checkpolicy-3.2-3

Rebase on upstream commit 32611aea6543

See
    $ cd SELinuxProject/selinux
    $ git log --pretty=oneline checkpolicy-3.2..32611aea6543 -- checkpolicy

Resolves: rhbz#1988267

0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch

@@ -0,0 +1,78 @@
+From dcd07fdcbf3ba9fc47aef924b9b9f81bdefcb18b Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 8 Mar 2021 15:49:23 -0500
+Subject: [PATCH] libsepol/checkpolicy: Set user roles using role value instead
+ of dominance
+
+Roles in an optional block have two datums, one in the global block
+and one in the avrule_decl where it is declared. The datum in the
+global block does not have its dominace set. This is a problem because
+the function set_user_role() sets the user's roles based on the global
+datum's dominance ebitmap. If a user is declared with an associated role
+that was declared in an optional block, then it will not have any roles
+set for it because the dominance ebitmap is empty.
+
+Example/
+  # handle_unknown deny
+  class CLASS1
+  sid kernel
+  class CLASS1 { PERM1 }
+  type TYPE1;
+  allow TYPE1 self:CLASS1 PERM1;
+  role ROLE1;
+  role ROLE1 types { TYPE1 };
+  optional {
+    require {
+      class CLASS1 { PERM1 };
+    }
+    role ROLE1A;
+    user USER1A roles ROLE1A;
+  }
+  user USER1 roles ROLE1;
+  sid kernel USER1:ROLE1:TYPE1
+
+In this example, USER1A would not have ROLE1A associated with it.
+
+Instead of using dominance, which has been deprecated anyway, just
+set the bit corresponding to the role's value in the user's roles
+ebitmap in set_user_role().
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+
+[N.I: added spaces around "-" operator]
+---
+ checkpolicy/policy_define.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index c9286f7733c5..16234f31bbc3 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -4088,8 +4088,6 @@ cond_expr_t *define_cond_expr(uint32_t expr_type, void *arg1, void *arg2)
+ static int set_user_roles(role_set_t * set, char *id)
+ {
+ 	role_datum_t *r;
+-	unsigned int i;
+-	ebitmap_node_t *node;
+ 
+ 	if (strcmp(id, "*") == 0) {
+ 		free(id);
+@@ -4115,12 +4113,9 @@ static int set_user_roles(role_set_t * set, char *id)
+ 		return -1;
+ 	}
+ 
+-	/* set the role and every role it dominates */
+-	ebitmap_for_each_positive_bit(&r->dominates, node, i) {
+-		if (ebitmap_set_bit(&set->roles, i, TRUE))
+-			goto oom;
+-	}
+ 	free(id);
++	if (ebitmap_set_bit(&set->roles, r->s.value - 1, TRUE))
++		goto oom;
+ 	return 0;
+       oom:
+ 	yyerror("out of memory");
+-- 
+2.32.0
+

0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch

@@ -0,0 +1,97 @@
+From 750cc1136d054b77e84cd55be5fbe0e8ad0174e8 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Mon, 15 Mar 2021 11:09:37 -0400
+Subject: [PATCH] checkpolicy: Do not automatically upgrade when using "-b"
+ flag
+
+When reading a binary policy, do not automatically change the version
+to the max policy version supported by libsepol or, if specified, the
+value given using the "-c" flag.
+
+If the binary policy version is less than or equal to version 23
+(POLICYDB_VERSION_PERMISSIVE) than do not automatically upgrade the
+policy and if a policy version is specified by the "-c" flag, only set
+the binary policy to the specified version if it is lower than the
+current version.
+
+If the binary policy version is greater than version 23 than it should
+be set to the maximum version supported by libsepol or, if specified,
+the value given by the "-c" flag.
+
+The reason for this change is that policy versions 20
+(POLICYDB_VERSION_AVTAB) to 23 have a more primitive support for type
+attributes where the datums are not written out, but they exist in the
+type_attr_map. This means that when the binary policy is read by
+libsepol, there will be gaps in the type_val_to_struct and
+p_type_val_to_name arrays and policy rules can refer to those gaps.
+Certain libsepol functions like sepol_kernel_policydb_to_conf() and
+sepol_kernel_policydb_to_cil() do not support this behavior and need
+to be able to identify these policies. Policies before version 20 do not
+support attributes at all and can be handled by all libsepol functions.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ checkpolicy/checkpolicy.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
+index 5841c5c4c196..acf1eac41559 100644
+--- a/checkpolicy/checkpolicy.c
++++ b/checkpolicy/checkpolicy.c
+@@ -106,7 +106,7 @@ static int handle_unknown = SEPOL_DENY_UNKNOWN;
+ static const char *txtfile = "policy.conf";
+ static const char *binfile = "policy";
+ 
+-unsigned int policyvers = POLICYDB_VERSION_MAX;
++unsigned int policyvers = 0;
+ 
+ static __attribute__((__noreturn__)) void usage(const char *progname)
+ {
+@@ -515,7 +515,8 @@ int main(int argc, char **argv)
+ 	}
+ 
+ 	if (show_version) {
+-		printf("%d (compatibility range %d-%d)\n", policyvers,
++		printf("%d (compatibility range %d-%d)\n",
++			   policyvers ? policyvers : POLICYDB_VERSION_MAX ,
+ 		       POLICYDB_VERSION_MAX, POLICYDB_VERSION_MIN);
+ 		exit(0);
+ 	}
+@@ -588,6 +589,16 @@ int main(int argc, char **argv)
+ 				exit(1);
+ 			}
+ 		}
++
++		if (policydbp->policyvers <= POLICYDB_VERSION_PERMISSIVE) {
++			if (policyvers > policydbp->policyvers) {
++				fprintf(stderr, "Binary policies with version <= %u cannot be upgraded\n", POLICYDB_VERSION_PERMISSIVE);
++			} else if (policyvers) {
++				policydbp->policyvers = policyvers;
++			}
++		} else {
++			policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
++		}
+ 	} else {
+ 		if (conf) {
+ 			fprintf(stderr, "Can only generate policy.conf from binary policy\n");
+@@ -629,6 +640,8 @@ int main(int argc, char **argv)
+ 			policydb_destroy(policydbp);
+ 			policydbp = &policydb;
+ 		}
++
++		policydbp->policyvers = policyvers ? policyvers : POLICYDB_VERSION_MAX;
+ 	}
+ 
+ 	if (policydb_load_isids(&policydb, &sidtab))
+@@ -654,8 +667,6 @@ int main(int argc, char **argv)
+ 			}
+ 		}
+ 
+-		policydb.policyvers = policyvers;
+-
+ 		if (!cil) {
+ 			if (!conf) {
+ 				policydb.policy_type = POLICY_KERN;
+-- 
+2.32.0
+

0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch

@@ -0,0 +1,48 @@
+From ed7e3348d18bb00bcfcb3da6d4265307425bb882 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sat, 3 Jul 2021 16:31:20 +0200
+Subject: [PATCH] checkpolicy: silence -Wextra-semi-stmt warning
+
+On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
+(which is not the default build configuration), the compiler reports:
+
+      checkpolicy.c:740:33: error: empty expression statement has no
+      effect; remove unnecessary ';' to silence this warning
+      [-Werror,-Wextra-semi-stmt]
+                      FGETS(ans, sizeof(ans), stdin);
+                                                    ^
+
+Introduce "do { } while (0)" blocks to silence such warnings.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ checkpolicy/checkpolicy.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
+index acf1eac41559..8af31db5c6b7 100644
+--- a/checkpolicy/checkpolicy.c
++++ b/checkpolicy/checkpolicy.c
+@@ -119,11 +119,14 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
+ }
+ 
+ #define FGETS(out, size, in) \
+-if (fgets(out,size,in)==NULL) {	\
+-		fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__,\
+-				strerror(errno)); \
+-			exit(1);\
+-}
++do { \
++	if (fgets(out,size,in)==NULL) {	\
++		fprintf(stderr, "fgets failed at line %d: %s\n", __LINE__, \
++			strerror(errno)); \
++		exit(1);\
++	} \
++} while (0)
++
+ static int print_sid(sepol_security_id_t sid,
+ 		     context_struct_t * context
+ 		     __attribute__ ((unused)), void *data
+-- 
+2.32.0
+

0004-checkpolicy-pass-CFLAGS-at-link-stage.patch

@@ -0,0 +1,54 @@
+From 40e2f98519ba3fc6a4a0f2b4a2b8b0e1d864fd9e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:21 +0200
+Subject: [PATCH] checkpolicy: pass CFLAGS at link stage
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Pass CFLAGS when invoking CC at link time, it might contain optimization
+or sanitizer flags required for linking.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/Makefile      | 4 ++--
+ checkpolicy/test/Makefile | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
+index 0d282ef93d14..be63c0182682 100644
+--- a/checkpolicy/Makefile
++++ b/checkpolicy/Makefile
+@@ -30,10 +30,10 @@ all:  $(TARGETS)
+ 	$(MAKE) -C test
+ 
+ checkpolicy: $(CHECKPOLOBJS) $(LIBSEPOLA)
+-	$(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
++	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+ 
+ checkmodule: $(CHECKMODOBJS) $(LIBSEPOLA)
+-	$(CC) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
++	$(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LDLIBS_LIBSEPOLA)
+ 
+ %.o: %.c 
+ 	$(CC) $(CFLAGS) -o $@ -c $<
+diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
+index 89e7557c7aa6..e2a332b5a079 100644
+--- a/checkpolicy/test/Makefile
++++ b/checkpolicy/test/Makefile
+@@ -13,10 +13,10 @@ endif
+ all: dispol dismod
+ 
+ dispol: dispol.o $(LIBSEPOLA)
+-	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
++	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+ 
+ dismod: dismod.o $(LIBSEPOLA)
+-	$(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
++	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LDLIBS_LIBSEPOLA)
+ 
+ clean:
+ 	-rm -f dispol dismod *.o 
+-- 
+2.32.0
+

0005-checkpolicy-drop-pipe-compile-option.patch

@@ -0,0 +1,49 @@
+From 02678b9d40f7de5cae1840f3d7ceedf1499c84a8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:22 +0200
+Subject: [PATCH] checkpolicy: drop -pipe compile option
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The compiler option -pipe does not affect the generated code; it affects
+whether the compiler uses temporary files or pipes. As the benefit might
+vary from system to system usually its up to the packager or build
+framework to set it.
+Also these are the only places where the flag is used.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/Makefile      | 2 +-
+ checkpolicy/test/Makefile | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/checkpolicy/Makefile b/checkpolicy/Makefile
+index be63c0182682..f9e1fc7cecd4 100644
+--- a/checkpolicy/Makefile
++++ b/checkpolicy/Makefile
+@@ -10,7 +10,7 @@ TARGETS = checkpolicy checkmodule
+ LEX = flex
+ YACC = bison -y
+ 
+-CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
++CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -fno-strict-aliasing
+ 
+ # If no specific libsepol.a is specified, fall back on LDFLAGS search path
+ # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
+diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
+index e2a332b5a079..8e5d16b3c5f0 100644
+--- a/checkpolicy/test/Makefile
++++ b/checkpolicy/test/Makefile
+@@ -1,7 +1,7 @@
+ #
+ # Makefile for building the dispol program
+ #
+-CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
++CFLAGS ?= -g -Wall -W -Werror -O2
+ 
+ # If no specific libsepol.a is specified, fall back on LDFLAGS search path
+ # Otherwise, as $(LIBSEPOLA) already appears in the dependencies, there
+-- 
+2.32.0
+

0006-checkpolicy-simplify-assignment.patch

@@ -0,0 +1,42 @@
+From 7cdb2a8fd2af0a063d6e505fd1250ca10ebbea11 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:23 +0200
+Subject: [PATCH] checkpolicy: simplify assignment
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+checkpolicy.c:504:20: style: The statement 'if (policyvers!=n) policyvers=n' is logically equivalent to 'policyvers=n'. [duplicateConditionalAssign]
+    if (policyvers != n)
+                   ^
+checkpolicy.c:505:17: note: Assignment 'policyvers=n'
+     policyvers = n;
+                ^
+checkpolicy.c:504:20: note: Condition 'policyvers!=n' is redundant
+    if (policyvers != n)
+                   ^
+
+Found by Cppcheck
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/checkpolicy.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
+index 8af31db5c6b7..b52595a87b29 100644
+--- a/checkpolicy/checkpolicy.c
++++ b/checkpolicy/checkpolicy.c
+@@ -504,8 +504,7 @@ int main(int argc, char **argv)
+ 					usage(argv[0]);
+ 					exit(1);
+ 				}
+-				if (policyvers != n)
+-					policyvers = n;
++				policyvers = n;
+ 				break;
+ 			}
+ 		case 'E':
+-- 
+2.32.0
+

0007-checkpolicy-drop-dead-condition.patch

@@ -0,0 +1,47 @@
+From db674bf2186b34a3712e2069c769131503dcb9ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:24 +0200
+Subject: [PATCH] checkpolicy: drop dead condition
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable `id` is guaranteed to be non-NULL due to the preceding
+while condition.
+
+    policy_define.c:1171:7: style: Condition '!id' is always false [knownConditionTrueFalse]
+      if (!id) {
+          ^
+    policy_define.c:1170:13: note: Assuming that condition 'id=queue_remove(id_queue)' is not redundant
+     while ((id = queue_remove(id_queue))) {
+                ^
+    policy_define.c:1171:7: note: Condition '!id' is always false
+      if (!id) {
+          ^
+
+Found by Cppcheck.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/policy_define.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 16234f31bbc3..7eff747adacf 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -1168,11 +1168,6 @@ int expand_attrib(void)
+ 
+ 	ebitmap_init(&attrs);
+ 	while ((id = queue_remove(id_queue))) {
+-		if (!id) {
+-			yyerror("No attribute name for expandattribute statement?");
+-			goto exit;
+-		}
+-
+ 		if (!is_id_in_scope(SYM_TYPES, id)) {
+ 			yyerror2("attribute %s is not within scope", id);
+ 			goto exit;
+-- 
+2.32.0
+

0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch

@@ -0,0 +1,52 @@
+From babc3d53518b7f9f01b83b9c997f9233a58af92b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:25 +0200
+Subject: [PATCH] checkpolicy: use correct format specifier for unsigned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    test/dispol.c:288:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
+       snprintf(buf, sizeof(buf), "unknown (%d)", i);
+       ^
+    test/dismod.c:830:4: warning: %d in format string (no. 1) requires 'int' but the argument type is 'unsigned int'. [invalidPrintfArgType_sint]
+       snprintf(buf, sizeof(buf), "unknown (%d)", i);
+       ^
+
+Found by Cppcheck.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/test/dismod.c | 2 +-
+ checkpolicy/test/dispol.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
+index 3408e9b6b767..fadbc8d16695 100644
+--- a/checkpolicy/test/dismod.c
++++ b/checkpolicy/test/dismod.c
+@@ -827,7 +827,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ 	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+ 		capname = sepol_polcap_getname(i);
+ 		if (capname == NULL) {
+-			snprintf(buf, sizeof(buf), "unknown (%d)", i);
++			snprintf(buf, sizeof(buf), "unknown (%u)", i);
+ 			capname = buf;
+ 		}
+ 		fprintf(fp, "\t%s\n", capname);
+diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
+index 8785b7252824..37f71842c9e6 100644
+--- a/checkpolicy/test/dispol.c
++++ b/checkpolicy/test/dispol.c
+@@ -285,7 +285,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ 	ebitmap_for_each_positive_bit(&p->policycaps, node, i) {
+ 		capname = sepol_polcap_getname(i);
+ 		if (capname == NULL) {
+-			snprintf(buf, sizeof(buf), "unknown (%d)", i);
++			snprintf(buf, sizeof(buf), "unknown (%u)", i);
+ 			capname = buf;
+ 		}
+ 		fprintf(fp, "\t%s\n", capname);
+-- 
+2.32.0
+

0009-checkpolicy-follow-declaration-after-statement.patch

@@ -0,0 +1,75 @@
+From 79e7724930d49cc8cdac4c7d4e80b1fafd22d1d7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:26 +0200
+Subject: [PATCH] checkpolicy: follow declaration-after-statement
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Follow the project style of no declaration after statement.
+
+Found by the GCC warning -Wdeclaration-after-statement.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/checkmodule.c   | 6 ++++--
+ checkpolicy/policy_define.c | 3 ++-
+ checkpolicy/test/dismod.c   | 2 +-
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/checkpolicy/checkmodule.c b/checkpolicy/checkmodule.c
+index 40d0ec9924e9..316b289865e1 100644
+--- a/checkpolicy/checkmodule.c
++++ b/checkpolicy/checkmodule.c
+@@ -288,14 +288,16 @@ int main(int argc, char **argv)
+ 	}
+ 
+ 	if (policy_type != POLICY_BASE && outfile) {
++		char *out_name;
++		char *separator;
+ 		char *mod_name = modpolicydb.name;
+ 		char *out_path = strdup(outfile);
+ 		if (out_path == NULL) {
+ 			fprintf(stderr, "%s:  out of memory\n", argv[0]);
+ 			exit(1);
+ 		}
+-		char *out_name = basename(out_path);
+-		char *separator = strrchr(out_name, '.');
++		out_name = basename(out_path);
++		separator = strrchr(out_name, '.');
+ 		if (separator) {
+ 			*separator = '\0';
+ 		}
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 7eff747adacf..049df55f8468 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -1904,9 +1904,10 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
+ {
+ 	char *id;
+ 	struct av_ioctl_range_list *rnew, *r = NULL;
+-	*rangehead = NULL;
+ 	uint8_t omit = 0;
+ 
++	*rangehead = NULL;
++
+ 	/* read in all the ioctl commands */
+ 	while ((id = queue_remove(id_queue))) {
+ 		if (strcmp(id,"~") == 0) {
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
+index fadbc8d16695..b1b96115e79e 100644
+--- a/checkpolicy/test/dismod.c
++++ b/checkpolicy/test/dismod.c
+@@ -697,8 +697,8 @@ int display_avblock(int field, policydb_t * policy,
+ {
+ 	avrule_block_t *block = policydb.global;
+ 	while (block != NULL) {
+-		fprintf(out_fp, "--- begin avrule block ---\n");
+ 		avrule_decl_t *decl = block->branch_list;
++		fprintf(out_fp, "--- begin avrule block ---\n");
+ 		while (decl != NULL) {
+ 			if (display_avdecl(decl, field, policy, out_fp)) {
+ 				return -1;
+-- 
+2.32.0
+

0010-checkpolicy-remove-dead-assignments.patch

@@ -0,0 +1,43 @@
+From 7723180fa09b0c483c07a76a4678f2c2cd51bff6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:27 +0200
+Subject: [PATCH] checkpolicy: remove dead assignments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable `cladatum` is otherwise always assigned before used, so
+these two assignments without a follow up usages are not needed.
+
+Found by clang-analyzer.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/checkpolicy.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
+index b52595a87b29..58edcc34e8cc 100644
+--- a/checkpolicy/checkpolicy.c
++++ b/checkpolicy/checkpolicy.c
+@@ -1179,8 +1179,6 @@ int main(int argc, char **argv)
+ 					printf("\nNo such class.\n");
+ 					break;
+ 				}
+-				cladatum =
+-				    policydb.class_val_to_struct[tclass - 1];
+ 			} else {
+ 				ans[strlen(ans) - 1] = 0;
+ 				cladatum =
+@@ -1232,8 +1230,6 @@ int main(int argc, char **argv)
+ 					printf("\nNo such class.\n");
+ 					break;
+ 				}
+-				cladatum =
+-				    policydb.class_val_to_struct[tclass - 1];
+ 			} else {
+ 				ans[strlen(ans) - 1] = 0;
+ 				cladatum =
+-- 
+2.32.0
+

0011-checkpolicy-check-before-potential-NULL-dereference.patch

@@ -0,0 +1,43 @@
+From 5a10f05f53ef78c48ebce3d512960c71100073d0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:28 +0200
+Subject: [PATCH] checkpolicy: check before potential NULL dereference
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    policy_define.c: In function ‘define_te_avtab_extended_perms’:
+    policy_define.c:1946:17: error: potential null pointer dereference [-Werror=null-dereference]
+     1946 |         r->omit = omit;
+          |                 ^
+
+In the case of `r` being NULL, avrule_read_ioctls() would return
+with its parameter `rangehead` being a pointer to NULL, which is
+considered a failure in its caller `avrule_ioctl_ranges`.
+So it is not necessary to alter the return value.
+
+Found by GCC 11 with LTO enabled.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/policy_define.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 049df55f8468..887857851504 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -1943,7 +1943,9 @@ int avrule_read_ioctls(struct av_ioctl_range_list **rangehead)
+ 		}
+ 	}
+ 	r = *rangehead;
+-	r->omit = omit;
++	if (r) {
++		r->omit = omit;
++	}
+ 	return 0;
+ error:
+ 	yyerror("out of memory");
+-- 
+2.32.0
+

0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch

@@ -0,0 +1,62 @@
+From 5218bf4b262ae6c3aa0ec72c5116a73bbdb7806f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:29 +0200
+Subject: [PATCH] checkpolicy: avoid potential use of uninitialized variable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+    checkpolicy.c: In function ‘main’:
+    checkpolicy.c:1000:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+     1000 |                         printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
+          |                         ^
+
+    checkpolicy.c: In function ‘main’:
+    checkpolicy.c:971:25: error: ‘tsid’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
+      971 |                         printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
+          |                         ^
+
+Found by GCC 11 with LTO enabled.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/checkpolicy.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
+index 58edcc34e8cc..e6cfd3372022 100644
+--- a/checkpolicy/checkpolicy.c
++++ b/checkpolicy/checkpolicy.c
+@@ -970,8 +970,12 @@ int main(int argc, char **argv)
+ 			printf("fs kdevname?  ");
+ 			FGETS(ans, sizeof(ans), stdin);
+ 			ans[strlen(ans) - 1] = 0;
+-			sepol_fs_sid(ans, &ssid, &tsid);
+-			printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
++			ret = sepol_fs_sid(ans, &ssid, &tsid);
++			if (ret) {
++				printf("unknown fs kdevname\n");
++			} else {
++				printf("fs_sid %d default_file_sid %d\n", ssid, tsid);
++			}
+ 			break;
+ 		case '9':
+ 			printf("protocol?  ");
+@@ -999,8 +1003,12 @@ int main(int argc, char **argv)
+ 			printf("netif name?  ");
+ 			FGETS(ans, sizeof(ans), stdin);
+ 			ans[strlen(ans) - 1] = 0;
+-			sepol_netif_sid(ans, &ssid, &tsid);
+-			printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
++			ret = sepol_netif_sid(ans, &ssid, &tsid);
++			if (ret) {
++				printf("unknown name\n");
++			} else {
++				printf("if_sid %d default_msg_sid %d\n", ssid, tsid);
++			}
+ 			break;
+ 		case 'b':{
+ 				char *p;
+-- 
+2.32.0
+

0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch

@@ -0,0 +1,31 @@
+From 4e3d0990c6be73419df3c32b7de98c992797e3ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:30 +0200
+Subject: [PATCH] checkpolicy: drop redundant cast to the same type
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by clang-tidy.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/policy_define.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index 887857851504..efe3a1a26315 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -1796,7 +1796,7 @@ int define_bool_tunable(int is_tunable)
+ 		return -1;
+ 	}
+ 
+-	datum->state = (int)(bool_value[0] == 'T') ? 1 : 0;
++	datum->state = (bool_value[0] == 'T') ? 1 : 0;
+ 	free(bool_value);
+ 	return 0;
+       cleanup:
+-- 
+2.32.0
+

0014-checkpolicy-parse_util-drop-unused-declaration.patch

@@ -0,0 +1,28 @@
+From 47f4cbd357fa0b0dc46e2e95ce10fc2d9a586061 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:31 +0200
+Subject: [PATCH] checkpolicy: parse_util drop unused declaration
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/parse_util.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/checkpolicy/parse_util.c b/checkpolicy/parse_util.c
+index f2809b483be3..1795e93c31e4 100644
+--- a/checkpolicy/parse_util.c
++++ b/checkpolicy/parse_util.c
+@@ -28,7 +28,6 @@ extern int yyparse(void);
+ extern void yyrestart(FILE *);
+ extern queue_t id_queue;
+ extern unsigned int policydb_errors;
+-extern unsigned long policydb_lineno;
+ extern policydb_t *policydbp;
+ extern int mlspol;
+ extern void set_source_file(const char *name);
+-- 
+2.32.0
+

0015-checkpolicy-test-mark-file-local-functions-static.patch

@@ -0,0 +1,282 @@
+From b306cd5b90979a4d6e1a85b842835deb77272873 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:32 +0200
+Subject: [PATCH] checkpolicy/test: mark file local functions static
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/test/dismod.c | 36 ++++++++++++++++++------------------
+ checkpolicy/test/dispol.c | 22 +++++++++++-----------
+ 2 files changed, 29 insertions(+), 29 deletions(-)
+
+diff --git a/checkpolicy/test/dismod.c b/checkpolicy/test/dismod.c
+index b1b96115e79e..90c293186afd 100644
+--- a/checkpolicy/test/dismod.c
++++ b/checkpolicy/test/dismod.c
+@@ -111,7 +111,7 @@ static void display_id(policydb_t * p, FILE * fp, uint32_t symbol_type,
+ 	}
+ }
+ 
+-int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
++static int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ 		     FILE * fp)
+ {
+ 	unsigned int i, num_types;
+@@ -175,7 +175,7 @@ int display_type_set(type_set_t * set, uint32_t flags, policydb_t * policy,
+ 	return 0;
+ }
+ 
+-int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
++static int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+ {
+ 	unsigned int i, num = 0;
+ 
+@@ -210,7 +210,7 @@ int display_mod_role_set(role_set_t * roles, policydb_t * p, FILE * fp)
+ 
+ }
+ 
+-int display_avrule(avrule_t * avrule, policydb_t * policy,
++static int display_avrule(avrule_t * avrule, policydb_t * policy,
+ 		   FILE * fp)
+ {
+ 	class_perm_node_t *cur;
+@@ -313,7 +313,7 @@ int display_avrule(avrule_t * avrule, policydb_t * policy,
+ 	return 0;
+ }
+ 
+-int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
++static int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ {
+ 	type_datum_t *type;
+ 	FILE *fp;
+@@ -355,14 +355,14 @@ int display_type_callback(hashtab_key_t key, hashtab_datum_t datum, void *data)
+ 	return 0;
+ }
+ 
+-int display_types(policydb_t * p, FILE * fp)
++static int display_types(policydb_t * p, FILE * fp)
+ {
+ 	if (hashtab_map(p->p_types.table, display_type_callback, fp))
+ 		return -1;
+ 	return 0;
+ }
+ 
+-int display_users(policydb_t * p, FILE * fp)
++static int display_users(policydb_t * p, FILE * fp)
+ {
+ 	unsigned int i, j;
+ 	ebitmap_t *bitmap;
+@@ -381,7 +381,7 @@ int display_users(policydb_t * p, FILE * fp)
+ 	return 0;
+ }
+ 
+-int display_bools(policydb_t * p, FILE * fp)
++static int display_bools(policydb_t * p, FILE * fp)
+ {
+ 	unsigned int i;
+ 
+@@ -392,7 +392,7 @@ int display_bools(policydb_t * p, FILE * fp)
+ 	return 0;
+ }
+ 
+-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
++static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ {
+ 
+ 	cond_expr_t *cur;
+@@ -427,14 +427,14 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ 	}
+ }
+ 
+-void display_policycon(FILE * fp)
++static void display_policycon(FILE * fp)
+ {
+ 	/* There was an attempt to implement this at one time.  Look through
+ 	 * git history to find it. */
+ 	fprintf(fp, "Sorry, not implemented\n");
+ }
+ 
+-void display_initial_sids(policydb_t * p, FILE * fp)
++static void display_initial_sids(policydb_t * p, FILE * fp)
+ {
+ 	ocontext_t *cur;
+ 	char *user, *role, *type;
+@@ -459,7 +459,7 @@ void display_initial_sids(policydb_t * p, FILE * fp)
+ #endif
+ }
+ 
+-void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
++static void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+ {
+ 	unsigned int i, num = 0;
+ 
+@@ -482,7 +482,7 @@ void display_class_set(ebitmap_t *classes, policydb_t *p, FILE *fp)
+ 		fprintf(fp, " }");
+ }
+ 
+-void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
++static void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+ {
+ 	for (; tr; tr = tr->next) {
+ 		fprintf(fp, "role transition ");
+@@ -495,7 +495,7 @@ void display_role_trans(role_trans_rule_t * tr, policydb_t * p, FILE * fp)
+ 	}
+ }
+ 
+-void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
++static void display_role_allow(role_allow_rule_t * ra, policydb_t * p, FILE * fp)
+ {
+ 	for (; ra; ra = ra->next) {
+ 		fprintf(fp, "role allow ");
+@@ -517,7 +517,7 @@ static void display_filename_trans(filename_trans_rule_t * tr, policydb_t * p, F
+ 	}
+ }
+ 
+-int role_display_callback(hashtab_key_t key __attribute__((unused)),
++static int role_display_callback(hashtab_key_t key __attribute__((unused)),
+ 			  hashtab_datum_t datum, void *data)
+ {
+ 	role_datum_t *role;
+@@ -611,7 +611,7 @@ int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+ }
+ #endif
+ 
+-int display_avdecl(avrule_decl_t * decl, int field,
++static int display_avdecl(avrule_decl_t * decl, int field,
+ 		   policydb_t * policy, FILE * out_fp)
+ {
+ 	fprintf(out_fp, "decl %u:%s\n", decl->decl_id,
+@@ -692,7 +692,7 @@ int display_avdecl(avrule_decl_t * decl, int field,
+ 	return 0;		/* should never get here */
+ }
+ 
+-int display_avblock(int field, policydb_t * policy,
++static int display_avblock(int field, policydb_t * policy,
+ 		    FILE * out_fp)
+ {
+ 	avrule_block_t *block = policydb.global;
+@@ -710,7 +710,7 @@ int display_avblock(int field, policydb_t * policy,
+ 	return 0;
+ }
+ 
+-int display_handle_unknown(policydb_t * p, FILE * out_fp)
++static int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ {
+ 	if (p->handle_unknown == ALLOW_UNKNOWN)
+ 		fprintf(out_fp, "Allow unknown classes and perms\n");
+@@ -834,7 +834,7 @@ static void display_policycaps(policydb_t * p, FILE * fp)
+ 	}
+ }
+ 
+-int menu(void)
++static int menu(void)
+ {
+ 	printf("\nSelect a command:\n");
+ 	printf("1)  display unconditional AVTAB\n");
+diff --git a/checkpolicy/test/dispol.c b/checkpolicy/test/dispol.c
+index 37f71842c9e6..8ddefb04ac89 100644
+--- a/checkpolicy/test/dispol.c
++++ b/checkpolicy/test/dispol.c
+@@ -42,7 +42,7 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
+ 	exit(1);
+ }
+ 
+-int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
++static int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+ 		       FILE * fp)
+ {
+ 	char *perm;
+@@ -54,13 +54,13 @@ int render_access_mask(uint32_t mask, avtab_key_t * key, policydb_t * p,
+ 	return 0;
+ }
+ 
+-int render_type(uint32_t type, policydb_t * p, FILE * fp)
++static int render_type(uint32_t type, policydb_t * p, FILE * fp)
+ {
+ 	fprintf(fp, "%s", p->p_type_val_to_name[type - 1]);
+ 	return 0;
+ }
+ 
+-int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
++static int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+ {
+ 	char *stype, *ttype, *tclass;
+ 	stype = p->p_type_val_to_name[key->source_type - 1];
+@@ -84,7 +84,7 @@ int render_key(avtab_key_t * key, policydb_t * p, FILE * fp)
+ #define RENDER_DISABLED		0x0004
+ #define RENDER_CONDITIONAL	(RENDER_ENABLED|RENDER_DISABLED)
+ 
+-int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
++static int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+ 		   policydb_t * p, FILE * fp)
+ {
+ 	if (!(what & RENDER_UNCONDITIONAL)) {
+@@ -163,7 +163,7 @@ int render_av_rule(avtab_key_t * key, avtab_datum_t * datum, uint32_t what,
+ 	return 0;
+ }
+ 
+-int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
++static int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ {
+ 	unsigned int i;
+ 	avtab_ptr_t cur;
+@@ -178,7 +178,7 @@ int display_avtab(avtab_t * a, uint32_t what, policydb_t * p, FILE * fp)
+ 	return 0;
+ }
+ 
+-int display_bools(policydb_t * p, FILE * fp)
++static int display_bools(policydb_t * p, FILE * fp)
+ {
+ 	unsigned int i;
+ 
+@@ -189,7 +189,7 @@ int display_bools(policydb_t * p, FILE * fp)
+ 	return 0;
+ }
+ 
+-void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
++static void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ {
+ 
+ 	cond_expr_t *cur;
+@@ -224,7 +224,7 @@ void display_expr(policydb_t * p, cond_expr_t * exp, FILE * fp)
+ 	}
+ }
+ 
+-int display_cond_expressions(policydb_t * p, FILE * fp)
++static int display_cond_expressions(policydb_t * p, FILE * fp)
+ {
+ 	cond_node_t *cur;
+ 	cond_av_list_t *av_cur;
+@@ -249,7 +249,7 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
+ 	return 0;
+ }
+ 
+-int display_handle_unknown(policydb_t * p, FILE * out_fp)
++static int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ {
+ 	if (p->handle_unknown == ALLOW_UNKNOWN)
+ 		fprintf(out_fp, "Allow unknown classes and permissions\n");
+@@ -260,7 +260,7 @@ int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ 	return 0;
+ }
+ 
+-int change_bool(char *name, int state, policydb_t * p, FILE * fp)
++static int change_bool(char *name, int state, policydb_t * p, FILE * fp)
+ {
+ 	cond_bool_datum_t *bool;
+ 
+@@ -368,7 +368,7 @@ static void display_filename_trans(policydb_t *p, FILE *fp)
+ 	hashtab_map(p->filename_trans, filenametr_display, &args);
+ }
+ 
+-int menu(void)
++static int menu(void)
+ {
+ 	printf("\nSelect a command:\n");
+ 	printf("1)  display unconditional AVTAB\n");
+-- 
+2.32.0
+

0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch

@@ -0,0 +1,81 @@
+From 1711757378d1ff1e7437fd7d5ddf263272284641 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 6 Jul 2021 19:54:33 +0200
+Subject: [PATCH] checkpolicy: mark read-only parameters in policy define const
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Make it more obvious which parameters are read-only and not being
+modified and allow callers to pass const pointers.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ checkpolicy/policy_define.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
+index efe3a1a26315..75a67d5c8a7c 100644
+--- a/checkpolicy/policy_define.c
++++ b/checkpolicy/policy_define.c
+@@ -77,7 +77,7 @@ extern int yyerror(const char *msg);
+ #define ERRORMSG_LEN 255
+ static char errormsg[ERRORMSG_LEN + 1] = {0};
+ 
+-static int id_has_dot(char *id);
++static int id_has_dot(const char *id);
+ static int parse_security_context(context_struct_t *c);
+ 
+ /* initialize all of the state variables for the scanner/parser */
+@@ -141,7 +141,7 @@ int insert_id(const char *id, int push)
+ 
+ /* If the identifier has a dot within it and that its first character
+    is not a dot then return 1, else return 0. */
+-static int id_has_dot(char *id)
++static int id_has_dot(const char *id)
+ {
+ 	if (strchr(id, '.') >= id + 1) {
+ 		return 1;
+@@ -2172,7 +2172,7 @@ void avrule_xperm_setrangebits(uint16_t low, uint16_t high,
+ 	}
+ }
+ 
+-int avrule_xperms_used(av_extended_perms_t *xperms)
++int avrule_xperms_used(const av_extended_perms_t *xperms)
+ {
+ 	unsigned int i;
+ 
+@@ -2347,7 +2347,7 @@ unsigned int xperms_for_each_bit(unsigned int *bit, av_extended_perms_t *xperms)
+ 	return 0;
+ }
+ 
+-int avrule_cpy(avrule_t *dest, avrule_t *src)
++int avrule_cpy(avrule_t *dest, const avrule_t *src)
+ {
+ 	class_perm_node_t *src_perms;
+ 	class_perm_node_t *dest_perms, *dest_tail;
+@@ -2395,7 +2395,7 @@ int avrule_cpy(avrule_t *dest, avrule_t *src)
+ 	return 0;
+ }
+ 
+-int define_te_avtab_ioctl(avrule_t *avrule_template)
++int define_te_avtab_ioctl(const avrule_t *avrule_template)
+ {
+ 	avrule_t *avrule;
+ 	struct av_ioctl_range_list *rangelist;
+@@ -3444,9 +3444,10 @@ bad:
+ 	return -1;
+ }
+ 
+-static constraint_expr_t *constraint_expr_clone(constraint_expr_t * expr)
++static constraint_expr_t *constraint_expr_clone(const constraint_expr_t * expr)
+ {
+-	constraint_expr_t *h = NULL, *l = NULL, *e, *newe;
++	constraint_expr_t *h = NULL, *l = NULL, *newe;
++	const constraint_expr_t *e;
+ 	for (e = expr; e; e = e->next) {
+ 		newe = malloc(sizeof(*newe));
+ 		if (!newe)
+-- 
+2.32.0
+

checkpolicy.spec

@@ -1,10 +1,10 @@
-%define libselinuxver 3.2-1
-%define libsepolver 3.2-1
+%define libselinuxver 3.2-5
+%define libsepolver 3.2-3
 
 Summary: SELinux policy compiler
 Name: checkpolicy
 Version: 3.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpolicy-3.2.tar.gz
 # $ git clone https://github.com/fedora-selinux/selinux.git
@@ -12,6 +12,22 @@ Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/checkpo
 # $ git format-patch -N 3.2 -- checkpolicy
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
+Patch0001: 0001-libsepol-checkpolicy-Set-user-roles-using-role-value.patch
+Patch0002: 0002-checkpolicy-Do-not-automatically-upgrade-when-using-.patch
+Patch0003: 0003-checkpolicy-silence-Wextra-semi-stmt-warning.patch
+Patch0004: 0004-checkpolicy-pass-CFLAGS-at-link-stage.patch
+Patch0005: 0005-checkpolicy-drop-pipe-compile-option.patch
+Patch0006: 0006-checkpolicy-simplify-assignment.patch
+Patch0007: 0007-checkpolicy-drop-dead-condition.patch
+Patch0008: 0008-checkpolicy-use-correct-format-specifier-for-unsigne.patch
+Patch0009: 0009-checkpolicy-follow-declaration-after-statement.patch
+Patch0010: 0010-checkpolicy-remove-dead-assignments.patch
+Patch0011: 0011-checkpolicy-check-before-potential-NULL-dereference.patch
+Patch0012: 0012-checkpolicy-avoid-potential-use-of-uninitialized-var.patch
+Patch0013: 0013-checkpolicy-drop-redundant-cast-to-the-same-type.patch
+Patch0014: 0014-checkpolicy-parse_util-drop-unused-declaration.patch
+Patch0015: 0015-checkpolicy-test-mark-file-local-functions-static.patch
+Patch0016: 0016-checkpolicy-mark-read-only-parameters-in-policy-defi.patch
 # Patch list end
 BuildRequires: gcc
 BuildRequires: make
@@ -61,6 +77,9 @@ install test/dispol ${RPM_BUILD_ROOT}%{_bindir}/sedispol
 %{_bindir}/sedispol
 
 %changelog
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
+- Rebase on upstream commit 32611aea6543
+
 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937