15 changed files with 13 additions and 1073 deletions
--- a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+++ b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
@ -1,7 +1,7 @@
 From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Wed, 16 Jul 2014 08:28:03 +0200
-Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
+Subject: [PATCH 1/5] Fix selinux man page to refer seinfo and sesearch tools.
 ---
 libselinux/man/man8/selinux.8 | 4 +++-
--- a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+++ b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
@ -1,7 +1,7 @@
 From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
 From: Dan Walsh <dwalsh@redhat.com>
 Date: Mon, 23 Dec 2013 09:50:54 -0500
-Subject: [PATCH] Verify context input to funtions to make sure the context
+Subject: [PATCH 2/5] Verify context input to funtions to make sure the context
 field is not null.
 Return errno EINVAL, to prevent segfault.
--- a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
+++ b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
@ -1,8 +1,8 @@
-From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
+From 431f72836d6c02450725cf6ffb1c7223b9fa6acc Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 11 Mar 2019 15:26:43 +0100
-Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
+Subject: [PATCH 3/5] libselinux: Allow to override OVERRIDE_GETTID from
- line
+ command line
 $ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
--- a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
+++ b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
@ -1,8 +1,8 @@
-From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
+From dca54ca1a8ab0b256e7834f7f5e97375427fbfd9 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Wed, 27 Feb 2019 09:37:17 +0100
-Subject: [PATCH] Bring some old permission and flask constants back to Python
+Subject: [PATCH 4/5] Bring some old permission and flask constants back to
- bindings
+ Python bindings
 ---
 libselinux/src/selinuxswig.i        | 4 ++++
--- a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
+++ b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
@ -1,7 +1,7 @@
-From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
+From 8384ffa7a371c8845c145951363da5d978ab98b5 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Tue, 28 Feb 2017 16:12:43 +0100
-Subject: [PATCH] libselinux: add missing av_permission values
+Subject: [PATCH 5/5] libselinux: add missing av_permission values
 Add missing av_permission values to av_permissions.h for the sake of
 completeness (this interface is obsolete - these values are now
--- a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
+++ b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
@ -1,177 +0,0 @@
 From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 16 May 2019 15:01:59 +0200
 Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
 bindings
 SWIG-4.0 changed its behavior so that it uses: from . import _selinux  which
 looks for _selinux module in the same directory as where __init__.py is -
 $(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
 $(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
 of _selinux.so").
 In order to prevent such breakage in future use Python's distutils instead of
 building and installing python bindings manually in Makefile.
 Fixes:
 >>> import selinux
 Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
    from . import _selinux
 ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
 >>>
 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/src/.gitignore |  2 +-
 libselinux/src/Makefile   | 37 ++++++++-----------------------------
 libselinux/src/setup.py   | 24 ++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 30 deletions(-)
 create mode 100644 libselinux/src/setup.py
 diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
 index 4dcc3b3b..428afe5a 100644
 --- a/libselinux/src/.gitignore
 +++ b/libselinux/src/.gitignore
@@ -1,4 +1,4 @@
 selinux.py
 -selinuxswig_wrap.c
 +selinuxswig_python_wrap.c
 selinuxswig_python_exception.i
 selinuxswig_ruby_wrap.c
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index e9ed0383..826c830c 100644
 --- a/libselinux/src/Makefile
 +++ b/libselinux/src/Makefile
@@ -36,7 +36,7 @@ TARGET=libselinux.so
 LIBPC=libselinux.pc
 SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
 SWIGRUBYIF= selinuxswig_ruby.i
 -SWIGCOUT= selinuxswig_wrap.c
 +SWIGCOUT= selinuxswig_python_wrap.c
 SWIGPYOUT= selinux.py
 SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
 SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
         LDLIBS_LIBSEPOLA := -l:libsepol.a
 endif
 -GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
 +GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
 SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
 MAX_STACK_SIZE=32768
@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
 SRCS:= $(filter-out label_backends_android.c, $(SRCS))
 endif
 -SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
 -
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
 all: $(LIBA) $(LIBSO) $(LIBPC)
 -pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
 +pywrap: all selinuxswig_python_exception.i
 +	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
 rubywrap: all $(SWIGRUBYSO)
 -$(SWIGLOBJ): $(SWIGCOUT)
 -	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
 -
 $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
 	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
 -$(SWIGSO): $(SWIGLOBJ)
 -	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
 -
 $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
 	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
 selinuxswig_python_exception.i: ../include/selinux/selinux.h
 	bash -e exception.sh > $@ || (rm -f $@ ; false)
 -$(AUDIT2WHYLOBJ): audit2why.c
 -	$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
 -
 -$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
 -	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
 -
 %.o:  %.c policy.h
 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
 %.lo:  %.c policy.h
 	$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
 -$(SWIGCOUT): $(SWIGIF)
 -	$(SWIG) $<
 -
 -$(SWIGPYOUT): $(SWIGCOUT)
 -
 $(SWIGRUBYCOUT): $(SWIGRUBYIF)
 	$(SWIGRUBY) $<
 -swigify: $(SWIGIF)
 -	$(SWIG) $<
 -
 install: all 
 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
@@ -194,10 +173,8 @@ install: all
 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
 install-pywrap: pywrap
 -	test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
 -	install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
 -	install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
 -	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
 +	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
 +	install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
 install-rubywrap: rubywrap
 	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
@@ -208,6 +185,8 @@ relabel:
 clean-pywrap:
 	-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
 +	$(PYTHON) setup.py clean
 +	-rm -rf build *~ \#* *pyc .#*
 clean-rubywrap:
 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
 diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
 new file mode 100644
 index 00000000..b12e7869
 --- /dev/null
 +++ b/libselinux/src/setup.py
@@ -0,0 +1,24 @@
 +#!/usr/bin/python3
 +
 +from distutils.core import Extension, setup
 +
 +setup(
 +    name="selinux",
 +    version="2.9",
 +    description="SELinux python 3 bindings",
 +    author="SELinux Project",
 +    author_email="selinux@vger.kernel.org",
 +    ext_modules=[
 +        Extension('selinux._selinux',
 +                  sources=['selinuxswig_python.i'],
 +                  include_dirs=['../include'],
 +                  library_dirs=['.'],
 +                  libraries=['selinux']),
 +        Extension('selinux.audit2why',
 +                  sources=['audit2why.c'],
 +                  include_dirs=['../include'],
 +                  library_dirs=['.'],
 +                  libraries=['selinux'],
 +                  extra_link_args=['-l:libsepol.a'])
 +    ],
 +)
 -- 
 2.21.0
--- a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
+++ b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
@ -1,44 +0,0 @@
 From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Thu, 27 Jun 2019 11:17:13 +0200
 Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
 built
 Fixes:
 https://rpmdiff.engineering.redhat.com/run/410372/7/
 Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
 Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
 ' on x86_64
 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/src/Makefile | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index 826c830c..f64f23a8 100644
 --- a/libselinux/src/Makefile
 +++ b/libselinux/src/Makefile
@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
 override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
 -SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
 -		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
 -
 RANLIB ?= ranlib
 ARCH := $(patsubst i%86,i386,$(shell uname -m))
@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
 all: $(LIBA) $(LIBSO) $(LIBPC)
 pywrap: all selinuxswig_python_exception.i
 -	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
 +	$(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
 rubywrap: all $(SWIGRUBYSO)
 -- 
 2.21.0
--- a/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
+++ b/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
@ -1,66 +0,0 @@
 From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Tue, 2 Jul 2019 14:09:05 +0200
 Subject: [PATCH] Fix mcstrans secolor examples
 According to "check_dominance" function:
 Range defined as "s15:c0.c1023" does not dominate any other range than
 "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
 While range defined as "s15-s15:c0.c1023" dominates all of the above.
 This is either a bug, or "s15:c0.c1023" should not be used in the
 examples.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 libselinux/man/man5/secolor.conf.5    | 4 ++--
 libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
 index b834577a..a3bf2da1 100644
 --- a/libselinux/man/man5/secolor.conf.5
 +++ b/libselinux/man/man5/secolor.conf.5
@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
 .br
 range s9\-s9:c0.c1023 = black orange
 .br
 -range s15:c0.c1023   = black yellow
 +range s15\-s15:c0.c1023   = black yellow
 .RE
 .sp
@@ -165,7 +165,7 @@ type xguest_t     = black green
 .br
 user sysadm_u     = white black
 .br
 -range s0:c0.c1023 = black white
 +range s0-s0:c0.c1023 = black white
 .br
 user *            = black white
 .br
 diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
 index 4c1236ae..bcae80c1 100644
 --- a/libselinux/man/ru/man5/secolor.conf.5
 +++ b/libselinux/man/ru/man5/secolor.conf.5
@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
 .br
 range s9\-s9:c0.c1023 = black orange
 .br
 -range s15:c0.c1023   = black yellow
 +range s15\-s15:c0.c1023   = black yellow
 .RE
 .sp
@@ -163,7 +163,7 @@ type xguest_t     = black green
 .br
 user sysadm_u     = white black
 .br
 -range s0:c0.c1023 = black white
 +range s0\-s0:c0.c1023 = black white
 .br
 user *            = black white
 .br
 -- 
 2.21.0
--- a/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
+++ b/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
@ -1,354 +0,0 @@
 From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Mon, 17 Feb 2020 21:47:35 +0100
 Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
 get_ordered_context_list() code used to ask the kernel to compute the complete
 set of reachable contexts using /sys/fs/selinux/user aka
 security_compute_user(). This set can be so huge so that it doesn't fit into a
 kernel page and security_compute_user() fails. Even if it doesn't fail,
 get_ordered_context_list() throws away the vast majority of the returned
 contexts because they don't match anything in
 /etc/selinux/targeted/contexts/default_contexts or
 /etc/selinux/targeted/contexts/users/
 get_ordered_context_list() is rewritten to compute set of contexts based on
 /etc/selinux/targeted/contexts/users/ and
 /etc/selinux/targeted/contexts/default_contexts files and to return only valid
 contexts, using security_check_context(), from this set.
 Fixes: https://github.com/SELinuxProject/selinux/issues/28
 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
 1 file changed, 93 insertions(+), 119 deletions(-)
 diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
 index 689e4658..26d7b3b9 100644
 --- a/libselinux/src/get_context_list.c
 +++ b/libselinux/src/get_context_list.c
@@ -2,6 +2,7 @@
 #include <errno.h>
 #include <stdio.h>
 #include <stdio_ext.h>
 +#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
 #include <ctype.h>
@@ -114,64 +115,41 @@ int get_default_context(const char *user,
 	return 0;
 }
 -static int find_partialcon(char ** list,
 -			   unsigned int nreach, char *part)
 +static int is_in_reachable(char **reachable, const char *usercon_str)
 {
 -	const char *conrole, *contype;
 -	char *partrole, *parttype, *ptr;
 -	context_t con;
 -	unsigned int i;
 +	if (!reachable)
 +		return 0;
 -	partrole = part;
 -	ptr = part;
 -	while (*ptr && !isspace(*ptr) && *ptr != ':')
 -		ptr++;
 -	if (*ptr != ':')
 -		return -1;
 -	*ptr++ = 0;
 -	parttype = ptr;
 -	while (*ptr && !isspace(*ptr) && *ptr != ':')
 -		ptr++;
 -	*ptr = 0;
 -
 -	for (i = 0; i < nreach; i++) {
 -		con = context_new(list[i]);
 -		if (!con)
 -			return -1;
 -		conrole = context_role_get(con);
 -		contype = context_type_get(con);
 -		if (!conrole || !contype) {
 -			context_free(con);
 -			return -1;
 -		}
 -		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
 -			context_free(con);
 -			return i;
 +	for (; *reachable != NULL; reachable++) {
 +		if (strcmp(*reachable, usercon_str) == 0) {
 +			return 1;
 		}
 -		context_free(con);
 	}
 -
 -	return -1;
 +	return 0;
 }
 -static int get_context_order(FILE * fp,
 +static int get_context_user(FILE * fp,
 			     char * fromcon,
 -			     char ** reachable,
 -			     unsigned int nreach,
 -			     unsigned int *ordering, unsigned int *nordered)
 +			     const char * user,
 +			     char ***reachable,
 +			     unsigned int *nreachable)
 {
 	char *start, *end = NULL;
 	char *line = NULL;
 -	size_t line_len = 0;
 +	size_t line_len = 0, usercon_len;
 +	size_t user_len = strlen(user);
 	ssize_t len;
 	int found = 0;
 -	const char *fromrole, *fromtype;
 +	const char *fromrole, *fromtype, *fromlevel;
 	char *linerole, *linetype;
 -	unsigned int i;
 +	char **new_reachable = NULL;
 +	char *usercon_str;
 	context_t con;
 +	context_t usercon;
 +
 	int rc;
 -	errno = -EINVAL;
 +	errno = EINVAL;
 	/* Extract the role and type of the fromcon for matching.
 	   User identity and MLS range can be variable. */
@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
 		return -1;
 	fromrole = context_role_get(con);
 	fromtype = context_type_get(con);
 +	fromlevel = context_range_get(con);
 	if (!fromrole || !fromtype) {
 		context_free(con);
 		return -1;
@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
 		if (*end)
 			*end++ = 0;
 -		/* Check for a match in the reachable list. */
 -		rc = find_partialcon(reachable, nreach, start);
 -		if (rc < 0) {
 -			/* No match, skip it. */
 +		/* Check whether a new context is valid */
 +		if (SIZE_MAX - user_len < strlen(start) + 2) {
 +			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
 +			errno = EINVAL;
 +			rc = -1;
 +			goto out;
 +		}
 +		usercon_len = user_len + strlen(start) + 2;
 +		usercon_str = malloc(usercon_len);
 +		if (!usercon_str) {
 +			rc = -1;
 +			goto out;
 +		}
 +
 +		/* set range from fromcon in the new usercon */
 +		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
 +		usercon = context_new(usercon_str);
 +		if (!usercon) {
 +			if (errno != EINVAL) {
 +				free(usercon_str);
 +				rc = -1;
 +				goto out;
 +			}
 +			fprintf(stderr,
 +				"%s: can't create a context from %s, skipping\n",
 +				__FUNCTION__, usercon_str);
 +			free(usercon_str);
 			start = end;
 			continue;
 		}
 +		free(usercon_str);
 +		if (context_range_set(usercon, fromlevel) != 0) {
 +			context_free(usercon);
 +			rc = -1;
 +			goto out;
 +		}
 +		usercon_str = context_str(usercon);
 +		if (!usercon_str) {
 +			context_free(usercon);
 +			rc = -1;
 +			goto out;
 +		}
 -		/* If a match is found and the entry is not already ordered
 -		   (e.g. due to prior match in prior config file), then set
 -		   the ordering for it. */
 -		i = rc;
 -		if (ordering[i] == nreach)
 -			ordering[i] = (*nordered)++;
 +		/* check whether usercon is already in reachable */
 +		if (is_in_reachable(*reachable, usercon_str)) {
 +			context_free(usercon);
 +			start = end;
 +			continue;
 +		}
 +		if (security_check_context(usercon_str) == 0) {
 +			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
 +			if (!new_reachable) {
 +				context_free(usercon);
 +				rc = -1;
 +				goto out;
 +			}
 +			*reachable = new_reachable;
 +			new_reachable[*nreachable] = strdup(usercon_str);
 +			if (new_reachable[*nreachable] == NULL) {
 +				context_free(usercon);
 +				rc = -1;
 +				goto out;
 +			}
 +			new_reachable[*nreachable + 1] = 0;
 +			*nreachable += 1;
 +		}
 +		context_free(usercon);
 		start = end;
 	}
 -
 	rc = 0;
       out:
@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
 	return 0;
 }
 -struct context_order {
 -	char * con;
 -	unsigned int order;
 -};
 -
 -static int order_compare(const void *A, const void *B)
 -{
 -	const struct context_order *c1 = A, *c2 = B;
 -	if (c1->order < c2->order)
 -		return -1;
 -	else if (c1->order > c2->order)
 -		return 1;
 -	return strcmp(c1->con, c2->con);
 -}
 -
 int get_ordered_context_list_with_level(const char *user,
 					const char *level,
 					char * fromcon,
@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
 			     char *** list)
 {
 	char **reachable = NULL;
 -	unsigned int *ordering = NULL;
 -	struct context_order *co = NULL;
 -	char **ptr;
 	int rc = 0;
 -	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
 +	unsigned nreachable = 0, freefrom = 0;
 	FILE *fp;
 	char *fname = NULL;
 	size_t fname_len;
@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
 		freefrom = 1;
 	}
 -	/* Determine the set of reachable contexts for the user. */
 -	rc = security_compute_user(fromcon, user, &reachable);
 -	if (rc < 0)
 -		goto failsafe;
 -	nreach = 0;
 -	for (ptr = reachable; *ptr; ptr++)
 -		nreach++;
 -	if (!nreach)
 -		goto failsafe;
 -
 -	/* Initialize ordering array. */
 -	ordering = malloc(nreach * sizeof(unsigned int));
 -	if (!ordering)
 -		goto failsafe;
 -	for (i = 0; i < nreach; i++)
 -		ordering[i] = nreach;
 -
 	/* Determine the ordering to apply from the optional per-user config
 	   and from the global config. */
 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(fname, "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 -		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
 -				       &nordered);
 +		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
 +
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
 	fp = fopen(selinux_default_context_path(), "re");
 	if (fp) {
 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
 -		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
 -				       &nordered);
 +		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
 		fclose(fp);
 		if (rc < 0 && errno != ENOENT) {
 			fprintf(stderr,
@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
 				__FUNCTION__, selinux_default_context_path());
 			/* Fall through */
 		}
 -		rc = 0;
 	}
 -	if (!nordered)
 +	if (!nreachable)
 		goto failsafe;
 -	/* Apply the ordering. */
 -	co = malloc(nreach * sizeof(struct context_order));
 -	if (!co)
 -		goto failsafe;
 -	for (i = 0; i < nreach; i++) {
 -		co[i].con = reachable[i];
 -		co[i].order = ordering[i];
 -	}
 -	qsort(co, nreach, sizeof(struct context_order), order_compare);
 -	for (i = 0; i < nreach; i++)
 -		reachable[i] = co[i].con;
 -	free(co);
 -
 -	/* Only report the ordered entries to the caller. */
 -	if (nordered <= nreach) {
 -		for (i = nordered; i < nreach; i++)
 -			free(reachable[i]);
 -		reachable[nordered] = NULL;
 -		rc = nordered;
 -	}
 -
       out:
 -	if (rc > 0)
 +	if (nreachable > 0) {
 		*list = reachable;
 +		rc = nreachable;
 +	}
 	else
 		freeconary(reachable);
 -	free(ordering);
 	if (freefrom)
 		freecon(fromcon);
@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
 		reachable = NULL;
 		goto out;
 	}
 -	rc = 1;			/* one context in the list */
 +	nreachable = 1;			/* one context in the list */
 	goto out;
 }
 -- 
 2.25.4
--- a/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
+++ b/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
@ -1,168 +0,0 @@
 From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
 From: Stephen Smalley <sds@tycho.nsa.gov>
 Date: Thu, 20 Feb 2020 10:40:19 -0500
 Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
 pages
 commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
 use of security_compute_user()") eliminated the use of
 security_compute_user() by get_ordered_context_list().  Deprecate
 all use of security_compute_user() by updating the headers and man
 pages and logging a warning message on any calls to it.  Remove
 the example utility that called the interface. While here, also
 fix the documentation of correct usage of the user argument to these
 interfaces.
 Fixes: https://github.com/SELinuxProject/selinux/issues/70
 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
 Acked-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/include/selinux/selinux.h          |  8 +++-
 .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
 libselinux/man/man3/security_compute_av.3     |  5 ++-
 libselinux/src/compute_user.c                 |  3 ++
 libselinux/utils/compute_user.c               | 38 -------------------
 5 files changed, 31 insertions(+), 47 deletions(-)
 delete mode 100644 libselinux/utils/compute_user.c
 diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
 index a34d54fc..a5ada324 100644
 --- a/libselinux/include/selinux/selinux.h
 +++ b/libselinux/include/selinux/selinux.h
@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
 				       security_class_t tclass,
 				       char ** newcon);
 -/* Compute the set of reachable user contexts and set *con to refer to 
 -   the NULL-terminated array of contexts.  Caller must free via freeconary. */
 +/*
 + * Compute the set of reachable user contexts and set *con to refer to
 + * the NULL-terminated array of contexts.  Caller must free via freeconary.
 + * These interfaces are deprecated.  Use get_ordered_context_list() or
 + * one of its variant interfaces instead.
 + */
 extern int security_compute_user(const char * scon,
 				 const char *username,
 				 char *** con);
 diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
 index e084da40..3ed14a96 100644
 --- a/libselinux/man/man3/get_ordered_context_list.3
 +++ b/libselinux/man/man3/get_ordered_context_list.3
@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
 .BI "int get_default_type(const char *" role ", char **" type );
 .
 .SH "DESCRIPTION"
 +
 +This family of functions can be used to obtain either a prioritized list of
 +all reachable security contexts for a given SELinux user or a single default
 +(highest priority) context for a given SELinux user for use by login-like
 +programs.  These functions takes a SELinux user identity that must
 +be defined in the SELinux policy as their input, not a Linux username.
 +Most callers should typically first call
 +.BR getseuserbyname(3)
 +to look up the SELinux user identity and level for a given
 +Linux username and then invoke one of
 +.BR get_ordered_context_list_with_level ()
 +or
 +.BR get_default_context_with_level ()
 +with the returned SELinux user and level as inputs.
 +
 .BR get_ordered_context_list ()
 -invokes the 
 -.BR security_compute_user (3)
 -function to obtain the list of contexts for the specified
 +obtains the list of contexts for the specified
 +SELinux
 .I user
 -that are reachable from the specified
 +identity that are reachable from the specified
 .I fromcon
 -context.  The function then orders the resulting list based on the global
 +context based on the global
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
 file and the per-user
 .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
 diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
 index 2aade5fe..8e1f746a 100644
 --- a/libselinux/man/man3/security_compute_av.3
 +++ b/libselinux/man/man3/security_compute_av.3
@@ -97,8 +97,9 @@ instance.
 .BR security_compute_user ()
 is used to determine the set of user contexts that can be reached from a
 -source context. It is mainly used by
 -.BR get_ordered_context_list ().
 +source context. This function is deprecated; use
 +.BR get_ordered_context_list (3)
 +instead.
 .BR security_get_initial_context ()
 is used to get the context of a kernel initial security identifier specified by 
 diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
 index 401fd107..0f55de84 100644
 --- a/libselinux/src/compute_user.c
 +++ b/libselinux/src/compute_user.c
@@ -8,6 +8,7 @@
 #include "selinux_internal.h"
 #include "policy.h"
 #include <limits.h>
 +#include "callbacks.h"
 int security_compute_user_raw(const char * scon,
 			      const char *user, char *** con)
@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
 		return -1;
 	}
 +	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
 +
 	if (! scon) {
 		errno=EINVAL;
 		return -1;
 diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
 deleted file mode 100644
 index cae62b26..00000000
 --- a/libselinux/utils/compute_user.c
 +++ /dev/null
@@ -1,38 +0,0 @@
 -#include <unistd.h>
 -#include <sys/types.h>
 -#include <fcntl.h>
 -#include <stdio.h>
 -#include <stdlib.h>
 -#include <errno.h>
 -#include <string.h>
 -#include <ctype.h>
 -#include <selinux/selinux.h>
 -
 -int main(int argc, char **argv)
 -{
 -	char **buf, **ptr;
 -	int ret;
 -
 -	if (argc != 3) {
 -		fprintf(stderr, "usage:  %s context user\n", argv[0]);
 -		exit(1);
 -	}
 -
 -	ret = security_compute_user(argv[1], argv[2], &buf);
 -	if (ret < 0) {
 -		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
 -			argv[0], argv[1], argv[2]);
 -		exit(2);
 -	}
 -
 -	if (!buf[0]) {
 -		printf("none\n");
 -		exit(0);
 -	}
 -
 -	for (ptr = buf; *ptr; ptr++) {
 -		printf("%s\n", *ptr);
 -	}
 -	freeconary(buf);
 -	exit(0);
 -}
 -- 
 2.25.4
--- a/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+++ b/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
@ -1,39 +0,0 @@
 From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 10 Feb 2021 18:05:29 +0100
 Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
 Describe which type of regular expression is used in file context
 definitions and which flags are in effect.
 Explain how local file context modifications are processed.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 Acked-by: Petr Lautrbach <plautrba@redhat.com>
 ---
 libselinux/man/man5/selabel_file.5 | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
 index e97bd826..baba7776 100644
 --- a/libselinux/man/man5/selabel_file.5
 +++ b/libselinux/man/man5/selabel_file.5
@@ -125,7 +125,14 @@ Where:
 .RS
 .I pathname
 .RS
 -An entry that defines the pathname that may be in the form of a regular expression.
 +An entry that defines the path to be labeled.
 +May contain either a fully qualified path,
 +or a Perl compatible regular expression (PCRE),
 +describing fully qualified path(s).
 +The only PCRE flag in use is PCRE2_DOTALL,
 +which causes a wildcard '.' to match anything, including a new line.
 +Strings representing paths are processed as bytes (as opposed to Unicode),
 +meaning that non-ASCII characters are not matched by a single wildcard.
 .RE
 .I file_type
 .RS
 -- 
 2.35.3
--- a/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
+++ b/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
@ -1,88 +0,0 @@
 From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Thu, 17 Feb 2022 14:14:15 +0100
 Subject: [PATCH] libselinux: Strip spaces before values in config
 Spaces before values in /etc/selinux/config should be ignored just as
 spaces after them are.
 E.g. "SELINUXTYPE= targeted" should be a valid value.
 Fixes:
   # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
   # dnf install <any_package>
   ...
   RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
   RPM: error: Plugin selinux: hook tsm_pre failed
   ...
   Error: Could not run transaction.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 libselinux/src/selinux_config.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
 index b06cb63b..0892b87c 100644
 --- a/libselinux/src/selinux_config.c
 +++ b/libselinux/src/selinux_config.c
@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
 	FILE *cfg = fopen(SELINUXCONFIG, "re");
 	if (cfg) {
 		char *buf;
 +		char *tag;
 		int len = sizeof(SELINUXTAG) - 1;
 		buf = malloc(selinux_page_size);
 		if (!buf) {
@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
 		while (fgets_unlocked(buf, selinux_page_size, cfg)) {
 			if (strncmp(buf, SELINUXTAG, len))
 				continue;
 +			tag = buf+len;
 +			while (isspace(*tag))
 +				tag++;
 			if (!strncasecmp
 -			    (buf + len, "enforcing", sizeof("enforcing") - 1)) {
 +			    (tag, "enforcing", sizeof("enforcing") - 1)) {
 				*enforce = 1;
 				ret = 0;
 				break;
 			} else
 			    if (!strncasecmp
 -				(buf + len, "permissive",
 +				(tag, "permissive",
 				 sizeof("permissive") - 1)) {
 				*enforce = 0;
 				ret = 0;
 				break;
 			} else
 			    if (!strncasecmp
 -				(buf + len, "disabled",
 +				(tag, "disabled",
 				 sizeof("disabled") - 1)) {
 				*enforce = -1;
 				ret = 0;
@@ -177,7 +181,10 @@ static void init_selinux_config(void)
 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
 					 sizeof(SELINUXTYPETAG) - 1)) {
 -				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
 +				buf_p += sizeof(SELINUXTYPETAG) - 1;
 +				while (isspace(*buf_p))
 +					buf_p++;
 +				type = strdup(buf_p);
 				if (!type)
 					return;
 				end = type + strlen(type) - 1;
@@ -199,6 +206,8 @@ static void init_selinux_config(void)
 			} else if (!strncmp(buf_p, REQUIRESEUSERS,
 					    sizeof(REQUIRESEUSERS) - 1)) {
 				value = buf_p + sizeof(REQUIRESEUSERS) - 1;
 +				while (isspace(*value))
 +					value++;
 				intptr = &require_seusers;
 			} else {
 				continue;
 -- 
 2.35.3
--- a/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
+++ b/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
@ -1,46 +0,0 @@
 From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Mon, 31 Oct 2022 17:00:43 +0100
 Subject: [PATCH] libselinux: Ignore missing directories when -i is used
 Currently "-i" only ignores a file whose parent directory exists. Start also
 ignoring paths with missing components.
 Fixes:
  # restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
  255
  restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 libselinux/src/selinux_restorecon.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
 index 5f189235..2ff73db6 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
 			pathname = realpath(pathname_orig, NULL);
 			if (!pathname) {
 				free(basename_cpy);
 +				/* missing parent directory */
 +				if (flags.ignore_noent && errno == ENOENT) {
 +					return 0;
 +				}
 				goto realpatherr;
 			}
 		} else {
@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
 			free(dirname_cpy);
 			if (!pathdnamer) {
 				free(basename_cpy);
 +				if (flags.ignore_noent && errno == ENOENT) {
 +					return 0;
 +				}
 				goto realpatherr;
 			}
 			if (!strcmp(pathdnamer, "/"))
 -- 
 2.37.3
--- a/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
+++ b/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
@ -1,42 +0,0 @@
 From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Wed, 7 Dec 2022 09:19:29 +0100
 Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
 Fix memory leak introduced by commit
 9a04499cebedac3f585c0240e6cf68f786ae62b7
 libselinux: Ignore missing directories when -i is used
 Error: RESOURCE_LEAK:
 selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
 selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
 selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
 Resolves: rhbz#2137965
 ---
 libselinux/src/selinux_restorecon.c | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
 index 2ff73db6..b3702764 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
 				free(basename_cpy);
 				/* missing parent directory */
 				if (flags.ignore_noent && errno == ENOENT) {
 +					free(xattr_value);
 					return 0;
 				}
 				goto realpatherr;
@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
 			if (!pathdnamer) {
 				free(basename_cpy);
 				if (flags.ignore_noent && errno == ENOENT) {
 +					free(xattr_value);
 					return 0;
 				}
 				goto realpatherr;
 -- 
 2.37.3
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@ -6,7 +6,7 @@
 %endif
 %define libsepolver 2.9-1
-%define libselinuxrelease 8
+%define libselinuxrelease 1
 Summary: SELinux library and simple utilities
 Name: libselinux
@ -24,15 +24,6 @@ Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
 Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
 Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
 Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
 Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
 Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
 Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
 Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
 Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
 Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
 Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
 Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
 Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
 BuildRequires: gcc
 %if 0%{?with_ruby}
@ -64,7 +55,7 @@ process and file security contexts and to obtain security policy
 decisions.  Required for any applications that use the SELinux API.
 %package utils
-Summary: SELinux libselinux utilities
+Summary: SELinux libselinux utilies
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description utils
@ -191,10 +182,8 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli
 %if 0%{?with_python2}
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 InstallPythonWrapper %{__python2}
 mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
 %endif
 InstallPythonWrapper %{__python3}
 mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/
 %if 0%{?with_ruby}
 make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
@ -230,6 +219,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %license LICENSE
 %{_libdir}/libselinux.so.*
 %dir %{_rundir}/setrans/
 %{_sbindir}/sefcontext_compile
 %{_tmpfilesdir}/libselinux.conf
 %files utils
@ -237,7 +227,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{_sbindir}/getenforce
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
 %{_sbindir}/sefcontext_compile
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
 %{_sbindir}/selinuxexeccon
@ -266,13 +255,11 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %files -n libselinux-python
 %{python2_sitearch}/selinux/
 %{python2_sitearch}/_selinux.so
 %{python2_sitearch}/selinux-%{version}-*
 %endif
 %files -n python3-libselinux
 %{python3_sitearch}/selinux/
 %{python3_sitearch}/_selinux.*.so
 %{python3_sitearch}/selinux-%{version}-*
 %if 0%{?with_ruby}
 %files ruby
@ -280,29 +267,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif
 %changelog
 * Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
 - restorecon: Fix memory leak - xattr_value (#2137965)
 * Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
 - Restorecon: Ignore missing directories when -i is used (#2137965)
 * Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
 - Describe fcontext regular expressions (#1904059)
 - Strip spaces before values in config (#2012145)
 * Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
 - Deprecate security_compute_user(), update man pages (#1879368)
 * Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
 - Eliminate use of security_compute_user() (#1879368)
 * Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
 - Fix mcstrans secolor examples in secolor.conf man page (#1770270)
 * Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
 - Use Python distutils to install SELinux python bindings (#1719771)
 - Move  sefcontext_compile to -utils package (#1612518)
 * Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
 - SELinux userspace 2.9 release