Revert "Merge remote-tracking branch 'aosp/upstream-master' into..."

Revert "Use cil_write_build_ast" Revert submission 1827311-update_libselinux Reason for revert: b/200771997 Reverted Changes: I088d1e94c:Fix build and use new cil_write_build_ast I14dc4dc58:Merge remote-tracking branch 'aosp/upstream-master... I7b77f4469:Use cil_write_build_ast Change-Id: Iec17732997ab203787f021f437f31e51ef886425
2021-09-22 09:15:53 +00:00 · 2021-09-22 09:15:53 +00:00 · c65aca49bb
commit c65aca49bb
parent f4408b8e8e
403 changed files with 9175 additions and 11632 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -1,39 +0,0 @@
 ---
 name: CIFuzz
 on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
    if: github.repository == 'SELinuxProject/selinux'
    strategy:
      fail-fast: false
      matrix:
        sanitizer: [address, undefined, memory]
    steps:
      - name: Build Fuzzers (${{ matrix.sanitizer }})
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: 'selinux'
          dry-run: false
          allowed-broken-targets-percentage: 0
          sanitizer: ${{ matrix.sanitizer }}
      - name: Run Fuzzers (${{ matrix.sanitizer }})
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: 'selinux'
          fuzz-seconds: 180
          dry-run: false
          sanitizer: ${{ matrix.sanitizer }}
      - name: Upload Crash
        uses: actions/upload-artifact@v1
        if: failure() && steps.build.outcome == 'success'
        with:
          name: ${{ matrix.sanitizer }}-artifacts
          path: ./out/artifacts
--- a/.github/workflows/run_tests.yml
+++ b/.github/workflows/run_tests.yml
@ -1,189 +0,0 @@
 name: Run tests
 on: [push, pull_request]
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        compiler: [gcc, clang]
        python-ruby-version:
          - {python: 3.9, ruby: 2.7}
          - {python: 3.9, ruby: 2.7, other: test-flags-override}
          - {python: 3.9, ruby: 2.7, other: test-debug}
          - {python: 3.9, ruby: 2.7, other: linker-bfd}
          - {python: 3.9, ruby: 2.7, other: linker-gold}
          # Test several Python versions with the latest Ruby version
          - {python: 3.8, ruby: 2.7}
          - {python: 3.7, ruby: 2.7}
          - {python: 3.6, ruby: 2.7}
          - {python: 3.5, ruby: 2.7}
          - {python: pypy3, ruby: 2.7}
          # Test several Ruby versions with the latest Python version
          - {python: 3.9, ruby: 2.6}
          - {python: 3.9, ruby: 2.5}
        exclude:
          - compiler: clang
            python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-bfd}
          - compiler: clang
            python-ruby-version: {python: 3.9, ruby: 2.7, other: linker-gold}
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python ${{ matrix.python-ruby-version.python }}
      uses: actions/setup-python@v2
      with:
        python-version: ${{ matrix.python-ruby-version.python }}
    - name: Set up Ruby ${{ matrix.python-ruby-version.ruby }}
      uses: actions/setup-ruby@v1
      with:
        ruby-version: ${{ matrix.python-ruby-version.ruby }}
    - name: Install dependencies
      run: |
        sudo apt-get update -qq
        sudo apt-get install -qqy \
            bison \
            clang \
            flex \
            gawk \
            gettext \
            libaudit-dev \
            libcap-dev \
            libcap-ng-dev \
            libcunit1-dev \
            libdbus-glib-1-dev \
            libpcre3-dev \
            python3-dev \
            python-dev \
            ruby-dev \
            swig \
            xmlto
        pip install flake8
    - name: Configure the environment
      run: |
        DESTDIR=/tmp/destdir
        echo "PYTHON=python" >> $GITHUB_ENV
        echo "RUBY=ruby" >> $GITHUB_ENV
        echo "DESTDIR=$DESTDIR" >> $GITHUB_ENV
        CC=${{ matrix.compiler }}
        if [ "${{ matrix.python-ruby-version.other }}" = "linker-bfd" ] ; then
            CC="$CC -fuse-ld=bfd"
        elif [ "${{ matrix.python-ruby-version.other }}" = "linker-gold" ] ; then
            CC="$CC -fuse-ld=gold"
        fi
        echo "CC=$CC" >> $GITHUB_ENV
        EXPLICIT_MAKE_VARS=
        if [ "${{ matrix.python-ruby-version.other }}" = "test-flags-override" ] ; then
            # Test that overriding CFLAGS, LDFLAGS and other variables works fine
            EXPLICIT_MAKE_VARS="CFLAGS=-I$DESTDIR/usr/include LDFLAGS=-L$DESTDIR/usr/lib LDLIBS= CPPFLAGS="
        elif [ "${{ matrix.python-ruby-version.other }}" = "test-debug" ] ; then
            # Test hat debug build works fine
            EXPLICIT_MAKE_VARS="DEBUG=1"
        else
            EXPLICIT_MAKE_VARS=
        fi
        echo "EXPLICIT_MAKE_VARS=${EXPLICIT_MAKE_VARS}" >> $GITHUB_ENV
        # Find files in order of pkgconf to be able to find Python.h
        # For example with Python 3.5:
        # * python is located at /opt/hostedtoolcache/Python/3.5.10/x64/bin/python
        # * sys.prefix is /opt/hostedtoolcache/Python/3.5.10/x64
        # * Python.h is located at /opt/hostedtoolcache/Python/3.5.10/x64/include/python3.5m/Python.h
        # * python-3.5.pc is located at /opt/hostedtoolcache/Python/3.5.10/x64/lib/pkgconfig/python-3.5.pc
        PYTHON_SYS_PREFIX="$(python -c 'import sys;print(sys.prefix)')"
        echo "PKG_CONFIG_PATH=${PYTHON_SYS_PREFIX}/lib/pkgconfig" >> $GITHUB_ENV
        if [ "${{ matrix.python-ruby-version.python }}" = "pypy3" ] ; then
            # PyPy does not provide a config file for pkg-config
            # libpypy-c.so is provided in bin/libpypy-c.so for PyPy and bin/libpypy3-c.so for PyPy3
            echo "PYINC=-I${PYTHON_SYS_PREFIX}/include" >> $GITHUB_ENV
            echo "PYLIBS=-L${PYTHON_SYS_PREFIX}/bin -lpypy3-c" >> $GITHUB_ENV
        fi
        # Display the final environment file, for debugging purpose
        cat $GITHUB_ENV
    - name: Download and install refpolicy headers for sepolgen tests
      run: |
        curl --location --retry 10 -o refpolicy.tar.bz2 https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20180701/refpolicy-2.20180701.tar.bz2
        tar -xvjf refpolicy.tar.bz2
        sed -e "s,^PREFIX :=.*,PREFIX := $DESTDIR/usr," -i refpolicy/support/Makefile.devel
        sudo make -C refpolicy install-headers clean
        sudo mkdir -p /etc/selinux
        echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
        echo 'SELINUX_DEVEL_PATH = /usr/share/selinux/refpolicy' | sudo tee /etc/selinux/sepolgen.conf
        sed -e "s,\"\(/usr/bin/[cs]\),\"$DESTDIR\1," -i python/sepolgen/src/sepolgen/module.py
        rm -r refpolicy refpolicy.tar.bz2
    - name: Display versions
      run: |
        echo "::group::Compiler ($CC):"
        $CC --version
        echo "::endgroup::"
        echo "::group::Python ($(which "$PYTHON")):"
        $PYTHON --version
        echo "::endgroup::"
        echo "::group::Ruby ($(which "$RUBY")):"
        $RUBY --version
        echo "::endgroup::"
    - name: Run tests
      run: |
        echo "::group::make install"
        make -j$(nproc) install $EXPLICIT_MAKE_VARS -k
        echo "::endgroup::"
        echo "::group::make install-pywrap"
        make -j$(nproc) install-pywrap $EXPLICIT_MAKE_VARS -k
        echo "::endgroup::"
        echo "::group::make install-rubywrap"
        make -j$(nproc) install-rubywrap $EXPLICIT_MAKE_VARS -k
        echo "::endgroup::"
        # Now that everything is installed, run "make all" to build everything which may have not been built
        echo "::group::make all"
        make -j$(nproc) all $EXPLICIT_MAKE_VARS -k
        echo "::endgroup::"
        # Set up environment variables for the tests and show variables (to help debugging issues)
        echo "::group::Environment variables"
        . ./scripts/env_use_destdir
        echo "LD_LIBRARY_PATH=$LD_LIBRARY_PATH"
        echo "PATH=$PATH"
        echo "PYTHONPATH=$PYTHONPATH"
        echo "RUBYLIB=$RUBYLIB"
        echo "::endgroup::"
        # Run tests
        echo "::group::make test"
        make test $EXPLICIT_MAKE_VARS
        echo "::endgroup::"
        # Test Python and Ruby wrappers
        echo "::group::Test Python and Ruby wrappers"
        $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
        $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
        echo "::endgroup::"
        # Run Python linter, but not on the downloaded refpolicy
        echo "::group::scripts/run-flake8"
        ./scripts/run-flake8
        echo "::endgroup::"
        echo "::group::Test .gitignore and make clean distclean"
        # Remove every installed files
        rm -rf "$DESTDIR"
        # Test that "git status" looks clean, or print a clear error message
        git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
        # Clean up everything and show which file needs to be added to "make clean"
        make clean distclean $EXPLICIT_MAKE_VARS
        git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
        echo "::endgroup::"
--- a/.github/workflows/vm_testsuite.yml
+++ b/.github/workflows/vm_testsuite.yml
@ -1,22 +0,0 @@
 name: Run SELinux testsuite in a virtual machine
 on: [push, pull_request]
 jobs:
  vm_testsuite:
    # Use VirtualBox+vagrant on macOS, as described in https://github.com/actions/virtual-environments/issues/433
    runs-on: macos-latest
    steps:
    - uses: actions/checkout@v2
    - name: Create Vagrant VM
      run: |
        cd scripts/ci
        vagrant up
    - name: Run SELinux testsuite in the VM
      run: |
        cd scripts/ci
        vagrant ssh -- ./run-selinux-test.sh
--- a/.travis.yml
+++ b/.travis.yml
@ -1,12 +1,164 @@
 # Define the building environment
 language: c
-# Use Travis-CI Ubuntu 18.04 Bionic Beaver, "full image" variant
+matrix:
  fast_finish: true
 compiler:
  - clang
  - gcc
 env:
  matrix:
    # Test the last version of Python and Ruby together, with some linkers
    - PYVER=python3.7 RUBYLIBVER=2.6
    - PYVER=python3.7 RUBYLIBVER=2.6 TEST_FLAGS_OVERRIDE=1
    - PYVER=python3.7 RUBYLIBVER=2.6 TEST_DEBUG=1
    - PYVER=python3.7 RUBYLIBVER=2.6 LINKER=gold
    - PYVER=python3.7 RUBYLIBVER=2.6 LINKER=bfd
    # Test several Python versions
    - PYVER=python3.5 RUBYLIBVER=2.6
    - PYVER=python3.6 RUBYLIBVER=2.6
    - PYVER=pypy3.5-6.0 RUBYLIBVER=2.6
    # Test several Ruby versions (http://rubies.travis-ci.org/)
    - PYVER=python3.7 RUBYLIBVER=2.5.1
    - PYVER=python3.7 RUBYLIBVER=2.4
    - PYVER=python3.7 RUBYLIBVER=2.3
    - PYVER=python3.7 RUBYLIBVER=2.2
 matrix:
  exclude:
    - compiler: clang
      env: PYVER=python3.7 RUBYLIBVER=2.6 LINKER=gold
    - compiler: clang
      env: PYVER=python3.7 RUBYLIBVER=2.6 LINKER=bfd
 # Use Travis-CI Ubuntu 16.04 Xenial Xerus infrastructure, "full image" variant
 sudo: required
-dist: bionic
+dist: xenial
 # Install SELinux userspace utilities dependencies
 addons:
  apt:
    packages:
    - bison
    - flex
    - gawk
    - gettext
    - libaudit-dev
    - libbz2-dev
    - libcap-dev
    - libcap-ng-dev # This package is not whitelisted for the container infrastructure (https://github.com/travis-ci/apt-package-whitelist/issues/1096)
    - libcunit1-dev
    - libdbus-glib-1-dev
    - libncurses5-dev
    - libpcre3-dev
    - patch
    - python3-dev
    - python-dev
    - swig
    - xmlto
 install:
  # Download and install refpolicy headers for sepolgen tests
  - curl --location --retry 10 -o "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2" https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_2_20180701/refpolicy-2.20180701.tar.bz2
  - tar -C "$TRAVIS_BUILD_DIR" -xvjf "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2"
  # Make refpolicy Makefile use the new toolchain when building modules
  - sed -e "s,^PREFIX :=.*,PREFIX := \$(DESTDIR)/usr," -i "$TRAVIS_BUILD_DIR/refpolicy/support/Makefile.devel"
  - sudo make -C "$TRAVIS_BUILD_DIR/refpolicy" install-headers
  - sudo rm -rf "$TRAVIS_BUILD_DIR/refpolicy.tar.bz2" "$TRAVIS_BUILD_DIR/refpolicy"
  - sudo mkdir -p /etc/selinux
  - echo 'SELINUXTYPE=refpolicy' | sudo tee /etc/selinux/config
  - echo 'SELINUX_DEVEL_PATH = /usr/share/selinux/refpolicy' | sudo tee /etc/selinux/sepolgen.conf
  # Make sepolgen tests work without really installing anything in the real root (doing this would conflict with Ubuntu packages)
  - sed -e "s,\"\(/usr/bin/[cs]\),\"$TRAVIS_BUILD_DIR/installdir\1," -i python/sepolgen/src/sepolgen/module.py
  # Download the required python version if it is not installed
  - VIRTUAL_ENV="$HOME/virtualenv/$PYVER"
  - if ! [ -d "$VIRTUAL_ENV" ] ; then
        curl --retry 10 -o python.tar.bz2 "https://s3.amazonaws.com/travis-python-archives/binaries/ubuntu/16.04/x86_64/${PYVER/python/python-}.tar.bz2" &&
        sudo tar xjf python.tar.bz2 --directory / &&
        rm python.tar.bz2 ;
    fi
  # Install flake8 for the given python version
  - $VIRTUAL_ENV/bin/pip install flake8
 before_script:
  # Build and install in a temporary directory to run tests
  - export DESTDIR="$TRAVIS_BUILD_DIR/installdir"
  # Configure the variables for Python parts
  - export VIRTUAL_ENV="$HOME/virtualenv/$PYVER"
  - export PYTHON="$VIRTUAL_ENV/bin/python"
  # Use the header files in /opt/python/... for Python because the virtualenvs do not provide Python.h
  - export PKG_CONFIG_PATH="/opt/python/$($PYTHON -c 'import sys;print("%d.%d.%d" % sys.version_info[:3])')/lib/pkgconfig"
  # PyPy does not provide a config file for pkg-config
  # libpypy-c.so is provided in bin/libpypy-c.so for PyPy and bin/libpypy3-c.so for PyPy3
  - if echo "$PYVER" | grep -q pypy ; then
        export PYINC=-I$($PYTHON -c 'import sys;print(sys.prefix)')/include ;
        export PYLIBS="$($PYTHON -c 'import sys;print("-L%s/bin -l%s" % (sys.prefix, "pypy-c" if sys.version_info < (3,) else "pypy3-c"))')" ;
    fi
  # Find the Ruby executable with version $RUBYLIBVER
  - rvm reinstall ruby-$RUBYLIBVER --binary
  - export RUBY="$(ls -d -1 "$HOME/.rvm/rubies/ruby-$RUBYLIBVER"*/bin/ruby | head -n 1)"
  # Set the linker in $CC so that it gets used everywhere
  - if [ -n "$LINKER" ]; then CC="$CC -fuse-ld=$LINKER" ; fi
  # Show variables and versions (to help debugging)
  - echo "$CC" ; $CC --version
  - echo "$PYTHON" ; $PYTHON --version
  - echo "$RUBY" ; $RUBY --version
  # If TEST_FLAGS_OVERRIDE is defined, test that overriding CFLAGS, LDFLAGS and other variables works fine
  - if [ -n "$TEST_FLAGS_OVERRIDE" ]; then EXPLICIT_MAKE_VARS="CFLAGS=-I$DESTDIR/usr/include LDFLAGS=-L$DESTDIR/usr/lib LDLIBS= CPPFLAGS=" ; fi
  # If TEST_DEBUG is defined, test that debug build works fine
  - if [ -n "$TEST_DEBUG" ]; then EXPLICIT_MAKE_VARS="$EXPLICIT_MAKE_VARS DEBUG=1" ; fi
 script:
-  - FEDORA_MAJOR=33 FEDORA_MINOR=1.2 scripts/ci/travis-kvm-setup.sh
+  # Start by installing everything into $DESTDIR
  - make install $EXPLICIT_MAKE_VARS -k
  - make install-pywrap $EXPLICIT_MAKE_VARS -k
  - make install-rubywrap $EXPLICIT_MAKE_VARS -k
  # Now that everything is installed, run "make all" to build everything which may have not been built
  - make all $EXPLICIT_MAKE_VARS -k
  # Set up environment variables for the tests
  - . ./scripts/env_use_destdir
  # Show variables (to help debugging issues)
  - echo "$LD_LIBRARY_PATH"
  - echo "$PATH"
  - echo "$PYTHONPATH"
  - echo "$RUBYLIB"
  # Run tests
  - make test $EXPLICIT_MAKE_VARS
  # Test Python and Ruby wrappers
  - $PYTHON -c 'import selinux;import selinux.audit2why;import semanage;print(selinux.is_selinux_enabled())'
  - $RUBY -e 'require "selinux";require "semanage";puts Selinux::is_selinux_enabled()'
  # Run Python linter
  - PATH="$VIRTUAL_ENV/bin:$PATH" ./scripts/run-flake8
  # Remove every installed files
  - rm -rf "$DESTDIR"
  # Test that "git status" looks clean, or print a clear error message
  - |-
    git status --short | sed -n 's/^??/error: missing .gitignore entry for/p' | (! grep '^')
  # Clean up everything and show which file would be added to "make clean"
  - make clean distclean $EXPLICIT_MAKE_VARS
  - |-
    git ls-files --ignored --others --exclude-standard | sed 's/^/error: "make clean distclean" did not remove /' | (! grep '^')
 # Do not spam by email so long as the build succeeds
 notifications:
--- a/25
+++ b/25
@ -0,0 +1,25 @@
 Please submit all bug reports and patches to selinux@vger.kernel.org.
 Subscribe by sending "subscribe selinux" in the body of an email
 to majordomo@vger.kernel.org.
 Build dependencies on Fedora:
 yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python3-devel python3-setools swig xmlto redhat-rpm-config
 To build and install everything under a private directory, run:
 make DESTDIR=~/obj install install-pywrap
 To install as the default system libraries and binaries
 (overwriting any previously installed ones - dangerous!),
 on x86_64, run:
 make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
 or on x86 (32-bit), run:
 make install install-pywrap relabel
 This may render your system unusable if the upstream SELinux userspace
 lacks library functions or other dependencies relied upon by your
 distribution.  If it breaks, you get to keep both pieces.
 To install libsepol on macOS (mainly for policy analysis):
 cd libsepol; make PREFIX=/usr/local install
 This requires GNU coreutils (brew install coreutils).
--- a/README.md
+++ b/README.md
@ -1,145 +0,0 @@
 SELinux Userspace
 =================
 ![SELinux logo](https://github.com/SELinuxProject.png)
 [![Build Status](https://travis-ci.org/SELinuxProject/selinux.svg?branch=master)](https://travis-ci.org/SELinuxProject/selinux)
 [![OSS-Fuzz Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/selinux.svg)](https://oss-fuzz-build-logs.storage.googleapis.com/index.html#selinux)
 [![CIFuzz Status](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml/badge.svg)](https://github.com/SELinuxProject/selinux/actions/workflows/cifuzz.yml)
 Please submit all bug reports and patches to <selinux@vger.kernel.org>.
 Subscribe by sending "subscribe selinux" in the body of an email
 to <majordomo@vger.kernel.org>.
 Archive of this mailing list is available on https://lore.kernel.org/selinux/.
 Installation
 ------------
 SELinux libraries and tools are packaged in several Linux distributions:
 * Alpine Linux (https://pkgs.alpinelinux.org/package/edge/testing/x86/policycoreutils)
 * Arch Linux User Repository (https://aur.archlinux.org/packages/policycoreutils/)
 * Buildroot (https://git.buildroot.net/buildroot/tree/package/policycoreutils)
 * Debian and Ubuntu (https://packages.debian.org/sid/policycoreutils)
 * Gentoo (https://packages.gentoo.org/packages/sys-apps/policycoreutils)
 * RHEL and Fedora (https://src.fedoraproject.org/rpms/policycoreutils)
 * Yocto Project (http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/selinux)
 * and many more (https://repology.org/project/policycoreutils/versions)
 Building and testing
 --------------------
 Build dependencies on Fedora:
 ```sh
 # For C libraries and programs
 dnf install \
    audit-libs-devel \
    bison \
    bzip2-devel \
    CUnit-devel \
    diffutils \
    flex \
    gcc \
    gettext \
    glib2-devel \
    make \
    libcap-devel \
    libcap-ng-devel \
    pam-devel \
    pcre-devel \
    xmlto
 # For Python and Ruby bindings
 dnf install \
    python3-devel \
    ruby-devel \
    swig
 ```
 Build dependencies on Debian:
 ```sh
 # For C libraries and programs
 apt-get install --no-install-recommends --no-install-suggests \
    bison \
    flex \
    gawk \
    gcc \
    gettext \
    make \
    libaudit-dev \
    libbz2-dev \
    libcap-dev \
    libcap-ng-dev \
    libcunit1-dev \
    libglib2.0-dev \
    libpcre3-dev \
    pkgconf \
    python3 \
    python3-distutils \
    systemd \
    xmlto
 # For Python and Ruby bindings
 apt-get install --no-install-recommends --no-install-suggests \
    python3-dev \
    ruby-dev \
    swig
 ```
 To build and install everything under a private directory, run:
    make clean distclean
    make DESTDIR=~/obj install install-rubywrap install-pywrap
 On Debian `PYTHON_SETUP_ARGS=--install-layout=deb` needs to be set when installing the python wrappers in order to create the correct python directory structure.
 To run tests with the built libraries and programs, several paths (relative to `$DESTDIR`) need to be added to variables `$LD_LIBRARY_PATH`, `$PATH` and `$PYTHONPATH`.
 This can be done using [./scripts/env_use_destdir](./scripts/env_use_destdir):
    DESTDIR=~/obj ./scripts/env_use_destdir make test
 Some tests require the reference policy to be installed (for example in `python/sepolgen`).
 In order to run these ones, instructions similar to the ones in section `install` of [./.travis.yml](./.travis.yml) can be executed.
 To install as the default system libraries and binaries
 (overwriting any previously installed ones - dangerous!),
 on x86_64, run:
    make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
 or on x86 (32-bit), run:
    make install install-pywrap relabel
 This may render your system unusable if the upstream SELinux userspace
 lacks library functions or other dependencies relied upon by your
 distribution.  If it breaks, you get to keep both pieces.
 ## Setting CFLAGS
 Setting CFLAGS during the make process will cause the omission of many defaults. While the project strives
 to provide a reasonable set of default flags, custom CFLAGS could break the build, or have other undesired
 changes on the build output. Thus, be very careful when setting CFLAGS. CFLAGS that are encouraged to be
 set when overriding are:
 - -fno-semantic-interposition for gcc or compilers that do not do this. clang does this by default. clang-10 and up
   will support passing this flag, but ignore it. Previous clang versions fail.
 macOS
 -----
 To install libsepol on macOS (mainly for policy analysis):
    cd libsepol; make PREFIX=/usr/local install
 This requires GNU coreutils:
    brew install coreutils
--- a/1
+++ b/1
@ -1 +0,0 @@
 3.3-rc1
--- a/checkpolicy/Makefile
+++ b/checkpolicy/Makefile
@ -10,7 +10,7 @@ TARGETS = checkpolicy checkmodule
 LEX = flex
 YACC = bison -y
-CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing
+CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
 # If no specific libsepol.a is specified, fall back on LDFLAGS search path
 # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
@ -30,10 +30,10 @@ all:  $(TARGETS)
 	$(MAKE) -C test
 checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA)
-	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+	$(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
 checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA)
-	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+	$(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
 %.o: %.c 
 	$(CC) $(CFLAGS) -o $@ -c $<
--- a/checkpolicy/VERSION
+++ b/checkpolicy/VERSION
@ -1 +1 @@
-3.3-rc1
+3.0
--- a/checkpolicy/checkmodule.8
+++ b/checkpolicy/checkmodule.8
@ -28,9 +28,6 @@ module file.  This option is a development/debugging aid.
 .B \-C,\-\-cil
 Write CIL policy file rather than binary policy file.
 .TP
 .B \-E,\-\-werror
 Treat warnings as errors
 .TP
 .B \-h,\-\-help
 Print usage.
 .TP
@ -67,6 +64,6 @@ SELinux Reference Policy documentation at https://github.com/SELinuxProject/refp
 .SH AUTHOR
 This manual page was copied from the checkpolicy man page 
-written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
+written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>, 
 and edited by Dan Walsh <dwalsh@redhat.com>.
 The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
--- a/checkpolicy/checkmodule.c
+++ b/checkpolicy/checkmodule.c
@ -25,6 +25,7 @@
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/link.h>
@ -40,7 +41,6 @@ extern int optind;
 static sidtab_t sidtab;
 extern int mlspol;
 extern int werror;
 static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
@ -126,7 +126,7 @@ static int write_binary_policy(policydb_t * p, FILE *outfp)
 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
-	printf("usage:  %s [-h] [-V] [-b] [-C] [-E] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
+	printf("usage:  %s [-h] [-V] [-b] [-C] [-U handle_unknown] [-m] [-M] [-o FILE] [INPUT]\n", progname);
 	printf("Build base and policy modules.\n");
 	printf("Options:\n");
 	printf("  INPUT      build module from INPUT (else read from \"%s\")\n",
@ -134,7 +134,6 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 	printf("  -V         show policy versions created by this program\n");
 	printf("  -b         treat input as a binary policy file\n");
 	printf("  -C         output CIL policy instead of binary policy\n");
 	printf("  -E         treat warnings as errors\n");
 	printf("  -h         print usage\n");
 	printf("  -U OPTION  How to handle unknown classes and permissions\n");
 	printf("               deny: Deny unknown kernel checks\n");
@ -163,11 +162,10 @@ int main(int argc, char **argv)
 		{"handle-unknown", required_argument, NULL, 'U'},
 		{"mls", no_argument, NULL, 'M'},
 		{"cil", no_argument, NULL, 'C'},
 		{"werror", no_argument, NULL, 'E'},
 		{NULL, 0, NULL, 0}
 	};
-	while ((ch = getopt_long(argc, argv, "ho:bVEU:mMCc:", long_options, NULL)) != -1) {
+	while ((ch = getopt_long(argc, argv, "ho:bVU:mMCc:", long_options, NULL)) != -1) {
 		switch (ch) {
 		case 'h':
 			usage(argv[0]);
@ -182,9 +180,6 @@ int main(int argc, char **argv)
 		case 'V':
 			show_version = 1;
 			break;
 		case 'E':
 			werror = 1;
 			break;
 		case 'U':
 			if (!strcasecmp(optarg, "deny")) {
 				handle_unknown = DENY_UNKNOWN;
@ -288,16 +283,14 @@ int main(int argc, char **argv)
 	}
 	if (policy_type != POLICY_BASE && outfile) {
 		char *out_name;
 		char *separator;
 		char *mod_name = modpolicydb.name;
 		char *out_path = strdup(outfile);
 		if (out_path == NULL) {
 			fprintf(stderr, "%s:  out of memory\n", argv[0]);
 			exit(1);
 		}
-		out_name = basename(out_path);
+		char *out_name = basename(out_path);
-		separator = strrchr(out_name, '.');
+		char *separator = strrchr(out_name, '.');
 		if (separator) {
 			*separator = '\0';
 		}
--- a/checkpolicy/checkpolicy.8
+++ b/checkpolicy/checkpolicy.8
@ -53,9 +53,6 @@ Specify the target platform (selinux or xen).
 .B \-O,\-\-optimize
 Optimize the final kernel policy (remove redundant rules).
 .TP
 .B \-E,\-\-werror
 Treat warnings as errors
 .TP
 .B \-V,\-\-version
 Show version information.
 .TP
@ -67,6 +64,6 @@ SELinux Reference Policy documentation at https://github.com/SELinuxProject/refp
 .SH AUTHOR
-This manual page was written by Árpád Magosányi <mag@bunuel.tii.matav.hu>,
+This manual page was written by Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
 and edited by Stephen Smalley <sds@tycho.nsa.gov>.
 The program was written by Stephen Smalley <sds@tycho.nsa.gov>.
--- a/checkpolicy/checkpolicy.c
+++ b/checkpolicy/checkpolicy.c
@ -85,6 +85,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/expand.h>
 #include <sepol/policydb/link.h>
@ -100,33 +101,29 @@ static sidtab_t sidtab;
 extern policydb_t *policydbp;
 extern int mlspol;
 extern int werror;
 static int handle_unknown = SEPOL_DENY_UNKNOWN;
 static const char *txtfile = "policy.conf";
 static const char *binfile = "policy";
-unsigned int policyvers = 0;
+unsigned int policyvers = POLICYDB_VERSION_MAX;
 static __attribute__((__noreturn__)) void usage(const char *progname)
 {
 	printf
 	    ("usage:  %s [-b[F]] [-C] [-d] [-U handle_unknown (allow,deny,reject)] [-M] "
 	     "[-c policyvers (%d-%d)] [-o output_file|-] [-S] "
-	     "[-t target_platform (selinux,xen)] [-E] [-V] [input_file]\n",
+	     "[-t target_platform (selinux,xen)] [-V] [input_file]\n",
 	     progname, POLICYDB_VERSION_MIN, POLICYDB_VERSION_MAX);
 	exit(1);
 }
 #define FGETS(out, size, in) \
-do { \
+if (fgets(out,size,in)==NULL) {	\
-	if (fgets(out,size,in)==NULL) {	\
+		fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
-		fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \
+				strerror(errno)); \
-			strerror(errno)); \
+			exit(1);\
-		exit(1);\
+}
 	} \
 } while (0)
 static int print_sid(sepol_security_id_t sid,
 		     context_struct_t * context
 		     __attribute__ ((unused)), void *data
@ -424,12 +421,11 @@ int main(int argc, char **argv)
 		{"conf",no_argument, NULL, 'F'},
 		{"sort", no_argument, NULL, 'S'},
 		{"optimize", no_argument, NULL, 'O'},
 		{"werror", no_argument, NULL, 'E'},
 		{"help", no_argument, NULL, 'h'},
 		{NULL, 0, NULL, 0}
 	};
-	while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:OEh", long_options, NULL)) != -1) {
+	while ((ch = getopt_long(argc, argv, "o:t:dbU:MCFSVc:Oh", long_options, NULL)) != -1) {
 		switch (ch) {
 		case 'o':
 			outfile = optarg;
@ -504,12 +500,10 @@ int main(int argc, char **argv)
 					usage(argv[0]);
 					exit(1);
 				}
-				policyvers = n;
+				if (policyvers != n)
 					policyvers = n;
 				break;
 			}
 		case 'E':
 			 werror = 1;
 			 break;
 		case 'h':
 		default:
 			usage(argv[0]);
@ -517,8 +511,7 @@ int main(int argc, char **argv)
 	}
 	if (show_version) {
-		printf("%d (compatibility range %d-%d)\n",
+		printf("%d (compatibility range %d-%d)\n", policyvers,
 			   policyvers ? policyvers : POLICYDB_VERSION_MAX ,
 		       POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
 		exit(0);
 	}
@ -591,16 +584,6 @@ int main(int argc, char **argv)
 				exit(1);
 			}
 		}
 		if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
 			if (policyvers > policydbp->policyvers) {
 				fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
 			} else if (policyvers) {
 				policydbp->policyvers = policyvers;
 			}
 		} else {
 			policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
 		}
 	} else {
 		if (conf) {
 			fprintf(stderr, "Can only generate policy.conf from binary policy\n");
@ -642,8 +625,6 @@ int main(int argc, char **argv)
 			policydb_destroy(policydbp);
 			policydbp = &policydb;
 		}
 		policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
 	}
 	if (policydb_load_isids(&policydb, &sidtab))
@ -669,6 +650,8 @@ int main(int argc, char **argv)
 			}
 		}
 		policydb.policyvers = policyvers;
 		if (!cil) {
 			if (!conf) {
 				policydb.policy_type = POLICY_KERN;
@ -970,12 +953,8 @@ int main(int argc, char **argv)
 			printf("fs kdevname?  ");
 			FGETS(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
-			ret = sepol_fs_sid(ans, &ssid, &tsid);
+			sepol_fs_sid(ans, &ssid, &tsid);
-			if (ret) {
+			printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
 				printf("unknown fs kdevname\n");
 			} else {
 				printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
 			}
 			break;
 		case '9':
 			printf("protocol?  ");
@ -1003,12 +982,8 @@ int main(int argc, char **argv)
 			printf("netif name?  ");
 			FGETS(ans, sizeof(ans), stdin);
 			ans[strlen(ans) - 1] = 0;
-			ret = sepol_netif_sid(ans, &ssid, &tsid);
+			sepol_netif_sid(ans, &ssid, &tsid);
-			if (ret) {
+			printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
 				printf("unknown name\n");
 			} else {
 				printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
 			}
 			break;
 		case 'b':{
 				char *p;
@ -1187,6 +1162,8 @@ int main(int argc, char **argv)
 					printf("\nNo such class.\n");
 					break;
 				}
 				cladatum =
 				    policydb.class_val_to_struct[tclass - 1];
 			} else {
 				ans[strlen(ans) - 1] = 0;
 				cladatum =
@ -1238,6 +1215,8 @@ int main(int argc, char **argv)
 					printf("\nNo such class.\n");
 					break;
 				}
 				cladatum =
 				    policydb.class_val_to_struct[tclass - 1];
 			} else {
 				ans[strlen(ans) - 1] = 0;
 				cladatum =
--- a/checkpolicy/parse_util.c
+++ b/checkpolicy/parse_util.c
@ -28,6 +28,7 @@ extern int yyparse(void);
 extern void yyrestart(FILE *);
 extern queue_t id_queue;
 extern unsigned int policydb_errors;
 extern unsigned long policydb_lineno;
 extern policydb_t *policydbp;
 extern int mlspol;
 extern void set_source_file(const char *name);
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@ -53,6 +53,7 @@
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
@ -77,7 +78,7 @@ extern int yyerror(const char *msg);
 #define ERRORMSG_LEN 255
 static char errormsg[ERRORMSG_LEN + 1] = {0};
-static int id_has_dot(const char *id);
+static int id_has_dot(char *id);
 static int parse_security_context(context_struct_t *c);
 /* initialize all of the state variables for the scanner/parser */
@ -141,7 +142,7 @@ int insert_id(const char *id, int push)
 /* If the identifier has a dot within it and that its first character
   is not a dot then return 1, else return 0. */
-static int id_has_dot(const char *id)
+static int id_has_dot(char *id)
 {
 	if (strchr(id, '.') >= id + 1) {
 		return 1;
@ -1168,6 +1169,11 @@ int expand_attrib(void)
 	ebitmap_init(&attrs);
 	while ((id = queue_remove(id_queue))) {
 		if (!id) {
 			yyerror("No attribute name for expandattribute statement?");
 			goto exit;
 		}
 		if (!is_id_in_scope(SYM_TYPES, id)) {
 			yyerror2("attribute %s is not within scope", id);
 			goto exit;
@ -1796,7 +1802,7 @@ int define_bool_tunable(int is_tunable)
 		return -1;
 	}
-	datum->state = (bool_value[0] == 'T') ? 1 : 0;
+	datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
 	free(bool_value);
 	return 0;
      cleanup:
@ -1904,9 +1910,8 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
 {
 	char *id;
 	struct av_ioctl_range_list *rnew, *r = NULL;
 	uint8_t omit = 0;
 	*rangehead = NULL;
 	uint8_t omit = 0;
 	/* read in all the ioctl commands */
 	while ((id = queue_remove(id_queue))) {
@ -1943,9 +1948,7 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
 		}
 	}
 	r = *rangehead;
-	if (r) {
+	r->omit = omit;
 		r->omit = omit;
 	}
 	return 0;
 error:
 	yyerror("out of memory");
@ -2145,7 +2148,7 @@ out:
 /* index of the u32 containing the permission */
 #define XPERM_IDX(x) (x >> 5)
 /* set bits 0 through x-1 within the u32 */
-#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
+#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
 /* low value for this u32 */
 #define XPERM_LOW(x) (x << 5)
 /* high value for this u32 */
@ -2172,7 +2175,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
 	}
 }
-int avrule_xperms_used(const av_extended_perms_t *xperms)
+int avrule_xperms_used(av_extended_perms_t *xperms)
 {
 	unsigned int i;
@ -2347,7 +2350,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
 	return 0;
 }
-int avrule_cpy(avrule_t *dest, const avrule_t *src)
+int avrule_cpy(avrule_t *dest, avrule_t *src)
 {
 	class_perm_node_t *src_perms;
 	class_perm_node_t *dest_perms, *dest_tail;
@ -2395,7 +2398,7 @@ int avrule_cpy(avrule_t *dest, const avrule_t *src)
 	return 0;
 }
-int define_te_avtab_ioctl(const avrule_t *avrule_template)
+int define_te_avtab_ioctl(avrule_t *avrule_template)
 {
 	avrule_t *avrule;
 	struct av_ioctl_range_list *rangelist;
@ -3301,6 +3304,8 @@ int define_filename_trans(void)
 	ebitmap_t e_stypes, e_ttypes;
 	ebitmap_t e_tclasses;
 	ebitmap_node_t *snode, *tnode, *cnode;
 	filename_trans_t *ft;
 	filename_trans_datum_t *ftdatum;
 	filename_trans_rule_t *ftr;
 	type_datum_t *typdatum;
 	uint32_t otype;
@ -3384,19 +3389,40 @@ int define_filename_trans(void)
 	ebitmap_for_each_positive_bit(&e_tclasses, cnode, c) {
 		ebitmap_for_each_positive_bit(&e_stypes, snode, s) {
 			ebitmap_for_each_positive_bit(&e_ttypes, tnode, t) {
-				rc = policydb_filetrans_insert(
+				ft = calloc(1, sizeof(*ft));
-					policydbp, s+1, t+1, c+1, name,
+				if (!ft) {
-					NULL, otype, NULL
+					yyerror("out of memory");
-				);
+					goto bad;
-				if (rc != SEPOL_OK) {
+				}
-					if (rc == SEPOL_EEXIST) {
+				ft->stype = s+1;
-						yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
+				ft->ttype = t+1;
-							name,
+				ft->tclass = c+1;
-							policydbp->p_type_val_to_name[s],
+				ft->name = strdup(name);
-							policydbp->p_type_val_to_name[t],
+				if (!ft->name) {
-							policydbp->p_class_val_to_name[c]);
+					yyerror("out of memory");
-						goto bad;
+					goto bad;
-					}
+				}
 				ftdatum = hashtab_search(policydbp->filename_trans,
 							 (hashtab_key_t)ft);
 				if (ftdatum) {
 					yyerror2("duplicate filename transition for: filename_trans %s %s %s:%s",
 						 name,
 						 policydbp->p_type_val_to_name[s],
 						 policydbp->p_type_val_to_name[t],
 						 policydbp->p_class_val_to_name[c]);
 					goto bad;
 				}
 				ftdatum = calloc(1, sizeof(*ftdatum));
 				if (!ftdatum) {
 					yyerror("out of memory");
 					goto bad;
 				}
 				rc = hashtab_insert(policydbp->filename_trans,
 						    (hashtab_key_t)ft,
 						    ftdatum);
 				if (rc) {
 					yyerror("out of memory");
 					goto bad;
 				}
@ -3444,10 +3470,9 @@ bad:
 	return -1;
 }
-static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
+static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
 {
-	constraint_expr_t *h = NULL, *l = NULL, *newe;
+	constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
 	const constraint_expr_t *e;
 	for (e = expr; e; e = e->next) {
 		newe = malloc(sizeof(*newe));
 		if (!newe)
@ -3478,7 +3503,12 @@ static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
 	return h;
      oom:
-	constraint_expr_destroy(h);
+	e = h;
 	while (e) {
 		l = e;
 		e = e->next;
 		constraint_expr_destroy(l);
 	}
 	return NULL;
 }
@ -4087,6 +4117,8 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
 static int set_user_roles(role_set_t * set, char *id)
 {
 	role_datum_t *r;
 	unsigned int i;
 	ebitmap_node_t *node;
 	if (strcmp(id, "*") == 0) {
 		free(id);
@ -4112,9 +4144,12 @@ static int set_user_roles(role_set_t * set, char *id)
 		return -1;
 	}
 	/* set the role and every role it dominates */
 	ebitmap_for_each_positive_bit(&r->dominates, node, i) {
 		if (ebitmap_set_bit(&set->roles, i, TRUE))
 			goto oom;
 	}
 	free(id);
 	if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE))
 		goto oom;
 	return 0;
      oom:
 	yyerror("out of memory");
@ -5474,9 +5509,7 @@ int define_genfs_context_helper(char *fstype, int has_type)
 {
 	struct genfs *genfs_p, *genfs, *newgenfs;
 	ocontext_t *newc, *c, *head, *p;
 	class_datum_t *cladatum;
 	char *type = NULL;
 	const char *sclass;
 	int len, len2;
 	if (policydbp->target_platform != SEPOL_TARGET_SELINUX) {
@ -5538,39 +5571,30 @@ int define_genfs_context_helper(char *fstype, int has_type)
 		}
 		switch (type[0]) {
 		case 'b':
-			sclass = "blk_file";
+			newc->v.sclass = SECCLASS_BLK_FILE;
 			break;
 		case 'c':
-			sclass = "chr_file";
+			newc->v.sclass = SECCLASS_CHR_FILE;
 			break;
 		case 'd':
-			sclass = "dir";
+			newc->v.sclass = SECCLASS_DIR;
 			break;
 		case 'p':
-			sclass = "fifo_file";
+			newc->v.sclass = SECCLASS_FIFO_FILE;
 			break;
 		case 'l':
-			sclass = "lnk_file";
+			newc->v.sclass = SECCLASS_LNK_FILE;
 			break;
 		case 's':
-			sclass = "sock_file";
+			newc->v.sclass = SECCLASS_SOCK_FILE;
 			break;
 		case '-':
-			sclass = "file";
+			newc->v.sclass = SECCLASS_FILE;
 			break;
 		default:
 			yyerror2("invalid type %s", type);
 			goto fail;
 		}
 		cladatum = hashtab_search(policydbp->p_classes.table,
 					  sclass);
 		if (!cladatum) {
 			yyerror2("could not find class %s for "
 				 "genfscon statement", sclass);
 			goto fail;
 		}
 		newc->v.sclass = cladatum->s.value;
 	}
 	if (parse_security_context(&newc->context[0]))
 		goto fail;
--- a/checkpolicy/policy_parse.y
+++ b/checkpolicy/policy_parse.y
@ -46,6 +46,7 @@
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/hierarchy.h>
 #include <sepol/policydb/polcaps.h>
 #include "queue.h"
--- a/checkpolicy/policy_scan.l
+++ b/checkpolicy/policy_scan.l
@ -36,8 +36,6 @@ typedef int (* require_func_t)(void);
 static char linebuf[2][255];
 static unsigned int lno = 0;
 int werror = 0;
 int yyerror(const char *msg);
 int yywarn(const char *msg);
 void set_source_file(const char *name);
@ -292,7 +290,7 @@ GLBLUB				{ return(GLBLUB); }
 "]" |
 "~" |
 "*"				{ return(yytext[0]); } 
-.                               { yyerror("unrecognized character");}
+.                               { yywarn("unrecognized character");}
 %%
 int yyerror(const char *msg)
 {
@ -312,9 +310,6 @@ int yyerror(const char *msg)
 int yywarn(const char *msg)
 {
 	if (werror)
 		return yyerror(msg);
 	if (source_file[0])
 		fprintf(stderr, "%s:%ld:",
 			source_file, source_lineno);
--- a/checkpolicy/ru/checkmodule.8
+++ b/checkpolicy/ru/checkmodule.8
@ -50,7 +50,7 @@ $ checkmodule \-M \-m httpd.te \-o httpd.mod
 .SH АВТОРЫ
-Эта страница руководства была скопирована со страницы руководства checkpolicy, написанной Árpád Magosányi <mag@bunuel.tii.matav.hu>,
+Эта страница руководства была скопирована со страницы руководства checkpolicy, написанной Arpad Magosanyi <mag@bunuel.tii.matav.hu>, 
 и отредактирована Dan Walsh <dwalsh@redhat.com>.
 Программа была написана Stephen Smalley <sds@tycho.nsa.gov>.
-Перевод на русский язык выполнила Олеся Герасименко <gammaray@basealt.ru>.
+Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
--- a/checkpolicy/ru/checkpolicy.8
+++ b/checkpolicy/ru/checkpolicy.8
@ -54,7 +54,7 @@ checkpolicy \- компилятор политики SELinux
 Документация SELinux Reference Policy по адресу https://github.com/SELinuxProject/refpolicy/wiki
 .SH АВТОРЫ
-Эта страница руководства была написана Árpád Magosányi <mag@bunuel.tii.matav.hu>,
+Эта страница руководства была написана Arpad Magosanyi <mag@bunuel.tii.matav.hu>,
 и отредактирована Stephen Smalley <sds@tycho.nsa.gov>.
 Программа была написана Stephen Smalley <sds@tycho.nsa.gov>.
-Перевод на русский язык выполнила Олеся Герасименко <gammaray@basealt.ru>.
+Перевод на русский язык выполнила Герасименко Олеся <gammaray@basealt.ru>.
--- a/checkpolicy/test/Makefile
+++ b/checkpolicy/test/Makefile
@ -1,7 +1,7 @@
 #
 # Makefile for building the dispol program
 #
-CFLAGS ?= -g -Wall -W -Werror -O2
+CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
 # If no specific libsepol.a is specified, fall back on LDFLAGS search path
 # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
@ -13,10 +13,10 @@ endif
 all: dispol dismod
 dispol: dispol.o $(LIBSEPOLA)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
 dismod: dismod.o $(LIBSEPOLA)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
 clean:
 	-rm -f dispol dismod *.o 
--- a/checkpolicy/test/dismod.c
+++ b/checkpolicy/test/dismod.c
@ -30,6 +30,7 @@
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
 #include <sepol/policydb/link.h>
 #include <sepol/policydb/module.h>
 #include <sepol/policydb/util.h>
@ -111,7 +112,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
 	}
 }
-static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
 		     FILE * fp)
 {
 	unsigned int i, num_types;
@ -175,7 +176,7 @@ static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * polic
 	return 0;
 }
-static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
 {
 	unsigned int i, num = 0;
@ -210,7 +211,7 @@ static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
 }
-static int display_avrule(avrule_t * avrule, policydb_t * policy,
+int display_avrule(avrule_t * avrule, policydb_t * policy,
 		   FILE * fp)
 {
 	class_perm_node_t *cur;
@ -313,7 +314,7 @@ static int display_avrule(avrule_t * avrule, policydb_t * policy,
 	return 0;
 }
-static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
 {
 	type_datum_t *type;
 	FILE *fp;
@ -355,14 +356,14 @@ static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void
 	return 0;
 }
-static int display_types(policydb_t * p, FILE * fp)
+int display_types(policydb_t * p, FILE * fp)
 {
 	if (hashtab_map(p->p_types.table, display_type_callback, fp))
 		return -1;
 	return 0;
 }
-static int display_users(policydb_t * p, FILE * fp)
+int display_users(policydb_t * p, FILE * fp)
 {
 	unsigned int i, j;
 	ebitmap_t *bitmap;
@ -381,7 +382,7 @@ static int display_users(policydb_t * p, FILE * fp)
 	return 0;
 }
-static int display_bools(policydb_t * p, FILE * fp)
+int display_bools(policydb_t * p, FILE * fp)
 {
 	unsigned int i;
@ -392,7 +393,7 @@ static int display_bools(policydb_t * p, FILE * fp)
 	return 0;
 }
-static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 {
 	cond_expr_t *cur;
@ -427,14 +428,14 @@ static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 	}
 }
-static void display_policycon(FILE * fp)
+void display_policycon(FILE * fp)
 {
 	/* There was an attempt to implement this at one time.  Look through
 	 * git history to find it. */
 	fprintf(fp, "Sorry, not implemented\n");
 }
-static void display_initial_sids(policydb_t * p, FILE * fp)
+void display_initial_sids(policydb_t * p, FILE * fp)
 {
 	ocontext_t *cur;
 	char *user, *role, *type;
@ -459,7 +460,7 @@ static void display_initial_sids(policydb_t * p, FILE * fp)
 #endif
 }
-static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
 {
 	unsigned int i, num = 0;
@ -482,7 +483,7 @@ static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
 		fprintf(fp, " }");
 }
-static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
 {
 	for (; tr; tr = tr->next) {
 		fprintf(fp, "role transition ");
@ -495,7 +496,7 @@ static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp
 	}
 }
-static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
+void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
 {
 	for (; ra; ra = ra->next) {
 		fprintf(fp, "role allow ");
@ -517,7 +518,7 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
 	}
 }
-static int role_display_callback(hashtab_key_t key __attribute__((unused)),
+int role_display_callback(hashtab_key_t key __attribute__((unused)),
 			  hashtab_datum_t datum, void *data)
 {
 	role_datum_t *role;
@ -611,7 +612,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 }
 #endif
-static int display_avdecl(avrule_decl_t * decl, int field,
+int display_avdecl(avrule_decl_t * decl, int field,
 		   policydb_t * policy, FILE * out_fp)
 {
 	fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
@ -692,13 +693,13 @@ static int display_avdecl(avrule_decl_t * decl, int field,
 	return 0;		/* should never get here */
 }
-static int display_avblock(int field, policydb_t * policy,
+int display_avblock(int field, policydb_t * policy,
 		    FILE * out_fp)
 {
 	avrule_block_t *block = policydb.global;
 	while (block != NULL) {
 		avrule_decl_t *decl = block->branch_list;
 		fprintf(out_fp, "--- begin avrule block ---\n");
 		avrule_decl_t *decl = block->branch_list;
 		while (decl != NULL) {
 			if (display_avdecl(decl, field, policy, out_fp)) {
 				return -1;
@ -710,7 +711,7 @@ static int display_avblock(int field, policydb_t * policy,
 	return 0;
 }
-static int display_handle_unknown(policydb_t * p, FILE * out_fp)
+int display_handle_unknown(policydb_t * p, FILE * out_fp)
 {
 	if (p->handle_unknown == ALLOW_UNKNOWN)
 		fprintf(out_fp, "Allow unknown classes and perms\n");
@ -827,14 +828,14 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
 		capname = sepol_polcap_getname(i);
 		if (capname == NULL) {
-			snprintf(buf, sizeof(buf), "unknown (%u)", i);
+			snprintf(buf, sizeof(buf), "unknown (%d)", i);
 			capname = buf;
 		}
 		fprintf(fp, "\t%s\n", capname);
 	}
 }
-static int menu(void)
+int menu(void)
 {
 	printf("\nSelect a command:\n");
 	printf("1)  display unconditional AVTAB\n");
--- a/checkpolicy/test/dispol.c
+++ b/checkpolicy/test/dispol.c
@ -42,7 +42,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
 	exit(1);
 }
-static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
 		       FILE * fp)
 {
 	char *perm;
@ -54,13 +54,13 @@ static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
 	return 0;
 }
-static int render_type(uint32_t type, policydb_t * p, FILE * fp)
+int render_type(uint32_t type, policydb_t * p, FILE * fp)
 {
 	fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
 	return 0;
 }
-static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
 {
 	char *stype, *ttype, *tclass;
 	stype = p->p_type_val_to_name[key->source_type - 1];
@ -84,7 +84,7 @@ static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
 #define RENDER_DISABLED		0x0004
 #define RENDER_CONDITIONAL	(RENDER_ENABLED|RENDER_DISABLED)
-static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
 		   policydb_t * p, FILE * fp)
 {
 	if (!(what & RENDER_UNCONDITIONAL)) {
@ -163,7 +163,7 @@ static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t wha
 	return 0;
 }
-static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
 {
 	unsigned int i;
 	avtab_ptr_t cur;
@ -178,7 +178,7 @@ static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
 	return 0;
 }
-static int display_bools(policydb_t * p, FILE * fp)
+int display_bools(policydb_t * p, FILE * fp)
 {
 	unsigned int i;
@ -189,7 +189,7 @@ static int display_bools(policydb_t * p, FILE * fp)
 	return 0;
 }
-static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 {
 	cond_expr_t *cur;
@ -224,7 +224,7 @@ static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
 	}
 }
-static int display_cond_expressions(policydb_t * p, FILE * fp)
+int display_cond_expressions(policydb_t * p, FILE * fp)
 {
 	cond_node_t *cur;
 	cond_av_list_t *av_cur;
@ -249,7 +249,7 @@ static int display_cond_expressions(policydb_t * p, FILE * fp)
 	return 0;
 }
-static int display_handle_unknown(policydb_t * p, FILE * out_fp)
+int display_handle_unknown(policydb_t * p, FILE * out_fp)
 {
 	if (p->handle_unknown == ALLOW_UNKNOWN)
 		fprintf(out_fp, "Allow unknown classes and permissions\n");
@ -260,7 +260,7 @@ static int display_handle_unknown(policydb_t * p, FILE * out_fp)
 	return 0;
 }
-static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+int change_bool(char *name, int state, policydb_t * p, FILE * fp)
 {
 	cond_bool_datum_t *bool;
@ -285,7 +285,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
 	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
 		capname = sepol_polcap_getname(i);
 		if (capname == NULL) {
-			snprintf(buf, sizeof(buf), "unknown (%u)", i);
+			snprintf(buf, sizeof(buf), "unknown (%d)", i);
 			capname = buf;
 		}
 		fprintf(fp, "\t%s\n", capname);
@ -335,25 +335,17 @@ static int filenametr_display(hashtab_key_t key,
 			      hashtab_datum_t datum,
 			      void *ptr)
 {
-	struct filename_trans_key *ft = (struct filename_trans_key *)key;
+	struct filename_trans *ft = (struct filename_trans *)key;
 	struct filename_trans_datum *ftdatum = datum;
 	struct filenametr_display_args *args = ptr;
 	policydb_t *p = args->p;
 	FILE *fp = args->fp;
 	ebitmap_node_t *node;
 	uint32_t bit;
 	do {
 		ebitmap_for_each_positive_bit(&ftdatum->stypes, node, bit) {
 			display_id(p, fp, SYM_TYPES, bit, "");
 			display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
 			display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
 			display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
 			fprintf(fp, " %s\n", ft->name);
 		}
 		ftdatum = ftdatum->next;
 	} while (ftdatum);
 	display_id(p, fp, SYM_TYPES, ft->stype - 1, "");
 	display_id(p, fp, SYM_TYPES, ft->ttype - 1, "");
 	display_id(p, fp, SYM_CLASSES, ft->tclass - 1, ":");
 	display_id(p, fp, SYM_TYPES, ftdatum->otype - 1, "");
 	fprintf(fp, " %s\n", ft->name);
 	return 0;
 }
@ -368,7 +360,7 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
 	hashtab_map(p->filename_trans, filenametr_display, &args);
 }
-static int menu(void)
+int menu(void)
 {
 	printf("\nSelect a command:\n");
 	printf("1)  display unconditional AVTAB\n");
--- a/dbus/VERSION
+++ b/dbus/VERSION
@ -1 +1 @@
-3.3-rc1
+3.0
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@ -2,36 +2,28 @@
 import dbus
 import dbus.service
-from dbus.mainloop.glib import DBusGMainLoop
+import dbus.mainloop.glib
 from gi.repository import GObject
-from gi.repository import GLib
+import slip.dbus.service
 from slip.dbus import polkit
 import os
 import selinux
 from subprocess import Popen, PIPE, STDOUT
-class selinux_server(dbus.service.Object):
+class selinux_server(slip.dbus.service.Object):
    default_polkit_auth_required = "org.selinux.semanage"
    def __init__(self, *p, **k):
        super(selinux_server, self).__init__(*p, **k)
    def is_authorized(self, sender, action_id):
        bus = dbus.SystemBus()
        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
        subject = ('system-bus-name', {'name': sender})
        result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
        return result[0]
    #
    # The semanage method runs a transaction on a series of semanage commands,
    # these commands can take the output of customized
    #
-    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.semanage")
-    def semanage(self, buf, sender):
+    @dbus.service.method("org.selinux", in_signature='s')
-        if not self.is_authorized(sender, "org.selinux.semanage"):
+    def semanage(self, buf):
            raise dbus.exceptions.DBusException("Not authorized")
        p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
        p.stdin.write(buf)
        output = p.communicate()
@ -43,10 +35,9 @@ class selinux_server(dbus.service.Object):
    # on the server.  This output can be used with the semanage method on
    # another server to make the two systems have duplicate policy.
    #
-    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.customized")
-    def customized(self, sender):
+    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
-        if not self.is_authorized(sender, "org.selinux.customized"):
+    def customized(self):
            raise dbus.exceptions.DBusException("Not authorized")
        p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
        buf = p.stdout.read()
        output = p.communicate()
@ -58,10 +49,9 @@ class selinux_server(dbus.service.Object):
    # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
    # since this is a readonly behaviour
    #
-    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
-    def semodule_list(self, sender):
+    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
-        if not self.is_authorized(sender, "org.selinux.semodule_list"):
+    def semodule_list(self):
            raise dbus.exceptions.DBusException("Not authorized")
        p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
        buf = p.stdout.read()
        output = p.communicate()
@ -72,28 +62,25 @@ class selinux_server(dbus.service.Object):
    #
    # The restorecon method modifies any file path to the default system label
    #
-    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.restorecon")
-    def restorecon(self, path, sender):
+    @dbus.service.method("org.selinux", in_signature='s')
-        if not self.is_authorized(sender, "org.selinux.restorecon"):
+    def restorecon(self, path):
            raise dbus.exceptions.DBusException("Not authorized")
        selinux.restorecon(str(path), recursive=1)
    #
    # The setenforce method turns off the current enforcement of SELinux
    #
-    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.setenforce")
-    def setenforce(self, value, sender):
+    @dbus.service.method("org.selinux", in_signature='i')
-        if not self.is_authorized(sender, "org.selinux.setenforce"):
+    def setenforce(self, value):
            raise dbus.exceptions.DBusException("Not authorized")
        selinux.security_setenforce(value)
    #
    # The setenforce method turns off the current enforcement of SELinux
    #
-    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
-    def relabel_on_boot(self, value, sender):
+    @dbus.service.method("org.selinux", in_signature='i')
-        if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
+    def relabel_on_boot(self, value):
            raise dbus.exceptions.DBusException("Not authorized")
        if value == 1:
            fd = open("/.autorelabel", "w")
            fd.close()
@ -124,10 +111,9 @@ class selinux_server(dbus.service.Object):
    #
    # The change_default_enforcement modifies the current enforcement mode
    #
-    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
-    def change_default_mode(self, value, sender):
+    @dbus.service.method("org.selinux", in_signature='s')
-        if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+    def change_default_mode(self, value):
            raise dbus.exceptions.DBusException("Not authorized")
        values = ["enforcing", "permissive", "disabled"]
        if value not in values:
            raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@ -136,20 +122,19 @@ class selinux_server(dbus.service.Object):
    #
    # The change_default_policy method modifies the policy type
    #
-    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
-    def change_default_policy(self, value, sender):
+    @dbus.service.method("org.selinux", in_signature='s')
-        if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+    def change_default_policy(self, value):
            raise dbus.exceptions.DBusException("Not authorized")
        path = selinux.selinux_path() + value
        if os.path.isdir(path):
            return self.write_selinux_config(policy=value)
        raise ValueError("%s does not exist" % path)
 if __name__ == "__main__":
-    DBusGMainLoop(set_as_default=True)
+    mainloop = GObject.MainLoop()
-    mainloop = GLib.MainLoop()
+    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
    system_bus = dbus.SystemBus()
    name = dbus.service.BusName("org.selinux", system_bus)
-    server = selinux_server(system_bus, "/org/selinux/object")
+    object = selinux_server(system_bus, "/org/selinux/object")
    slip.dbus.service.set_mainloop(mainloop)
    mainloop.run()
--- a/gui/VERSION
+++ b/gui/VERSION
@ -1 +1 @@
-3.3-rc1
+3.0
--- a/gui/fcontextPage.py
+++ b/gui/fcontextPage.py
@ -102,13 +102,6 @@ class fcontextPage(semanagePage):
        self.load()
        self.fcontextEntry = xml.get_object("fcontextEntry")
        self.fcontextFileTypeCombo = xml.get_object("fcontextFileTypeCombo")
        # Populate file type combo_box
        liststore = self.fcontextFileTypeCombo.get_model()
        for ftype in seobject.file_type_str_to_option.keys():
            iter = liststore.append()
            liststore.set_value(iter, 0, ftype)
        iter = liststore.get_iter_first()
        self.fcontextFileTypeCombo.set_active_iter(iter)
        self.fcontextTypeEntry = xml.get_object("fcontextTypeEntry")
        self.fcontextMLSEntry = xml.get_object("fcontextMLSEntry")
--- a/gui/system-config-selinux.ui
+++ b/gui/system-config-selinux.ui
@ -401,6 +401,32 @@ Level</property>
      <!-- column-name gchararray -->
      <column type="gchararray"/>
    </columns>
    <data>
      <row>
        <col id="0" translatable="yes">all files</col>
      </row>
      <row>
        <col id="0" translatable="yes">regular file</col>
      </row>
      <row>
        <col id="0" translatable="yes">directory</col>
      </row>
      <row>
        <col id="0" translatable="yes">character device</col>
      </row>
      <row>
        <col id="0" translatable="yes">block device</col>
      </row>
      <row>
        <col id="0" translatable="yes">socket file</col>
      </row>
      <row>
        <col id="0" translatable="yes">symbolic link</col>
      </row>
      <row>
        <col id="0" translatable="yes">named pipe</col>
      </row>
    </data>
  </object>
  <object class="GtkDialog" id="fcontextDialog">
    <property name="can_focus">False</property>
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@ -1,10 +1,9 @@
-SUBDIRS = include src utils man
+SUBDIRS = src include utils man
 PKG_CONFIG ?= pkg-config
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= n
 ANDROID_HOST ?= n
 LABEL_BACKEND_ANDROID ?= n
 ifeq ($(ANDROID_HOST),y)
 	override DISABLE_SETRANS=y
 	override DISABLE_BOOL=y
@ -18,10 +17,7 @@ endif
 ifeq ($(DISABLE_BOOL),y)
 	DISABLE_FLAGS+= -DDISABLE_BOOL
 endif
-ifeq ($(DISABLE_X11),y)
+export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
 	DISABLE_FLAGS+= -DNO_X_BACKEND
 endif
 export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
 USE_PCRE2 ?= n
 ifeq ($(USE_PCRE2),y)
@ -50,24 +46,24 @@ all install relabel clean distclean indent:
 	done
 swigify: all
-	$(MAKE) -C src $@
+	$(MAKE) -C src swigify $@
 pywrap: 
-	$(MAKE) -C src $@
+	$(MAKE) -C src pywrap $@
 rubywrap: 
-	$(MAKE) -C src $@
+	$(MAKE) -C src rubywrap $@
 install-pywrap: 
-	$(MAKE) -C src $@
+	$(MAKE) -C src install-pywrap $@
 install-rubywrap: 
-	$(MAKE) -C src $@
+	$(MAKE) -C src install-rubywrap $@
 clean-pywrap:
-	$(MAKE) -C src $@
+	$(MAKE) -C src clean-pywrap $@
 clean-rubywrap:
-	$(MAKE) -C src $@
+	$(MAKE) -C src clean-rubywrap $@
 test:
--- a/libselinux/VERSION
+++ b/libselinux/VERSION
@ -1 +1 @@
-3.3-rc1
+3.0
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@ -64,11 +64,7 @@ extern int avc_context_to_sid_raw(const char * ctx, security_id_t * sid);
 * reference count).  Note that avc_context_to_sid() also
 * increments reference counts.
 */
-extern int sidget(security_id_t sid)
+extern int sidget(security_id_t sid);
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 /**
 * sidput - decrement SID reference counter.
@ -80,11 +76,7 @@ __attribute__ ((deprecated))
 * zero, the SID is invalid, and avc_context_to_sid() must
 * be called to obtain a new SID for the security context.
 */
-extern int sidput(security_id_t sid)
+extern int sidput(security_id_t sid);
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 /**
 * avc_get_initial_sid - get SID for an initial kernel security identifier
@ -200,11 +192,7 @@ extern int avc_init(const char *msgprefix,
 		    const struct avc_memory_callback *mem_callbacks,
 		    const struct avc_log_callback *log_callbacks,
 		    const struct avc_thread_callback *thread_callbacks,
-		    const struct avc_lock_callback *lock_callbacks)
+		    const struct avc_lock_callback *lock_callbacks);
 #ifdef __GNUC__
 	__attribute__ ((deprecated("Use avc_open and selinux_set_callback")))
 #endif
 ;
 /**
 * avc_open - Initialize the AVC.
--- a/libselinux/include/selinux/get_context_list.h
+++ b/libselinux/include/selinux/get_context_list.h
@ -17,14 +17,14 @@ extern "C" {
   If 'fromcon' is NULL, defaults to current context.
   Caller must free via freeconary. */
 	extern int get_ordered_context_list(const char *user,
-					    const char *fromcon,
+					    char * fromcon,
 					    char *** list);
 /* As above, but use the provided MLS level rather than the
   default level for the user. */
 	extern int get_ordered_context_list_with_level(const char *user,
 						       const char *level,
-						       const char *fromcon,
+						       char * fromcon,
 						       char *** list);
 /* Get the default security context for a user session for 'user'
@ -35,14 +35,14 @@ extern "C" {
   Returns 0 on success or -1 otherwise.
   Caller must free via freecon. */
 	extern int get_default_context(const char *user,
-				       const char *fromcon,
+				       char * fromcon,
 				       char ** newcon);
 /* As above, but use the provided MLS level rather than the
   default level for the user. */
 	extern int get_default_context_with_level(const char *user,
 						  const char *level,
-						  const char *fromcon,
+						  char * fromcon,
 						  char ** newcon);
 /* Same as get_default_context, but only return a context
@ -50,7 +50,7 @@ extern "C" {
   for the user with that role, then return -1. */
 	extern int get_default_context_with_role(const char *user,
 						 const char *role,
-						 const char *fromcon,
+						 char * fromcon,
 						 char ** newcon);
 /* Same as get_default_context, but only return a context
@ -59,7 +59,7 @@ extern "C" {
 	extern int get_default_context_with_rolelevel(const char *user,
 						      const char *role,
 						      const char *level,
-						      const char *fromcon,
+						      char * fromcon,
 						      char ** newcon);
 /* Given a list of authorized security contexts for the user, 
--- a/libselinux/include/selinux/restorecon.h
+++ b/libselinux/include/selinux/restorecon.h
@ -30,82 +30,77 @@ extern int selinux_restorecon(const char *pathname,
 * Force the checking of labels even if the stored SHA1 digest
 * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
 */
-#define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
+#define SELINUX_RESTORECON_IGNORE_DIGEST		0x0001
 /*
 * Do not change file labels.
 */
-#define SELINUX_RESTORECON_NOCHANGE			0x00002
+#define SELINUX_RESTORECON_NOCHANGE			0x0002
 /*
 * If set, change file label to that in spec file.
 * If not, only change type component to that in spec file.
 */
-#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x00004
+#define SELINUX_RESTORECON_SET_SPECFILE_CTX		0x0004
 /*
 * Recursively descend directories.
 */
-#define SELINUX_RESTORECON_RECURSE			0x00008
+#define SELINUX_RESTORECON_RECURSE			0x0008
 /*
 * Log changes to selinux log. Note that if VERBOSE and
 * PROGRESS are set, then PROGRESS will take precedence.
 */
-#define SELINUX_RESTORECON_VERBOSE			0x00010
+#define SELINUX_RESTORECON_VERBOSE			0x0010
 /*
 * If SELINUX_RESTORECON_PROGRESS is true and
 * SELINUX_RESTORECON_MASS_RELABEL is true, then output approx % complete,
 * else output the number of files in 1k blocks processed to stdout.
 */
-#define SELINUX_RESTORECON_PROGRESS			0x00020
+#define SELINUX_RESTORECON_PROGRESS			0x0020
 /*
 * Convert passed-in pathname to canonical pathname.
 */
-#define SELINUX_RESTORECON_REALPATH			0x00040
+#define SELINUX_RESTORECON_REALPATH			0x0040
 /*
 * Prevent descending into directories that have a different
 * device number than the pathname from which the descent began.
 */
-#define SELINUX_RESTORECON_XDEV				0x00080
+#define SELINUX_RESTORECON_XDEV				0x0080
 /*
 * Attempt to add an association between an inode and a specification.
 * If there is already an association for the inode and it conflicts
 * with the specification, then use the last matching specification.
 */
-#define SELINUX_RESTORECON_ADD_ASSOC			0x00100
+#define SELINUX_RESTORECON_ADD_ASSOC			0x0100
 /*
 * Abort on errors during the file tree walk.
 */
-#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x00200
+#define SELINUX_RESTORECON_ABORT_ON_ERROR		0x0200
 /*
 * Log any label changes to syslog.
 */
-#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x00400
+#define SELINUX_RESTORECON_SYSLOG_CHANGES		0x0400
 /*
 * Log what spec matched each file.
 */
-#define SELINUX_RESTORECON_LOG_MATCHES			0x00800
+#define SELINUX_RESTORECON_LOG_MATCHES			0x0800
 /*
 * Ignore files that do not exist.
 */
-#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x01000
+#define SELINUX_RESTORECON_IGNORE_NOENTRY		0x1000
 /*
 * Do not read /proc/mounts to obtain a list of non-seclabel
 * mounts to be excluded from relabeling checks.
 */
-#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x02000
+#define SELINUX_RESTORECON_IGNORE_MOUNTS		0x2000
 /*
 * Set if there is a mass relabel required.
 * See SELINUX_RESTORECON_PROGRESS flag for details.
 */
-#define SELINUX_RESTORECON_MASS_RELABEL			0x04000
+#define SELINUX_RESTORECON_MASS_RELABEL			0x4000
 /*
 * Set if no digest is to be read or written (as only processes
 * running with CAP_SYS_ADMIN can read/write digests).
 */
-#define SELINUX_RESTORECON_SKIP_DIGEST			0x08000
+#define SELINUX_RESTORECON_SKIP_DIGEST			0x8000
 /*
 * Set to treat conflicting specifications as errors.
 */
 #define SELINUX_RESTORECON_CONFLICT_ERROR		0x10000
 /**
 * selinux_restorecon_set_sehandle - Set the global fc handle.
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@ -8,17 +8,13 @@
 extern "C" {
 #endif
-/* Return 1 if we are running on a SELinux kernel, or 0 otherwise. */
+/* Return 1 if we are running on a SELinux kernel, or 0 if not or -1 if we get an error. */
 extern int is_selinux_enabled(void);
 /* Return 1 if we are running on a SELinux MLS kernel, or 0 otherwise. */
 extern int is_selinux_mls_enabled(void);
 /* No longer used; here for compatibility with legacy callers. */
-typedef char *security_context_t
+typedef char *security_context_t;
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 /* Free the memory allocated for a context by any of the below get* calls. */
 extern void freecon(char * con);
@ -182,8 +178,6 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
 #define SELINUX_WARNING		1
 #define SELINUX_INFO		2
 #define SELINUX_AVC		3
 #define SELINUX_POLICYLOAD	4
 #define SELINUX_SETENFORCE	5
 #define SELINUX_TRANS_DIR	"/var/run/setrans"
 /* Compute an access decision. */
@ -252,12 +246,8 @@ extern int security_compute_member_raw(const char * scon,
 				       security_class_t tclass,
 				       char ** newcon);
-/*
+/* Compute the set of reachable user contexts and set *con to refer to 
- * Compute the set of reachable user contexts and set *con to refer to
+   the NULL-terminated array of contexts.  Caller must free via freeconary. */
 * the NULL-terminated array of contexts.  Caller must free via freeconary.
 * These interfaces are deprecated.  Use get_ordered_context_list() or
 * one of its variant interfaces instead.
 */
 extern int security_compute_user(const char * scon,
 				 const char *username,
 				 char *** con);
@ -329,13 +319,9 @@ extern int security_set_boolean_list(size_t boolcnt,
 				     SELboolean * boollist, int permanent);
 /* Load policy boolean settings. Deprecated as local policy booleans no
- * longer supported. Will always return -1.
+ * longer supported. Will always return 0.
 */
-extern int security_load_booleans(char *path)
+extern int security_load_booleans(char *path);
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 /* Check the validity of a security context. */
 extern int security_check_context(const char * con);
@ -471,22 +457,14 @@ extern void set_matchpathcon_flags(unsigned int flags);
   function also checks for a 'path'.homedirs file and 
   a 'path'.local file and loads additional specifications 
   from them if present. */
-extern int matchpathcon_init(const char *path)
+extern int matchpathcon_init(const char *path);
 #ifdef __GNUC__
   __attribute__ ((deprecated("Use selabel_open with backend SELABEL_CTX_FILE")))
 #endif
 ;
 /* Same as matchpathcon_init, but only load entries with
   regexes that have stems that are prefixes of 'prefix'. */
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 /* Free the memory allocated by matchpathcon_init. */
-extern void matchpathcon_fini(void)
+extern void matchpathcon_fini(void);
 #ifdef __GNUC__
   __attribute__ ((deprecated("Use selabel_close")))
 #endif
 ;
 /* Resolve all of the symlinks and relative portions of a pathname, but NOT
 * the final component (same a realpath() unless the final component is a
@ -500,11 +478,7 @@ extern int realpath_not_final(const char *name, char *resolved_path);
   If matchpathcon_init has not already been called, then this function
   will call it upon its first invocation with a NULL path. */
 extern int matchpathcon(const char *path,
-			mode_t mode, char ** con)
+			mode_t mode, char ** con);
 #ifdef __GNUC__
 	__attribute__ ((deprecated("Use selabel_lookup instead")))
 #endif
 ;
 /* Same as above, but return a specification index for 
   later use in a matchpathcon_filespec_add() call - see below. */
@ -597,18 +571,10 @@ extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
 /* Deprecated as local policy booleans no longer supported. */
-extern const char *selinux_booleans_path(void)
+extern const char *selinux_booleans_path(void);
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 extern const char *selinux_customizable_types_path(void);
 /* Deprecated as policy ./users no longer supported. */
-extern const char *selinux_users_path(void)
+extern const char *selinux_users_path(void);
 #ifdef __GNUC__
 __attribute__ ((deprecated))
 #endif
 ;
 extern const char *selinux_usersconf_path(void);
 extern const char *selinux_translations_path(void);
 extern const char *selinux_colors_path(void);
@ -636,17 +602,8 @@ extern int selinux_check_access(const char * scon, const char * tcon, const char
 /* Check a permission in the passwd class.
   Return 0 if granted or -1 otherwise. */
-extern int selinux_check_passwd_access(access_vector_t requested)
+extern int selinux_check_passwd_access(access_vector_t requested);
-#ifdef __GNUC__
+extern int checkPasswdAccess(access_vector_t requested);
  __attribute__ ((deprecated("Use selinux_check_access")))
 #endif
 ;
 extern int checkPasswdAccess(access_vector_t requested)
 #ifdef __GNUC__
   __attribute__ ((deprecated("Use selinux_check_access")))
 #endif
 ;
 /* Check if the tty_context is defined as a securetty
   Return 0 if secure, < 0 otherwise. */
@ -672,11 +629,7 @@ extern int setexecfilecon(const char *filename, const char *fallback_type);
 /* Execute a helper for rpm in an appropriate security context. */
 extern int rpm_execcon(unsigned int verified,
 		       const char *filename,
-		       char *const argv[], char *const envp[])
+		       char *const argv[], char *const envp[]);
 #ifdef __GNUC__
 	__attribute__((deprecated("Use setexecfilecon and execve")))
 #endif
 ;
 #endif
 /* Returns whether a file context is customizable, and should not 
--- a/libselinux/man/man3/avc_init.3
+++ b/libselinux/man/man3/avc_init.3
@ -117,8 +117,6 @@ argument, which does not return under normal conditions.  The
 callback should cancel the running thread referenced by 
 .IR thread .
 By default, threading is not used; see 
 .B KERNEL STATUS PAGE
 and
 .B NETLINK NOTIFICATION
 below.
@ -155,49 +153,14 @@ callback should destroy
 .IR lock ,
 freeing any resources associated with it.  The default behavior is not to perform any locking.  Note that undefined behavior may result if threading is used without appropriate locking.
 .
 .SH "KERNEL STATUS PAGE"
 Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
 .BR mmap (2)
 SELinux status state in read-only mode to avoid system calls during the cache hit code path.
 .BR avc_init ()
 calls
 .BR selinux_status_open (3)
 to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the
 .B func_create_thread
 and
 .B func_stop_thread
 callbacks. All callbacks set via
 .BR selinux_set_callback (3)
 will still be honored.
 .BR avc_has_perm (3)
 and
 .BR selinux_check_access (3)
 both check for status updates through calls to
 .BR selinux_status_updated (3)
 at the start of each permission query and take the appropriate action.
 Two status types are currently implemented.
 .B setenforce
 events will change the effective enforcing state used within the AVC, and
 .B policyload
 events will result in a cache flush.
 .
 .SH "NETLINK NOTIFICATION"
-In the event that the kernel status page is not successfully
+Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
-.BR mmap (2)'ed
+.BR avc_has_perm (3)
-the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
+to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
 .B setenforce
 and
 .B policyload
 events will have the same results as for the status page implementation, but all status update checks will now require a system call.
-By default,
+In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query.  If threading and locking callbacks are passed to
-.BR avc_open (3)
+.BR avc_init ()
-does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
+however, a dedicated thread will be started to listen on the netlink socket.  This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
 .BR avc_init (),
 a dedicated thread will be started to listen on the netlink socket.  This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query.
 .
 .SH "RETURN VALUE"
 Functions with a return value return zero on success.  On error, \-1 is returned and
@ -229,7 +192,5 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
 .
 .SH "SEE ALSO"
 .BR avc_open (3),
 .BR selinux_status_open (3),
 .BR selinux_status_updated (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
--- a/libselinux/man/man3/avc_netlink_loop.3
+++ b/libselinux/man/man3/avc_netlink_loop.3
@ -54,11 +54,6 @@ closes the netlink socket.  This function is called automatically by
 returns the netlink socket descriptor number and informs the userspace AVC
 not to check the socket descriptor automatically on calls to
 .BR avc_has_perm (3).
 If no such socket descriptor exists,
 .BR avc_netlink_acquire_fd (3)
 will first call
 .BR avc_netlink_open (3)
 and then return the resulting fd.
 .BR avc_netlink_release_fd ()
 returns control of the netlink socket to the userspace AVC, re-enabling
@ -83,9 +78,6 @@ with a return value return zero on success.  On error, \-1 is returned and
 .I errno
 is set appropriately.
 .
 .SH "AUTHOR"
 Originally KaiGai Kohei. Updated by Mike Palmiotto <mike.palmiotto@crunchydata.com>
 .
 .SH "SEE ALSO"
 .BR avc_open (3),
 .BR selinux_set_callback (3),
--- a/libselinux/man/man3/avc_open.3
+++ b/libselinux/man/man3/avc_open.3
@ -26,9 +26,6 @@ initializes the userspace AVC and must be called before any other AVC operation
 destroys the userspace AVC, freeing all internal memory structures.  After this call has been made, 
 .BR avc_open ()
 must be called again before any AVC operations can be performed.
 .BR avc_destroy ()
 also closes the SELinux status page, which might have been opened manually by
 .BR selinux_status_open (3).
 .BR avc_reset ()
 flushes the userspace AVC, causing it to forget any cached access decisions.  The userspace AVC normally calls this function automatically when needed, see
@ -49,37 +46,10 @@ include the following:
 .B AVC_OPT_SETENFORCE
 This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise.  The system enforcing mode will be ignored.
 .
 .SH "KERNEL STATUS PAGE"
 Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
 .BR mmap (2)
 SELinux status state in read-only mode to avoid system calls during the cache hit code path.
 .BR avc_open ()
 calls
 .BR selinux_status_open (3)
 to initialize the selinux status state.
 .BR avc_has_perm (3)
 and
 .BR selinux_check_access (3)
 both check for status updates through calls to
 .BR selinux_status_updated (3)
 at the start of each permission query and take the appropriate action.
 Two status types are currently implemented.
 .B setenforce
 events will change the effective enforcing state used within the AVC, and
 .B policyload
 events will result in a cache flush.
 .
 .SH "NETLINK NOTIFICATION"
-In the event that the kernel status page is not successfully
+Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
-.BR mmap (2)'ed
+.BR avc_has_perm (3)
-the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
+to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
 .B setenforce
 and
 .B policyload
 events will have the same results as for the status page implementation, but all status update checks will now require a system call.
 .
 .SH "RETURN VALUE"
 Functions with a return value return zero on success.  On error, \-1 is returned and
@ -91,12 +61,9 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
 .
 .SH "SEE ALSO"
 .BR selinux (8),
 .BR selinux_check_access (3),
 .BR avc_has_perm (3),
 .BR avc_context_to_sid (3),
 .BR avc_cache_stats (3),
 .BR avc_add_callback (3),
 .BR selinux_status_open (3),
 .BR selinux_status_updated (3),
 .BR selinux_set_callback (3),
 .BR security_compute_av (3)
--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
@ -7,17 +7,17 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .br
 .B #include <selinux/get_context_list.h>
 .sp
-.BI "int get_ordered_context_list(const char *" user ", const char *" fromcon ", char ***" list );
+.BI "int get_ordered_context_list(const char *" user ", char *" fromcon ", char ***" list );
 .sp
-.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", const char *" fromcon ", char ***" list );
+.BI "int get_ordered_context_list_with_level(const char *" user ", const char *" level ", char *" fromcon ", char ***" list );
 .sp
-.BI "int get_default_context(const char *" user ", const char *" fromcon ", char **" newcon );
+.BI "int get_default_context(const char *" user ", char *" fromcon ", char **" newcon );
 .sp
-.BI "int get_default_context_with_level(const char *" user ", const char *" level ", const char *" fromcon ", char **" newcon );
+.BI "int get_default_context_with_level(const char *" user ", const char *" level ", char *" fromcon ", char **" newcon );
 .sp
-.BI "int get_default_context_with_role(const char *" user ", const char *" role ", const char *" fromcon ", char **" newcon ");
+.BI "int get_default_context_with_role(const char *" user ", const char *" role ", char *" fromcon ", char **" newcon ");
 .sp
-.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" role ", const char *" level ", const char *" fromcon ", char **" newcon ");
+.BI "int get_default_context_with_rolelevel(const char *" user ", const char *" role ", const char *" level ", char *" fromcon ", char **" newcon ");
 .sp
 .BI "int query_user_context(char **" list ", char **" newcon );
 .sp
@ -26,28 +26,14 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .BI "int get_default_type(const char *" role ", char **" type );
 .
 .SH "DESCRIPTION"
 This family of functions can be used to obtain either a prioritized list of
 all reachable security contexts for a given SELinux user or a single default
 (highest priority) context for a given SELinux user for use by login-like
 programs.  These functions takes a SELinux user identity that must
 be defined in the SELinux policy as their input, not a Linux username.
 Most callers should typically first call
 .BR getseuserbyname(3)
 to look up the SELinux user identity and level for a given
 Linux username and then invoke one of
 .BR get_ordered_context_list_with_level ()
 or
 .BR get_default_context_with_level ()
 with the returned SELinux user and level as inputs.
 .BR get_ordered_context_list ()
-obtains the list of contexts for the specified
+invokes the 
-SELinux
+.BR security_compute_user (3)
 function to obtain the list of contexts for the specified
 .I user
-identity that are reachable from the specified
+that are reachable from the specified
 .I fromcon
-context based on the global
+context.  The function then orders the resulting list based on the global
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
 file and the per-user
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
--- a/libselinux/man/man3/getcon.3
+++ b/libselinux/man/man3/getcon.3
@ -7,7 +7,7 @@ freecon, freeconary \- free memory associated with SELinux security contexts
 getpeercon \- get security context of a peer socket
 setcon \- set current security context of a process
-
+.
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
@ -31,39 +31,30 @@ setcon \- set current security context of a process
 .sp
 .BI "void freeconary(char **" con );
 .sp
-.BI "int setcon(const char *" context );
+.BI "int setcon(char *" context );
 .sp
-.BI "int setcon_raw(const char *" context );
+.BI "int setcon_raw(char *" context );
-
+.
 .SH "DESCRIPTION"
 .TP
 .BR getcon ()
 retrieves the context of the current process, which must be free'd with
-.BR freecon ().
+freecon.
 .TP
 .BR getprevcon ()
 same as getcon but gets the context before the last exec.
 .TP
 .BR getpidcon ()
-returns the process context for the specified PID, which must be free'd with
+returns the process context for the specified PID.
 .BR freecon ().
 .TP
 .BR getpeercon ()
-retrieves the context of the peer socket, which must be free'd with
+retrieves context of peer socket, and set
 .BI * context
 to refer to it, which must be free'd with
 .BR freecon ().
 .TP
 .BR freecon ()
 frees the memory allocated for a security context.
 If
 .I con
 is NULL, no operation is performed.
 .TP
 .BR freeconary ()
 frees the memory allocated for a context array.
@ -71,7 +62,6 @@ If
 .I con
 is NULL, no operation is performed.
 .TP
 .BR setcon ()
 sets the current security context of the process to a new value.  Note
 that use of this function requires that the entire application be
@ -120,8 +110,6 @@ context and the
 .BR setcon ()
 will fail if it is not allowed by policy.
 .TP
 .BR *_raw()
 .BR getcon_raw (),
 .BR getprevcon_raw (),
 .BR getpidcon_raw (),
@ -130,14 +118,9 @@ and
 .BR setcon_raw ()
 behave identically to their non-raw counterparts but do not perform context
 translation.
-
+.
 .SH "RETURN VALUE"
-On error \-1 is returned with errno set.  On success 0 is returned.
+On error \-1 is returned.  On success 0 is returned.
-
+.
 .SH "NOTES"
 The retrieval functions might return success and set
 .I *context
 to NULL if and only if SELinux is not enabled.
 .SH "SEE ALSO"
 .BR selinux "(8), " setexeccon "(3)"
--- a/libselinux/man/man3/is_selinux_enabled.3
+++ b/libselinux/man/man3/is_selinux_enabled.3
@ -15,6 +15,7 @@ is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Secu
 .SH "DESCRIPTION"
 .BR is_selinux_enabled ()
 returns 1 if SELinux is running or 0 if it is not. 
 On error, \-1 is returned.
 .BR is_selinux_mls_enabled ()
 returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To
--- a/libselinux/man/man3/security_check_context.3
+++ b/libselinux/man/man3/security_check_context.3
@ -5,9 +5,9 @@ security_check_context \- check the validity of a SELinux context
 .SH "SYNOPSIS"
 .B #include <selinux/selinux.h>
 .sp
-.BI "int security_check_context(const char *" con );
+.BI "int security_check_context(char *" con );
 .sp
-.BI "int security_check_context_raw(const char *" con );
+.BI "int security_check_context_raw(char *" con );
 .
 .SH "DESCRIPTION"
 .BR security_check_context ()
--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
@ -134,9 +134,8 @@ instance.
 .BR security_compute_user ()
 is used to determine the set of user contexts that can be reached from a
-source context. This function is deprecated; use
+source context. It is mainly used by
-.BR get_ordered_context_list (3)
+.BR get_ordered_context_list (3).
 instead.
 .BR security_validatetrans ()
 is used to determine if a transition from scon to newcon using tcon as the object
--- a/libselinux/man/man3/selinux_restorecon.3
+++ b/libselinux/man/man3/selinux_restorecon.3
@ -152,10 +152,6 @@ Setting
 .B SELINUX_RESTORECON_IGNORE_MOUNTS
 is useful where there is a non-seclabel fs mounted with a seclabel fs mounted
 on a directory below this.
 .sp
 .B SELINUX_RESTORECON_CONFLICT_ERROR
 to treat conflicting specifications, such as where two hardlinks for the
 same inode have different contexts, as errors.
 .RE
 .sp
 The behavior regarding the checking and updating of the SHA1 digest described
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@ -46,20 +46,6 @@ argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 .B SELINUX_AVC
 .B SELINUX_POLICYLOAD
 .B SELINUX_SETENFORCE
 SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
 levels and are not auditable messages.
 The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
 audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
 values from libaudit, respectively.  If they are not audited, SELINUX_AVC should be
 considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
 SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
 .
 .TP
 .B SELINUX_CB_AUDIT
--- a/libselinux/man/man3/selinux_status_open.3
+++ b/libselinux/man/man3/selinux_status_open.3
@ -48,7 +48,7 @@ Set 1 on the
 argument to handle a case of older kernels without kernel status page support.
 In this case, this function tries to open a netlink socket using
 .BR avc_netlink_open (3)
-and overwrite corresponding callbacks (setenforce and policyload).
+and overwrite corresponding callbacks ( setenforce and policyload).
 Thus, we need to pay attention to the interaction with these interfaces,
 when fallback mode is enabled.
 .sp
@ -57,14 +57,9 @@ unmap the kernel status page and close its file descriptor, or close the
 netlink socket if fallbacked.
 .sp
 .BR selinux_status_updated ()
-processes status update events. There are two kinds of status updates.
+informs us whether something has been updated since the last call.
-.B setenforce
+It returns 0 if nothing was happened, however, 1 if something has been
-events will change the effective enforcing state used within the AVC, and
+updated in this duration, or \-1 on error.
 .B policyload
 events will result in a cache flush.
 This function returns 0 if there have been no updates since the last call,
 1 if there have been updates since the last call, or \-1 on error.
 .sp
 .BR selinux_status_getenforce ()
 returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
@ -125,14 +125,7 @@ Where:
 .RS
 .I pathname
 .RS
-An entry that defines the path to be labeled.
+An entry that defines the pathname that may be in the form of a regular expression.
 May contain either a fully qualified path,
 or a Perl compatible regular expression (PCRE),
 describing fully qualified path(s).
 The only PCRE flag in use is PCRE2_DOTALL,
 which causes a wildcard '.' to match anything, including a new line.
 Strings representing paths are processed as bytes (as opposed to Unicode),
 meaning that non-ASCII characters are not matched by a single wildcard.
 .RE
 .I file_type
 .RS
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@ -19,36 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
 permissive mode or enforcing mode.  The
 .B SELINUX
 variable may be set to
-any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+any one of disabled, permissive, or enforcing to select one of these
-select one of these options.  The \fIdisabled\fR disables most of the
+options.  The disabled option completely disables the SELinux kernel
-SELinux kernel and application code, leaving the system
+and application code, leaving the system running without any SELinux
-running without any SELinux protection.  The \fIpermissive\fR option
+protection.  The permissive option enables the SELinux code, but
-enables the SELinux code, but causes it to operate in a mode where
+causes it to operate in a mode where accesses that would be denied by
-accesses that would be denied by policy are permitted but audited.  The
+policy are permitted but audited.  The enforcing option enables the
-\fIenforcing\fR option enables the SELinux code and causes it to enforce
+SELinux code and causes it to enforce access denials as well as
-access denials as well as auditing them.  \fIpermissive\fR mode may
+auditing them.  Permissive mode may yield a different set of denials
-yield a different set of denials than enforcing mode, both because
+than enforcing mode, both because enforcing mode will prevent an
-enforcing mode will prevent an operation from proceeding past the first
+operation from proceeding past the first denial and because some
-denial and because some application code will fall back to a less
+application code will fall back to a less privileged mode of operation
-privileged mode of operation if denied access.
+if denied access.
 .B NOTE:
 Disabling SELinux by setting
 .B SELINUX=disabled
 in
 .I /etc/selinux/config
 is deprecated and depending on kernel version and configuration it might
 not lead to SELinux being completely disabled.  Specifically, the
 SELinux hooks will still be executed internally, but the SELinux policy
 will not be loaded and no operation will be denied.  In such state, the
 system will act as if SELinux was disabled, although some operations
 might behave slightly differently.  To properly disable SELinux, it is
 recommended to use the
 .B selinux=0
 kernel boot option instead.  In that case SELinux will be disabled
 regardless of what is set in the
 .I /etc/selinux/config
 file.
 The
 .I /etc/selinux/config
@ -94,13 +76,6 @@ and reboot.
 also has this capability.  The
 .BR restorecon / fixfiles
 commands are also available for relabeling files.
 Please note that using mount flag
 .I nosuid
 also disables SELinux domain transitions, unless permission
 .I nosuid_transition
 is used in the policy to allow this, which in turn needs also policy capability
 .IR nnp_nosuid_transition .
 .
 .SH AUTHOR
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
--- a/libselinux/man/ru/man5/failsafe_context.5
+++ b/libselinux/man/ru/man5/failsafe_context.5
@ -1,6 +1,6 @@
 .TH "failsafe_context" "5" "28 ноября 2011" "Security Enhanced Linux" "Конфигурация SELinux"
 .SH "ИМЯ"
-failsafe_context \- файл конфигурации резервного контекста SELinux
+failsafe_context \- файл конфигурации надёжного контекста SELinux
 .
 .SH "ОПИСАНИЕ"
 Файл
@ -10,7 +10,7 @@ failsafe_context \- файл конфигурации резервного ко
 получать известный действительный контекст входа для администратора, если в других расположениях отсутствуют действительные записи по умолчанию.
 .sp
 .BR selinux_failsafe_context_path "(3) "
-возвращает путь активной политики к этому файлу. Файл резервного контекста по умолчанию:
+возвращает путь активной политики к этому файлу. Файл надёжного контекста по умолчанию:
 .RS
 .I /etc/selinux/{SELINUXTYPE}/contexts/failsafe_context
 .RE
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@ -15,7 +15,7 @@ INCLUDEDIR ?= $(PREFIX)/include
 PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
 PYLIBS ?= $(shell $(PKG_CONFIG) --libs $(PYPREFIX))
 PYTHONLIBDIR ?= $(shell $(PYTHON) -c "from distutils.sysconfig import *; print(get_python_lib(plat_specific=1, prefix='$(PREFIX)'))")
-PYCEXT ?= $(shell $(PYTHON) -c 'import importlib.machinery;print(importlib.machinery.EXTENSION_SUFFIXES[0])')
+PYCEXT ?= $(shell $(PYTHON) -c 'import imp;print([s for s,m,t in imp.get_suffixes() if t == imp.C_EXTENSION][0])')
 RUBYINC ?= $(shell $(RUBY) -e 'puts "-I" + RbConfig::CONFIG["rubyarchhdrdir"] + " -I" + RbConfig::CONFIG["rubyhdrdir"]')
 RUBYLIBS ?= $(shell $(RUBY) -e 'puts "-L" + RbConfig::CONFIG["libdir"] + " -L" + RbConfig::CONFIG["archlibdir"] + " " + RbConfig::CONFIG["LIBRUBYARG_SHARED"]')
 RUBYINSTALL ?= $(shell $(RUBY) -e 'puts RbConfig::CONFIG["vendorarchdir"]')
@ -65,7 +65,7 @@ EXTRA_CFLAGS = -fipa-pure-const -Wlogical-op -Wpacked-bitfield-compat -Wsync-nan
 	-Wcoverage-mismatch -Wcpp -Wformat-contains-nul -Wnormalized=nfc -Wsuggest-attribute=const \
 	-Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines -Wjump-misses-init \
 	-Wno-suggest-attribute=pure -Wno-suggest-attribute=const -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 \
-	-Wstrict-overflow=5 -fno-semantic-interposition
+	-Wstrict-overflow=5
 else
 EXTRA_CFLAGS = -Wunused-command-line-argument
 endif
@ -90,7 +90,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
          -Werror -Wno-aggregate-return -Wno-redundant-decls \
          $(EXTRA_CFLAGS)
-LD_SONAME_FLAGS=-soname,$(LIBSO),--version-script=libselinux.map,-z,defs,-z,relro
+LD_SONAME_FLAGS=-soname,$(LIBSO),-z,defs,-z,relro
 ifeq ($(OS), Darwin)
 override CFLAGS += -I/opt/local/include
@ -105,8 +105,7 @@ FTS_LDLIBS ?=
 override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
 SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
-		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations \
+		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
 		-Wno-deprecated-declarations
 RANLIB ?= ranlib
@ -122,16 +121,8 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
 	label_backends_android.c regex.c label_support.c \
 	matchpathcon.c setrans_client.c sha1.c booleans.c
 else
 LABEL_BACKEND_ANDROID=y
 endif
 ifneq ($(LABEL_BACKEND_ANDROIDT),y)
 SRCS:= $(filter-out label_backends_android.c, $(SRCS))
 DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
-endif
+SRCS:= $(filter-out label_backends_android.c, $(SRCS))
 ifeq ($(DISABLE_X11),y)
 SRCS:= $(filter-out label_x.c, $(SRCS))
 endif
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
@ -182,7 +173,7 @@ install: all
 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
 install-pywrap: pywrap
-	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)` $(PYTHON_SETUP_ARGS)
+	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
 	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
 	ln -sf --relative $(DESTDIR)$(PYTHONLIBDIR)/selinux/_selinux$(PYCEXT) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
--- a/libselinux/src/audit2why.c
+++ b/libselinux/src/audit2why.c
@ -204,8 +204,8 @@ static int __policy_init(const char *init_path)
 		fp = fopen(path, "re");
 		if (!fp) {
 			snprintf(errormsg, sizeof(errormsg), 
-				 "unable to open %s:  %m\n",
+				 "unable to open %s:  %s\n",
-				 path);
+				 path, strerror(errno));
 			PyErr_SetString( PyExc_ValueError, errormsg);
 			return 1;
 		}
@ -221,8 +221,9 @@ static int __policy_init(const char *init_path)
 		fp = fopen(curpolicy, "re");
 		if (!fp) {
 			snprintf(errormsg, sizeof(errormsg), 
-				 "unable to open %s:  %m\n",
+				 "unable to open %s:  %s\n",
-				 curpolicy);
+				 curpolicy,
 				 strerror(errno));
 			PyErr_SetString( PyExc_ValueError, errormsg);
 			return 1;
 		}
@ -241,7 +242,7 @@ static int __policy_init(const char *init_path)
 	if (sepol_policy_file_create(&pf) ||
 	    sepol_policydb_create(&avc->policydb)) {
 		snprintf(errormsg, sizeof(errormsg), 
-			 "policydb_init failed: %m\n");
+			 "policydb_init failed: %s\n", strerror(errno));
 		PyErr_SetString( PyExc_RuntimeError, errormsg);
 		fclose(fp);
 		return 1;
@ -274,7 +275,7 @@ static int __policy_init(const char *init_path)
 	}
 	sepol_bool_iterate(avc->handle, avc->policydb,
-			   load_booleans, NULL);
+			   load_booleans, (void *)NULL);
 	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
 	   and sepol_compute_av_reason. */
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@ -50,6 +50,7 @@ struct avc_callback_node {
 	struct avc_callback_node *next;
 };
 static void *avc_netlink_thread = NULL;
 static void *avc_lock = NULL;
 static void *avc_log_lock = NULL;
 static struct avc_node *avc_node_freelist = NULL;
@ -144,7 +145,22 @@ int avc_get_initial_sid(const char * name, security_id_t * sid)
 	return rc;
 }
-static int avc_init_internal(const char *prefix,
+int avc_open(struct selinux_opt *opts, unsigned nopts)
 {
 	avc_setenforce = 0;
 	while (nopts--)
 		switch(opts[nopts].type) {
 		case AVC_OPT_SETENFORCE:
 			avc_setenforce = 1;
 			avc_enforcing = !!opts[nopts].value;
 			break;
 		}
 	return avc_init("avc", NULL, NULL, NULL, NULL);
 }
 int avc_init(const char *prefix,
 	     const struct avc_memory_callback *mem_cb,
 	     const struct avc_log_callback *log_cb,
 	     const struct avc_thread_callback *thread_cb,
@ -206,49 +222,30 @@ static int avc_init_internal(const char *prefix,
 		rc = security_getenforce();
 		if (rc < 0) {
 			avc_log(SELINUX_ERROR,
-				"%s:  could not determine enforcing mode: %m\n",
+				"%s:  could not determine enforcing mode: %s\n",
-				avc_prefix);
+				avc_prefix,
 				strerror(errno));
 			goto out;
 		}
 		avc_enforcing = rc;
 	}
-	rc = selinux_status_open(0);
+	rc = avc_netlink_open(0);
 	if (rc < 0) {
 		avc_log(SELINUX_ERROR,
-			"%s: could not open selinux status page: %d (%m)\n",
+			"%s:  can't open netlink socket: %d (%s)\n",
-			avc_prefix, errno);
+			avc_prefix, errno, strerror(errno));
 		goto out;
 	}
 	if (avc_using_threads) {
 		avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
 		avc_netlink_trouble = 0;
 	}
 	avc_running = 1;
      out:
 	return rc;
 }
 int avc_open(struct selinux_opt *opts, unsigned nopts)
 {
 	avc_setenforce = 0;
 	while (nopts--)
 		switch(opts[nopts].type) {
 		case AVC_OPT_SETENFORCE:
 			avc_setenforce = 1;
 			avc_enforcing = !!opts[nopts].value;
 			break;
 		}
 	return avc_init_internal("avc", NULL, NULL, NULL, NULL);
 }
 int avc_init(const char *prefix,
 	     const struct avc_memory_callback *mem_cb,
 	     const struct avc_log_callback *log_cb,
 	     const struct avc_thread_callback *thread_cb,
 	     const struct avc_lock_callback *lock_cb)
 {
 	return avc_init_internal(prefix, mem_cb, log_cb, thread_cb, lock_cb);
 }
 void avc_cache_stats(struct avc_cache_stats *p)
 {
 	memcpy(p, &cache_stats, sizeof(cache_stats));
@ -297,6 +294,7 @@ void avc_av_stats(void)
 		slots_used, AVC_CACHE_SLOTS, max_chain_len);
 }
 hidden_def(avc_av_stats)
 static inline struct avc_node *avc_reclaim_node(void)
 {
@ -496,6 +494,7 @@ void avc_cleanup(void)
 {
 }
 hidden_def(avc_cleanup)
 int avc_reset(void)
 {
@ -540,6 +539,7 @@ int avc_reset(void)
 	return rc;
 }
 hidden_def(avc_reset)
 void avc_destroy(void)
 {
@ -551,7 +551,9 @@ void avc_destroy(void)
 	avc_get_lock(avc_lock);
-	selinux_status_close();
+	if (avc_using_threads)
 		avc_stop_thread(avc_netlink_thread);
 	avc_netlink_close();
 	for (i = 0; i < AVC_CACHE_SLOTS; i++) {
 		node = avc_cache.slots[i];
@ -731,6 +733,7 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	avc_release_lock(avc_log_lock);
 }
 hidden_def(avc_audit)
 static void avd_init(struct av_decision *avd)
@ -758,7 +761,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
 		avd_init(avd);
 	if (!avc_using_threads && !avc_app_main_loop) {
-		(void) selinux_status_updated();
+		(void)avc_netlink_check_nb();
 	}
 	if (!aeref) {
@ -822,6 +825,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
 	return rc;
 }
 hidden_def(avc_has_perm_noaudit)
 int avc_has_perm(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t requested,
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@ -53,49 +53,6 @@ int avc_enforcing = 1;
 int avc_setenforce = 0;
 int avc_netlink_trouble = 0;
 /* process setenforce events for netlink and sestatus */
 int avc_process_setenforce(int enforcing)
 {
 	int rc = 0;
 	avc_log(SELINUX_SETENFORCE,
 		"%s:  op=setenforce lsm=selinux enforcing=%d res=1",
 		avc_prefix, enforcing);
 	if (avc_setenforce)
 		goto out;
 	avc_enforcing = enforcing;
 	if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
 		avc_log(SELINUX_ERROR,
 			"%s:  cache reset returned %d (errno %d)\n",
 			avc_prefix, rc, errno);
 		return rc;
 	}
 out:
 	return selinux_netlink_setenforce(enforcing);
 }
 /* process policyload events for netlink and sestatus */
 int avc_process_policyload(uint32_t seqno)
 {
 	int rc = 0;
 	avc_log(SELINUX_POLICYLOAD,
 		"%s:  op=load_policy lsm=selinux seqno=%u res=1",
 		avc_prefix, seqno);
 	rc = avc_ss_reset(seqno);
 	if (rc < 0) {
 		avc_log(SELINUX_ERROR,
 			"%s:  cache reset returned %d (errno %d)\n",
 			avc_prefix, rc, errno);
 		return rc;
 	}
 	selinux_flush_class_cache();
 	return selinux_netlink_policyload(seqno);
 }
 /* netlink socket code */
 static int fd = -1;
@ -220,7 +177,20 @@ static int avc_netlink_process(void *buf)
 	case SELNL_MSG_SETENFORCE:{
 		struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
-		rc = avc_process_setenforce(!!msg->val);
+		msg->val = !!msg->val;
 		avc_log(SELINUX_INFO,
 			"%s:  received setenforce notice (enforcing=%d)\n",
 			avc_prefix, msg->val);
 		if (avc_setenforce)
 			break;
 		avc_enforcing = msg->val;
 		if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
 			avc_log(SELINUX_ERROR,
 				"%s:  cache reset returned %d (errno %d)\n",
 				avc_prefix, rc, errno);
 			return rc;
 		}
 		rc = selinux_netlink_setenforce(msg->val);
 		if (rc < 0)
 			return rc;
 		break;
@ -228,7 +198,18 @@ static int avc_netlink_process(void *buf)
 	case SELNL_MSG_POLICYLOAD:{
 		struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
-		rc = avc_process_policyload(msg->seqno);
+		avc_log(SELINUX_INFO,
 			"%s:  received policyload notice (seqno=%u)\n",
 			avc_prefix, msg->seqno);
 		rc = avc_ss_reset(msg->seqno);
 		if (rc < 0) {
 			avc_log(SELINUX_ERROR,
 				"%s:  cache reset returned %d (errno %d)\n",
 				avc_prefix, rc, errno);
 			return rc;
 		}
 		selinux_flush_class_cache();
 		rc = selinux_netlink_policyload(msg->seqno);
 		if (rc < 0)
 			return rc;
 		break;
@ -303,17 +284,6 @@ void avc_netlink_loop(void)
 int avc_netlink_acquire_fd(void)
 {
 	if (fd < 0) {
 		int rc = 0;
 		rc = avc_netlink_open(0);
 		if (rc < 0) {
 			avc_log(SELINUX_ERROR,
 				"%s: could not open netlink socket: %d (%m)\n",
 				avc_prefix, errno);
 			return rc;
 		}
 	}
    avc_app_main_loop = 1;
    return fd;
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@ -14,27 +14,24 @@
 #include <string.h>
 #include <selinux/avc.h>
 #include "callbacks.h"
 #include "dso.h"
 /* callback pointers */
-extern void *(*avc_func_malloc) (size_t) ;
+extern void *(*avc_func_malloc) (size_t) hidden;
-extern void (*avc_func_free) (void *);
+extern void (*avc_func_free) (void *)hidden;
-extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) ;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
-extern void (*avc_func_audit) (void *, security_class_t, char *, size_t);
+extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
-extern int avc_using_threads ;
+extern int avc_using_threads hidden;
-extern int avc_app_main_loop ;
+extern int avc_app_main_loop hidden;
-extern void *(*avc_func_create_thread) (void (*)(void));
+extern void *(*avc_func_create_thread) (void (*)(void))hidden;
-extern void (*avc_func_stop_thread) (void *);
+extern void (*avc_func_stop_thread) (void *)hidden;
-extern void *(*avc_func_alloc_lock) (void);
+extern void *(*avc_func_alloc_lock) (void)hidden;
-extern void (*avc_func_get_lock) (void *);
+extern void (*avc_func_get_lock) (void *)hidden;
-extern void (*avc_func_release_lock) (void *);
+extern void (*avc_func_release_lock) (void *)hidden;
-extern void (*avc_func_free_lock) (void *);
+extern void (*avc_func_free_lock) (void *)hidden;
 /* selinux status processing for netlink and sestatus */
 extern int avc_process_setenforce(int enforcing);
 extern int avc_process_policyload(uint32_t seqno);
 static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 				 const struct avc_log_callback *log_cb,
@ -64,10 +61,10 @@ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
 /* message prefix and enforcing mode*/
 #define AVC_PREFIX_SIZE 16
-extern char avc_prefix[AVC_PREFIX_SIZE] ;
+extern char avc_prefix[AVC_PREFIX_SIZE] hidden;
-extern int avc_running ;
+extern int avc_running hidden;
-extern int avc_enforcing ;
+extern int avc_enforcing hidden;
-extern int avc_setenforce ;
+extern int avc_setenforce hidden;
 /* user-supplied callback interface for avc */
 static inline void *avc_malloc(size_t size)
@ -85,12 +82,10 @@ static inline void avc_free(void *ptr)
 /* this is a macro in order to use the variadic capability. */
 #define avc_log(type, format...) \
-  do { \
+  if (avc_func_log) \
-    if (avc_func_log) \
+    avc_func_log(format); \
-      avc_func_log(format); \
+  else \
-    else \
+    selinux_log(type, format);
      selinux_log(type, format); \
  } while (0)
 static inline void avc_suppl_audit(void *ptr, security_class_t class,
 				   char *buf, size_t len)
@ -139,18 +134,14 @@ static inline void avc_free_lock(void *lock)
 #ifdef AVC_CACHE_STATS
 #define avc_cache_stats_incr(field) \
-  do { \
+  cache_stats.field ++;
    cache_stats.field ++; \
  } while (0)
 #define avc_cache_stats_add(field, num) \
-  do { \
+  cache_stats.field += num;
    cache_stats.field += num; \
  } while (0)
 #else
-#define avc_cache_stats_incr(field) do {} while (0)
+#define avc_cache_stats_incr(field)
-#define avc_cache_stats_add(field, num) do {} while (0)
+#define avc_cache_stats_add(field, num)
 #endif
@ -164,23 +155,28 @@ static inline void avc_free_lock(void *lock)
 /* internal callbacks */
 int avc_ss_grant(security_id_t ssid, security_id_t tsid,
 		 security_class_t tclass, access_vector_t perms,
-		 uint32_t seqno) ;
+		 uint32_t seqno) hidden;
 int avc_ss_try_revoke(security_id_t ssid, security_id_t tsid,
 		      security_class_t tclass,
 		      access_vector_t perms, uint32_t seqno,
-		      access_vector_t * out_retained) ;
+		      access_vector_t * out_retained) hidden;
 int avc_ss_revoke(security_id_t ssid, security_id_t tsid,
 		  security_class_t tclass, access_vector_t perms,
-		  uint32_t seqno) ;
+		  uint32_t seqno) hidden;
-int avc_ss_reset(uint32_t seqno) ;
+int avc_ss_reset(uint32_t seqno) hidden;
 int avc_ss_set_auditallow(security_id_t ssid, security_id_t tsid,
 			  security_class_t tclass, access_vector_t perms,
-			  uint32_t seqno, uint32_t enable) ;
+			  uint32_t seqno, uint32_t enable) hidden;
 int avc_ss_set_auditdeny(security_id_t ssid, security_id_t tsid,
 			 security_class_t tclass, access_vector_t perms,
-			 uint32_t seqno, uint32_t enable) ;
+			 uint32_t seqno, uint32_t enable) hidden;
 /* netlink kernel message code */
-extern int avc_netlink_trouble ;
+extern int avc_netlink_trouble hidden;
 hidden_proto(avc_av_stats)
    hidden_proto(avc_cleanup)
    hidden_proto(avc_reset)
    hidden_proto(avc_audit)
    hidden_proto(avc_has_perm_noaudit)
 #endif				/* _SELINUX_AVC_INTERNAL_H_ */
--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
@ -15,13 +15,14 @@
 static inline unsigned sidtab_hash(const char * key)
 {
-	const char *p;
+	char *p, *keyp;
 	unsigned int size;
 	unsigned int val;
 	val = 0;
-	size = strlen(key);
+	keyp = (char *)key;
-	for (p = key; (unsigned int)(p - key) < size; p++)
+	size = strlen(keyp);
 	for (p = keyp; (unsigned int)(p - keyp) < size; p++)
 		val =
 		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
 	return val & (SIDTAB_SIZE - 1);
@ -56,7 +57,7 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
 		rc = -1;
 		goto out;
 	}
-	newctx = strdup(ctx);
+	newctx = (char *) strdup(ctx);
 	if (!newctx) {
 		rc = -1;
 		avc_free(newnode);
@ -100,7 +101,7 @@ sidtab_context_to_sid(struct sidtab *s,
 	return rc;
 }
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
+void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
 {
 	int i, chain_len, slots_used, max_chain_len;
 	struct sidtab_node *cur;
@ -108,7 +109,7 @@ void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
 	slots_used = 0;
 	max_chain_len = 0;
 	for (i = 0; i < SIDTAB_SIZE; i++) {
-		cur = s->htable[i];
+		cur = h->htable[i];
 		if (cur) {
 			slots_used++;
 			chain_len = 0;
@ -124,7 +125,7 @@ void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
 	snprintf(buf, buflen,
 		 "%s:  %u SID entries and %d/%d buckets used, longest "
-		 "chain length %d\n", avc_prefix, s->nel, slots_used,
+		 "chain length %d\n", avc_prefix, h->nel, slots_used,
 		 SIDTAB_SIZE, max_chain_len);
 }
--- a/libselinux/src/avc_sidtab.h
+++ b/libselinux/src/avc_sidtab.h
@ -7,6 +7,7 @@
 #include <selinux/selinux.h>
 #include <selinux/avc.h>
 #include "dso.h"
 struct sidtab_node {
 	struct security_id sid_s;
@ -23,13 +24,13 @@ struct sidtab {
 	unsigned nel;
 };
-int sidtab_init(struct sidtab *s) ;
+int sidtab_init(struct sidtab *s) hidden;
-int sidtab_insert(struct sidtab *s, const char * ctx) ;
+int sidtab_insert(struct sidtab *s, const char * ctx) hidden;
 int sidtab_context_to_sid(struct sidtab *s,
-			  const char * ctx, security_id_t * sid) ;
+			  const char * ctx, security_id_t * sid) hidden;
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) hidden;
-void sidtab_destroy(struct sidtab *s) ;
+void sidtab_destroy(struct sidtab *s) hidden;
 #endif				/* _SELINUX_AVC_SIDTAB_H_ */
--- a/libselinux/src/booleans.c
+++ b/libselinux/src/booleans.c
@ -414,3 +414,8 @@ char *selinux_boolean_sub(const char *name __attribute__((unused)))
 }
 #endif
 hidden_def(security_get_boolean_names)
 hidden_def(selinux_boolean_sub)
 hidden_def(security_get_boolean_active)
 hidden_def(security_set_boolean)
 hidden_def(security_commit_booleans)
--- a/libselinux/src/callbacks.h
+++ b/libselinux/src/callbacks.h
@ -9,21 +9,22 @@
 #include <stdlib.h>
 #include <string.h>
 #include <selinux/selinux.h>
 #include "dso.h"
 /* callback pointers */
 extern int __attribute__ ((format(printf, 2, 3)))
-(*selinux_log) (int type, const char *, ...) ;
+(*selinux_log) (int type, const char *, ...) hidden;
 extern int
-(*selinux_audit) (void *, security_class_t, char *, size_t) ;
+(*selinux_audit) (void *, security_class_t, char *, size_t) hidden;
 extern int
-(*selinux_validate)(char **ctx) ;
+(*selinux_validate)(char **ctx) hidden;
 extern int
-(*selinux_netlink_setenforce) (int enforcing) ;
+(*selinux_netlink_setenforce) (int enforcing) hidden;
 extern int
-(*selinux_netlink_policyload) (int seqno) ;
+(*selinux_netlink_policyload) (int seqno) hidden;
 #endif				/* _SELINUX_CALLBACKS_H_ */
--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
@ -60,6 +60,7 @@ int security_canonicalize_context_raw(const char * con,
 	return ret;
 }
 hidden_def(security_canonicalize_context_raw)
 int security_canonicalize_context(const char * con,
 				      char ** canoncon)
@ -82,3 +83,4 @@ int security_canonicalize_context(const char * con,
 	return ret;
 }
 hidden_def(security_canonicalize_context)
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@ -39,7 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
 	if (rc < 0)
 		return rc;
-	(void) selinux_status_updated();
+	(void) avc_netlink_check_nb();
       sclass = string_to_security_class(class);
       if (sclass == 0) {
@ -64,7 +64,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
       return avc_has_perm (scon_id, tcon_id, sclass, av, NULL, aux);
 }
-static int selinux_check_passwd_access_internal(access_vector_t requested)
+int selinux_check_passwd_access(access_vector_t requested)
 {
 	int status = -1;
 	char *user_context;
@ -78,9 +78,7 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
 		passwd_class = string_to_security_class("passwd");
 		if (passwd_class == 0) {
 			freecon(user_context);
-			if (security_deny_unknown() == 0)
+			return 0;
 				return 0;
 			return -1;
 		}
 		retval = security_compute_av_raw(user_context,
@ -101,11 +99,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
 	return status;
 }
-int selinux_check_passwd_access(access_vector_t requested) {
+hidden_def(selinux_check_passwd_access)
 	return selinux_check_passwd_access_internal(requested);
 }
 int checkPasswdAccess(access_vector_t requested)
 {
-	return selinux_check_passwd_access_internal(requested);
+	return selinux_check_passwd_access(requested);
 }
--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
@ -31,6 +31,7 @@ int security_check_context_raw(const char * con)
 	return 0;
 }
 hidden_def(security_check_context_raw)
 int security_check_context(const char * con)
 {
@ -47,3 +48,4 @@ int security_check_context(const char * con)
 	return ret;
 }
 hidden_def(security_check_context)
--- a/libselinux/src/checkreqprot.c
+++ b/libselinux/src/checkreqprot.c
@ -37,3 +37,4 @@ int security_get_checkreqprot(void)
 	return checkreqprot;
 }
 hidden_def(security_get_checkreqprot);
--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
@ -80,6 +80,7 @@ int security_compute_av_flags_raw(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_av_flags_raw)
 int security_compute_av_raw(const char * scon,
 			    const char * tcon,
@ -106,6 +107,7 @@ int security_compute_av_raw(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_av_raw)
 int security_compute_av_flags(const char * scon,
 			      const char * tcon,
@ -132,6 +134,7 @@ int security_compute_av_flags(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_av_flags)
 int security_compute_av(const char * scon,
 			const char * tcon,
@ -159,3 +162,4 @@ int security_compute_av(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_av)
--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
@ -105,6 +105,7 @@ int security_compute_create_name_raw(const char * scon,
 	close(fd);
 	return ret;
 }
 hidden_def(security_compute_create_name_raw)
 int security_compute_create_raw(const char * scon,
 				const char * tcon,
@ -114,6 +115,7 @@ int security_compute_create_raw(const char * scon,
 	return security_compute_create_name_raw(scon, tcon, tclass,
 						NULL, newcon);
 }
 hidden_def(security_compute_create_raw)
 int security_compute_create_name(const char * scon,
 				 const char * tcon,
@ -144,6 +146,7 @@ int security_compute_create_name(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_create_name)
 int security_compute_create(const char * scon,
 				const char * tcon,
@ -152,3 +155,4 @@ int security_compute_create(const char * scon,
 {
 	return security_compute_create_name(scon, tcon, tclass, NULL, newcon);
 }
 hidden_def(security_compute_create)
--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
@ -60,6 +60,7 @@ int security_compute_member_raw(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_member_raw)
 int security_compute_member(const char * scon,
 			    const char * tcon,
--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
@ -60,6 +60,7 @@ int security_compute_relabel_raw(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_relabel_raw)
 int security_compute_relabel(const char * scon,
 			     const char * tcon,
--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
@ -8,7 +8,6 @@
 #include "selinux_internal.h"
 #include "policy.h"
 #include <limits.h>
 #include "callbacks.h"
 int security_compute_user_raw(const char * scon,
 			      const char *user, char *** con)
@ -25,8 +24,6 @@ int security_compute_user_raw(const char * scon,
 		return -1;
 	}
 	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
 	fd = open(path, O_RDWR | O_CLOEXEC);
 	if (fd < 0)
@ -80,6 +77,7 @@ int security_compute_user_raw(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_user_raw)
 int security_compute_user(const char * scon,
 			  const char *user, char *** con)
@ -109,3 +107,4 @@ int security_compute_user(const char * scon,
 	return ret;
 }
 hidden_def(security_compute_user)
--- a/libselinux/src/context.c
+++ b/libselinux/src/context.c
@ -37,7 +37,7 @@ context_t context_new(const char *str)
 	}
 	n->current_str = n->component[0] = n->component[1] = n->component[2] =
 	    n->component[3] = 0;
-	for (count = 0, p = str; *p; p++) {
+	for (i = count = 0, p = str; *p; p++) {
 		switch (*p) {
 		case ':':
 			count++;
@ -82,6 +82,7 @@ context_t context_new(const char *str)
 	return 0;
 }
 hidden_def(context_new)
 static void conditional_free(char **v)
 {
@ -112,6 +113,7 @@ void context_free(context_t context)
 	}
 }
 hidden_def(context_free)
 /*
 * Return a pointer to the string value of the context.
@ -142,6 +144,7 @@ char *context_str(context_t context)
 	return n->current_str;
 }
 hidden_def(context_str)
 /* Returns nonzero iff failed */
 static int set_comp(context_private_t * n, int idx, const char *str)
@ -151,14 +154,14 @@ static int set_comp(context_private_t * n, int idx, const char *str)
 	if (str) {
 		t = (char *)malloc(strlen(str) + 1);
 		if (!t) {
-			return -1;
+			return 1;
 		}
 		for (p = str; *p; p++) {
 			if (*p == '\t' || *p == '\n' || *p == '\r' ||
 			    ((*p == ':' || *p == ' ') && idx != COMP_RANGE)) {
 				free(t);
 				errno = EINVAL;
-				return -1;
+				return 1;
 			}
 		}
 		strcpy(t, str);
@ -173,7 +176,8 @@ const char * context_ ## name ## _get(context_t context) \
 { \
        context_private_t *n = context->ptr; \
        return n->component[tag]; \
-}
+} \
 hidden_def(context_ ## name ## _get)
 def_get(type, COMP_TYPE)
    def_get(user, COMP_USER)
@ -183,7 +187,8 @@ def_get(type, COMP_TYPE)
 int context_ ## name ## _set(context_t context, const char* str) \
 { \
        return set_comp(context->ptr,tag,str);\
-}
+} \
 hidden_def(context_ ## name ## _set)
    def_set(type, COMP_TYPE)
    def_set(role, COMP_ROLE)
    def_set(user, COMP_USER)
--- a/libselinux/src/context_internal.h
+++ b/libselinux/src/context_internal.h
@ -1,2 +1,14 @@
 #include <selinux/context.h>
 #include "dso.h"
 hidden_proto(context_new)
    hidden_proto(context_free)
    hidden_proto(context_str)
    hidden_proto(context_type_set)
    hidden_proto(context_type_get)
    hidden_proto(context_role_set)
    hidden_proto(context_role_get)
    hidden_proto(context_user_set)
    hidden_proto(context_user_get)
    hidden_proto(context_range_set)
    hidden_proto(context_range_get)
--- a/libselinux/src/deny_unknown.c
+++ b/libselinux/src/deny_unknown.c
@ -37,3 +37,4 @@ int security_deny_unknown(void)
 	return deny_unknown;
 }
 hidden_def(security_deny_unknown);
--- a/libselinux/src/disable.c
+++ b/libselinux/src/disable.c
@ -35,3 +35,4 @@ int security_disable(void)
 	return 0;
 }
 hidden_def(security_disable)
--- a/libselinux/src/dso.h
+++ b/libselinux/src/dso.h
@ -0,0 +1,23 @@
 #ifndef _SELINUX_DSO_H
 #define _SELINUX_DSO_H	1
 #ifdef SHARED
 # define hidden __attribute__ ((visibility ("hidden")))
 # define hidden_proto(fct) __hidden_proto (fct, fct##_internal)
 # define __hidden_proto(fct, internal)	\
     extern __typeof (fct) internal;	\
     extern __typeof (fct) fct __asm (#internal) hidden;
 # if defined(__alpha__) || defined(__mips__)
 #  define hidden_def(fct) \
     asm (".globl " #fct "\n" #fct " = " #fct "_internal");
 # else
 #  define hidden_def(fct) \
     asm (".globl " #fct "\n.set " #fct ", " #fct "_internal");
 #endif
 #else
 # define hidden
 # define hidden_proto(fct)
 # define hidden_def(fct)
 #endif
 #endif
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@ -20,6 +20,7 @@ int is_selinux_enabled(void)
 #endif
 }
 hidden_def(is_selinux_enabled)
 /*
 * Function: is_selinux_mls_enabled()
@ -54,3 +55,4 @@ int is_selinux_mls_enabled(void)
 	return enabled;
 }
 hidden_def(is_selinux_mls_enabled)
--- a/libselinux/src/exception.sh
+++ b/libselinux/src/exception.sh
@ -1,5 +1,3 @@
 #!/bin/bash
 function except() {
 case $1 in
    selinux_file_context_cmp) # ignore
@ -12,26 +10,15 @@ echo "
     PyErr_SetFromErrno(PyExc_OSError);
     SWIG_fail;
  }
-}"
+}
 "
 ;;
 esac
 }
-
+if ! ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
 # Make sure that selinux.h is included first in order not to depend on the order
 # in which "#include <selinux/selinux.h>" appears in other files.
 FILE_LIST=(
    ../include/selinux/selinux.h
    ../include/selinux/avc.h
    ../include/selinux/context.h
    ../include/selinux/get_context_list.h
    ../include/selinux/get_default_type.h
    ../include/selinux/label.h
    ../include/selinux/restorecon.h
 )
 if ! cat "${FILE_LIST[@]}" | ${CC:-gcc} -x c -c -I../include -o temp.o - -aux-info temp.aux
 then
    # clang does not support -aux-info so fall back to gcc
-    cat "${FILE_LIST[@]}" | gcc -x c -c -I../include -o temp.o - -aux-info temp.aux
+    gcc -x c -c -I../include -o temp.o - -aux-info temp.aux < ../include/selinux/selinux.h
 fi
 for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done 
 rm -f -- temp.aux temp.o
--- a/libselinux/src/fgetfilecon.c
+++ b/libselinux/src/fgetfilecon.c
@ -49,6 +49,7 @@ int fgetfilecon_raw(int fd, char ** context)
 	return ret;
 }
 hidden_def(fgetfilecon_raw)
 int fgetfilecon(int fd, char ** context)
 {
--- a/libselinux/src/freecon.c
+++ b/libselinux/src/freecon.c
@ -8,3 +8,4 @@ void freecon(char * con)
 	free(con);
 }
 hidden_def(freecon)
--- a/libselinux/src/freeconary.c
+++ b/libselinux/src/freeconary.c
@ -16,3 +16,4 @@ void freeconary(char ** con)
 	free(con);
 }
 hidden_def(freeconary)
--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
@ -25,6 +25,7 @@ int fsetfilecon_raw(int fd, const char * context)
 	return rc;
 }
 hidden_def(fsetfilecon_raw)
 int fsetfilecon(int fd, const char *context)
 {
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@ -2,7 +2,6 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
@ -13,7 +12,7 @@
 int get_default_context_with_role(const char *user,
 				  const char *role,
-				  const char *fromcon,
+				  char * fromcon,
 				  char ** newcon)
 {
 	char **conary;
@ -52,28 +51,28 @@ int get_default_context_with_role(const char *user,
 	return rc;
 }
 hidden_def(get_default_context_with_role)
 int get_default_context_with_rolelevel(const char *user,
 				       const char *role,
 				       const char *level,
-				       const char *fromcon,
+				       char * fromcon,
 				       char ** newcon)
 {
-	int rc;
+	int rc = 0;
-	char *backup_fromcon = NULL;
+	int freefrom = 0;
 	context_t con;
-	const char *newfromcon;
+	char *newfromcon;
 	if (!level)
 		return get_default_context_with_role(user, role, fromcon,
 						     newcon);
 	if (!fromcon) {
-		rc = getcon(&backup_fromcon);
+		rc = getcon(&fromcon);
 		if (rc < 0)
 			return rc;
-		fromcon = backup_fromcon;
+		freefrom = 1;
 	}
 	rc = -1;
@ -92,13 +91,14 @@ int get_default_context_with_rolelevel(const char *user,
      out:
 	context_free(con);
-	freecon(backup_fromcon);
+	if (freefrom)
 		freecon(fromcon);
 	return rc;
 }
 int get_default_context(const char *user,
-			const char *fromcon, char ** newcon)
+			char * fromcon, char ** newcon)
 {
 	char **conary;
 	int rc;
@ -114,41 +114,64 @@ int get_default_context(const char *user,
 	return 0;
 }
-static int is_in_reachable(char **reachable, const char *usercon_str)
+static int find_partialcon(char ** list,
 			   unsigned int nreach, char *part)
 {
-	if (!reachable)
+	const char *conrole, *contype;
-		return 0;
+	char *partrole, *parttype, *ptr;
 	context_t con;
 	unsigned int i;
-	for (; *reachable != NULL; reachable++) {
+	partrole = part;
-		if (strcmp(*reachable, usercon_str) == 0) {
+	ptr = part;
-			return 1;
+	while (*ptr && !isspace(*ptr) && *ptr != ':')
 		ptr++;
 	if (*ptr != ':')
 		return -1;
 	*ptr++ = 0;
 	parttype = ptr;
 	while (*ptr && !isspace(*ptr) && *ptr != ':')
 		ptr++;
 	*ptr = 0;
 	for (i = 0; i < nreach; i++) {
 		con = context_new(list[i]);
 		if (!con)
 			return -1;
 		conrole = context_role_get(con);
 		contype = context_type_get(con);
 		if (!conrole || !contype) {
 			context_free(con);
 			return -1;
 		}
 		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
 			context_free(con);
 			return i;
 		}
 		context_free(con);
 	}
-	return 0;
+
 	return -1;
 }
-static int get_context_user(FILE * fp,
+static int get_context_order(FILE * fp,
-			     const char * fromcon,
+			     char * fromcon,
-			     const char * user,
+			     char ** reachable,
-			     char ***reachable,
+			     unsigned int nreach,
-			     unsigned int *nreachable)
+			     unsigned int *ordering, unsigned int *nordered)
 {
 	char *start, *end = NULL;
 	char *line = NULL;
-	size_t line_len = 0, usercon_len;
+	size_t line_len = 0;
 	size_t user_len = strlen(user);
 	ssize_t len;
 	int found = 0;
-	const char *fromrole, *fromtype, *fromlevel;
+	const char *fromrole, *fromtype;
 	char *linerole, *linetype;
-	char **new_reachable = NULL;
+	unsigned int i;
 	char *usercon_str;
 	context_t con;
 	context_t usercon;
 	int rc;
-	errno = EINVAL;
+	errno = -EINVAL;
 	/* Extract the role and type of the fromcon for matching.
 	   User identity and MLS range can be variable. */
@ -157,7 +180,6 @@ static int get_context_user(FILE * fp,
 		return -1;
 	fromrole = context_role_get(con);
 	fromtype = context_type_get(con);
 	fromlevel = context_range_get(con);
 	if (!fromrole || !fromtype) {
 		context_free(con);
 		return -1;
@ -221,75 +243,23 @@ static int get_context_user(FILE * fp,
 		if (*end)
 			*end++ = 0;
-		/* Check whether a new context is valid */
+		/* Check for a match in the reachable list. */
-		if (SIZE_MAX - user_len < strlen(start) + 2) {
+		rc = find_partialcon(reachable, nreach, start);
-			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+		if (rc < 0) {
-			errno = EINVAL;
+			/* No match, skip it. */
 			rc = -1;
 			goto out;
 		}
 		usercon_len = user_len + strlen(start) + 2;
 		usercon_str = malloc(usercon_len);
 		if (!usercon_str) {
 			rc = -1;
 			goto out;
 		}
 		/* set range from fromcon in the new usercon */
 		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
 		usercon = context_new(usercon_str);
 		if (!usercon) {
 			if (errno != EINVAL) {
 				free(usercon_str);
 				rc = -1;
 				goto out;
 			}
 			fprintf(stderr,
 				"%s: can't create a context from %s, skipping\n",
 				__FUNCTION__, usercon_str);
 			free(usercon_str);
 			start = end;
 			continue;
 		}
 		free(usercon_str);
 		if (context_range_set(usercon, fromlevel) != 0) {
 			context_free(usercon);
 			rc = -1;
 			goto out;
 		}
 		usercon_str = context_str(usercon);
 		if (!usercon_str) {
 			context_free(usercon);
 			rc = -1;
 			goto out;
 		}
-		/* check whether usercon is already in reachable */
+		/* If a match is found and the entry is not already ordered
-		if (is_in_reachable(*reachable, usercon_str)) {
+		   (e.g. due to prior match in prior config file), then set
-			context_free(usercon);
+		   the ordering for it. */
-			start = end;
+		i = rc;
-			continue;
+		if (ordering[i] == nreach)
-		}
+			ordering[i] = (*nordered)++;
 		if (security_check_context(usercon_str) == 0) {
 			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
 			if (!new_reachable) {
 				context_free(usercon);
 				rc = -1;
 				goto out;
 			}
 			*reachable = new_reachable;
 			new_reachable[*nreachable] = strdup(usercon_str);
 			if (new_reachable[*nreachable] == NULL) {
 				context_free(usercon);
 				rc = -1;
 				goto out;
 			}
 			new_reachable[*nreachable + 1] = 0;
 			*nreachable += 1;
 		}
 		context_free(usercon);
 		start = end;
 	}
 	rc = 0;
      out:
@ -343,24 +313,39 @@ static int get_failsafe_context(const char *user, char ** newcon)
 	return 0;
 }
 struct context_order {
 	char * con;
 	unsigned int order;
 };
 static int order_compare(const void *A, const void *B)
 {
 	const struct context_order *c1 = A, *c2 = B;
 	if (c1->order < c2->order)
 		return -1;
 	else if (c1->order > c2->order)
 		return 1;
 	return strcmp(c1->con, c2->con);
 }
 int get_ordered_context_list_with_level(const char *user,
 					const char *level,
-					const char *fromcon,
+					char * fromcon,
 					char *** list)
 {
 	int rc;
-	char *backup_fromcon = NULL;
+	int freefrom = 0;
 	context_t con;
-	const char *newfromcon;
+	char *newfromcon;
 	if (!level)
 		return get_ordered_context_list(user, fromcon, list);
 	if (!fromcon) {
-		rc = getcon(&backup_fromcon);
+		rc = getcon(&fromcon);
 		if (rc < 0)
 			return rc;
-		fromcon = backup_fromcon;
+		freefrom = 1;
 	}
 	rc = -1;
@ -379,14 +364,16 @@ int get_ordered_context_list_with_level(const char *user,
      out:
 	context_free(con);
-	freecon(backup_fromcon);
+	if (freefrom)
 		freecon(fromcon);
 	return rc;
 }
 hidden_def(get_ordered_context_list_with_level)
 int get_default_context_with_level(const char *user,
 				   const char *level,
-				   const char *fromcon,
+				   char * fromcon,
 				   char ** newcon)
 {
 	char **conary;
@ -404,13 +391,15 @@ int get_default_context_with_level(const char *user,
 }
 int get_ordered_context_list(const char *user,
-			     const char *fromcon,
+			     char * fromcon,
 			     char *** list)
 {
 	char **reachable = NULL;
 	unsigned int *ordering = NULL;
 	struct context_order *co = NULL;
 	char **ptr;
 	int rc = 0;
-	unsigned nreachable = 0;
+	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
 	char *backup_fromcon = NULL;
 	FILE *fp;
 	char *fname = NULL;
 	size_t fname_len;
@ -418,12 +407,29 @@ int get_ordered_context_list(const char *user,
 	if (!fromcon) {
 		/* Get the current context and use it for the starting context */
-		rc = getcon(&backup_fromcon);
+		rc = getcon(&fromcon);
 		if (rc < 0)
 			return rc;
-		fromcon = backup_fromcon;
+		freefrom = 1;
 	}
 	/* Determine the set of reachable contexts for the user. */
 	rc = security_compute_user(fromcon, user, &reachable);
 	if (rc < 0)
 		goto failsafe;
 	nreach = 0;
 	for (ptr = reachable; *ptr; ptr++)
 		nreach++;
 	if (!nreach)
 		goto failsafe;
 	/* Initialize ordering array. */
 	ordering = malloc(nreach * sizeof(unsigned int));
 	if (!ordering)
 		goto failsafe;
 	for (i = 0; i < nreach; i++)
 		ordering[i] = nreach;
 	/* Determine the ordering to apply from the optional per-user config
 	   and from the global config. */
 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@ -434,8 +440,8 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(fname, "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
-		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
-
+				       &nordered);
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@ -448,7 +454,8 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(selinux_default_context_path(), "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
-		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
 				       &nordered);
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@ -456,20 +463,42 @@ int get_ordered_context_list(const char *user,
 				__FUNCTION__, selinux_default_context_path());
 			/* Fall through */
 		}
 		rc = 0;
 	}
-	if (!nreachable)
+	if (!nordered)
 		goto failsafe;
-      out:
+	/* Apply the ordering. */
-	if (nreachable > 0) {
+	co = malloc(nreach * sizeof(struct context_order));
-		*list = reachable;
+	if (!co)
-		rc = nreachable;
+		goto failsafe;
 	for (i = 0; i < nreach; i++) {
 		co[i].con = reachable[i];
 		co[i].order = ordering[i];
 	}
 	qsort(co, nreach, sizeof(struct context_order), order_compare);
 	for (i = 0; i < nreach; i++)
 		reachable[i] = co[i].con;
 	free(co);
 	/* Only report the ordered entries to the caller. */
 	if (nordered <= nreach) {
 		for (i = nordered; i < nreach; i++)
 			free(reachable[i]);
 		reachable[nordered] = NULL;
 		rc = nordered;
 	}
      out:
 	if (rc > 0)
 		*list = reachable;
 	else
 		freeconary(reachable);
-	freecon(backup_fromcon);
+	free(ordering);
 	if (freefrom)
 		freecon(fromcon);
 	return rc;
@ -490,7 +519,8 @@ int get_ordered_context_list(const char *user,
 		reachable = NULL;
 		goto out;
 	}
-	nreachable = 1;			/* one context in the list */
+	rc = 1;			/* one context in the list */
 	goto out;
 }
 hidden_def(get_ordered_context_list)
--- a/libselinux/src/get_context_list_internal.h
+++ b/libselinux/src/get_context_list_internal.h
@ -1,2 +1,6 @@
 #include <selinux/get_context_list.h>
 #include "dso.h"
 hidden_proto(get_ordered_context_list)
    hidden_proto(get_ordered_context_list_with_level)
    hidden_proto(get_default_context_with_role)
--- a/libselinux/src/get_default_type_internal.h
+++ b/libselinux/src/get_default_type_internal.h
@ -1,2 +1,4 @@
 #include <selinux/get_default_type.h>
 #include "dso.h"
 hidden_proto(selinux_default_type_path)
--- a/libselinux/src/get_initial_context.c
+++ b/libselinux/src/get_initial_context.c
@ -53,6 +53,7 @@ int security_get_initial_context_raw(const char * name, char ** con)
 	return ret;
 }
 hidden_def(security_get_initial_context_raw)
 int security_get_initial_context(const char * name, char ** con)
 {
@ -68,3 +69,4 @@ int security_get_initial_context(const char * name, char ** con)
 	return ret;
 }
 hidden_def(security_get_initial_context)
--- a/libselinux/src/getenforce.c
+++ b/libselinux/src/getenforce.c
@ -37,3 +37,4 @@ int security_getenforce(void)
 	return !!enforce;
 }
 hidden_def(security_getenforce)
--- a/libselinux/src/getfilecon.c
+++ b/libselinux/src/getfilecon.c
@ -49,6 +49,7 @@ int getfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 hidden_def(getfilecon_raw)
 int getfilecon(const char *path, char ** context)
 {
@ -69,3 +70,4 @@ int getfilecon(const char *path, char ** context)
 	return ret;
 }
 hidden_def(getfilecon)
--- a/libselinux/src/getpeercon.c
+++ b/libselinux/src/getpeercon.c
@ -43,6 +43,7 @@ int getpeercon_raw(int fd, char ** context)
 	return ret;
 }
 hidden_def(getpeercon_raw)
 int getpeercon(int fd, char ** context)
 {
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@ -12,6 +12,7 @@
 #include <stdint.h>
 #include <limits.h>
 #include "dso.h"
 #include "policy.h"
 #include "selinux_internal.h"
 #include "setrans_internal.h"
@ -78,6 +79,7 @@ int selinuxfs_exists(void)
 	fclose(fp);
 	return exists;
 }
 hidden_def(selinuxfs_exists)
 static void init_selinuxmnt(void)
 {
@ -136,12 +138,14 @@ void fini_selinuxmnt(void)
 	selinux_mnt = NULL;
 }
 hidden_def(fini_selinuxmnt)
 void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
 hidden_def(set_selinuxmnt)
 static void init_lib(void) __attribute__ ((constructor));
 static void init_lib(void)
--- a/libselinux/src/is_customizable_type.c
+++ b/libselinux/src/is_customizable_type.c
@ -38,7 +38,7 @@ static int get_customizable_type_list(char *** retlist)
 			while (fgets_unlocked(buf, selinux_page_size, fp)
 			       && i < ctr) {
 				buf[strlen(buf) - 1] = 0;
-				list[i] = strdup(buf);
+				list[i] = (char *) strdup(buf);
 				if (!list[i]) {
 					unsigned int j;
 					for (j = 0; j < i; j++)
--- a/libselinux/src/label_backends_android.c
+++ b/libselinux/src/label_backends_android.c
@ -96,15 +96,9 @@ static int process_line(struct selabel_handle *rec,
 	items = read_spec_entries(line_buf, &errbuf, 2, &prop, &context);
 	if (items < 0) {
 		items = errno;
-		if (errbuf) {
+		selinux_log(SELINUX_ERROR,
-			selinux_log(SELINUX_ERROR,
+			"%s:  line %u error due to: %s\n", path,
-				    "%s:  line %u error due to: %s\n", path,
+			lineno, errbuf ?: strerror(errno));
 				    lineno, errbuf);
 		} else {
 			selinux_log(SELINUX_ERROR,
 				    "%s:  line %u error due to: %m\n", path,
 				    lineno);
 		}
 		errno = items;
 		return -1;
 	}
--- a/libselinux/src/label_db.c
+++ b/libselinux/src/label_db.c
@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
 	if (!path)
 		path = selinux_sepgsql_context_path();
-	if ((filp = fopen(path, "re")) == NULL) {
+	if ((filp = fopen(path, "rb")) == NULL) {
 		free(catalog);
 		return NULL;
 	}
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@ -374,7 +374,7 @@ end_arch_check:
 		if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
 			spec->stem_id = -1;
-		else
+		 else
 			spec->stem_id = stem_map[stem_id];
 		/* retrieve the hasMetaChars bit */
@ -898,7 +898,7 @@ static void closef(struct selabel_handle *rec)
 // Finds all the matches of |key| in the given context. Returns the result in
 // the allocated array and updates the match count. If match_count is NULL,
 // stops early once the 1st match is found.
-static struct spec **lookup_all(struct selabel_handle *rec,
+static const struct spec **lookup_all(struct selabel_handle *rec,
                                      const char *key,
                                      int type,
                                      bool partial,
@ -907,14 +907,13 @@ static struct spec **lookup_all(struct selabel_handle *rec,
 	struct saved_data *data = (struct saved_data *)rec->data;
 	struct spec *spec_arr = data->spec_arr;
 	int i, rc, file_stem;
 	size_t len;
 	mode_t mode = (mode_t)type;
 	char *clean_key = NULL;
 	const char *prev_slash, *next_slash;
 	unsigned int sofar = 0;
 	char *sub = NULL;
-	struct spec **result = NULL;
+	const struct spec **result = NULL;
 	if (match_count) {
 		*match_count = 0;
 		result = calloc(data->nspec, sizeof(struct spec*));
@ -948,27 +947,6 @@ static struct spec **lookup_all(struct selabel_handle *rec,
 		key = clean_key;
 	}
 	/* remove trailing slash */
 	len = strlen(key);
 	if (len == 0) {
 		errno = EINVAL;
 		goto finish;
 	}
 	if (len > 1 && key[len - 1] == '/') {
 		/* reuse clean_key from above if available */
 		if (!clean_key) {
 			clean_key = (char *) malloc(len);
 			if (!clean_key)
 				goto finish;
 			memcpy(clean_key, key, len - 1);
 		}
 		clean_key[len - 1] = '\0';
 		key = clean_key;
 	}
 	sub = selabel_sub_key(data, key);
 	if (sub)
 		key = sub;
@ -1023,8 +1001,6 @@ static struct spec **lookup_all(struct selabel_handle *rec,
 			goto finish;
 		}
 	}
 	if (!result[0])
 		errno = ENOENT;
 finish:
 	free(clean_key);
@ -1040,11 +1016,11 @@ static struct spec *lookup_common(struct selabel_handle *rec,
                                  const char *key,
                                  int type,
                                  bool partial) {
-	struct spec **matches = lookup_all(rec, key, type, partial, NULL);
+	const struct spec **matches = lookup_all(rec, key, type, partial, NULL);
 	if (!matches) {
 		return NULL;
 	}
-	struct spec *result = matches[0];
+	struct spec *result = (struct spec*)matches[0];
 	free(matches);
 	return result;
 }
@ -1107,7 +1083,7 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
 	assert(digest);
 	size_t total_matches;
-	struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
+	const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
 	if (!matches) {
 		return false;
 	}
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@ -286,6 +286,7 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len)
 		tmp_arr = realloc(data->stem_arr,
 				  sizeof(*tmp_arr) * alloc_stems);
 		if (!tmp_arr) {
 			free(buf);
 			return -1;
 		}
 		data->alloc_stems = alloc_stems;
@ -307,7 +308,6 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
 	int stem_len = get_stem_from_spec(buf);
 	int stemid;
 	char *stem;
 	int r;
 	if (!stem_len)
 		return -1;
@ -321,11 +321,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
 	if (!stem)
 		return -1;
-	r = store_stem(data, stem, stem_len);
+	return store_stem(data, stem, stem_len);
 	if (r < 0)
 		free(stem);
 	return r;
 }
 /* This will always check for buffer over-runs and either read the next entry
@ -445,15 +441,9 @@ static inline int process_line(struct selabel_handle *rec,
 	items = read_spec_entries(line_buf, &errbuf, 3, &regex, &type, &context);
 	if (items < 0) {
 		rc = errno;
-		if (errbuf) {
+		selinux_log(SELINUX_ERROR,
-			selinux_log(SELINUX_ERROR,
+			"%s:  line %u error due to: %s\n", path,
-				    "%s:  line %u error due to: %s\n", path,
+			lineno, errbuf ?: strerror(errno));
 				    lineno, errbuf);
 		} else {
 			selinux_log(SELINUX_ERROR,
 				    "%s:  line %u error due to: %m\n", path,
 				    lineno);
 		}
 		errno = rc;
 		return -1;
 	}
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@ -13,6 +13,7 @@
 #include <stdio.h>
 #include <selinux/selinux.h>
 #include <selinux/label.h>
 #include "dso.h"
 #include "sha1.h"
 #if defined(ANDROID) || defined(__APPLE__)
@ -25,22 +26,22 @@
 */
 int selabel_file_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 int selabel_media_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 int selabel_x_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 int selabel_db_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 int selabel_property_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 int selabel_exact_match_init(struct selabel_handle *rec,
 			    const struct selinux_opt *opts,
-			    unsigned nopts) ;
+			    unsigned nopts) hidden;
 /*
 * Labeling internal structures
@ -121,26 +122,24 @@ struct selabel_handle {
 */
 extern int
 selabel_validate(struct selabel_handle *rec,
-		 struct selabel_lookup_rec *contexts) ;
+		 struct selabel_lookup_rec *contexts) hidden;
 /*
 * Compatibility support
 */
 extern int myprintf_compat;
 extern void __attribute__ ((format(printf, 1, 2)))
-(*myprintf) (const char *fmt, ...) ;
+(*myprintf) (const char *fmt, ...) hidden;
-#define COMPAT_LOG(type, fmt...) do {			\
+#define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
-	if (myprintf_compat)				\
+		myprintf(fmt);				  \
-		myprintf(fmt);				\
+	else						  \
-	else						\
+		selinux_log(type, fmt);
 		selinux_log(type, fmt);			\
 	} while (0)
 extern int
 compat_validate(struct selabel_handle *rec,
 		struct selabel_lookup_rec *contexts,
-		const char *path, unsigned lineno) ;
+		const char *path, unsigned lineno) hidden;
 /*
 * The read_spec_entries function may be used to
--- a/libselinux/src/label_media.c
+++ b/libselinux/src/label_media.c
@ -119,6 +119,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 			if (process_line(path, line_buf, pass, ++lineno, rec))
 				goto finish;
 		}
 		lineno = 0;
 		if (pass == 0) {
 			if (data->nspec == 0) {
--- a/libselinux/src/label_support.c
+++ b/libselinux/src/label_support.c
@ -63,7 +63,7 @@ static inline int read_spec_entry(char **entry, char **ptr, int *len, const char
 * This function calls read_spec_entry() to do the actual string processing.
 * As such, can return anything from that function as well.
 */
-int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+int hidden read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 {
 	char **spec_entry, *buf_p;
 	int len, rc, items, entry_len = 0;
@ -113,7 +113,7 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
 }
 /* Once all the specfiles are in the hash_buf, generate the hash. */
-void  digest_gen_hash(struct selabel_digest *digest)
+void hidden digest_gen_hash(struct selabel_digest *digest)
 {
 	Sha1Context context;
@ -141,7 +141,7 @@ void  digest_gen_hash(struct selabel_digest *digest)
 *
 * Return %0 on success, -%1 with @errno set on failure.
 */
-int  digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+int hidden digest_add_specfile(struct selabel_digest *digest, FILE *fp,
 				    char *from_addr, size_t buf_len,
 				    const char *path)
 {
--- a/libselinux/src/label_x.c
+++ b/libselinux/src/label_x.c
@ -146,6 +146,7 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
 			if (process_line(path, line_buf, pass, ++lineno, rec))
 				goto finish;
 		}
 		lineno = 0;
 		if (pass == 0) {
 			if (data->nspec == 0) {
--- a/libselinux/src/lgetfilecon.c
+++ b/libselinux/src/lgetfilecon.c
@ -49,6 +49,7 @@ int lgetfilecon_raw(const char *path, char ** context)
 	return ret;
 }
 hidden_def(lgetfilecon_raw)
 int lgetfilecon(const char *path, char ** context)
 {
--- a/libselinux/src/libselinux.map
+++ b/libselinux/src/libselinux.map
@ -1,242 +0,0 @@
 LIBSELINUX_1.0 {
  global:
    avc_add_callback;
    avc_audit;
    avc_av_stats;
    avc_cache_stats;
    avc_cleanup;
    avc_compute_create;
    avc_compute_member;
    avc_context_to_sid;
    avc_context_to_sid_raw;
    avc_destroy;
    avc_get_initial_sid;
    avc_has_perm;
    avc_has_perm_noaudit;
    avc_init;
    avc_netlink_acquire_fd;
    avc_netlink_check_nb;
    avc_netlink_close;
    avc_netlink_loop;
    avc_netlink_open;
    avc_netlink_release_fd;
    avc_open;
    avc_reset;
    avc_sid_stats;
    avc_sid_to_context;
    avc_sid_to_context_raw;
    checkPasswdAccess;
    context_free;
    context_new;
    context_range_get;
    context_range_set;
    context_role_get;
    context_role_set;
    context_str;
    context_type_get;
    context_type_set;
    context_user_get;
    context_user_set;
    fgetfilecon;
    fgetfilecon_raw;
    fini_selinuxmnt;
    freecon;
    freeconary;
    fsetfilecon;
    fsetfilecon_raw;
    getcon;
    getcon_raw;
    get_default_context;
    get_default_context_with_level;
    get_default_context_with_role;
    get_default_context_with_rolelevel;
    get_default_type;
    getexeccon;
    getexeccon_raw;
    getfilecon;
    getfilecon_raw;
    getfscreatecon;
    getfscreatecon_raw;
    getkeycreatecon;
    getkeycreatecon_raw;
    get_ordered_context_list;
    get_ordered_context_list_with_level;
    getpeercon;
    getpeercon_raw;
    getpidcon;
    getpidcon_raw;
    getprevcon;
    getprevcon_raw;
    getseuser;
    getseuserbyname;
    getsockcreatecon;
    getsockcreatecon_raw;
    is_context_customizable;
    is_selinux_enabled;
    is_selinux_mls_enabled;
    lgetfilecon;
    lgetfilecon_raw;
    lsetfilecon;
    lsetfilecon_raw;
    manual_user_enter_context;
    matchmediacon;
    matchpathcon;
    matchpathcon_checkmatches;
    matchpathcon_filespec_add;
    matchpathcon_filespec_destroy;
    matchpathcon_filespec_eval;
    matchpathcon_fini;
    matchpathcon_index;
    matchpathcon_init;
    matchpathcon_init_prefix;
    mode_to_security_class;
    print_access_vector;
    query_user_context;
    realpath_not_final;
    rpm_execcon;
    security_av_perm_to_string;
    security_av_string;
    security_canonicalize_context;
    security_canonicalize_context_raw;
    security_check_context;
    security_check_context_raw;
    security_class_to_string;
    security_commit_booleans;
    security_compute_av;
    security_compute_av_flags;
    security_compute_av_flags_raw;
    security_compute_av_raw;
    security_compute_create;
    security_compute_create_name;
    security_compute_create_name_raw;
    security_compute_create_raw;
    security_compute_member;
    security_compute_member_raw;
    security_compute_relabel;
    security_compute_relabel_raw;
    security_compute_user;
    security_compute_user_raw;
    security_deny_unknown;
    security_disable;
    security_get_boolean_active;
    security_get_boolean_names;
    security_get_boolean_pending;
    security_get_checkreqprot;
    security_getenforce;
    security_get_initial_context;
    security_get_initial_context_raw;
    security_load_booleans;
    security_load_policy;
    security_policyvers;
    security_reject_unknown;
    security_set_boolean;
    security_set_boolean_list;
    security_setenforce;
    security_validatetrans;
    security_validatetrans_raw;
    selabel_close;
    selabel_cmp;
    selabel_digest;
    selabel_get_digests_all_partial_matches;
    selabel_hash_all_partial_matches;
    selabel_lookup;
    selabel_lookup_best_match;
    selabel_lookup_best_match_raw;
    selabel_lookup_raw;
    selabel_open;
    selabel_partial_match;
    selabel_stats;
    selinux_binary_policy_path;
    selinux_booleans_path;
    selinux_booleans_subs_path;
    selinux_boolean_sub;
    selinux_check_access;
    selinux_check_passwd_access;
    selinux_check_securetty_context;
    selinux_colors_path;
    selinux_contexts_path;
    selinux_current_policy_path;
    selinux_customizable_types_path;
    selinux_default_context_path;
    selinux_default_type_path;
    selinux_failsafe_context_path;
    selinux_file_context_cmp;
    selinux_file_context_homedir_path;
    selinux_file_context_local_path;
    selinux_file_context_path;
    selinux_file_context_subs_dist_path;
    selinux_file_context_subs_path;
    selinux_file_context_verify;
    selinux_flush_class_cache;
    selinuxfs_exists;
    selinux_get_callback;
    selinux_getenforcemode;
    selinux_getpolicytype;
    selinux_homedir_context_path;
    selinux_init_load_policy;
    selinux_lsetfilecon_default;
    selinux_lxc_contexts_path;
    selinux_media_context_path;
    selinux_mkload_policy;
    selinux_mnt;
    selinux_netfilter_context_path;
    selinux_openrc_contexts_path;
    selinux_openssh_contexts_path;
    selinux_path;
    selinux_policy_root;
    selinux_raw_context_to_color;
    selinux_raw_to_trans_context;
    selinux_removable_context_path;
    selinux_reset_config;
    selinux_restorecon;
    selinux_restorecon_default_handle;
    selinux_restorecon_set_alt_rootpath;
    selinux_restorecon_set_exclude_list;
    selinux_restorecon_set_sehandle;
    selinux_restorecon_xattr;
    selinux_securetty_types_path;
    selinux_sepgsql_context_path;
    selinux_set_callback;
    selinux_set_mapping;
    selinux_set_policy_root;
    selinux_snapperd_contexts_path;
    selinux_status_close;
    selinux_status_deny_unknown;
    selinux_status_getenforce;
    selinux_status_open;
    selinux_status_policyload;
    selinux_status_updated;
    selinux_systemd_contexts_path;
    selinux_translations_path;
    selinux_trans_to_raw_context;
    selinux_user_contexts_path;
    selinux_usersconf_path;
    selinux_users_path;
    selinux_virtual_domain_context_path;
    selinux_virtual_image_context_path;
    selinux_x_context_path;
    setcon;
    setcon_raw;
    setexeccon;
    setexeccon_raw;
    setexecfilecon;
    setfilecon;
    setfilecon_raw;
    setfscreatecon;
    setfscreatecon_raw;
    setkeycreatecon;
    setkeycreatecon_raw;
    set_matchpathcon_canoncon;
    set_matchpathcon_flags;
    set_matchpathcon_invalidcon;
    set_matchpathcon_printf;
    set_selinuxmnt;
    setsockcreatecon;
    setsockcreatecon_raw;
    sidget;
    sidput;
    string_to_av_perm;
    string_to_security_class;
  local:
    *;
 };
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@ -45,6 +45,7 @@ int security_load_policy(void *data, size_t len)
 	return 0;
 }
 hidden_def(security_load_policy)
 #ifndef ANDROID
 #undef max
@ -76,11 +77,11 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 #ifdef SHARED
 	char *errormsg = NULL;
 	void *libsepolh = NULL;
-	libsepolh = dlopen("libsepol.so.2", RTLD_NOW);
+	libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
 	if (libsepolh) {
 		usesepol = 1;
 		dlerror();
-#define DLERR() do { if ((errormsg = dlerror())) goto dlclose; } while (0)
+#define DLERR() if ((errormsg = dlerror())) goto dlclose;
 		vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max");
 		DLERR();
 		vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min");
@ -137,15 +138,15 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	}
 	if (fd < 0) {
 		fprintf(stderr,
-			"SELinux:  Could not open policy file <= %s.%d:  %m\n",
+			"SELinux:  Could not open policy file <= %s.%d:  %s\n",
-			selinux_binary_policy_path(), maxvers);
+			selinux_binary_policy_path(), maxvers, strerror(errno));
 		goto dlclose;
 	}
 	if (fstat(fd, &sb) < 0) {
 		fprintf(stderr,
-			"SELinux:  Could not stat policy file %s:  %m\n",
+			"SELinux:  Could not stat policy file %s:  %s\n",
-			path);
+			path, strerror(errno));
 		goto close;
 	}
@ -153,8 +154,8 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	data = map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (map == MAP_FAILED) {
 		fprintf(stderr,
-			"SELinux:  Could not map policy file %s:  %m\n",
+			"SELinux:  Could not map policy file %s:  %s\n",
-			path);
+			path, strerror(errno));
 		goto close;
 	}
@ -193,8 +194,8 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	if (rc)
 		fprintf(stderr,
-			"SELinux:  Could not load policy file %s:  %m\n",
+			"SELinux:  Could not load policy file %s:  %s\n",
-			path);
+			path, strerror(errno));
      unmap:
 	if (data != map)
@ -212,6 +213,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	return rc;
 }
 hidden_def(selinux_mkload_policy)
 /*
 * Mount point for selinuxfs. 
@ -279,8 +281,7 @@ int selinux_init_load_policy(int *enforce)
 	const char *mntpoint = NULL;
 	/* First make sure /sys is mounted */
 	if (mount("sysfs", "/sys", "sysfs", 0, 0) == 0 || errno == EBUSY) {
-		/* MS_NODEV can't be set because of /sys/fs/selinux/null device, used by Android */
+		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
 		if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, MS_NOEXEC | MS_NOSUID, 0) == 0 || errno == EBUSY) {
 			mntpoint = SELINUXMNT;
 		} else {
 			/* check old mountpoint */
@ -306,7 +307,7 @@ int selinux_init_load_policy(int *enforce)
 			*enforce = 0;
 		} else {
 			/* Only emit this error if selinux was not disabled */
-			fprintf(stderr, "Mount failed for selinuxfs on %s:  %m\n", SELINUXMNT);
+			fprintf(stderr, "Mount failed for selinuxfs on %s:  %s\n", SELINUXMNT, strerror(errno));
 		}
 		if (rc == 0)
@ -352,7 +353,7 @@ int selinux_init_load_policy(int *enforce)
 	if (orig_enforce != *enforce) {
 		rc = security_setenforce(*enforce);
 		if (rc < 0) {
-			fprintf(stderr, "SELinux:  Unable to switch to %s mode:  %m\n", (*enforce ? "enforcing" : "permissive"));
+			fprintf(stderr, "SELinux:  Unable to switch to %s mode:  %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno));
 			if (*enforce)
 				goto noload;
 		}
--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
@ -25,6 +25,7 @@ int lsetfilecon_raw(const char *path, const char * context)
 	return rc;
 }
 hidden_def(lsetfilecon_raw)
 int lsetfilecon(const char *path, const char *context)
 {
--- a/libselinux/src/matchmediacon.c
+++ b/libselinux/src/matchmediacon.c
@ -22,7 +22,6 @@ int matchmediacon(const char *media, char ** con)
 		return -1;
 	while (!feof_unlocked(infile)) {
 		if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
 			fclose(infile);
 			return -1;
 		}
 		if (current_line[strlen(current_line) - 1])
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@ -78,30 +78,17 @@ static pthread_once_t once = PTHREAD_ONCE_INIT;
 static pthread_key_t destructor_key;
 static int destructor_key_initialized = 0;
 static void free_array_elts(void)
 {
 	int i;
 	for (i = 0; i < con_array_used; i++)
 		free(con_array[i]);
 	free(con_array);
 	con_array_size = con_array_used = 0;
 	con_array = NULL;
 }
 static int add_array_elt(char *con)
 {
 	char **tmp;
 	if (con_array_size) {
 		while (con_array_used >= con_array_size) {
 			con_array_size *= 2;
-			tmp = (char **)realloc(con_array, sizeof(char*) *
+			con_array = (char **)realloc(con_array, sizeof(char*) *
 						     con_array_size);
-			if (!tmp) {
+			if (!con_array) {
-				free_array_elts();
+				con_array_size = con_array_used = 0;
 				return -1;
 			}
 			con_array = tmp;
 		}
 	} else {
 		con_array_size = 1000;
@ -118,6 +105,13 @@ static int add_array_elt(char *con)
 	return con_array_used++;
 }
 static void free_array_elts(void)
 {
 	con_array_size = con_array_used = 0;
 	free(con_array);
 	con_array = NULL;
 }
 void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c))
 {
 	myinvalidcon = f;
@ -321,24 +315,14 @@ void matchpathcon_filespec_destroy(void)
 	fl_head = NULL;
 }
 static void matchpathcon_fini_internal(void)
 {
 	free_array_elts();
 	if (hnd) {
 		selabel_close(hnd);
 		hnd = NULL;
 	}
 }
 static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 {
-	matchpathcon_fini_internal();
+	matchpathcon_fini();
 }
 void __attribute__((destructor)) matchpathcon_lib_destructor(void);
-void  __attribute__((destructor)) matchpathcon_lib_destructor(void)
+void hidden __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
 		__selinux_key_delete(destructor_key);
@ -367,6 +351,7 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	return hnd ? 0 : -1;
 }
 hidden_def(matchpathcon_init_prefix)
 int matchpathcon_init(const char *path)
 {
@ -375,7 +360,12 @@ int matchpathcon_init(const char *path)
 void matchpathcon_fini(void)
 {
-	matchpathcon_fini_internal();
+	free_array_elts();
 	if (hnd) {
 		selabel_close(hnd);
 		hnd = NULL;
 	}
 }
 /*
@ -393,8 +383,8 @@ int realpath_not_final(const char *name, char *resolved_path)
 	tmp_path = strdup(name);
 	if (!tmp_path) {
-		myprintf("symlink_realpath(%s) strdup() failed: %m\n",
+		myprintf("symlink_realpath(%s) strdup() failed: %s\n",
-			name);
+			name, strerror(errno));
 		rc = -1;
 		goto out;
 	}
@ -414,8 +404,8 @@ int realpath_not_final(const char *name, char *resolved_path)
 	}
 	if (!p) {
-		myprintf("symlink_realpath(%s) realpath() failed: %m\n",
+		myprintf("symlink_realpath(%s) realpath() failed: %s\n",
-			name);
+			name, strerror(errno));
 		rc = -1;
 		goto out;
 	}
@ -438,7 +428,7 @@ out:
 	return rc;
 }
-static int matchpathcon_internal(const char *path, mode_t mode, char ** con)
+int matchpathcon(const char *path, mode_t mode, char ** con)
 {
 	char stackpath[PATH_MAX + 1];
 	char *p = NULL;
@ -459,13 +449,9 @@ static int matchpathcon_internal(const char *path, mode_t mode, char ** con)
 		selabel_lookup(hnd, con, path, mode);
 }
 int matchpathcon(const char *path, mode_t mode, char ** con) {
 	return matchpathcon_internal(path, mode, con);
 }
 int matchpathcon_index(const char *name, mode_t mode, char ** con)
 {
-	int i = matchpathcon_internal(name, mode, con);
+	int i = matchpathcon(name, mode, con);
 	if (i < 0)
 		return -1;
@ -483,15 +469,15 @@ void matchpathcon_checkmatches(char *str __attribute__((unused)))
 int selinux_file_context_cmp(const char * a,
 			     const char * b)
 {
-	const char *rest_a, *rest_b;	/* Rest of the context after the user */
+	char *rest_a, *rest_b;	/* Rest of the context after the user */
 	if (!a && !b)
 		return 0;
 	if (!a)
 		return -1;
 	if (!b)
 		return 1;
-	rest_a = strchr(a, ':');
+	rest_a = strchr((char *)a, ':');
-	rest_b = strchr(b, ':');
+	rest_b = strchr((char *)b, ':');
 	if (!rest_a && !rest_b)
 		return 0;
 	if (!rest_a)
--- a/libselinux/src/policyvers.c
+++ b/libselinux/src/policyvers.c
@ -7,6 +7,7 @@
 #include "selinux_internal.h"
 #include <stdio.h>
 #include "policy.h"
 #include "dso.h"
 #include <limits.h>
 int security_policyvers(void)
@ -41,3 +42,4 @@ int security_policyvers(void)
 	return vers;
 }
 hidden_def(security_policyvers)
--- a/Show more
+++ b/Show more