From ec77318e329585079f51128994f337d966cd1287 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 11 Jun 2010 18:34:24 -0400 Subject: [PATCH] Leave rules to build .man.in and .cat files uncommented but only make them part of the "all" rule in devel mode. Generate .cat files directly from .man.in instead of .man using default values in configure.in --- configure | 54 +++-- configure.in | 35 +-- doc/Makefile.in | 113 ++++----- doc/sudo.cat | 206 ++++++++-------- doc/sudo.man.in | 2 +- doc/sudo_plugin.cat | 32 +-- doc/sudo_plugin.man.in | 2 +- doc/sudoers.cat | 516 ++++++++++++++++++++-------------------- doc/sudoers.ldap.cat | 24 +- doc/sudoers.ldap.man.in | 2 +- doc/sudoers.man.in | 10 +- doc/sudoreplay.cat | 10 +- doc/sudoreplay.man.in | 2 +- doc/visudo.cat | 6 +- doc/visudo.man.in | 2 +- 15 files changed, 517 insertions(+), 499 deletions(-) diff --git a/configure b/configure index d3de88d05..da73d0c40 100755 --- a/configure +++ b/configure @@ -2779,6 +2779,10 @@ $as_echo "$as_me: Configuring Sudo version $PACKAGE_VERSION" >&6;} +# +# Begin initial values for man page substitution +# +timedir=/var/run/sudo timeout=5 password_timeout=5 sudo_umask=0022 @@ -2794,8 +2798,8 @@ mail_no_user=on mail_no_host=off mail_no_perms=off mailto=root -mailsub='*** SECURITY information for %h ***' -badpass_message='Sorry, try again.' +mailsub="*** SECURITY information for %h ***" +badpass_message="Sorry, try again." fqdn=off runas_default=root env_editor=off @@ -2804,7 +2808,15 @@ tty_tickets=off insults=off root_sudo=on path_info=on +ldap_conf=/etc/ldap.conf +ldap_secret=/etc/ldap.secret +netsvc_conf=/etc/netsvc.conf +noexec_file=/usr/local/libexec/sudo_noexec.so +nsswitch_conf=/etc/nsswitch.conf secure_path="not set" +# +# End initial values for man page substitution +# INSTALL_NOEXEC= devdir='$(srcdir)' PROGS="sudo" 
@@ -4102,11 +4114,11 @@ if test "${with_ldap_conf_file+set}" = set; then : withval=$with_ldap_conf_file; fi +test -n "$with_ldap_conf_file" && ldap_conf="$with_ldap_conf_file" cat >>confdefs.h <>confdefs.h < conftest.$ac_ext - (eval echo "\"\$as_me:6599: $ac_compile\"" >&5) + (eval echo "\"\$as_me:6611: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:6602: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:6614: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:6605: output\"" >&5) + (eval echo "\"\$as_me:6617: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7807,7 +7819,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 7810 "configure"' > conftest.$ac_ext + echo '#line 7822 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9199,11 +9211,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9202: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9214: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9206: \$? = $ac_status" >&5 + echo "$as_me:9218: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -9538,11 +9550,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9541: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9553: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9545: \$? = $ac_status" >&5 + echo "$as_me:9557: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9643,11 +9655,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9646: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9658: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9650: \$? = $ac_status" >&5 + echo "$as_me:9662: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -9698,11 +9710,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9701: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9713: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:9705: \$? = $ac_status" >&5 + echo "$as_me:9717: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12065,7 +12077,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12068 "configure" +#line 12080 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -12161,7 +12173,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12164 "configure" +#line 12176 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -15933,8 +15945,6 @@ fi done -netsvc_conf='/etc/netsvc.conf' -nsswitch_conf='/etc/nsswitch.conf' if test ${with_netsvc-"no"} != "no"; then cat >>confdefs.h < $@ +.SUFFIXES: -@DEV@sudo.man.in: $(srcdir)/sudo.man.in +varsub: $(top_srcdir)/configure.in + printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@ -@DEV@$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudo.man.pl >> $@ ) +$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudo.man.pl >> $@ ) sudo.man: $(srcdir)/sudo.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@sudo.cat: $(srcdir)/sudo.cat +$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in + sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@ -@DEV@$(srcdir)/sudo.cat: sudo.man +visudo.man.in: $(srcdir)/visudo.man.in -@DEV@visudo.man.in: $(srcdir)/visudo.man.in - -@DEV@$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd 
$(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) +$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) visudo.man: $(srcdir)/visudo.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@visudo.cat: $(srcdir)/visudo.cat - -@DEV@$(srcdir)/visudo.cat: visudo.man +$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in + sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@ -@DEV@sudoers.man.in: $(srcdir)/sudoers.man.in +sudoers.man.in: $(srcdir)/sudoers.man.in -@DEV@$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudoers.man.pl >> $@ ) +$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man 
--quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" | perl -p sudoers.man.pl >> $@ ) -sudoers.man:: $(srcdir)/sudoers.man.in +sudoers.man: $(srcdir)/sudoers.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@sudoers.cat: $(srcdir)/sudoers.cat +$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in + sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@ -@DEV@$(srcdir)/sudoers.cat: sudoers.man +sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.man.in -@DEV@sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.man.in +$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) -@DEV@$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) - -sudoers.ldap.man:: $(srcdir)/sudoers.ldap.man.in +sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@sudoers.ldap.cat: $(srcdir)/sudoers.ldap.cat - -@DEV@$(srcdir)/sudoers.ldap.cat: sudoers.ldap.man 
+$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in + sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@ -@DEV@sudoreplay.man.in: $(srcdir)/sudoreplay.man.in +sudoreplay.man.in: $(srcdir)/sudoreplay.man.in -@DEV@$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) +$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) -sudoreplay.man:: $(srcdir)/sudoreplay.man.in +sudoreplay.man: $(srcdir)/sudoreplay.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@sudoreplay.cat: $(srcdir)/sudoreplay.cat - -@DEV@$(srcdir)/sudoreplay.cat: sudoreplay.man +$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in + sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@ -@DEV@sudo_plugin.man.in: $(srcdir)/sudo_plugin.man.in +sudo_plugin.man.in: $(srcdir)/sudo_plugin.man.in -@DEV@$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod -@DEV@ @rm -f $(srcdir)/$@ -@DEV@ ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo_plugin.pod > $@; pod2man 
--quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) +$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo_plugin.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo_plugin.pod | sed -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) -sudo_plugin.man:: $(srcdir)/sudo_plugin.man.in +sudo_plugin.man: $(srcdir)/sudo_plugin.man.in (cd $(top_builddir) && $(SHELL) config.status --file=doc/$@) -@DEV@sudo_plugin.cat: $(srcdir)/sudo_plugin.cat +$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.man.in + sed -f varsub $(srcdir)/sudo_plugin.man.in | $(NROFF) -man > $@ -@DEV@$(srcdir)/sudo_plugin.cat: sudo_plugin.man +HISTORY: history.pod + pod2text -l -i0 $> > $@ -@DEV@HISTORY: history.pod -@DEV@ pod2text -l -i0 $> > $@ -@DEV@ -@DEV@LICENSE: license.pod -@DEV@ pod2text -l -i0 $> | sed '1,2d' > $@ +LICENSE: license.pod + pod2text -l -i0 $> | sed '1,2d' > $@ install: install-dirs install-man @@ -173,6 +173,7 @@ check: @echo nothing to check clean: + -rm -f varsub mostlyclean: clean diff --git a/doc/sudo.cat b/doc/sudo.cat index a2ad93fc2..b301deb11 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat 
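Review bot: The HISTORY and LICENSE recipes use `$>`, which is the BSD make all-sources variable; GNU make expands it to nothing, so with these rules no longer behind `@DEV@` a GNU make user who triggers them runs `pod2text -l -i0 > $@` with no input file. Naming the prerequisite in the recipe works under both makes, e.g. `pod2text -l -i0 history.pod > $@` and `pod2text -l -i0 license.pod | sed '1,2d' > $@`. Separately, the `varsub` recipe (which also chains `printf` and `sed` with `;`) and the six `.cat` recipes redirect straight into their target, so a failed `sed` or a missing `$(NROFF)` leaves a truncated file that looks up to date; writing to `$@.tmp` and renaming only on success would keep a cut-off sudo or sudoers manual page from being picked up later. The start of this hunk is not visible on the page, so I cannot confirm from here which targets reach `varsub` or the `.cat` files in a non-devel build.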
@@ -17,8 +17,8 @@ SSYYNNOOPPSSIISS [--pp _p_r_o_m_p_t] [--UU _u_s_e_r _n_a_m_e] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [_c_o_m_m_a_n_d] ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--DD _l_e_v_e_l] [--cc _c_l_a_s_s|_-] - [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] - [--ii | --ss] [_c_o_m_m_a_n_d] + [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--rr _r_o_l_e] [--tt _t_y_p_e] + [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [--ii | --ss] [_c_o_m_m_a_n_d] ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--DD _l_e_v_e_l] [--gg _g_r_o_u_p _n_a_m_e|_#_g_i_d] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r _n_a_m_e|_#_u_i_d] file ... @@ -41,9 +41,10 @@ DDEESSCCRRIIPPTTIIOONN ssuuddoo determines who is an authorized user by consulting the file _/_e_t_c_/_s_u_d_o_e_r_s. By running ssuuddoo with the --vv option, a user can update - the time stamp without running a _c_o_m_m_a_n_d. The password prompt itself - will also time out if the user's password is not entered within 5 - minutes (unless overridden via _s_u_d_o_e_r_s). + the time stamp without running a _c_o_m_m_a_n_d. If a password is required, + ssuuddoo will exit if the user's password is not entered within a + configurable time limit. The default password prompt timeout is 5 + minutes. If a user who is not listed in the _s_u_d_o_e_r_s file tries to run a command via ssuuddoo, mail is sent to the proper authorities, as defined at @@ -57,11 +58,10 @@ DDEESSCCRRIIPPTTIIOONN be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the --ee option to remain useful even when being run via a sudo-run script or program. Note however, that - the sudoers lookup is still done for root, not the user specified by -1.8.0a2 June 9, 2010 1 +1.8.0b1 June 11, 2010 1 
@@ -70,6 +70,7 @@ DDEESSCCRRIIPPTTIIOONN SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + the sudoers lookup is still done for root, not the user specified by SUDO_USER. ssuuddoo can log both successful and unsuccessful attempts (as well as @@ -123,11 +124,10 @@ OOPPTTIIOONNSS defined in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f, or a single '-' character. Specifying a _c_l_a_s_s of - indicates that the command should be run restricted by the default login capabilities for the - user the command is run as. If the _c_l_a_s_s argument -1.8.0a2 June 9, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -136,6 +136,7 @@ OOPPTTIIOONNSS SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + user the command is run as. If the _c_l_a_s_s argument specifies an existing user class, the command must be run as root, or the ssuuddoo command must be run from a shell that is already root. This option is only available on systems @@ -189,11 +190,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -H The --HH (_H_O_M_E) option sets the HOME environment variable to the homedir of the target user (root by default) as specified in _p_a_s_s_w_d(4). By default, ssuuddoo does not modify - HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). -1.8.0a2 June 9, 2010 3 +1.8.0b1 June 11, 2010 3 @@ -202,6 +202,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + HOME (see _s_e_t___h_o_m_e and _a_l_w_a_y_s___s_e_t___h_o_m_e in _s_u_d_o_e_r_s(4)). + -h The --hh (_h_e_l_p) option causes ssuuddoo to print a usage message and exit. @@ -254,12 +256,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) required for the command to run, ssuuddoo will display an error messages and exit. - -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to - preserve the invoking user's group vector unaltered. By -1.8.0a2 June 9, 2010 4 +1.8.0b1 June 11, 2010 4 
@@ -268,6 +268,8 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to + preserve the invoking user's group vector unaltered. By default, ssuuddoo will initialize the group vector to the list of groups the target user is in. The real and effective group IDs, however, are still set to match the target user. @@ -298,6 +300,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) system password prompt on systems that support PAM unless the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. + -r _r_o_l_e The --rr (_r_o_l_e) option causes the new (SELinux) security + context to have the role specified by _r_o_l_e. + -S The --SS (_s_t_d_i_n) option causes ssuuddoo to read the password from the standard input instead of the terminal device. The password must be followed by a newline character. 
@@ -309,30 +314,35 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) the shell for execution. Otherwise, an interactive shell is executed. + -t _t_y_p_e The --tt (_t_y_p_e) option causes the new (SELinux) security + context to have the type specified by _t_y_p_e. If no type is + specified, the default type is derived from the specified + role. + -U _u_s_e_r The --UU (_o_t_h_e_r _u_s_e_r) option is used in conjunction with the --ll option to specify the user whose privileges should be listed. Only root or a user with ssuuddoo ALL on the current - host may use this option. - -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified - command as a user other than _r_o_o_t. To specify a _u_i_d - instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as - a _u_i_d, many shells require that the '#' be escaped with a - backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option - is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands - with a uid not listed in the password database. +1.8.0b1 June 11, 2010 5 -1.8.0a2 June 9, 2010 5 +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + host may use this option. + -u _u_s_e_r The --uu (_u_s_e_r) option causes ssuuddoo to run the specified + command as a user other than _r_o_o_t. To specify a _u_i_d + instead of a _u_s_e_r _n_a_m_e, use _#_u_i_d. When running commands as + a _u_i_d, many shells require that the '#' be escaped with a + backslash ('\'). Note that if the _t_a_r_g_e_t_p_w Defaults option + is set (see _s_u_d_o_e_r_s(4)) it is not possible to run commands + with a uid not listed in the password database. -V The --VV (_v_e_r_s_i_o_n) option causes ssuuddoo to print the version number and exit. If the invoking user is already root the 
@@ -370,6 +380,26 @@ PPLLUUGGIINNSS use the traditional _s_u_d_o_e_r_s security policy and I/O logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + + + + + + + + + + +1.8.0b1 June 11, 2010 6 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + # # Default /etc/sudo.conf file # @@ -388,18 +418,6 @@ PPLLUUGGIINNSS A Plugin line consists of the Plugin keyword, followed by the _s_y_m_b_o_l___n_a_m_e and the _p_a_t_h to the shared object containing the plugin. The _s_y_m_b_o_l___n_a_m_e is the name of the struct policy_plugin or struct - - - -1.8.0a2 June 9, 2010 6 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - io_plugin in the plugin shared object. The _p_a_t_h may be fully qualified or relative. If not fully qualified it is relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory. Any additional parameters after the _p_a_t_h @@ -436,6 +454,18 @@ SSEECCUURRIITTYY NNOOTTEESS If, however, the _e_n_v___r_e_s_e_t option is disabled in _s_u_d_o_e_r_s, any variables not explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited from the invoking process. In this case, _e_n_v___c_h_e_c_k and + + + +1.8.0b1 June 11, 2010 7 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + _e_n_v___d_e_l_e_t_e behave like a blacklist. Since it is not possible to blacklist all potentially dangerous environment variables, use of the default _e_n_v___r_e_s_e_t behavior is encouraged. @@ -454,18 +484,6 @@ SSEECCUURRIITTYY NNOOTTEESS ssuuddoo to preserve them. To prevent command spoofing, ssuuddoo checks "." and "" (both denoting - - - -1.8.0a2 June 9, 2010 7 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, however, that the actual PATH environment variable is _n_o_t modified and is passed unchanged to the 
@@ -502,6 +520,18 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) command with ssuuddoo after authenticating, logout, login again, and run ssuuddoo without authenticating so long as the time stamp file's modification time is within 5 minutes (or whatever the timeout is set + + + +1.8.0b1 June 11, 2010 8 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled in _s_u_d_o_e_r_s, the time stamp has per-tty granularity but still may outlive the user's session. On Linux systems where the devpts filesystem is used, Solaris @@ -520,18 +550,6 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) when giving users access to commands via ssuuddoo to verify that the command does not inadvertently give the user an effective root shell. For more information, please see the PREVENTING SHELL ESCAPES section - - - -1.8.0a2 June 9, 2010 8 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - in _s_u_d_o_e_r_s(4). EENNVVIIRROONNMMEENNTT @@ -568,6 +586,18 @@ EENNVVIIRROONNMMEENNTT SUDO_USER Set to the login of the user who invoked sudo + + + +1.8.0b1 June 11, 2010 9 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + USER Set to the target user (root unless the --uu option is specified) @@ -587,17 +617,6 @@ FFIILLEESS EEXXAAMMPPLLEESS Note: the following examples assume suitable _s_u_d_o_e_r_s(4) entries. - - -1.8.0a2 June 9, 2010 9 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - To get a file listing of an unreadable directory: $ sudo ls /usr/local/protected @@ -633,6 +652,18 @@ SSEEEE AALLSSOO _g_r_e_p(1), _s_u(1), _s_t_a_t(2), _l_o_g_i_n___c_a_p(3), _p_a_s_s_w_d(4), _s_u_d_o_e_r_s(4), _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o_r_e_p_l_a_y(1m), _v_i_s_u_d_o(1m) + + + +1.8.0b1 June 11, 2010 10 + + + + + +SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) + + AAUUTTHHOORRSS Many people have worked on ssuuddoo over the years; this version consists of code written primarily by: 
@@ -652,18 +683,6 @@ CCAAVVEEAATTSS It is not meaningful to run the cd command directly via sudo, e.g., - - - -1.8.0a2 June 9, 2010 10 - - - - - -SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) - - $ sudo cd /usr/local/protected since when the command exits the parent process (your shell) will still @@ -702,25 +721,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - -1.8.0a2 June 9, 2010 11 +1.8.0b1 June 11, 2010 11 diff --git a/doc/sudo.man.in b/doc/sudo.man.in index 165ff0d6a..5be68213c 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -149,7 +149,7 @@ .\" ======================================================================== .\" .IX Title "SUDO @mansectsu@" -.TH SUDO @mansectsu@ "June 10, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDO @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudo_plugin.cat b/doc/sudo_plugin.cat index 8679a6290..c8405b6f1 100644 --- a/doc/sudo_plugin.cat +++ b/doc/sudo_plugin.cat @@ -61,7 +61,7 @@ SSuuddoo PPlluuggiinn AAPPII -1.8.0a2 June 9, 2010 1 +1.8.0b1 June 11, 2010 1 @@ -127,7 +127,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -193,7 +193,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 3 +1.8.0b1 June 11, 2010 3 @@ -259,7 +259,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 4 +1.8.0b1 June 11, 2010 4 @@ -325,7 +325,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 5 +1.8.0b1 June 11, 2010 5 @@ -391,7 +391,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 6 +1.8.0b1 June 11, 2010 6 @@ -457,7 +457,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 7 +1.8.0b1 June 11, 2010 7 
@@ -523,7 +523,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 8 +1.8.0b1 June 11, 2010 8 @@ -589,7 +589,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 9 +1.8.0b1 June 11, 2010 9 @@ -655,7 +655,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 10 +1.8.0b1 June 11, 2010 10 @@ -721,7 +721,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 11 +1.8.0b1 June 11, 2010 11 @@ -787,7 +787,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 12 +1.8.0b1 June 11, 2010 12 @@ -853,7 +853,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 13 +1.8.0b1 June 11, 2010 13 @@ -919,7 +919,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 14 +1.8.0b1 June 11, 2010 14 @@ -985,7 +985,7 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 15 +1.8.0b1 June 11, 2010 15 @@ -1051,6 +1051,6 @@ SUDO_PLUGIN(1m) MAINTENANCE COMMANDS SUDO_PLUGIN(1m) -1.8.0a2 June 9, 2010 16 +1.8.0b1 June 11, 2010 16 diff --git a/doc/sudo_plugin.man.in b/doc/sudo_plugin.man.in index 7dc045581..f4f9fe473 100644 --- a/doc/sudo_plugin.man.in +++ b/doc/sudo_plugin.man.in @@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDO_PLUGIN @mansectsu@" -.TH SUDO_PLUGIN @mansectsu@ "June 9, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDO_PLUGIN @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudoers.cat b/doc/sudoers.cat index c17aeb05e..f6df430a4 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0a2 June 8, 2010 1 +1.8.0b1 June 11, 2010 1 
@@ -127,7 +127,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 June 8, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -193,7 +193,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 June 8, 2010 3 +1.8.0b1 June 11, 2010 3 @@ -259,7 +259,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.8.0a2 June 8, 2010 4 +1.8.0b1 June 11, 2010 4 @@ -275,10 +275,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') @@ -320,12 +322,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l - and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. -1.8.0a2 June 8, 2010 5 +1.8.0b1 June 11, 2010 5 @@ -334,6 +334,9 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + We can extend this to allow ddggbb to run /bin/ls with either the user or group set to ooppeerraattoorr: 
@@ -347,6 +350,13 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ /usr/local/bin/minicom + SSEELLiinnuuxx__SSppeecc + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. A role or type specified on the command line, + however, will supercede the values in _s_u_d_o_e_r_s. + TTaagg__SSppeecc A command may have zero or more tags associated with it. There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, 
@@ -378,27 +388,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -l without a password. Additionally, a user may only run sudo -v without a - password if the NOPASSWD tag is present for all a user's entries that - pertain to the current host. This behavior may be overridden via the - verifypw and listpw options. - _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying - operating system supports it, the NOEXEC tag can be used to prevent a - dynamically-linked executable from running further commands itself. +1.8.0b1 June 11, 2010 6 -1.8.0a2 June 8, 2010 6 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + password if the NOPASSWD tag is present for all a user's entries that + pertain to the current host. This behavior may be overridden via the + verifypw and listpw options. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + _N_O_E_X_E_C _a_n_d _E_X_E_C + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. 
@@ -444,27 +454,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) [!...] Matches any character nnoott in the specified range. - \x For any character "x", evaluates to "x". This is used to - escape special characters such as: "*", "?", "[", and "}". - POSIX character classes may also be used if your system's _g_l_o_b(3) and - _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character - has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: - /bin/ls [[\:alpha\:]]* - Would match any file name beginning with a letter. +1.8.0b1 June 11, 2010 7 -1.8.0a2 June 8, 2010 7 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + \x For any character "x", evaluates to "x". This is used to + escape special characters such as: "*", "?", "[", and "}". -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + POSIX character classes may also be used if your system's _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character + has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + /bin/ls [[\:alpha\:]]* + + Would match any file name beginning with a letter. Note that a forward slash ('/') will nnoott be matched by wildcards used in the path name. When matching the command line arguments, however, a 
@@ -509,29 +520,29 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. The #includedir directive can be used to create a _s_u_d_o_._d directory that - the system package manager can drop _s_u_d_o_e_r_s rules into as part of - package installation. For example, given: - #includedir /etc/sudoers.d - ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that - end in ~ or contain a . character to avoid causing problems with - package manager or editor temporary/backup files. Files are parsed in - sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed - before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is - lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr +1.8.0b1 June 11, 2010 8 -1.8.0a2 June 8, 2010 8 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + the system package manager can drop _s_u_d_o_e_r_s rules into as part of + package installation. For example, given: + #includedir /etc/sudoers.d + ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that + end in ~ or contain a . character to avoid causing problems with + package manager or editor temporary/backup files. Files are parsed in + sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed + before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is + lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes in the file names can be used to avoid such problems. 
@@ -576,28 +587,27 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS earlier. A list of all supported Defaults parameters, grouped by type, are listed below. - BBoooolleeaann FFllaaggss: - - always_set_home If set, ssuuddoo will set the HOME environment variable to - the home directory of the target user (which is root - unless the --uu option is used). This effectively means - that the --HH option is always implied. This flag is _o_f_f - by default. - authenticate If set, users must authenticate themselves via a - password (or other means of authentication) before they +1.8.0b1 June 11, 2010 9 -1.8.0a2 June 8, 2010 9 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + BBoooolleeaann FFllaaggss: + always_set_home If set, ssuuddoo will set the HOME environment variable to + the home directory of the target user (which is root + unless the --uu option is used). This effectively means + that the --HH option is always implied. This flag is _o_f_f + by default. + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they may run commands. This default may be overridden via the PASSWD and NOPASSWD tags. This flag is _o_n by default. 
@@ -642,20 +652,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, which does not access the file system to do its matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is - unable to match relative path names such as _._/_l_s or - _._._/_b_i_n_/_l_s. This has security implications when path - names that include globbing characters are used with - the negation operator, '!', as such rules can be - trivially bypassed. As such, this option should not be - used when _s_u_d_o_e_r_s contains rules that contain negated - path names which include globbing characters. This - flag is _o_f_f by default. - - fqdn Set this flag if you want to put fully qualified host -1.8.0a2 June 8, 2010 10 +1.8.0b1 June 11, 2010 10 @@ -664,6 +664,16 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + unable to match relative path names such as _._/_l_s or + _._._/_b_i_n_/_l_s. This has security implications when path + names that include globbing characters are used with + the negation operator, '!', as such rules can be + trivially bypassed. As such, this option should not be + used when _s_u_d_o_e_r_s contains rules that contain negated + path names which include globbing characters. This + flag is _o_f_f by default. + + fqdn Set this flag if you want to put fully qualified host names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you would use myhost.mydomain.edu. You may still use the short form if you wish (and even mix the two). Beware 
@@ -708,27 +718,28 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) long_otp_prompt When validating with a One Time Password (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to make it easier to cut and paste the challenge to a - local window. It's not as pretty as the default but - some people find it more convenient. This flag is _o_f_f - by default. - mail_always Send mail to the _m_a_i_l_t_o user every time a users runs - ssuuddoo. This flag is _o_f_f by default. - mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo - does not enter the correct password. This flag is _o_f_f - by default. +1.8.0b1 June 11, 2010 11 -1.8.0a2 June 8, 2010 11 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + local window. It's not as pretty as the default but + some people find it more convenient. This flag is _o_f_f + by default. + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + ssuuddoo. This flag is _o_f_f by default. + + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. This flag is _o_f_f + by default. mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the invoking user exists in the _s_u_d_o_e_r_s file, but is not @@ -773,6 +784,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group vector is left unaltered. The real and effective group IDs, however, are still set to match the target user. + + + +1.8.0b1 June 11, 2010 12 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + This flag is _o_f_f by default. pwfeedback By default, ssuuddoo reads the password like most other 
@@ -785,17 +808,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) able to determine the length of the password being entered. This flag is _o_f_f by default. - - -1.8.0a2 June 8, 2010 12 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - requiretty If set, ssuuddoo will only run when the user is logged in to a real tty. When this flag is set, ssuuddoo can only be run from a login session and not via other means such @@ -838,6 +850,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_f_f by default. setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + + + +1.8.0b1 June 11, 2010 13 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + command line. Additionally, environment variables set via the command line are not subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or @@ -850,18 +874,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) shell as root (the shell is determined by the SHELL environment variable if it is set, falling back on the shell listed in the invoking user's /etc/passwd entry - - - -1.8.0a2 June 8, 2010 13 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - if not). This flag is _o_f_f by default. stay_setuid Normally, when ssuuddoo executes a command the real and 
@@ -905,28 +917,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) using a unique session ID that is included in the normal ssuuddoo log line, prefixed with _T_S_I_D_=. - Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) - utility, which can also be used to list or search the - available logs. - - tty_tickets If set, users must authenticate on a per-tty basis. - Normally, ssuuddoo uses a directory in the ticket dir with - the same name as the user running it. With this flag - enabled, ssuuddoo will use a file named for the tty the - user is logged in on in that directory. This flag is - _o_f_f by default. +1.8.0b1 June 11, 2010 14 -1.8.0a2 June 8, 2010 14 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + utility, which can also be used to list or search the + available logs. + tty_tickets If set, users must authenticate on a per-tty basis. + Normally, ssuuddoo uses a directory in the ticket dir with + the same name as the user running it. With this flag + enabled, ssuuddoo will use a file named for the tty the + user is logged in on in that directory. This flag is + _o_f_f by default. umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s without modification. This makes it possible to 
@@ -971,21 +982,10 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - loglinelen Number of characters per line for the file log. This - value is used to decide when to wrap lines for nicer - log files. This has no effect on the syslog log file, - only the file log. The default is 80 (use 0 or negate - the option to disable word wrap). - - passwd_timeout Number of minutes before the ssuuddoo password prompt times - out. The timeout may include a fractional component if - minute granularity is insufficient, for example 2.5. - The default is 5; set this to 0 for no password - timeout. -1.8.0a2 June 8, 2010 15 +1.8.0b1 June 11, 2010 15 @@ -994,6 +994,17 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + loglinelen Number of characters per line for the file log. This + value is used to decide when to wrap lines for nicer + log files. This has no effect on the syslog log file, + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). + + passwd_timeout Number of minutes before the ssuuddoo password prompt times + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + timestamp_timeout Number of minutes that can elapse before ssuuddoo will ask for a passwd again. The timeout may include a 
@@ -1038,28 +1049,27 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) LD_PRELOAD or its equivalent. Defaults to _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - passprompt The default prompt to use when asking for a password; - can be overridden via the --pp option or the SUDO_PROMPT - environment variable. The following percent (`%') - escapes are supported: - - %H expanded to the local host name including the - domain name (on if the machine's host name is fully - qualified or the _f_q_d_n option is set) - %h expanded to the local host name without the domain +1.8.0b1 June 11, 2010 16 -1.8.0a2 June 8, 2010 16 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT + environment variable. The following percent (`%') + escapes are supported: + %H expanded to the local host name including the + domain name (on if the machine's host name is fully + qualified or the _f_q_d_n option is set) + %h expanded to the local host name without the domain name %p expanded to the user whose password is being asked @@ -1076,6 +1086,12 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) The default value is Password:. + role The default SELinux role to use when constructing a new + security context to run the command. The default role + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + runas_default The default user to run commands as if the --uu option is not specified on the command line. This defaults to root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur 
@@ -1097,6 +1113,24 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) timestampowner The owner of the timestamp directory and the timestamps stored therein. The default is root. + type The default SELinux type to use when constructing a new + + + +1.8.0b1 June 11, 2010 17 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + security context to run the command. The default type + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a @@ -1114,18 +1148,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the program being run. Entries in this file should either be of the form VARIABLE=value or export VARIABLE=value. The value may optionally be surrounded by single or double - - - -1.8.0a2 June 8, 2010 17 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - quotes. Variables in this file are subject to other ssuuddoo environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. @@ -1158,6 +1180,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) all All the user's _s_u_d_o_e_r_s entries for the current host must have the NOPASSWD flag set to avoid entering a + + + +1.8.0b1 June 11, 2010 18 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + password. always The user must always enter a password to use the --ll @@ -1180,18 +1214,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) mailerflags Flags to use when invoking mailer. Defaults to --tt. - - - -1.8.0a2 June 8, 2010 18 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - mailerpath Path to mail program used to send warning mail. Defaults to the path to sendmail found at configure time. 
@@ -1224,6 +1246,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) password. always The user must always enter a password to use the --vv + + + +1.8.0b1 June 11, 2010 19 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + option. any At least one of the user's _s_u_d_o_e_r_s entries for the @@ -1246,18 +1280,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) programs. The argument may be a double-quoted, space- separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or - - - -1.8.0a2 June 8, 2010 19 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - disabled by using the =, +=, -=, and ! operators respectively. Regardless of whether the env_reset option is enabled or disabled, variables specified by @@ -1290,6 +1312,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) with the _-_V option. When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the + + + +1.8.0b1 June 11, 2010 20 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities @@ -1309,21 +1343,6 @@ EEXXAAMMPPLLEESS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit contrived. First, we define our _a_l_i_a_s_e_s: - - - - - - -1.8.0a2 June 8, 2010 20 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl 
@@ -1359,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less Here we override some of the compiled in default values. We want ssuuddoo + + + +1.8.0b1 June 11, 2010 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a password, and we don't want to reset the LOGNAME, USER @@ -1378,18 +1409,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults!PAGERS noexec The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run - - - -1.8.0a2 June 8, 2010 21 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - what. root ALL = (ALL) ALL @@ -1425,6 +1444,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ + + + +1.8.0b1 June 11, 2010 22 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + The ooppeerraattoorr user may run commands limited to simple maintenance. Here, those are commands related to backups, killing processes, the printing system, shutting down the system, and any commands in the @@ -1445,17 +1476,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take multiple user names on the command line. - - -1.8.0a2 June 8, 2010 22 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - bob SPARC = (OP) ALL : SGI = (OP) ALL The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user 
@@ -1490,6 +1510,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) jill SERVERS = /usr/bin/, !SU, !SHELLS For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + + + +1.8.0b1 June 11, 2010 23 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. @@ -1509,19 +1541,6 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. - - - - -1.8.0a2 June 8, 2010 23 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM @@ -1557,6 +1576,18 @@ SSEECCUURRIITTYY NNOOTTEESS /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + + + +1.8.0b1 June 11, 2010 24 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS @@ -1576,18 +1607,6 @@ PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS number of programs that offer shell escapes, restricting users to the set of programs that do not if often unworkable. - - - -1.8.0a2 June 8, 2010 24 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - noexec Many systems that support shared libraries have the ability to override default library functions by pointing an environment variable (usually LD_PRELOAD) to an alternate @@ -1623,6 +1642,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) documented in the User Specification section above. Here is that example again: + + + +1.8.0b1 June 11, 2010 25 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i 
@@ -1642,18 +1673,6 @@ SSEEEE AALLSSOO CCAAVVEEAATTSS The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which - - - -1.8.0a2 June 8, 2010 25 - - - - - -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - locks the file and does grammatical checking. It is imperative that _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a syntactically incorrect _s_u_d_o_e_r_s file. @@ -1692,25 +1711,6 @@ DDIISSCCLLAAIIMMEERR - - - - - - - - - - - - - - - - - - - -1.8.0a2 June 8, 2010 26 +1.8.0b1 June 11, 2010 26 diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 52950f9d3..b88ba9dad 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN -1.8.0a1 May 25, 2010 1 +1.8.0b1 June 11, 2010 1 @@ -127,7 +127,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -193,7 +193,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 3 +1.8.0b1 June 11, 2010 3 @@ -259,7 +259,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 4 +1.8.0b1 June 11, 2010 4 @@ -325,7 +325,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 5 +1.8.0b1 June 11, 2010 5 @@ -391,7 +391,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 6 +1.8.0b1 June 11, 2010 6 @@ -457,7 +457,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 7 +1.8.0b1 June 11, 2010 7 @@ -523,7 +523,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 8 +1.8.0b1 June 11, 2010 8 @@ -589,7 +589,7 @@ EEXXAAMMPPLLEESS -1.8.0a1 May 25, 2010 9 +1.8.0b1 June 11, 2010 9 @@ -655,7 +655,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 10 +1.8.0b1 June 11, 2010 10 @@ -721,7 +721,7 @@ SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4) -1.8.0a1 May 25, 2010 11 +1.8.0b1 June 11, 2010 11 
@@ -787,6 +787,6 @@ DDIISSCCLLAAIIMMEERR -1.8.0a1 May 25, 2010 12 +1.8.0b1 June 11, 2010 12 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 8daaf03b0..f94bd576d 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -140,7 +140,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS.LDAP @mansectform@" -.TH SUDOERS.LDAP @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" +.TH SUDOERS.LDAP @mansectform@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index d95a223ee..3ec34c76a 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -148,7 +148,7 @@ .\" ======================================================================== .\" .IX Title "SUDOERS @mansectform@" -.TH SUDOERS @mansectform@ "June 8, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDOERS @mansectform@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l 
@@ -1058,10 +1058,10 @@ effect on the syslog log file, only the file log. The default is \&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap). .IP "passwd_timeout" 16 .IX Item "passwd_timeout" -Number of minutes before the \fBsudo\fR password prompt times out. -The timeout may include a fractional component if minute granularity -is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR; -set this to \f(CW0\fR for no password timeout. +Number of minutes before the \fBsudo\fR password prompt times out, or +\&\f(CW0\fR for no timeout. The timeout may include a fractional component +if minute granularity is insufficient, for example \f(CW2.5\fR. The +default is \f(CW\*(C`@password_timeout@\*(C'\fR. .IP "timestamp_timeout" 16 .IX Item "timestamp_timeout" Number of minutes that can elapse before \fBsudo\fR will ask for a diff --git a/doc/sudoreplay.cat b/doc/sudoreplay.cat index 65b0a5c5e..ccc48c396 100644 --- a/doc/sudoreplay.cat +++ b/doc/sudoreplay.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.8.0a2 May 30, 2010 1 +1.8.0b1 June 11, 2010 1 @@ -127,7 +127,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.8.0a2 May 30, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -193,7 +193,7 @@ SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m) -1.8.0a2 May 30, 2010 3 +1.8.0b1 June 11, 2010 3 @@ -259,7 +259,7 @@ EEXXAAMMPPLLEESS -1.8.0a2 May 30, 2010 4 +1.8.0b1 June 11, 2010 4 @@ -325,6 +325,6 @@ DDIISSCCLLAAIIMMEERR -1.8.0a2 May 30, 2010 5 +1.8.0b1 June 11, 2010 5 diff --git a/doc/sudoreplay.man.in b/doc/sudoreplay.man.in index 65a72f5bd..222dd1f03 100644 --- a/doc/sudoreplay.man.in +++ b/doc/sudoreplay.man.in 
@@ -139,7 +139,7 @@ .\" ======================================================================== .\" .IX Title "SUDOREPLAY @mansectsu@" -.TH SUDOREPLAY @mansectsu@ "May 30, 2010" "1.8.0a2" "MAINTENANCE COMMANDS" +.TH SUDOREPLAY @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l diff --git a/doc/visudo.cat b/doc/visudo.cat index 576fa64d9..b4af190db 100644 --- a/doc/visudo.cat +++ b/doc/visudo.cat @@ -61,7 +61,7 @@ OOPPTTIIOONNSS -1.8.0a1 May 25, 2010 1 +1.8.0b1 June 11, 2010 1 @@ -127,7 +127,7 @@ AAUUTTHHOORR -1.8.0a1 May 25, 2010 2 +1.8.0b1 June 11, 2010 2 @@ -193,6 +193,6 @@ DDIISSCCLLAAIIMMEERR -1.8.0a1 May 25, 2010 3 +1.8.0b1 June 11, 2010 3 diff --git a/doc/visudo.man.in b/doc/visudo.man.in index ad7e52a74..0754b8c1f 100644 --- a/doc/visudo.man.in +++ b/doc/visudo.man.in @@ -144,7 +144,7 @@ .\" ======================================================================== .\" .IX Title "VISUDO @mansectsu@" -.TH VISUDO @mansectsu@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS" +.TH VISUDO @mansectsu@ "June 11, 2010" "1.8.0b1" "MAINTENANCE COMMANDS" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l -- 2.40.0