr open read write))
+(class dir (append open search))
+(class file (execute execute_no_trans getattr open read write))
+(class tcp_socket (ioctl name_bind name_connect))
+(classorder (blk_file file dir tcp_socket))
+
+; The policy compiler requires at least one rule
+(allow kernel_t default_t (file (open read write)))

python/chcat/Makefile

@@ -17,3 +17,5 @@ clean:
 indent:
 
 relabel:
+
+test:

python/sepolgen/src/sepolgen/defaults.py

@@ -70,7 +70,10 @@ def attribute_info():
 
 def refpolicy_makefile():
     chooser = PathChooser("/etc/selinux/sepolgen.conf")
-    return chooser("Makefile")
+    result = chooser("Makefile")
+    if not os.path.exists(result):
+        result = chooser("include/Makefile")
+    return result
 
 def headers():
     chooser = PathChooser("/etc/selinux/sepolgen.conf")

python/sepolicy/sepolicy/gui.py

@@ -149,6 +149,7 @@ class SELinuxGui():
         self.clear_entry = True
         self.files_add = False
         self.network_add = False
+        self.mislabeled_files = False
 
         self.all_domains = []
         self.installed_list = []

restorecond/Makefile

@@ -50,7 +50,7 @@ install: all
 	-mkdir -p $(DESTDIR)$(AUTOSTARTDIR)
 	install -m 644 restorecond.desktop $(DESTDIR)$(AUTOSTARTDIR)/restorecond.desktop
 	-mkdir -p $(DESTDIR)$(DBUSSERVICEDIR)
-	install -m 600 org.selinux.Restorecond.service  $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service
+	install -m 644 org.selinux.Restorecond.service  $(DESTDIR)$(DBUSSERVICEDIR)/org.selinux.Restorecond.service
 	-mkdir -p $(DESTDIR)$(SYSTEMDDIR)/system
 	install -m 644 restorecond.service $(DESTDIR)$(SYSTEMDDIR)/system/
 relabel: install

restorecond/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

sandbox/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

scripts/env_use_destdir

@@ -0,0 +1,36 @@
+#!/bin/sh
+# Set-up environment variables to run programs which are built in DESTDIR folder
+#
+# Usage example to use variables in the current shell:
+#   $ export DESTDIR=$HOME/selinux-destdir
+#   $ make install install-pywrap install-rubywrap
+#   $ . ./scripts/env_use_destdir
+#   $ make test
+#
+# Or to use variables in a subcommand, for example to run tests:
+#   $ export DESTDIR=$HOME/selinux-destdir
+#   $ make install install-pywrap install-rubywrap
+#   $ ./scripts/env_use_destdir secilc ...
+#   $ ./scripts/env_use_destdir make test
+
+if [ -z "${DESTDIR:-}" ] ; then
+    echo >&2 "Error: variable DESTDIR needs to be defined in order to use this script."
+    echo >&2 "Example:"
+    # shellcheck disable=SC2164
+    echo >&2 "    DESTDIR=$(cd "$(dirname -- "$0")/.." ; pwd)/DESTDIR . $0"
+    exit 1
+fi
+
+export LD_LIBRARY_PATH="$DESTDIR/usr/lib:$DESTDIR/lib"
+export PATH="$DESTDIR/usr/sbin:$DESTDIR/usr/bin:$DESTDIR/sbin:$DESTDIR/bin:$PATH"
+
+# shellcheck disable=SC2155
+export PYTHONPATH="$DESTDIR$(${PYTHON:-python} -c "from distutils.sysconfig import *;print(get_python_lib(prefix='/usr'))")"
+
+# shellcheck disable=SC2155
+export RUBYLIB="$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorlibdir"]'):$DESTDIR/$(${RUBY:-ruby} -e 'puts RbConfig::CONFIG["vendorarchdir"]')"
+
+# Run the command given on the command line
+if [ $# -gt 0 ] ; then
+    exec "$@"
+fi

scripts/run-flake8

@@ -4,6 +4,11 @@
 # Run on the base directory if no argument has been given
 if [ $# -eq 0 ] ; then
     cd "$(dirname -- "$0")/.." || exit $?
+
+    # Run on both files ending with .py and Python files without extension
+    # shellcheck disable=SC2046
+    set -- $( (find . -name '*.py' ; grep --exclude-dir=.git -l -e '^#!\s*/usr/bin/python' -e '^#!/usr/bin/env python' -r .) | sort -u )
+    echo "Analyzing $# Python scripts"
 fi
 
 # Assign each ignore warning on a line, in order to ease testing enabling the warning again

secilc/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1

semodule-utils/VERSION

@@ -1 +1 @@
-2.8
+2.9-rc1