Merge upstream '3.3' into update_3_3

Followed the following steps: # aosp mirror does not have the upstream tags. Manually mark the # 3.3 release. See # https://github.com/SELinuxProject/selinux/releases/tag/3.3 git tag 3.3 7f600c40bc repo start update_3_3 . git merge 3.3 --no-ff # No merge conflicts were found. lunch && m repo upload . Bug: 37755687 Test: Build aosp_bramble-userdebug and manually compare the generated /{system,vendor,product}/etc/selinux* files with their previous versions. All are identical. Change-Id: I6a514d7db9a752c44cc61d343f7c1a60f750f317
2021-12-21 10:25:53 +11:00 · 2021-12-21 10:25:53 +11:00 · 671624ef61
commit 671624ef61
parent 58458b0578 7f600c40bc
58 changed files with 329 additions and 231 deletions
--- a/.github/workflows/vm_testsuite.yml
+++ b/.github/workflows/vm_testsuite.yml
@ -6,7 +6,8 @@ jobs:
  vm_testsuite:
    # Use VirtualBox+vagrant on macOS, as described in https://github.com/actions/virtual-environments/issues/433
-    runs-on: macos-latest
+    # Use an old version of macOS until https://github.com/actions/virtual-environments/pull/4010 is merged.
    runs-on: macos-10.15
    steps:
    - uses: actions/checkout@v2
--- a/README.md
+++ b/README.md
@ -2,7 +2,8 @@ SELinux Userspace
 =================
 ![SELinux logo](https://github.com/SELinuxProject.png)
-[![Build Status](https://travis-ci.org/SELinuxProject/selinux.svg?branch=master)](https://travis-ci.org/SELinuxProject/selinux)
+[![Run Tests](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/run_tests.yml)
 [![Run SELinux testsuite in a virtual machine](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/vm_testsuite.yml)
 [![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/selinux.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#selinux)
 [![CIFuzz Status](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml)
--- a/2
+++ b/2
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/checkpolicy/VERSION
+++ b/checkpolicy/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@ -3,7 +3,7 @@
 checkmodule \- SELinux policy module compiler
 .SH SYNOPSIS
 .B checkmodule
-.I "[\-h] [\-b] [\-C] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
+.I "[\-h] [\-b] [\-c policy_version] [\-C] [\-E] [\-m] [\-M] [\-U handle_unknown] [\-V] [\-o output_file] [input_file]"
 .SH "DESCRIPTION"
 This manual page describes the
 .BR checkmodule
@ -15,9 +15,12 @@ into a binary representation.  It can generate either a base policy
 module (default) or a non-base policy module (\-m option); typically,
 you would build a non-base policy module to add to an existing module
 store that already has a base module provided by the base policy.  Use
-semodule_package to combine this module with its optional file
+.B semodule_package(8)
-contexts to create a policy package, and then use semodule to install
+to combine this module with its optional file
-the module package into the module store and load the resulting policy.
+contexts to create a policy package, and then use
 .B semodule(8)
 to install the module package into the module store and load the resulting
 policy.
 .SH OPTIONS
 .TP
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@ -34,9 +34,6 @@
 #include "checkpolicy.h"
 #include "parse_util.h"
 extern char *optarg;
 extern int optind;
 static sidtab_t sidtab;
 extern int mlspol;
@ -126,7 +123,7 @@ static int write_binary_policy(policydb_t * p, FILE *outfp)
 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
-	printf("usage:  %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+	printf("usage:  %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [-c VERSION] [INPUT]\n", progname);
 	printf("Build base and policy modules.\n");
 	printf("Options:\n");
 	printf("  INPUT      build module from INPUT (else read from \"%s\")\n",
@ -155,7 +152,7 @@ int main(int argc, char **argv)
 	int ch;
 	int show_version = 0;
 	policydb_t modpolicydb;
-	struct option long_options[] = {
+	const struct option long_options[] = {
 		{"help", no_argument, NULL, 'h'},
 		{"output", required_argument, NULL, 'o'},
 		{"binary", no_argument, NULL, 'b'},
@ -271,7 +268,7 @@ int main(int argc, char **argv)
 	} else {
 		if (policydb_init(&modpolicydb)) {
 			fprintf(stderr, "%s: out of memory!\n", argv[0]);
-			return -1;
+			exit(1);
 		}
 		modpolicydb.policy_type = policy_type;
@ -283,7 +280,7 @@ int main(int argc, char **argv)
 		}
 		if (hierarchy_check_constraints(NULL, &modpolicydb)) {
-			return -1;
+			exit(1);
 		}
 	}
@ -336,7 +333,7 @@ int main(int argc, char **argv)
 		FILE *outfp = fopen(outfile, "w");
 		if (!outfp) {
-			perror(outfile);
+			fprintf(stderr, "%s:  error opening %s:  %s\n", argv[0], outfile, strerror(errno));
 			exit(1);
 		}
@ -352,7 +349,10 @@ int main(int argc, char **argv)
 			}
 		}
-		fclose(outfp);
+		if (fclose(outfp)) {
 			fprintf(stderr, "%s:  error closing %s:  %s\n", argv[0], outfile, strerror(errno));
 			exit(1);
 		}
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
 		exit(1);
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@ -3,7 +3,7 @@
 checkpolicy \- SELinux policy compiler
 .SH SYNOPSIS
 .B checkpolicy
-.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-V] [input_file]"
+.I "[\-b[F]] [\-C] [\-d] [\-U handle_unknown (allow,deny,reject)] [\-M] [\-c policyvers] [\-o output_file|\-] [\-S] [\-t target_platform (selinux,xen)] [\-O] [\-E] [\-V] [input_file]"
 .br
 .SH "DESCRIPTION"
 This manual page describes the
@ -13,8 +13,10 @@ command.
 .B checkpolicy
 is a program that checks and compiles a SELinux security policy configuration
 into a binary representation that can be loaded into the kernel.  If no 
-input file name is specified, checkpolicy will attempt to read from
+input file name is specified,
-policy.conf or policy, depending on whether the \-b flag is specified.
+.B checkpolicy
 will attempt to read from policy.conf or policy, depending on whether the \-b
 flag is specified.
 .SH OPTIONS
 .TP
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@ -92,9 +92,6 @@
 #include "checkpolicy.h"
 #include "parse_util.h"
 extern char *optarg;
 extern int optind;
 static policydb_t policydb;
 static sidtab_t sidtab;
@ -112,7 +109,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
-	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
+	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] [-O] "
 	     "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
@ -297,9 +294,7 @@ static int identify_equiv_types(void)
 }
 #endif
-extern char *av_to_string(uint32_t tclass, sepol_access_vector_t av);
+static int display_bools(void)
 int display_bools(void)
 {
 	uint32_t i;
@ -310,10 +305,10 @@ int display_bools(void)
 	return 0;
 }
-void display_expr(cond_expr_t * exp)
+static void display_expr(const cond_expr_t * exp)
 {
-	cond_expr_t *cur;
+	const cond_expr_t *cur;
 	for (cur = exp; cur != NULL; cur = cur->next) {
 		switch (cur->expr_type) {
 		case COND_BOOL:
@ -345,9 +340,9 @@ void display_expr(cond_expr_t * exp)
 	}
 }
-int display_cond_expressions(void)
+static int display_cond_expressions(void)
 {
-	cond_node_t *cur;
+	const cond_node_t *cur;
 	for (cur = policydbp->cond_list; cur != NULL; cur = cur->next) {
 		printf("expression: ");
@ -357,7 +352,7 @@ int display_cond_expressions(void)
 	return 0;
 }
-int change_bool(char *name, int state)
+static int change_bool(const char *name, int state)
 {
 	cond_bool_datum_t *bool;
@ -412,7 +407,7 @@ int main(int argc, char **argv)
 	unsigned int reason;
 	int flags;
 	struct policy_file pf;
-	struct option long_options[] = {
+	const struct option long_options[] = {
 		{"output", required_argument, NULL, 'o'},
 		{"target", required_argument, NULL, 't'},
 		{"binary", no_argument, NULL, 'b'},
@ -706,7 +701,10 @@ int main(int argc, char **argv)
 		}
 		if (outfp != stdout) {
-			fclose(outfp);
+			if(fclose(outfp)) {
 				fprintf(stderr, "%s:  error closing %s:  %s\n", argv[0], outfile, strerror(errno));
 				exit(1);
 			}
 		}
 	} else if (cil) {
 		fprintf(stderr, "%s:  No file to write CIL was specified\n", argv[0]);
@ -796,7 +794,7 @@ int main(int argc, char **argv)
 			case 0:
 				printf("\nallowed {");
 				for (i = 1; i <= sizeof(avd.allowed) * 8; i++) {
-					if (avd.allowed & (1 << (i - 1))) {
+					if (avd.allowed & (UINT32_C(1) << (i - 1))) {
 						v.val = i;
 						ret =
 						    hashtab_map(cladatum->
--- a/checkpolicy/module_compiler.c
+++ b/checkpolicy/module_compiler.c
@ -165,7 +165,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
 			    decl->decl_id, dest_value);
 	if (ret == 1 && dest_value) {
-		symtab_datum_t *s =
+		hashtab_datum_t s =
 			hashtab_search(policydbp->symtab[symbol_type].table,
 				       key);
 		assert(s != NULL);
@ -173,7 +173,7 @@ static int create_symbol(uint32_t symbol_type, hashtab_key_t key, hashtab_datum_
 		if (symbol_type == SYM_LEVELS) {
 			*dest_value = ((level_datum_t *)s)->level->sens;
 		} else {
-			*dest_value = s->value;
+			*dest_value = ((symtab_datum_t *)s)->value;
 		}
 	} else if (ret == -2) {
 		return -2;
@ -999,7 +999,7 @@ static int require_bool_tunable(int pass, int is_tunable)
 	if (is_tunable)
 		booldatum->flags |= COND_BOOL_FLAGS_TUNABLE;
 	retval =
-	    require_symbol(SYM_BOOLS, id, (hashtab_datum_t *) booldatum,
+	    require_symbol(SYM_BOOLS, id, booldatum,
 			   &booldatum->s.value, &booldatum->s.value);
 	if (retval != 0) {
 		cond_destroy_bool(id, booldatum, NULL);
@ -1051,7 +1051,7 @@ int require_sens(int pass)
 		return -1;
 	}
 	mls_level_init(level->level);
-	retval = require_symbol(SYM_LEVELS, id, (hashtab_datum_t *) level,
+	retval = require_symbol(SYM_LEVELS, id, level,
 				&level->level->sens, &level->level->sens);
 	if (retval != 0) {
 		free(id);
@ -1089,7 +1089,7 @@ int require_cat(int pass)
 	}
 	cat_datum_init(cat);
-	retval = require_symbol(SYM_CATS, id, (hashtab_datum_t *) cat,
+	retval = require_symbol(SYM_CATS, id, cat,
 				&cat->s.value, &cat->s.value);
 	if (retval != 0) {
 		free(id);
@ -1104,14 +1104,14 @@ int require_cat(int pass)
 	return 0;
 }
-static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
+static int is_scope_in_stack(const scope_datum_t * scope, const scope_stack_t * stack)
 {
 	uint32_t i;
 	if (stack == NULL) {
 		return 0;	/* no matching scope found */
 	}
 	if (stack->type == 1) {
-		avrule_decl_t *decl = stack->decl;
+		const avrule_decl_t *decl = stack->decl;
 		for (i = 0; i < scope->decl_ids_len; i++) {
 			if (scope->decl_ids[i] == decl->decl_id) {
 				return 1;
@ -1126,9 +1126,9 @@ static int is_scope_in_stack(scope_datum_t * scope, scope_stack_t * stack)
 	return is_scope_in_stack(scope, stack->parent);
 }
-int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
+int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id)
 {
-	scope_datum_t *scope =
+	const scope_datum_t *scope =
 	    (scope_datum_t *) hashtab_search(policydbp->scope[symbol_type].
 					     table, id);
 	if (scope == NULL) {
@ -1138,7 +1138,7 @@ int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id)
 }
 static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
-				  scope_index_t * scope)
+				  const scope_index_t * scope)
 {
 	if (class_value > scope->class_perms_len) {
 		return 1;
@ -1151,7 +1151,7 @@ static int is_perm_in_scope_index(uint32_t perm_value, uint32_t class_value,
 }
 static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
-			    scope_stack_t * stack)
+			    const scope_stack_t * stack)
 {
 	if (stack == NULL) {
 		return 0;	/* no matching scope found */
@ -1173,12 +1173,12 @@ static int is_perm_in_stack(uint32_t perm_value, uint32_t class_value,
 	return is_perm_in_stack(perm_value, class_value, stack->parent);
 }
-int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id)
+int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id)
 {
-	class_datum_t *cladatum =
+	const class_datum_t *cladatum =
 	    (class_datum_t *) hashtab_search(policydbp->p_classes.table,
 					     class_id);
-	perm_datum_t *perdatum;
+	const perm_datum_t *perdatum;
 	if (cladatum == NULL) {
 		return 1;
 	}
@ -1361,17 +1361,17 @@ int begin_optional_else(int pass)
 	return 0;
 }
-static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
+static int copy_requirements(avrule_decl_t * dest, const scope_stack_t * stack)
 {
 	uint32_t i;
 	if (stack == NULL) {
 		return 0;
 	}
 	if (stack->type == 1) {
-		scope_index_t *src_scope = &stack->decl->required;
+		const scope_index_t *src_scope = &stack->decl->required;
 		scope_index_t *dest_scope = &dest->required;
 		for (i = 0; i < SYM_NUM; i++) {
-			ebitmap_t *src_bitmap = &src_scope->scope[i];
+			const ebitmap_t *src_bitmap = &src_scope->scope[i];
 			ebitmap_t *dest_bitmap = &dest_scope->scope[i];
 			if (ebitmap_union(dest_bitmap, src_bitmap)) {
 				yyerror("Out of memory!");
@ -1397,7 +1397,7 @@ static int copy_requirements(avrule_decl_t * dest, scope_stack_t * stack)
 			    src_scope->class_perms_len;
 		}
 		for (i = 0; i < src_scope->class_perms_len; i++) {
-			ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
+			const ebitmap_t *src_bitmap = &src_scope->class_perms_map[i];
 			ebitmap_t *dest_bitmap =
 			    &dest_scope->class_perms_map[i];
 			if (ebitmap_union(dest_bitmap, src_bitmap)) {
--- a/checkpolicy/module_compiler.h
+++ b/checkpolicy/module_compiler.h
@ -65,12 +65,12 @@ int require_cat(int pass);
 /* Check if an identifier is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth).  */
-int is_id_in_scope(uint32_t symbol_type, hashtab_key_t id);
+int is_id_in_scope(uint32_t symbol_type, const_hashtab_key_t id);
 /* Check if a particular permission is within the scope of the current
 * declaration or any of its parents.  Return 1 if it is, 0 if not.
 * If the identifier is not known at all then return 1 (truth).  */
-int is_perm_in_scope(hashtab_key_t perm_id, hashtab_key_t class_id);
+int is_perm_in_scope(const_hashtab_key_t perm_id, const_hashtab_key_t class_id);
 /* Search the current avrules block for a conditional with the same
 * expression as 'cond'.  If the conditional does not exist then
--- a/checkpolicy/parse_util.c
+++ b/checkpolicy/parse_util.c
@ -36,7 +36,7 @@ int read_source_policy(policydb_t * p, const char *file, const char *progname)
 {
 	yyin = fopen(file, "r");
 	if (!yyin) {
-		fprintf(stderr, "%s:  unable to open %s\n", progname, file);
+		fprintf(stderr, "%s:  unable to open %s:  %s\n", progname, file, strerror(errno));
 		return -1;
 	}
 	set_source_file(file);
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@ -60,10 +60,13 @@
 #include "module_compiler.h"
 #include "policy_define.h"
 extern void init_parser(int pass_number);
 __attribute__ ((format(printf, 1, 2)))
 extern void yyerror2(const char *fmt, ...);
 policydb_t *policydbp;
 queue_t id_queue = 0;
 unsigned int pass;
 char *curfile = 0;
 int mlspol = 0;
 extern unsigned long policydb_lineno;
@ -74,12 +77,6 @@ extern char source_file[PATH_MAX];
 extern int yywarn(const char *msg);
 extern int yyerror(const char *msg);
 #define ERRORMSG_LEN 255
 static char errormsg[ERRORMSG_LEN + 1] = {0};
 static int id_has_dot(const char *id);
 static int parse_security_context(context_struct_t *c);
 /* initialize all of the state variables for the scanner/parser */
 void init_parser(int pass_number)
 {
@ -89,12 +86,12 @@ void init_parser(int pass_number)
 	pass = pass_number;
 }
 __attribute__ ((format(printf, 1, 2)))
 void yyerror2(const char *fmt, ...)
 {
 	char errormsg[256];
 	va_list ap;
 	va_start(ap, fmt);
-	vsnprintf(errormsg, ERRORMSG_LEN, fmt, ap);
+	vsnprintf(errormsg, sizeof(errormsg), fmt, ap);
 	yyerror(errormsg);
 	va_end(ap);
 }
@ -1605,7 +1602,7 @@ static int set_types(type_set_t * set, char *id, int *add, char starallowed)
 	return -1;
 }
-int define_compute_type_helper(int which, avrule_t ** rule)
+static int define_compute_type_helper(int which, avrule_t ** rule)
 {
 	char *id;
 	type_datum_t *datum;
@ -1832,7 +1829,7 @@ struct av_ioctl_range_list {
 	struct av_ioctl_range_list *next;
 };
-int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead)
+static int avrule_sort_ioctls(struct av_ioctl_range_list **rangehead)
 {
 	struct av_ioctl_range_list *r, *r2, *sorted, *sortedhead = NULL;
@ -1880,7 +1877,7 @@ error:
 	return -1;
 }
-int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
+static int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
 {
 	struct av_ioctl_range_list *r, *tmp;
 	r = *rangehead;
@ -1900,7 +1897,7 @@ int avrule_merge_ioctls(struct av_ioctl_range_list **rangehead)
 	return 0;
 }
-int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
+static int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
 {
 	char *id;
 	struct av_ioctl_range_list *rnew, *r = NULL;
@ -1953,7 +1950,7 @@ error:
 }
 /* flip to included ranges */
-int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead)
+static int avrule_omit_ioctls(struct av_ioctl_range_list **rangehead)
 {
 	struct av_ioctl_range_list *rnew, *r, *newhead, *r2;
@ -2001,7 +1998,7 @@ error:
 	return -1;
 }
-int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
+static int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
 {
 	struct av_ioctl_range_list *rangehead;
 	uint8_t omit;
@ -2029,7 +2026,7 @@ int avrule_ioctl_ranges(struct av_ioctl_range_list **rangelist)
 	return 0;
 }
-int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
+static int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
 {
 	char *id;
 	class_perm_node_t *perms, *tail = NULL, *cur_perms = NULL;
@ -2129,7 +2126,7 @@ int define_te_avtab_xperms_helper(int which, avrule_t ** rule)
 			     policydbp->p_class_val_to_name[i]);
 			continue;
 		} else {
-			cur_perms->data |= 1U << (perdatum->s.value - 1);
+			cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1);
 		}
 	}
@ -2143,14 +2140,14 @@ out:
 }
 /* index of the u32 containing the permission */
-#define XPERM_IDX(x) (x >> 5)
+#define XPERM_IDX(x) ((x) >> 5)
 /* set bits 0 through x-1 within the u32 */
-#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
+#define XPERM_SETBITS(x) ((UINT32_C(1) << ((x) & 0x1f)) - 1)
 /* low value for this u32 */
-#define XPERM_LOW(x) (x << 5)
+#define XPERM_LOW(x) ((x) << 5)
 /* high value for this u32 */
-#define XPERM_HIGH(x) (((x + 1) << 5) - 1)
+#define XPERM_HIGH(x) ((((x) + 1) << 5) - 1)
-void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
+static void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
 				av_extended_perms_t *xperms)
 {
 	unsigned int i;
@ -2172,7 +2169,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
 	}
 }
-int avrule_xperms_used(const av_extended_perms_t *xperms)
+static int avrule_xperms_used(const av_extended_perms_t *xperms)
 {
 	unsigned int i;
@ -2189,10 +2186,10 @@ int avrule_xperms_used(const av_extended_perms_t *xperms)
 * dir, size, driver, and function. Only the driver and function fields
 * are considered here
 */
-#define IOC_DRIV(x) (x >> 8)
+#define IOC_DRIV(x) ((x) >> 8)
-#define IOC_FUNC(x) (x & 0xff)
+#define IOC_FUNC(x) ((x) & 0xff)
-#define IOC_CMD(driver, func) ((driver << 8) + func)
+#define IOC_CMD(driver, func) (((driver) << 8) + (func))
-int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
+static int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
 				av_extended_perms_t *complete_driver,
 				av_extended_perms_t **extended_perms)
 {
@ -2231,7 +2228,7 @@ int avrule_ioctl_partialdriver(struct av_ioctl_range_list *rangelist,
 }
-int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
+static int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
 			av_extended_perms_t **extended_perms)
 {
 	struct av_ioctl_range_list *r;
@ -2273,7 +2270,7 @@ int avrule_ioctl_completedriver(struct av_ioctl_range_list *rangelist,
 	return 0;
 }
-int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
+static int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
 		av_extended_perms_t **extended_perms, unsigned int driver)
 {
 	struct av_ioctl_range_list *r;
@ -2323,18 +2320,7 @@ int avrule_ioctl_func(struct av_ioctl_range_list *rangelist,
 	return 0;
 }
-void avrule_ioctl_freeranges(struct av_ioctl_range_list *rangelist)
+static unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
 {
 	struct av_ioctl_range_list *r, *tmp;
 	r = rangelist;
 	while (r) {
 		tmp = r;
 		r = r->next;
 		free(tmp);
 	}
 }
 unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
 {
 	unsigned int i;
 	for (i = *bit; i < sizeof(xperms->perms)*8; i++) {
@ -2347,7 +2333,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
 	return 0;
 }
-int avrule_cpy(avrule_t *dest, const avrule_t *src)
+static int avrule_cpy(avrule_t *dest, const avrule_t *src)
 {
 	class_perm_node_t *src_perms;
 	class_perm_node_t *dest_perms, *dest_tail;
@ -2395,10 +2381,10 @@ int avrule_cpy(avrule_t *dest, const avrule_t *src)
 	return 0;
 }
-int define_te_avtab_ioctl(const avrule_t *avrule_template)
+static int define_te_avtab_ioctl(const avrule_t *avrule_template)
 {
 	avrule_t *avrule;
-	struct av_ioctl_range_list *rangelist;
+	struct av_ioctl_range_list *rangelist, *r;
 	av_extended_perms_t *complete_driver, *partial_driver, *xperms;
 	unsigned int i;
@ -2456,6 +2442,12 @@ done:
 	if (partial_driver)
 		free(partial_driver);
 	while (rangelist != NULL) {
 		r = rangelist;
 		rangelist = rangelist->next;
 		free(r);
 	}
 	return 0;
 }
@ -2464,6 +2456,7 @@ int define_te_avtab_extended_perms(int which)
 	char *id;
 	unsigned int i;
 	avrule_t *avrule_template;
 	int rc = 0;
 	if (pass == 1) {
 		for (i = 0; i < 4; i++) {
@ -2479,18 +2472,20 @@ int define_te_avtab_extended_perms(int which)
 	id = queue_remove(id_queue);
 	if (strcmp(id,"ioctl") == 0) {
-		free(id);
+		rc = define_te_avtab_ioctl(avrule_template);
 		if (define_te_avtab_ioctl(avrule_template))
 			return -1;
 	} else {
 		yyerror("only ioctl extended permissions are supported");
-		free(id);
+		rc = -1;
 		return -1;
 	}
-	return 0;
+
 	free(id);
 	avrule_destroy(avrule_template);
 	free(avrule_template);
 	return rc;
 }
-int define_te_avtab_helper(int which, avrule_t ** rule)
+static int define_te_avtab_helper(int which, avrule_t ** rule)
 {
 	char *id;
 	class_datum_t *cladatum;
@ -2617,7 +2612,7 @@ int define_te_avtab_helper(int which, avrule_t ** rule)
 				}
 				continue;
 			} else {
-				cur_perms->data |= 1U << (perdatum->s.value - 1);
+				cur_perms->data |= UINT32_C(1) << (perdatum->s.value - 1);
 			}
 		      next:
 			cur_perms = cur_perms->next;
@ -3620,7 +3615,7 @@ int define_constraint(constraint_expr_t * expr)
 					return -1;
 				}
 			}
-			node->permissions |= (1 << (perdatum->s.value - 1));
+			node->permissions |= (UINT32_C(1) << (perdatum->s.value - 1));
 		}
 		free(id);
 	}
@ -5470,7 +5465,7 @@ int define_fs_use(int behavior)
 	return 0;
 }
-int define_genfs_context_helper(char *fstype, int has_type)
+static int define_genfs_context_helper(char *fstype, int has_type)
 {
 	struct genfs *genfs_p, *genfs, *newgenfs;
 	ocontext_t *newc, *c, *head, *p;
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@ -890,10 +890,26 @@ filename		: FILENAME
 			{ yytext[strlen(yytext) - 1] = '\0'; if (insert_id(yytext + 1,0)) return -1; }
 			;
 number			: NUMBER 
-			{ $$ = strtoul(yytext,NULL,0); }
+			{ unsigned long x;
 			  errno = 0;
 			  x = strtoul(yytext, NULL, 0);
 			  if (errno)
 			      return -1;
 #if ULONG_MAX > UINT_MAX
 			  if (x > UINT_MAX)
 			      return -1;
 #endif
 			  $$ = (unsigned int) x;
 			}
 			;
 number64		: NUMBER
-			{ $$ = strtoull(yytext,NULL,0); }
+			{ unsigned long long x;
 			  errno = 0;
 			  x = strtoull(yytext, NULL, 0);
 			  if (errno)
 			      return -1;
 			  $$ = (uint64_t) x;
 			}
 			;
 ipv6_addr		: IPV6_ADDR
 			{ if (insert_id(yytext,0)) return -1; }
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@ -59,12 +59,17 @@ alnum   [a-zA-Z0-9]
 hexval	[0-9A-Fa-f]
 %%
-\n.*				{ strncpy(linebuf[lno], yytext+1, 255);
+\n.*				{
-                                  linebuf[lno][254] = 0;
+				  strncpy(linebuf[lno], yytext+1, 255);
-                                  lno = 1 - lno; 
+				  linebuf[lno][254] = 0;
-                                  policydb_lineno++;
+				  lno = 1 - lno;
-				  source_lineno++;
+				  policydb_lineno++;
-                                  yyless(1); }
+				  if (source_lineno == ULONG_MAX)
 				      yywarn("source line number overflow");
 				  else
 				      source_lineno++;
 				  yyless(1);
 				}
 CLONE |
 clone				{ return(CLONE); }
 COMMON |
@ -270,7 +275,13 @@ GLBLUB				{ return(GLBLUB); }
 {hexval}{0,4}":"{hexval}{0,4}":"({hexval}|[:.])*  { return(IPV6_ADDR); }
 {digit}+(\.({alnum}|[_.])*)?    { return(VERSION_IDENTIFIER); }
 #line[ ]1[ ]\"[^\n]*\"		{ set_source_file(yytext+9); }
-#line[ ]{digit}+	        { source_lineno = atoi(yytext+6)-1; }
+#line[ ]{digit}+	        {
 				  errno = 0;
 				  source_lineno = strtoul(yytext+6, NULL, 10) - 1;
 				  if (errno) {
 				    yywarn("source line number too big");
 				  }
 				}
 #[^\n]*                         { /* delete comments */ }
 [ \t\f]+			{ /* delete whitespace */ }
 "==" 				{ return(EQUALS); }
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@ -89,7 +89,7 @@ static void render_access_bitmap(ebitmap_t * map, uint32_t class,
 	fprintf(fp, "{");
 	for (i = ebitmap_startbit(map); i < ebitmap_length(map); i++) {
 		if (ebitmap_get_bit(map, i)) {
-			perm = sepol_av_to_string(p, class, 1 << i);
+			perm = sepol_av_to_string(p, class, UINT32_C(1) << i);
 			if (perm)
 				fprintf(fp, " %s", perm);
 		}
@ -751,12 +751,14 @@ static int read_policy(char *filename, policydb_t * policy)
 			fprintf(stderr, "%s:  Out of memory!\n", __FUNCTION__);
 			exit(1);
 		}
 		sepol_policydb_free(package->policy);
 		package->policy = (sepol_policydb_t *) policy;
 		package->file_contexts = NULL;
 		retval =
 		    sepol_module_package_read(package,
 					      (sepol_policy_file_t *) & f, 1);
-		free(package->file_contexts);
+		package->policy = NULL;
 		sepol_module_package_free(package);
 	} else {
 		if (policydb_init(policy)) {
 			fprintf(stderr, "%s:  Out of memory!\n", __FUNCTION__);
--- a/dbus/VERSION
+++ b/dbus/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/gui/VERSION
+++ b/gui/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/libselinux/VERSION
+++ b/libselinux/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/libselinux/src/mapping.c
+++ b/libselinux/src/mapping.c
@ -144,9 +144,9 @@ unmap_perm(security_class_t tclass, access_vector_t tperm)
 		access_vector_t kperm = 0;
 		for (i = 0; i < current_mapping[tclass].num_perms; i++)
-			if (tperm & (1<<i)) {
+			if (tperm & (UINT32_C(1)<<i)) {
 				kperm |= current_mapping[tclass].perms[i];
-				tperm &= ~(1<<i);
+				tperm &= ~(UINT32_C(1)<<i);
 			}
 		return kperm;
 	}
@ -191,7 +191,7 @@ map_perm(security_class_t tclass, access_vector_t kperm)
 		for (i = 0; i < current_mapping[tclass].num_perms; i++)
 			if (kperm & current_mapping[tclass].perms[i]) {
-				tperm |= 1<<i;
+				tperm |= UINT32_C(1)<<i;
 				kperm &= ~current_mapping[tclass].perms[i];
 			}
@ -216,30 +216,30 @@ map_decision(security_class_t tclass, struct av_decision *avd)
 		for (i = 0, result = 0; i < n; i++) {
 			if (avd->allowed & mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 			else if (allow_unknown && !mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 		}
 		avd->allowed = result;
 		for (i = 0, result = 0; i < n; i++) {
 			if (avd->decided & mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 			else if (allow_unknown && !mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 		}
 		avd->decided = result;
 		for (i = 0, result = 0; i < n; i++)
 			if (avd->auditallow & mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 		avd->auditallow = result;
 		for (i = 0, result = 0; i < n; i++) {
 			if (avd->auditdeny & mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 			else if (!allow_unknown && !mapping->perms[i])
-				result |= 1<<i;
+				result |= UINT32_C(1)<<i;
 		}
 		/*
@ -248,7 +248,7 @@ map_decision(security_class_t tclass, struct av_decision *avd)
 		 * a bug in the object manager.
 		 */
 		for (; i < (sizeof(result)*8); i++)
-			result |= 1<<i;
+			result |= UINT32_C(1)<<i;
 		avd->auditdeny = result;
 	}
 }
--- a/libselinux/src/setup.py
+++ b/libselinux/src/setup.py
@ -4,7 +4,7 @@ from distutils.core import Extension, setup
 setup(
    name="selinux",
-    version="3.3-rc1",
+    version="3.3",
    description="SELinux python 3 bindings",
    author="SELinux Project",
    author_email="selinux@vger.kernel.org",
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@ -229,7 +229,7 @@ access_vector_t string_to_av_perm(security_class_t tclass, const char *s)
 		size_t i;
 		for (i = 0; i < MAXVECTORS && node->perms[i] != NULL; i++)
 			if (strcmp(node->perms[i],s) == 0)
-				return map_perm(tclass, 1<<i);
+				return map_perm(tclass, UINT32_C(1)<<i);
 	}
 	errno = EINVAL;
@ -261,7 +261,7 @@ const char *security_av_perm_to_string(security_class_t tclass,
 	node = get_class_cache_entry_value(tclass);
 	if (av && node)
 		for (i = 0; i<MAXVECTORS; i++)
-			if ((1<<i) & av)
+			if ((UINT32_C(1)<<i) & av)
 				return node->perms[i];
 	return NULL;
@ -279,7 +279,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
 	/* first pass computes the required length */
 	for (i = 0; tmp; tmp >>= 1, i++) {
 		if (tmp & 1) {
-			str = security_av_perm_to_string(tclass, av & (1<<i));
+			str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
 			if (str)
 				len += strlen(str) + 1;
 		}
@ -303,7 +303,7 @@ int security_av_string(security_class_t tclass, access_vector_t av, char **res)
 	ptr += sprintf(ptr, "{ ");
 	for (i = 0; tmp; tmp >>= 1, i++) {
 		if (tmp & 1) {
-			str = security_av_perm_to_string(tclass, av & (1<<i));
+			str = security_av_perm_to_string(tclass, av & (UINT32_C(1)<<i));
 			if (str)
 				ptr += sprintf(ptr, "%s ", str);
 		}
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@ -52,9 +52,7 @@ else
 TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 endif
-sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
+sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
 sefcontext_compile: sefcontext_compile.o ../src/regex.o
 all: $(TARGETS)
--- a/libsemanage/VERSION
+++ b/libsemanage/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/libsepol/VERSION
+++ b/libsepol/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@ -1225,7 +1225,7 @@ int __perm_str_to_datum(char *perm_str, class_datum_t *sepol_class, uint32_t *da
 			goto exit;
 		}
 	}
-	*datum |= 1 << (sepol_perm->s.value - 1);
+	*datum |= UINT32_C(1) << (sepol_perm->s.value - 1);
 	return SEPOL_OK;
@ -1523,7 +1523,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
 /* index of the u32 containing the permission */
 #define XPERM_IDX(x) (x >> 5)
 /* set bits 0 through x-1 within the u32 */
-#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
+#define XPERM_SETBITS(x) ((UINT32_C(1) << (x & 0x1f)) - 1)
 /* low value for this u32 */
 #define XPERM_LOW(x) (x << 5)
 /* high value for this u32 */
@ -4760,7 +4760,7 @@ static struct cil_list *cil_classperms_from_sepol(policydb_t *pdb, uint16_t clas
 	cil_list_init(&cp->perms, CIL_PERM);
 	for (i = 0; i < sepol_class->permissions.nprim; i++) {
 		struct cil_perm *perm;
-		if ((data & (1 << i)) == 0) continue;
+		if ((data & (UINT32_C(1) << i)) == 0) continue;
 		perm = perm_value_to_cil[class][i+1];
 		if (!perm) goto exit;
 		cil_list_append(cp->perms, CIL_PERM, perm);
@ -4825,6 +4825,7 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 			avtab_ptr_t cur;
 			struct cil_avrule target;
 			struct cil_tree_node *n1 = NULL;
 			int count_bad = 0;
 			*violation = CIL_TRUE;
@ -4838,10 +4839,13 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 			for (cur = bad; cur; cur = cur->next) {
 				struct cil_list_item *i2;
 				struct cil_list *matching;
 				int num_matching = 0;
 				int count_matching = 0;
 				rc = cil_avrule_from_sepol(pdb, cur, &target, type_value_to_cil, class_value_to_cil, perm_value_to_cil);
 				if (rc != SEPOL_OK) {
 					cil_log(CIL_ERR, "Failed to convert sepol avrule to CIL\n");
 					bounds_destroy_bad(bad);
 					goto exit;
 				}
 				__cil_print_rule("  ", "allow", &target);
@ -4854,6 +4858,9 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 					bounds_destroy_bad(bad);
 					goto exit;
 				}
 				cil_list_for_each(i2, matching) {
 					num_matching++;
 				}
 				cil_list_for_each(i2, matching) {
 					struct cil_tree_node *n2 = i2->data;
 					struct cil_avrule *r2 = n2->data;
@ -4864,9 +4871,19 @@ static int cil_check_type_bounds(const struct cil_db *db, policydb_t *pdb, void
 						__cil_print_parents("    ", n2);
 						__cil_print_rule("      ", "allow", r2);
 					}
 					count_matching++;
 					if (count_matching >= 2) {
 						cil_log(CIL_ERR, "    Only first 2 of %d matching rules shown\n", num_matching);
 						break;
 					}
 				}
 				cil_list_destroy(&matching, CIL_FALSE);
 				cil_list_destroy(&target.perms.classperms, CIL_TRUE);
 				count_bad++;
 				if (count_bad >= 2) {
 					cil_log(CIL_ERR, "  Only first 2 of %d bad rules shown\n", numbad);
 					break;
 				}
 			}
 			bounds_destroy_bad(bad);
 		}
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@ -134,8 +134,7 @@ int cil_add_decl_to_symtab(struct cil_db *db, symtab_t *symtab, hashtab_key_t ke
 		/* multiple_decls is enabled and works for this datum type, add node */
 		cil_list_append(prev->nodes, CIL_NODE, node);
 		node->data = prev;
-		cil_symtab_datum_destroy(datum);
+		return SEPOL_EEXIST;
 		free(datum);
 	}
 	return SEPOL_OK;
@ -2367,7 +2366,12 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct
 	key = parse_current->next->data;
 	rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)type, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPE);
 	if (rc != SEPOL_OK) {
-		goto exit;
+		if (rc == SEPOL_EEXIST) {
 			cil_destroy_type(type);
 			type = NULL;
 		} else {
 			goto exit;
 		}
 	}
 	return SEPOL_OK;
@ -2415,7 +2419,12 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current
 	key = parse_current->next->data;
 	rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)attr, (hashtab_key_t)key, CIL_SYM_TYPES, CIL_TYPEATTRIBUTE);
 	if (rc != SEPOL_OK) {
-		goto exit;
+		if (rc == SEPOL_EEXIST) {
 			cil_destroy_typeattribute(attr);
 			attr = NULL;
 		} else {
 			goto exit;
 		}
 	}
 	return SEPOL_OK;
@ -5480,8 +5489,14 @@ int cil_gen_optional(struct cil_db *db, struct cil_tree_node *parse_current, str
 	key = parse_current->next->data;
 	rc = cil_gen_node(db, ast_node, (struct cil_symtab_datum*)optional, (hashtab_key_t)key, CIL_SYM_BLOCKS, CIL_OPTIONAL);
-	if (rc != SEPOL_OK)
+	if (rc != SEPOL_OK) {
-		goto exit;
+		if (rc == SEPOL_EEXIST) {
 			cil_destroy_optional(optional);
 			optional = NULL;
 		} else {
 			goto exit;
 		}
 	}
 	return SEPOL_OK;
--- a/libsepol/cil/src/cil_copy_ast.c
+++ b/libsepol/cil/src/cil_copy_ast.c
@ -590,20 +590,12 @@ int cil_copy_roleallow(__attribute__((unused)) struct cil_db *db, void *data, vo
 	return SEPOL_OK;
 }
-int cil_copy_type(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab)
+int cil_copy_type(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
 {
-	struct cil_type *orig = data;
+	struct cil_type *new;
 	char *key = orig->datum.name;
 	struct cil_symtab_datum *datum = NULL;
-	cil_symtab_get_datum(symtab, key, &datum);
+	cil_type_init(&new);
-	if (datum == NULL) {
+	*copy = new;
 		struct cil_type *new;
 		cil_type_init(&new);
 		*copy = new;
 	} else {
 		*copy = datum;
 	}
 	return SEPOL_OK;
 }
@ -622,20 +614,12 @@ int cil_copy_typepermissive(__attribute__((unused)) struct cil_db *db, void *dat
 	return SEPOL_OK;
 }
-int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, void *data, void **copy, symtab_t *symtab)
+int cil_copy_typeattribute(__attribute__((unused)) struct cil_db *db, __attribute__((unused)) void *data, void **copy, __attribute__((unused)) symtab_t *symtab)
 {
-	struct cil_typeattribute *orig = data;
+	struct cil_typeattribute *new;
 	char *key = orig->datum.name;
 	struct cil_symtab_datum *datum = NULL;
-	cil_symtab_get_datum(symtab, key, &datum);
+	cil_typeattribute_init(&new);
-	if (datum == NULL) {
+	*copy = new;
 		struct cil_typeattribute *new;
 		cil_typeattribute_init(&new);
 		*copy = new;
 	} else {
 		*copy = datum;
 	}
 	return SEPOL_OK;
 }
@ -2056,7 +2040,14 @@ int __cil_copy_node_helper(struct cil_tree_node *orig, uint32_t *finished, void
 			rc = cil_add_decl_to_symtab(db, symtab, DATUM(orig->data)->name, DATUM(data), new);
 			if (rc != SEPOL_OK) {
-				goto exit;
+				if (rc == SEPOL_EEXIST) {
 					cil_symtab_datum_destroy(data);
 					free(data);
 					data = NULL;
 					rc = SEPOL_OK;
 				} else {
 					goto exit;
 				}
 			}
 			namespace = new;
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@ -3946,7 +3946,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	}
 	if (node->flavor == CIL_MACRO) {
-		if (pass != CIL_PASS_TIF) {
+		if (pass > CIL_PASS_IN_AFTER) {
 			*finished = CIL_TREE_SKIP_HEAD;
 			rc = SEPOL_OK;
 			goto exit;
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@ -1689,6 +1689,15 @@ exit:
 	return rc;
 }
 static int __add_perm_to_list(__attribute__((unused)) hashtab_key_t k, hashtab_datum_t d, void *args)
 {
 	struct cil_list *perm_list = (struct cil_list *)args;
 	cil_list_append(perm_list, CIL_DATUM, d);
 	return SEPOL_OK;
 }
 static int __cil_verify_classperms(struct cil_list *classperms,
 				   struct cil_symtab_datum *orig,
 				   struct cil_symtab_datum *parent,
@ -1730,13 +1739,34 @@ static int __cil_verify_classperms(struct cil_list *classperms,
 			if (FLAVOR(cp->class) != CIL_CLASS) { /* MAP */
 				struct cil_list_item *i = NULL;
 				cil_list_for_each(i, cp->perms) {
-					struct cil_perm *cmp = i->data;
+					if (i->flavor != CIL_OP) {
-					rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
+						struct cil_perm *cmp = i->data;
-					if (rc != SEPOL_OK) {
+						rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
-						goto exit;
+						if (rc != SEPOL_OK) {
 							goto exit;
 						}
 					} else {
 						enum cil_flavor op = (enum cil_flavor)(uintptr_t)i->data;
 						if (op == CIL_ALL) {
 							struct cil_class *mc = cp->class;
 							struct cil_list *perm_list;
 							struct cil_list_item *j = NULL;
 							cil_list_init(&perm_list, CIL_MAP_PERM);
 							cil_symtab_map(&mc->perms, __add_perm_to_list, perm_list);
 							cil_list_for_each(j, perm_list) {
 								struct cil_perm *cmp = j->data;
 								rc = __cil_verify_classperms(cmp->classperms, orig, &cp->class->datum, &cmp->datum, CIL_MAP_PERM, steps, limit);
 								if (rc != SEPOL_OK) {
 									cil_list_destroy(&perm_list, CIL_FALSE);
 									goto exit;
 								}
 							}
 							cil_list_destroy(&perm_list, CIL_FALSE);
 						}
 					}
 				}
-			}	
+			}
 		} else { /* SET */
 			struct cil_classperms_set *cp_set = curr->data;
 			struct cil_classpermission *cp = cp_set->set;
--- a/libsepol/src/avtab.c
+++ b/libsepol/src/avtab.c
@ -376,7 +376,7 @@ int avtab_alloc(avtab_t *h, uint32_t nrules)
 	}
 	if (shift > 2)
 		shift = shift - 2;
-	nslot = 1 << shift;
+	nslot = UINT32_C(1) << shift;
 	if (nslot > MAX_AVTAB_HASH_BUCKETS)
 		nslot = MAX_AVTAB_HASH_BUCKETS;
 	mask = nslot - 1;
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@ -411,13 +411,13 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
 		}
 		/* loop through all possible combinations of values for bools in expression */
-		for (test = 0x0; test < (0x1U << cn->nbools); test++) {
+		for (test = 0x0; test < (UINT32_C(1) << cn->nbools); test++) {
 			/* temporarily set the value for all the bools in the
 			 * expression using the corr.  bit in test */
 			for (j = 0; j < cn->nbools; j++) {
 				p->bool_val_to_struct[cn->bool_ids[j] -
 						      1]->state =
-				    (test & (0x1 << j)) ? 1 : 0;
+				    (test & (UINT32_C(1) << j)) ? 1 : 0;
 			}
 			k = cond_evaluate_expr(p, cn->expr);
 			if (k == -1) {
@ -428,7 +428,7 @@ int cond_normalize_expr(policydb_t * p, cond_node_t * cn)
 			}
 			/* set the bit if expression evaluates true */
 			if (k)
-				cn->expr_pre_comp |= 0x1 << test;
+				cn->expr_pre_comp |= UINT32_C(1) << test;
 		}
 		/* restore bool default values */
--- a/libsepol/src/ebitmap.c
+++ b/libsepol/src/ebitmap.c
@ -17,7 +17,8 @@
 int ebitmap_or(ebitmap_t * dst, const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2, *new, *prev;
+	const ebitmap_node_t *n1, *n2;
 	ebitmap_node_t *new, *prev;
 	ebitmap_init(dst);
@ -154,7 +155,7 @@ int ebitmap_hamming_distance(const ebitmap_t * e1, const ebitmap_t * e2)
 int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2;
+	const ebitmap_node_t *n1, *n2;
 	if (e1->highbit != e2->highbit)
 		return 0;
@ -175,7 +176,8 @@ int ebitmap_cmp(const ebitmap_t * e1, const ebitmap_t * e2)
 int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
 {
-	ebitmap_node_t *n, *new, *prev;
+	const ebitmap_node_t *n;
 	ebitmap_node_t *new, *prev;
 	ebitmap_init(dst);
 	n = src->node;
@ -204,7 +206,7 @@ int ebitmap_cpy(ebitmap_t * dst, const ebitmap_t * src)
 int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
 {
-	ebitmap_node_t *n1, *n2;
+	const ebitmap_node_t *n1, *n2;
 	if (e1->highbit < e2->highbit)
 		return 0;
@ -231,8 +233,8 @@ int ebitmap_contains(const ebitmap_t * e1, const ebitmap_t * e2)
 int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
 {
-	ebitmap_node_t *n1 = e1->node;
+	const ebitmap_node_t *n1 = e1->node;
-	ebitmap_node_t *n2 = e2->node;
+	const ebitmap_node_t *n2 = e2->node;
 	while (n1 && n2) {
 		if (n1->startbit < n2->startbit) {
@ -253,7 +255,7 @@ int ebitmap_match_any(const ebitmap_t *e1, const ebitmap_t *e2)
 int ebitmap_get_bit(const ebitmap_t * e, unsigned int bit)
 {
-	ebitmap_node_t *n;
+	const ebitmap_node_t *n;
 	if (e->highbit < bit)
 		return 0;
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@ -243,7 +243,7 @@ static int perm_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	new_perm->s.value = perm->s.value;
 	s->nprim++;
-	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t *) new_perm);
+	ret = hashtab_insert(s->table, new_id, (hashtab_datum_t) new_perm);
 	if (ret) {
 		free(new_id);
 		free(new_perm);
@ -294,7 +294,7 @@ static int common_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	ret =
 	    hashtab_insert(state->out->p_commons.table, new_id,
-			   (hashtab_datum_t *) new_common);
+			   (hashtab_datum_t) new_common);
 	if (ret) {
 		ERR(state->handle, "hashtab overflow");
 		free(new_common);
@ -492,7 +492,7 @@ static int class_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 	ret =
 	    hashtab_insert(state->out->p_classes.table, new_id,
-			   (hashtab_datum_t *) new_class);
+			   (hashtab_datum_t) new_class);
 	if (ret) {
 		ERR(state->handle, "hashtab overflow");
 		free(new_class);
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@ -1291,10 +1291,10 @@ static int copy_avrule_list(avrule_t * list, avrule_t ** dst,
 				     i <
 				     module->perm_map_len[cur_perm->tclass - 1];
 				     i++) {
-					if (!(cur_perm->data & (1U << i)))
+					if (!(cur_perm->data & (UINT32_C(1) << i)))
 						continue;
 					new_perm->data |=
-					    (1U <<
+					    (UINT32_C(1) <<
 					     (module->
 					      perm_map[cur_perm->tclass - 1][i] -
 					      1));
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@ -573,7 +573,7 @@ static int avrule_to_cil(int indent, struct policydb *pdb, uint32_t type, const
 		rule = "auditallow";
 		break;
 	case AVRULE_AUDITDENY:
-		rule = "auditdenty";
+		rule = "auditdeny";
 		break;
 	case AVRULE_DONTAUDIT:
 		rule = "dontaudit";
@ -3354,9 +3354,14 @@ static int typealiases_to_cil(int indent, struct policydb *pdb, struct avrule_bl
 	char *type_name;
 	struct list_node *curr;
 	struct avrule_decl *decl = stack_peek(decl_stack);
-	struct list *alias_list = typealias_lists[decl->decl_id];
+	struct list *alias_list;
 	int rc = -1;
 	if (decl == NULL) {
 		return -1;
 	}
 	alias_list = typealias_lists[decl->decl_id];
 	if (alias_list == NULL) {
 		return 0;
 	}
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@ -4166,7 +4166,7 @@ static sepol_access_vector_t policydb_string_to_av_perm(
 			hashtab_search(tclass_datum->permissions.table,
 			(hashtab_key_t)perm_name);
 	if (perm_datum != NULL)
-		return 0x1U << (perm_datum->s.value - 1);
+		return UINT32_C(1) << (perm_datum->s.value - 1);
 	if (tclass_datum->comdatum == NULL)
 		return 0;
@ -4176,7 +4176,7 @@ static sepol_access_vector_t policydb_string_to_av_perm(
 			(hashtab_key_t)perm_name);
 	if (perm_datum != NULL)
-		return 0x1U << (perm_datum->s.value - 1);
+		return UINT32_C(1) << (perm_datum->s.value - 1);
 	return 0;
 }
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@ -722,12 +722,21 @@ bad:
 	return -1;
 }
 static void validate_array_destroy(validate_t flavors[])
 {
 	unsigned int i;
 	for (i = 0; i < SYM_NUM; i++) {
 		ebitmap_destroy(&flavors[i].gaps);
 	}
 }
 /*
 * Validate policydb
 */
 int validate_policydb(sepol_handle_t *handle, policydb_t *p)
 {
-	validate_t flavors[SYM_NUM];
+	validate_t flavors[SYM_NUM] = {};
 	if (validate_array_init(p, flavors))
 		goto bad;
@ -756,9 +765,12 @@ int validate_policydb(sepol_handle_t *handle, policydb_t *p)
 	if (validate_datum_arrays(handle, p, flavors))
 		goto bad;
 	validate_array_destroy(flavors);
 	return 0;
 bad:
 	ERR(handle, "Invalid policydb");
 	validate_array_destroy(flavors);
 	return -1;
 }
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@ -1213,7 +1213,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass,
 			hashtab_search(tclass_datum->permissions.table,
 			perm_name);
 	if (perm_datum != NULL) {
-		*av = 0x1 << (perm_datum->s.value - 1);
+		*av = UINT32_C(1) << (perm_datum->s.value - 1);
 		return STATUS_SUCCESS;
 	}
@ -1225,7 +1225,7 @@ int sepol_string_to_av_perm(sepol_security_class_t tclass,
 			perm_name);
 	if (perm_datum != NULL) {
-		*av = 0x1 << (perm_datum->s.value - 1);
+		*av = UINT32_C(1) << (perm_datum->s.value - 1);
 		return STATUS_SUCCESS;
 	}
 out:
--- a/libsepol/src/util.c
+++ b/libsepol/src/util.c
@ -92,7 +92,7 @@ char *sepol_av_to_string(policydb_t * policydbp, uint32_t tclass,
 	cladatum = policydbp->class_val_to_struct[tclass - 1];
 	p = avbuf;
 	for (i = 0; i < cladatum->permissions.nprim; i++) {
-		if (av & (1 << i)) {
+		if (av & (UINT32_C(1) << i)) {
 			v.val = i + 1;
 			rc = hashtab_map(cladatum->permissions.table,
 					 perm_name, &v);
--- a/mcstrans/VERSION
+++ b/mcstrans/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/policycoreutils/VERSION
+++ b/policycoreutils/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@ -12,7 +12,7 @@ AUDITH ?= $(shell test -f $(INCLUDEDIR)/libaudit.h && echo y)
 # This will make newrole a setuid root program.
 # The capabilities used are: CAP_AUDIT_WRITE.
 AUDIT_LOG_PRIV ?= n
-# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# Enable capabilities to permit newrole to utilize the pam_namespace module.
 # This will make newrole a setuid root program.
 # The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
 # CAP_DAC_OVERRIDE. 
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@ -1022,7 +1022,7 @@ static int set_signal_handles(void)
 int main(int argc, char *argv[])
 {
 	char *new_context = NULL;	/* target security context */
-	char *old_context = NULL;	/* original securiy context */
+	char *old_context = NULL;	/* original security context */
 	char *tty_context = NULL;	/* current context of tty */
 	char *new_tty_context = NULL;	/* new context of tty */
--- a/policycoreutils/semodule/semodule.c
+++ b/policycoreutils/semodule/semodule.c
@ -452,8 +452,7 @@ int main(int argc, char *argv[])
 					}
 					semanage_module_info_get_priority(sh, extract_info, &curr_priority);
-					printf("Module '%s' does not exist at the default priority '%d'. "
+					printf("Extracting at highest existing priority '%d'.\n", curr_priority);
 							"Extracting at highest existing priority '%d'.\n", mode_arg, priority, curr_priority);
 					priority = curr_priority;
 				}
--- a/python/VERSION
+++ b/python/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@ -129,7 +129,7 @@ class SetImportFile(argparse.Action):
                sys.exit(1)
        setattr(namespace, self.dest, values)
-# define dictonary for seobject OBEJCTS
+# define dictionary for seobject OBEJCTS
 object_dict = {
    'login': seobject.loginRecords,
    'user': seobject.seluserRecords,
@ -146,7 +146,7 @@ object_dict = {
 }
 def generate_custom_usage(usage_text, usage_dict):
-    # generate custom usage from given text and dictonary
+    # generate custom usage from given text and dictionary
    sorted_keys = []
    for i in usage_dict.keys():
        sorted_keys.append(i)
@ -160,7 +160,7 @@ def generate_custom_usage(usage_text, usage_dict):
 def handle_opts(args, dict, target_key):
-    # handle conflict and required options for given dictonary
+    # handle conflict and required options for given dictionary
    # {action:[conflict_opts,require_opts]}
    # first we need to catch conflicts
--- a/python/sepolgen/VERSION
+++ b/python/sepolgen/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/python/sepolgen/src/sepolgen/refpolicy.py
+++ b/python/sepolgen/src/sepolgen/refpolicy.py
@ -42,7 +42,7 @@ PERMS     = 3
 ROLE      = 4
 DEST_TYPE = 5
-# String represenations of the above constants
+# String representations of the above constants
 field_to_str = ["source", "target", "object", "permission", "role", "destination" ]
 str_to_field = { "source" : SRC_TYPE, "target" : TGT_TYPE, "object" : OBJ_CLASS,
                "permission" : PERMS, "role" : ROLE, "destination" : DEST_TYPE }
--- a/python/sepolgen/src/sepolgen/yacc.py
+++ b/python/sepolgen/src/sepolgen/yacc.py
@ -1502,7 +1502,7 @@ class Grammar(object):
        self.Precedence   = {}      # Precedence rules for each terminal. Contains tuples of the
                                    # form ('right',level) or ('nonassoc', level) or ('left',level)
-        self.UsedPrecedence = set() # Precedence rules that were actually used by the grammer.
+        self.UsedPrecedence = set() # Precedence rules that were actually used by the grammar.
                                    # This is only used to provide error checking and to generate
                                    # a warning about unused precedence rules.
--- a/python/sepolicy/sepolicy/manpage.py
+++ b/python/sepolicy/sepolicy/manpage.py
@ -797,7 +797,7 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
 .B STANDARD FILE CONTEXT
 SELinux defines the file context types for the %(domainname)s, if you wanted to
-store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
+store files with these types in a diffent paths, you need to execute the semanage command to specify alternate labeling and then use restorecon to put the labels on disk.
 .B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
 .br
--- a/python/sepolicy/setup.py
+++ b/python/sepolicy/setup.py
@ -6,7 +6,7 @@ from distutils.core import setup
 setup(
    name="sepolicy",
-    version="3.3-rc1",
+    version="3.3",
    description="Python SELinux Policy Analyses bindings",
    author="Daniel Walsh",
    author_email="dwalsh@redhat.com",
--- a/restorecond/VERSION
+++ b/restorecond/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/sandbox/VERSION
+++ b/sandbox/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/secilc/VERSION
+++ b/secilc/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3
--- a/secilc/docs/cil_access_vector_rules.md
+++ b/secilc/docs/cil_access_vector_rules.md
@ -360,7 +360,7 @@ dontauditx
 Do not audit the access rights defined when access denied. This stops excessive log entries for known events.
-Note that for this to work there must *also* be atleast one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
+Note that for this to work there must *also* be at least one [`allowx`](cil_access_vector_rules.md#allowx) rule associated with the target type.
 Note that these rules can be omitted by the CIL compiler command line parameter `-D` or `--disable-dontaudit` flags.
--- a/secilc/docs/secil.xml
+++ b/secilc/docs/secil.xml
@ -208,7 +208,7 @@
            <context name="String" attribute="String" lineEndContext="#stay">
                <RegExpr attribute="Char" context="#stay" String="#\\."/>
-                <!-- allow escaping " or similiar -->
+                <!-- allow escaping " or similar -->
                <HlCStringChar attribute="String Char" context="#stay"/>
                <DetectChar attribute="String" context="#pop" char="&quot;"/>
--- a/secilc/test/block_test.cil
+++ b/secilc/test/block_test.cil
@ -84,7 +84,7 @@
 )
-;; Inherting the abstract block causes the allow rule to be in the policy
+;; Inheriting the abstract block causes the allow rule to be in the policy
 (type t5)
 (block b5
  (blockabstract b5)
--- a/semodule-utils/VERSION
+++ b/semodule-utils/VERSION
@ -1 +1 @@
-3.3-rc1
+3.3