import libselinux-2.9-8.el8

import libselinux-2.9-6.el8
import libselinux-2.9-5.el8
2023-05-17 02:06:28 +00:00 · 2022-11-08 13:30:05 +00:00 · 2021-09-10 11:53:11 +00:00 · 2021-09-10 11:53:03 +00:00 · 2021-09-10 11:52:55 +00:00 · 2021-09-10 11:52:48 +00:00
18 changed files with 1462 additions and 472 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/libselinux-2.8.tar.gz
+SOURCES/libselinux-2.9.tar.gz
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@ -1 +1 @@
-d45f2db91dbec82ef5a153aca247acc04234e8af SOURCES/libselinux-2.8.tar.gz
+c53911ee9da673f7653ab1afe66c0b2bf5fb5ac9 SOURCES/libselinux-2.9.tar.gz
--- a/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+++ b/SOURCES/0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
@ -0,0 +1,31 @@
+From f71fc47524bef3c4cd8a412e43d13daebd1c418b Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 16 Jul 2014 08:28:03 +0200
+Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
+
+---
+ libselinux/man/man8/selinux.8 | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index e37aee68..bf23b655 100644
+--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
+@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+ .BR sepolicy (8),
+ .BR system-config-selinux (8),
+ .BR togglesebool (8),
+-.BR restorecon (8),
+ .BR fixfiles (8),
+.BR restorecon (8),
+ .BR setfiles (8),
+ .BR semanage (8),
+ .BR sepolicy (8)
+.BR seinfo (8),
+.BR sesearch (8)
+ 
+ Every confined service on the system has a man page in the following format:
+ .br
+-- 
+2.21.0
+
--- a/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+++ b/SOURCES/0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
@ -0,0 +1,214 @@
+From ad3d3a0bf819f5895a6884357c2d0e18ea1ef314 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Mon, 23 Dec 2013 09:50:54 -0500
+Subject: [PATCH] Verify context input to funtions to make sure the context
+ field is not null.
+
+Return errno EINVAL, to prevent segfault.
+
+Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
+
+FIXME: use __attribute__(nonnull (arg-index, ...))
+---
+ libselinux/src/avc_sidtab.c           | 5 +++++
+ libselinux/src/canonicalize_context.c | 5 +++++
+ libselinux/src/check_context.c        | 5 +++++
+ libselinux/src/compute_av.c           | 5 +++++
+ libselinux/src/compute_create.c       | 5 +++++
+ libselinux/src/compute_member.c       | 5 +++++
+ libselinux/src/compute_relabel.c      | 5 +++++
+ libselinux/src/compute_user.c         | 5 +++++
+ libselinux/src/fsetfilecon.c          | 8 ++++++--
+ libselinux/src/lsetfilecon.c          | 9 +++++++--
+ libselinux/src/setfilecon.c           | 8 ++++++--
+ 11 files changed, 59 insertions(+), 6 deletions(-)
+
+diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
+index 9669264d..c7754305 100644
+--- a/libselinux/src/avc_sidtab.c
+++ b/libselinux/src/avc_sidtab.c
+@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
+ 	int hvalue, rc = 0;
+ 	struct sidtab_node *cur;
+ 
+	if (! ctx) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	*sid = NULL;
+ 	hvalue = sidtab_hash(ctx);
+ 
+diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
+index ba4c9a2c..c8158725 100644
+--- a/libselinux/src/canonicalize_context.c
+++ b/libselinux/src/canonicalize_context.c
+@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
+ 	size_t size;
+ 	int fd, ret;
+ 
+	if (! con) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
+index 8a7997f0..5be84348 100644
+--- a/libselinux/src/check_context.c
+++ b/libselinux/src/check_context.c
+@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
+ 	char path[PATH_MAX];
+ 	int fd, ret;
+ 
+	if (! con) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+ 		return -1;
+diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
+index a47cffe9..6d285a2e 100644
+--- a/libselinux/src/compute_av.c
+++ b/libselinux/src/compute_av.c
+@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	if ((! scon) || (! tcon)) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
+index 0975aeac..3e6a48c1 100644
+--- a/libselinux/src/compute_create.c
+++ b/libselinux/src/compute_create.c
+@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	if ((! scon) || (! tcon)) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
+index 4e2d221e..d1dd9772 100644
+--- a/libselinux/src/compute_member.c
+++ b/libselinux/src/compute_member.c
+@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	if ((! scon) || (! tcon)) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
+index 49f77ef3..c3db7c0a 100644
+--- a/libselinux/src/compute_relabel.c
+++ b/libselinux/src/compute_relabel.c
+@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	if ((! scon) || (! tcon)) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 7b881215..401fd107 100644
+--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
+@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	if (! scon) {
+		errno=EINVAL;
+		return -1;
+	}
+
+ 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
+ 	fd = open(path, O_RDWR | O_CLOEXEC);
+ 	if (fd < 0)
+diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
+index 52707d05..0cbe12d8 100644
+--- a/libselinux/src/fsetfilecon.c
+++ b/libselinux/src/fsetfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int fsetfilecon_raw(int fd, const char * context)
+ {
+-	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
+	int rc;
+	if (! context) {
+		errno=EINVAL;
+		return -1;
+	}
+	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
+index 1d3b28a1..ea6d70b7 100644
+--- a/libselinux/src/lsetfilecon.c
+++ b/libselinux/src/lsetfilecon.c
+@@ -9,8 +9,13 @@
+ 
+ int lsetfilecon_raw(const char *path, const char * context)
+ {
+-	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			 0);
+	int rc;
+	if (! context) {
+		errno=EINVAL;
+		return -1;
+	}
+
+	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
+index d05969c6..3f0200e8 100644
+--- a/libselinux/src/setfilecon.c
+++ b/libselinux/src/setfilecon.c
+@@ -9,8 +9,12 @@
+ 
+ int setfilecon_raw(const char *path, const char * context)
+ {
+-	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
+-			0);
+	int rc;
+	if (! context) {
+		errno=EINVAL;
+		return -1;
+	}
+	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
+ 	if (rc < 0 && errno == ENOTSUP) {
+ 		char * ccontext = NULL;
+ 		int err = errno;
+-- 
+2.21.0
+
--- a/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
+++ b/SOURCES/0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
@ -0,0 +1,39 @@
+From a6e839be2c5a77c22a8c72cad001e3f87eaedf2e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 11 Mar 2019 15:26:43 +0100
+Subject: [PATCH] libselinux: Allow to override OVERRIDE_GETTID from command
+ line
+
+$ make CFLAGS="$CFLAGS -DOVERRIDE_GETTID=0" ...
+
+Drop this as soon as glibc-2.30 will become real 2.30 version, see
+https://bugzilla.redhat.com/show_bug.cgi?id=1685594
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/procattr.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
+index c6799ef2..cbb6824e 100644
+--- a/libselinux/src/procattr.c
+++ b/libselinux/src/procattr.c
+@@ -24,6 +24,7 @@ static __thread char destructor_initialized;
+ 
+ /* Bionic and glibc >= 2.30 declare gettid() system call wrapper in unistd.h and
+  * has a definition for it */
+#ifndef OVERRIDE_GETTID
+ #ifdef __BIONIC__
+   #define OVERRIDE_GETTID 0
+ #elif !defined(__GLIBC_PREREQ)
+@@ -33,6 +34,7 @@ static __thread char destructor_initialized;
+ #else
+   #define OVERRIDE_GETTID 0
+ #endif
+#endif
+ 
+ #if OVERRIDE_GETTID
+ static pid_t gettid(void)
+-- 
+2.21.0
+
--- a/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
+++ b/SOURCES/0004-Bring-some-old-permission-and-flask-constants-back-t.patch
@ -0,0 +1,55 @@
+From be420729fbf4adc8b32ca3722fa6ca46bb51413d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 27 Feb 2019 09:37:17 +0100
+Subject: [PATCH] Bring some old permission and flask constants back to Python
+ bindings
+
+---
+ libselinux/src/selinuxswig.i        | 4 ++++
+ libselinux/src/selinuxswig_python.i | 3 ++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/src/selinuxswig.i b/libselinux/src/selinuxswig.i
+index dbdb4c3d..9c5b9263 100644
+--- a/libselinux/src/selinuxswig.i
+++ b/libselinux/src/selinuxswig.i
+@@ -5,7 +5,9 @@
+ %module selinux
+ %{
+ 	#include "../include/selinux/avc.h"
+	#include "../include/selinux/av_permissions.h"
+ 	#include "../include/selinux/context.h"
+	#include "../include/selinux/flask.h"
+ 	#include "../include/selinux/get_context_list.h"
+ 	#include "../include/selinux/get_default_type.h"
+ 	#include "../include/selinux/label.h"
+@@ -58,7 +60,9 @@
+ %ignore avc_netlink_check_nb;
+ 
+ %include "../include/selinux/avc.h"
+%include "../include/selinux/av_permissions.h"
+ %include "../include/selinux/context.h"
+%include "../include/selinux/flask.h"
+ %include "../include/selinux/get_context_list.h"
+ %include "../include/selinux/get_default_type.h"
+ %include "../include/selinux/label.h"
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 4c73bf92..6eaab081 100644
+--- a/libselinux/src/selinuxswig_python.i
+++ b/libselinux/src/selinuxswig_python.i
+@@ -1,10 +1,11 @@
+ /* Author: James Athey
+  */
+ 
+-/* Never build rpm_execcon interface */
+/* Never build rpm_execcon interface unless you need to have ACG compatibility
+ #ifndef DISABLE_RPM
+ #define DISABLE_RPM
+ #endif
+*/
+ 
+ %module selinux
+ %{
+-- 
+2.21.0
+
--- a/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
+++ b/SOURCES/0005-libselinux-add-missing-av_permission-values.patch
@ -0,0 +1,32 @@
+From 903c54bf62ffba3c95e22e74c9c43838cd3935a0 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 28 Feb 2017 16:12:43 +0100
+Subject: [PATCH] libselinux: add missing av_permission values
+
+Add missing av_permission values to av_permissions.h for the sake of
+completeness (this interface is obsolete - these values are now
+obtained at runtime).
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1025931
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/include/selinux/av_permissions.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/include/selinux/av_permissions.h b/libselinux/include/selinux/av_permissions.h
+index c1269af9..631f0276 100644
+--- a/libselinux/include/selinux/av_permissions.h
+++ b/libselinux/include/selinux/av_permissions.h
+@@ -876,6 +876,8 @@
+ #define NSCD__SHMEMHOST                           0x00000080UL
+ #define NSCD__GETSERV                             0x00000100UL
+ #define NSCD__SHMEMSERV                           0x00000200UL
+#define NSCD__GETNETGRP                           0x00000400UL
+#define NSCD__SHMEMNETGRP                         0x00000800UL
+ #define ASSOCIATION__SENDTO                       0x00000001UL
+ #define ASSOCIATION__RECVFROM                     0x00000002UL
+ #define ASSOCIATION__SETCONTEXT                   0x00000004UL
+-- 
+2.21.0
+
--- a/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
+++ b/SOURCES/0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
@ -0,0 +1,177 @@
+From 67d490a38a319126f371eaf66a5fc922d7005b1f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 16 May 2019 15:01:59 +0200
+Subject: [PATCH] libselinux: Use Python distutils to install SELinux python
+ bindings
+
+SWIG-4.0 changed its behavior so that it uses: from . import _selinux  which
+looks for _selinux module in the same directory as where __init__.py is -
+$(PYLIBDIR)/site-packages/selinux. But _selinux module is installed into
+$(PYLIBDIR)/site-packages/ since a9604c30a5e2f ("libselinux: Change the location
+of _selinux.so").
+
+In order to prevent such breakage in future use Python's distutils instead of
+building and installing python bindings manually in Makefile.
+
+Fixes:
+>>> import selinux
+Traceback (most recent call last):
+  File "<stdin>", line 1, in <module>
+  File "/usr/lib64/python3.7/site-packages/selinux/__init__.py", line 13, in <module>
+    from . import _selinux
+ImportError: cannot import name '_selinux' from 'selinux' (/usr/lib64/python3.7/site-packages/selinux/__init__.py)
+>>>
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/.gitignore |  2 +-
+ libselinux/src/Makefile   | 37 ++++++++-----------------------------
+ libselinux/src/setup.py   | 24 ++++++++++++++++++++++++
+ 3 files changed, 33 insertions(+), 30 deletions(-)
+ create mode 100644 libselinux/src/setup.py
+
+diff --git a/libselinux/src/.gitignore b/libselinux/src/.gitignore
+index 4dcc3b3b..428afe5a 100644
+--- a/libselinux/src/.gitignore
+++ b/libselinux/src/.gitignore
+@@ -1,4 +1,4 @@
+ selinux.py
+-selinuxswig_wrap.c
+selinuxswig_python_wrap.c
+ selinuxswig_python_exception.i
+ selinuxswig_ruby_wrap.c
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index e9ed0383..826c830c 100644
+--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
+@@ -36,7 +36,7 @@ TARGET=libselinux.so
+ LIBPC=libselinux.pc
+ SWIGIF= selinuxswig_python.i selinuxswig_python_exception.i
+ SWIGRUBYIF= selinuxswig_ruby.i
+-SWIGCOUT= selinuxswig_wrap.c
+SWIGCOUT= selinuxswig_python_wrap.c
+ SWIGPYOUT= selinux.py
+ SWIGRUBYCOUT= selinuxswig_ruby_wrap.c
+ SWIGLOBJ:= $(patsubst %.c,$(PYPREFIX)%.lo,$(SWIGCOUT))
+@@ -55,7 +55,7 @@ ifeq ($(LIBSEPOLA),)
+         LDLIBS_LIBSEPOLA := -l:libsepol.a
+ endif
+ 
+-GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
+GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) $(SWIGCOUT) selinuxswig_python_exception.i
+ SRCS= $(filter-out $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
+ 
+ MAX_STACK_SIZE=32768
+@@ -125,25 +125,18 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+ 
+-SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS)
+-
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ 
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+ 
+-pywrap: all $(SWIGFILES) $(AUDIT2WHYSO)
+pywrap: all selinuxswig_python_exception.i
+	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ 
+ rubywrap: all $(SWIGRUBYSO)
+ 
+-$(SWIGLOBJ): $(SWIGCOUT)
+-	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ 	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+ 
+-$(SWIGSO): $(SWIGLOBJ)
+-	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $< -lselinux $(PYLIBS)
+-
+ $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+ 	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(RUBYLIBS)
+ 
+@@ -161,29 +154,15 @@ $(LIBPC): $(LIBPC).in ../VERSION
+ selinuxswig_python_exception.i: ../include/selinux/selinux.h
+ 	bash -e exception.sh > $@ || (rm -f $@ ; false)
+ 
+-$(AUDIT2WHYLOBJ): audit2why.c
+-	$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+-
+-$(AUDIT2WHYSO): $(AUDIT2WHYLOBJ) $(LIBSEPOLA)
+-	$(CC) $(CFLAGS) $(LDFLAGS) -L. -shared -o $@ $^ -lselinux $(LDLIBS_LIBSEPOLA) $(PYLIBS) -Wl,-soname,audit2why.so,--version-script=audit2why.map,-z,defs
+-
+ %.o:  %.c policy.h
+ 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
+ 
+ %.lo:  %.c policy.h
+ 	$(CC) $(CFLAGS) -fPIC -DSHARED -c -o $@ $<
+ 
+-$(SWIGCOUT): $(SWIGIF)
+-	$(SWIG) $<
+-
+-$(SWIGPYOUT): $(SWIGCOUT)
+-
+ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
+ 	$(SWIGRUBY) $<
+ 
+-swigify: $(SWIGIF)
+-	$(SWIG) $<
+-
+ install: all 
+ 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
+ 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
+@@ -194,10 +173,8 @@ install: all
+ 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+ 
+ install-pywrap: pywrap
+-	test -d $(DESTDIR)$(PYTHONLIBDIR)/selinux || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)/selinux
+-	install -m 755 $(SWIGSO) $(DESTDIR)$(PYTHONLIBDIR)/_selinux$(PYCEXT)
+-	install -m 755 $(AUDIT2WHYSO) $(DESTDIR)$(PYTHONLIBDIR)/selinux/audit2why$(PYCEXT)
+-	install -m 644 $(SWIGPYOUT) $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+	$(PYTHON) setup.py install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR)`
+	install -m 644 selinux.py $(DESTDIR)$(PYTHONLIBDIR)/selinux/__init__.py
+ 
+ install-rubywrap: rubywrap
+ 	test -d $(DESTDIR)$(RUBYINSTALL) || install -m 755 -d $(DESTDIR)$(RUBYINSTALL) 
+@@ -208,6 +185,8 @@ relabel:
+ 
+ clean-pywrap:
+ 	-rm -f $(SWIGLOBJ) $(SWIGSO) $(AUDIT2WHYLOBJ) $(AUDIT2WHYSO)
+	$(PYTHON) setup.py clean
+	-rm -rf build *~ \#* *pyc .#*
+ 
+ clean-rubywrap:
+ 	-rm -f $(SWIGRUBYLOBJ) $(SWIGRUBYSO)
+diff --git a/libselinux/src/setup.py b/libselinux/src/setup.py
+new file mode 100644
+index 00000000..b12e7869
+--- /dev/null
+++ b/libselinux/src/setup.py
+@@ -0,0 +1,24 @@
+#!/usr/bin/python3
+
+from distutils.core import Extension, setup
+
+setup(
+    name="selinux",
+    version="2.9",
+    description="SELinux python 3 bindings",
+    author="SELinux Project",
+    author_email="selinux@vger.kernel.org",
+    ext_modules=[
+        Extension('selinux._selinux',
+                  sources=['selinuxswig_python.i'],
+                  include_dirs=['../include'],
+                  library_dirs=['.'],
+                  libraries=['selinux']),
+        Extension('selinux.audit2why',
+                  sources=['audit2why.c'],
+                  include_dirs=['../include'],
+                  library_dirs=['.'],
+                  libraries=['selinux'],
+                  extra_link_args=['-l:libsepol.a'])
+    ],
+)
+-- 
+2.21.0
+
--- a/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
+++ b/SOURCES/0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
@ -0,0 +1,44 @@
+From 6ec8116ee64a25a0c5eb543f0b12ed25f1348c45 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 27 Jun 2019 11:17:13 +0200
+Subject: [PATCH] libselinux: Do not use SWIG_CFLAGS when Python bindings are
+ built
+
+Fixes:
+https://rpmdiff.engineering.redhat.com/run/410372/7/
+
+Detecting usr/lib64/python3.6/site-packages/selinux/audit2why.cpython-36m-x86_64-linux-gnu.so with not-hardened warnings '
+Hardened: audit2why.cpython-36m-x86_64-linux-gnu.so: FAIL: Gaps were detected in the annobin coverage.  Run with -v to list.
+' on x86_64
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/Makefile | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 826c830c..f64f23a8 100644
+--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
+@@ -104,9 +104,6 @@ FTS_LDLIBS ?=
+ 
+ override CFLAGS += -I../include -D_GNU_SOURCE $(DISABLE_FLAGS) $(PCRE_CFLAGS)
+ 
+-SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
+-		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+-
+ RANLIB ?= ranlib
+ 
+ ARCH := $(patsubst i%86,i386,$(shell uname -m))
+@@ -130,7 +127,7 @@ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+ 
+ pywrap: all selinuxswig_python_exception.i
+-	CFLAGS="$(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+	$(PYTHON) setup.py build_ext -I $(DESTDIR)$(INCLUDEDIR) -L $(DESTDIR)$(LIBDIR)
+ 
+ rubywrap: all $(SWIGRUBYSO)
+ 
+-- 
+2.21.0
+
--- a/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
+++ b/SOURCES/0008-Fix-mcstrans-secolor-examples.patch
@ -0,0 +1,66 @@
+From 90a4f2b9a5194a2d1ab4c45b7a90bbb6c8099a68 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Tue, 2 Jul 2019 14:09:05 +0200
+Subject: [PATCH] Fix mcstrans secolor examples
+
+According to "check_dominance" function:
+Range defined as "s15:c0.c1023" does not dominate any other range than
+ "s15:c0.c1023" (does not dominate "s15", "s15:c0.c200", etc.).
+While range defined as "s15-s15:c0.c1023" dominates all of the above.
+
+This is either a bug, or "s15:c0.c1023" should not be used in the
+examples.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/man/man5/secolor.conf.5    | 4 ++--
+ libselinux/man/ru/man5/secolor.conf.5 | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/man/man5/secolor.conf.5 b/libselinux/man/man5/secolor.conf.5
+index b834577a..a3bf2da1 100644
+--- a/libselinux/man/man5/secolor.conf.5
+++ b/libselinux/man/man5/secolor.conf.5
+@@ -123,7 +123,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023   = black yellow
+range s15\-s15:c0.c1023   = black yellow
+ .RE
+ 
+ .sp
+@@ -165,7 +165,7 @@ type xguest_t     = black green
+ .br
+ user sysadm_u     = white black
+ .br
+-range s0:c0.c1023 = black white
+range s0-s0:c0.c1023 = black white
+ .br
+ user *            = black white
+ .br
+diff --git a/libselinux/man/ru/man5/secolor.conf.5 b/libselinux/man/ru/man5/secolor.conf.5
+index 4c1236ae..bcae80c1 100644
+--- a/libselinux/man/ru/man5/secolor.conf.5
+++ b/libselinux/man/ru/man5/secolor.conf.5
+@@ -121,7 +121,7 @@ range s7\-s7:c0.c1023 = black red
+ .br
+ range s9\-s9:c0.c1023 = black orange
+ .br
+-range s15:c0.c1023   = black yellow
+range s15\-s15:c0.c1023   = black yellow
+ .RE
+ 
+ .sp
+@@ -163,7 +163,7 @@ type xguest_t     = black green
+ .br
+ user sysadm_u     = white black
+ .br
+-range s0:c0.c1023 = black white
+range s0\-s0:c0.c1023 = black white
+ .br
+ user *            = black white
+ .br
+-- 
+2.21.0
+
--- a/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
+++ b/SOURCES/0009-libselinux-Eliminate-use-of-security_compute_user.patch
@ -0,0 +1,354 @@
+From bfee1a3131580a7b9d8a7366764b8e78d99a9f1b Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 17 Feb 2020 21:47:35 +0100
+Subject: [PATCH] libselinux: Eliminate use of security_compute_user()
+
+get_ordered_context_list() code used to ask the kernel to compute the complete
+set of reachable contexts using /sys/fs/selinux/user aka
+security_compute_user(). This set can be so huge so that it doesn't fit into a
+kernel page and security_compute_user() fails. Even if it doesn't fail,
+get_ordered_context_list() throws away the vast majority of the returned
+contexts because they don't match anything in
+/etc/selinux/targeted/contexts/default_contexts or
+/etc/selinux/targeted/contexts/users/
+
+get_ordered_context_list() is rewritten to compute set of contexts based on
+/etc/selinux/targeted/contexts/users/ and
+/etc/selinux/targeted/contexts/default_contexts files and to return only valid
+contexts, using security_check_context(), from this set.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/28
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/get_context_list.c | 212 +++++++++++++-----------------
+ 1 file changed, 93 insertions(+), 119 deletions(-)
+
+diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
+index 689e4658..26d7b3b9 100644
+--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
+@@ -2,6 +2,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <stdio_ext.h>
+#include <stdint.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <ctype.h>
+@@ -114,64 +115,41 @@ int get_default_context(const char *user,
+ 	return 0;
+ }
+ 
+-static int find_partialcon(char ** list,
+-			   unsigned int nreach, char *part)
+static int is_in_reachable(char **reachable, const char *usercon_str)
+ {
+-	const char *conrole, *contype;
+-	char *partrole, *parttype, *ptr;
+-	context_t con;
+-	unsigned int i;
+	if (!reachable)
+		return 0;
+ 
+-	partrole = part;
+-	ptr = part;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	if (*ptr != ':')
+-		return -1;
+-	*ptr++ = 0;
+-	parttype = ptr;
+-	while (*ptr && !isspace(*ptr) && *ptr != ':')
+-		ptr++;
+-	*ptr = 0;
+-
+-	for (i = 0; i < nreach; i++) {
+-		con = context_new(list[i]);
+-		if (!con)
+-			return -1;
+-		conrole = context_role_get(con);
+-		contype = context_type_get(con);
+-		if (!conrole || !contype) {
+-			context_free(con);
+-			return -1;
+-		}
+-		if (!strcmp(conrole, partrole) && !strcmp(contype, parttype)) {
+-			context_free(con);
+-			return i;
+	for (; *reachable != NULL; reachable++) {
+		if (strcmp(*reachable, usercon_str) == 0) {
+			return 1;
+ 		}
+-		context_free(con);
+ 	}
+-
+-	return -1;
+	return 0;
+ }
+ 
+-static int get_context_order(FILE * fp,
+static int get_context_user(FILE * fp,
+ 			     char * fromcon,
+-			     char ** reachable,
+-			     unsigned int nreach,
+-			     unsigned int *ordering, unsigned int *nordered)
+			     const char * user,
+			     char ***reachable,
+			     unsigned int *nreachable)
+ {
+ 	char *start, *end = NULL;
+ 	char *line = NULL;
+-	size_t line_len = 0;
+	size_t line_len = 0, usercon_len;
+	size_t user_len = strlen(user);
+ 	ssize_t len;
+ 	int found = 0;
+-	const char *fromrole, *fromtype;
+	const char *fromrole, *fromtype, *fromlevel;
+ 	char *linerole, *linetype;
+-	unsigned int i;
+	char **new_reachable = NULL;
+	char *usercon_str;
+ 	context_t con;
+	context_t usercon;
+
+ 	int rc;
+ 
+-	errno = -EINVAL;
+	errno = EINVAL;
+ 
+ 	/* Extract the role and type of the fromcon for matching.
+ 	   User identity and MLS range can be variable. */
+@@ -180,6 +158,7 @@ static int get_context_order(FILE * fp,
+ 		return -1;
+ 	fromrole = context_role_get(con);
+ 	fromtype = context_type_get(con);
+	fromlevel = context_range_get(con);
+ 	if (!fromrole || !fromtype) {
+ 		context_free(con);
+ 		return -1;
+@@ -243,23 +222,75 @@ static int get_context_order(FILE * fp,
+ 		if (*end)
+ 			*end++ = 0;
+ 
+-		/* Check for a match in the reachable list. */
+-		rc = find_partialcon(reachable, nreach, start);
+-		if (rc < 0) {
+-			/* No match, skip it. */
+		/* Check whether a new context is valid */
+		if (SIZE_MAX - user_len < strlen(start) + 2) {
+			fprintf(stderr, "%s: one of partial contexts is too big\n", __FUNCTION__);
+			errno = EINVAL;
+			rc = -1;
+			goto out;
+		}
+		usercon_len = user_len + strlen(start) + 2;
+		usercon_str = malloc(usercon_len);
+		if (!usercon_str) {
+			rc = -1;
+			goto out;
+		}
+
+		/* set range from fromcon in the new usercon */
+		snprintf(usercon_str, usercon_len, "%s:%s", user, start);
+		usercon = context_new(usercon_str);
+		if (!usercon) {
+			if (errno != EINVAL) {
+				free(usercon_str);
+				rc = -1;
+				goto out;
+			}
+			fprintf(stderr,
+				"%s: can't create a context from %s, skipping\n",
+				__FUNCTION__, usercon_str);
+			free(usercon_str);
+ 			start = end;
+ 			continue;
+ 		}
+		free(usercon_str);
+		if (context_range_set(usercon, fromlevel) != 0) {
+			context_free(usercon);
+			rc = -1;
+			goto out;
+		}
+		usercon_str = context_str(usercon);
+		if (!usercon_str) {
+			context_free(usercon);
+			rc = -1;
+			goto out;
+		}
+ 
+-		/* If a match is found and the entry is not already ordered
+-		   (e.g. due to prior match in prior config file), then set
+-		   the ordering for it. */
+-		i = rc;
+-		if (ordering[i] == nreach)
+-			ordering[i] = (*nordered)++;
+		/* check whether usercon is already in reachable */
+		if (is_in_reachable(*reachable, usercon_str)) {
+			context_free(usercon);
+			start = end;
+			continue;
+		}
+		if (security_check_context(usercon_str) == 0) {
+			new_reachable = realloc(*reachable, (*nreachable + 2) * sizeof(char *));
+			if (!new_reachable) {
+				context_free(usercon);
+				rc = -1;
+				goto out;
+			}
+			*reachable = new_reachable;
+			new_reachable[*nreachable] = strdup(usercon_str);
+			if (new_reachable[*nreachable] == NULL) {
+				context_free(usercon);
+				rc = -1;
+				goto out;
+			}
+			new_reachable[*nreachable + 1] = 0;
+			*nreachable += 1;
+		}
+		context_free(usercon);
+ 		start = end;
+ 	}
+-
+ 	rc = 0;
+ 
+       out:
+@@ -313,21 +344,6 @@ static int get_failsafe_context(const char *user, char ** newcon)
+ 	return 0;
+ }
+ 
+-struct context_order {
+-	char * con;
+-	unsigned int order;
+-};
+-
+-static int order_compare(const void *A, const void *B)
+-{
+-	const struct context_order *c1 = A, *c2 = B;
+-	if (c1->order < c2->order)
+-		return -1;
+-	else if (c1->order > c2->order)
+-		return 1;
+-	return strcmp(c1->con, c2->con);
+-}
+-
+ int get_ordered_context_list_with_level(const char *user,
+ 					const char *level,
+ 					char * fromcon,
+@@ -395,11 +411,8 @@ int get_ordered_context_list(const char *user,
+ 			     char *** list)
+ {
+ 	char **reachable = NULL;
+-	unsigned int *ordering = NULL;
+-	struct context_order *co = NULL;
+-	char **ptr;
+ 	int rc = 0;
+-	unsigned int nreach = 0, nordered = 0, freefrom = 0, i;
+	unsigned nreachable = 0, freefrom = 0;
+ 	FILE *fp;
+ 	char *fname = NULL;
+ 	size_t fname_len;
+@@ -413,23 +426,6 @@ int get_ordered_context_list(const char *user,
+ 		freefrom = 1;
+ 	}
+ 
+-	/* Determine the set of reachable contexts for the user. */
+-	rc = security_compute_user(fromcon, user, &reachable);
+-	if (rc < 0)
+-		goto failsafe;
+-	nreach = 0;
+-	for (ptr = reachable; *ptr; ptr++)
+-		nreach++;
+-	if (!nreach)
+-		goto failsafe;
+-
+-	/* Initialize ordering array. */
+-	ordering = malloc(nreach * sizeof(unsigned int));
+-	if (!ordering)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++)
+-		ordering[i] = nreach;
+-
+ 	/* Determine the ordering to apply from the optional per-user config
+ 	   and from the global config. */
+ 	fname_len = strlen(user_contexts_path) + strlen(user) + 2;
+@@ -440,8 +436,8 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(fname, "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
+		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -454,8 +450,7 @@ int get_ordered_context_list(const char *user,
+ 	fp = fopen(selinux_default_context_path(), "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-		rc = get_context_order(fp, fromcon, reachable, nreach, ordering,
+-				       &nordered);
+		rc = get_context_user(fp, fromcon, user, &reachable, &nreachable);
+ 		fclose(fp);
+ 		if (rc < 0 && errno != ENOENT) {
+ 			fprintf(stderr,
+@@ -463,40 +458,19 @@ int get_ordered_context_list(const char *user,
+ 				__FUNCTION__, selinux_default_context_path());
+ 			/* Fall through */
+ 		}
+-		rc = 0;
+ 	}
+ 
+-	if (!nordered)
+	if (!nreachable)
+ 		goto failsafe;
+ 
+-	/* Apply the ordering. */
+-	co = malloc(nreach * sizeof(struct context_order));
+-	if (!co)
+-		goto failsafe;
+-	for (i = 0; i < nreach; i++) {
+-		co[i].con = reachable[i];
+-		co[i].order = ordering[i];
+-	}
+-	qsort(co, nreach, sizeof(struct context_order), order_compare);
+-	for (i = 0; i < nreach; i++)
+-		reachable[i] = co[i].con;
+-	free(co);
+-
+-	/* Only report the ordered entries to the caller. */
+-	if (nordered <= nreach) {
+-		for (i = nordered; i < nreach; i++)
+-			free(reachable[i]);
+-		reachable[nordered] = NULL;
+-		rc = nordered;
+-	}
+-
+       out:
+-	if (rc > 0)
+	if (nreachable > 0) {
+ 		*list = reachable;
+		rc = nreachable;
+	}
+ 	else
+ 		freeconary(reachable);
+ 
+-	free(ordering);
+ 	if (freefrom)
+ 		freecon(fromcon);
+ 
+@@ -519,7 +493,7 @@ int get_ordered_context_list(const char *user,
+ 		reachable = NULL;
+ 		goto out;
+ 	}
+-	rc = 1;			/* one context in the list */
+	nreachable = 1;			/* one context in the list */
+ 	goto out;
+ }
+ 
+-- 
+2.25.4
+
--- a/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
+++ b/SOURCES/0010-libselinux-deprecate-security_compute_user-update-ma.patch
@ -0,0 +1,168 @@
+From d4c22fcd5943fe35db648dee971f631d40b3eb94 Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <sds@tycho.nsa.gov>
+Date: Thu, 20 Feb 2020 10:40:19 -0500
+Subject: [PATCH] libselinux: deprecate security_compute_user(), update man
+ pages
+
+commit 1f89c4e7879fcf6da5d8d1b025dcc03371f30fc9 ("libselinux: Eliminate
+use of security_compute_user()") eliminated the use of
+security_compute_user() by get_ordered_context_list().  Deprecate
+all use of security_compute_user() by updating the headers and man
+pages and logging a warning message on any calls to it.  Remove
+the example utility that called the interface. While here, also
+fix the documentation of correct usage of the user argument to these
+interfaces.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/70
+Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/include/selinux/selinux.h          |  8 +++-
+ .../man/man3/get_ordered_context_list.3       | 24 +++++++++---
+ libselinux/man/man3/security_compute_av.3     |  5 ++-
+ libselinux/src/compute_user.c                 |  3 ++
+ libselinux/utils/compute_user.c               | 38 -------------------
+ 5 files changed, 31 insertions(+), 47 deletions(-)
+ delete mode 100644 libselinux/utils/compute_user.c
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index a34d54fc..a5ada324 100644
+--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
+@@ -246,8 +246,12 @@ extern int security_compute_member_raw(const char * scon,
+ 				       security_class_t tclass,
+ 				       char ** newcon);
+ 
+-/* Compute the set of reachable user contexts and set *con to refer to 
+-   the NULL-terminated array of contexts.  Caller must free via freeconary. */
+/*
+ * Compute the set of reachable user contexts and set *con to refer to
+ * the NULL-terminated array of contexts.  Caller must free via freeconary.
+ * These interfaces are deprecated.  Use get_ordered_context_list() or
+ * one of its variant interfaces instead.
+ */
+ extern int security_compute_user(const char * scon,
+ 				 const char *username,
+ 				 char *** con);
+diff --git a/libselinux/man/man3/get_ordered_context_list.3 b/libselinux/man/man3/get_ordered_context_list.3
+index e084da40..3ed14a96 100644
+--- a/libselinux/man/man3/get_ordered_context_list.3
+++ b/libselinux/man/man3/get_ordered_context_list.3
+@@ -26,14 +26,28 @@ get_ordered_context_list, get_ordered_context_list_with_level, get_default_conte
+ .BI "int get_default_type(const char *" role ", char **" type );
+ .
+ .SH "DESCRIPTION"
+
+This family of functions can be used to obtain either a prioritized list of
+all reachable security contexts for a given SELinux user or a single default
+(highest priority) context for a given SELinux user for use by login-like
+programs.  These functions takes a SELinux user identity that must
+be defined in the SELinux policy as their input, not a Linux username.
+Most callers should typically first call
+.BR getseuserbyname(3)
+to look up the SELinux user identity and level for a given
+Linux username and then invoke one of
+.BR get_ordered_context_list_with_level ()
+or
+.BR get_default_context_with_level ()
+with the returned SELinux user and level as inputs.
+
+ .BR get_ordered_context_list ()
+-invokes the 
+-.BR security_compute_user (3)
+-function to obtain the list of contexts for the specified
+obtains the list of contexts for the specified
+SELinux
+ .I user
+-that are reachable from the specified
+identity that are reachable from the specified
+ .I fromcon
+-context.  The function then orders the resulting list based on the global
+context based on the global
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/default_contexts
+ file and the per-user
+ .I \%/etc/selinux/{SELINUXTYPE}/contexts/users/<username>
+diff --git a/libselinux/man/man3/security_compute_av.3 b/libselinux/man/man3/security_compute_av.3
+index 2aade5fe..8e1f746a 100644
+--- a/libselinux/man/man3/security_compute_av.3
+++ b/libselinux/man/man3/security_compute_av.3
+@@ -97,8 +97,9 @@ instance.
+ 
+ .BR security_compute_user ()
+ is used to determine the set of user contexts that can be reached from a
+-source context. It is mainly used by
+-.BR get_ordered_context_list ().
+source context. This function is deprecated; use
+.BR get_ordered_context_list (3)
+instead.
+ 
+ .BR security_get_initial_context ()
+ is used to get the context of a kernel initial security identifier specified by 
+diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
+index 401fd107..0f55de84 100644
+--- a/libselinux/src/compute_user.c
+++ b/libselinux/src/compute_user.c
+@@ -8,6 +8,7 @@
+ #include "selinux_internal.h"
+ #include "policy.h"
+ #include <limits.h>
+#include "callbacks.h"
+ 
+ int security_compute_user_raw(const char * scon,
+ 			      const char *user, char *** con)
+@@ -24,6 +25,8 @@ int security_compute_user_raw(const char * scon,
+ 		return -1;
+ 	}
+ 
+	selinux_log(SELINUX_WARNING, "Direct use of security_compute_user() is deprecated, switch to get_ordered_context_list()\n");
+
+ 	if (! scon) {
+ 		errno=EINVAL;
+ 		return -1;
+diff --git a/libselinux/utils/compute_user.c b/libselinux/utils/compute_user.c
+deleted file mode 100644
+index cae62b26..00000000
+--- a/libselinux/utils/compute_user.c
+++ /dev/null
+@@ -1,38 +0,0 @@
+-#include <unistd.h>
+-#include <sys/types.h>
+-#include <fcntl.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <errno.h>
+-#include <string.h>
+-#include <ctype.h>
+-#include <selinux/selinux.h>
+-
+-int main(int argc, char **argv)
+-{
+-	char **buf, **ptr;
+-	int ret;
+-
+-	if (argc != 3) {
+-		fprintf(stderr, "usage:  %s context user\n", argv[0]);
+-		exit(1);
+-	}
+-
+-	ret = security_compute_user(argv[1], argv[2], &buf);
+-	if (ret < 0) {
+-		fprintf(stderr, "%s:  security_compute_user(%s,%s) failed\n",
+-			argv[0], argv[1], argv[2]);
+-		exit(2);
+-	}
+-
+-	if (!buf[0]) {
+-		printf("none\n");
+-		exit(0);
+-	}
+-
+-	for (ptr = buf; *ptr; ptr++) {
+-		printf("%s\n", *ptr);
+-	}
+-	freeconary(buf);
+-	exit(0);
+-}
+-- 
+2.25.4
+
--- a/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+++ b/SOURCES/0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
@ -0,0 +1,39 @@
+From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 10 Feb 2021 18:05:29 +0100
+Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions
+
+Describe which type of regular expression is used in file context
+definitions and which flags are in effect.
+
+Explain how local file context modifications are processed.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/man/man5/selabel_file.5 | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
+index e97bd826..baba7776 100644
+--- a/libselinux/man/man5/selabel_file.5
+++ b/libselinux/man/man5/selabel_file.5
+@@ -125,7 +125,14 @@ Where:
+ .RS
+ .I pathname
+ .RS
+-An entry that defines the pathname that may be in the form of a regular expression.
+An entry that defines the path to be labeled.
+May contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s).
+The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+ .RE
+ .I file_type
+ .RS
+-- 
+2.35.3
+
--- a/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
+++ b/SOURCES/0012-libselinux-Strip-spaces-before-values-in-config.patch
@ -0,0 +1,88 @@
+From 9bf63bb85d4d2cab73181ee1d8d0b07961ce4a80 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 17 Feb 2022 14:14:15 +0100
+Subject: [PATCH] libselinux: Strip spaces before values in config
+
+Spaces before values in /etc/selinux/config should be ignored just as
+spaces after them are.
+
+E.g. "SELINUXTYPE= targeted" should be a valid value.
+
+Fixes:
+   # sed -i 's/^SELINUXTYPE=/SELINUXTYPE= /g' /etc/selinux/config
+   # dnf install <any_package>
+   ...
+   RPM: error: selabel_open: (/etc/selinux/ targeted/contexts/files/file_contexts) No such file or directory
+   RPM: error: Plugin selinux: hook tsm_pre failed
+   ...
+   Error: Could not run transaction.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/src/selinux_config.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
+index b06cb63b..0892b87c 100644
+--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
+@@ -91,6 +91,7 @@ int selinux_getenforcemode(int *enforce)
+ 	FILE *cfg = fopen(SELINUXCONFIG, "re");
+ 	if (cfg) {
+ 		char *buf;
+		char *tag;
+ 		int len = sizeof(SELINUXTAG) - 1;
+ 		buf = malloc(selinux_page_size);
+ 		if (!buf) {
+@@ -100,21 +101,24 @@ int selinux_getenforcemode(int *enforce)
+ 		while (fgets_unlocked(buf, selinux_page_size, cfg)) {
+ 			if (strncmp(buf, SELINUXTAG, len))
+ 				continue;
+			tag = buf+len;
+			while (isspace(*tag))
+				tag++;
+ 			if (!strncasecmp
+-			    (buf + len, "enforcing", sizeof("enforcing") - 1)) {
+			    (tag, "enforcing", sizeof("enforcing") - 1)) {
+ 				*enforce = 1;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "permissive",
+				(tag, "permissive",
+ 				 sizeof("permissive") - 1)) {
+ 				*enforce = 0;
+ 				ret = 0;
+ 				break;
+ 			} else
+ 			    if (!strncasecmp
+-				(buf + len, "disabled",
+				(tag, "disabled",
+ 				 sizeof("disabled") - 1)) {
+ 				*enforce = -1;
+ 				ret = 0;
+@@ -177,7 +181,10 @@ static void init_selinux_config(void)
+ 
+ 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
+ 					 sizeof(SELINUXTYPETAG) - 1)) {
+-				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
+				buf_p += sizeof(SELINUXTYPETAG) - 1;
+				while (isspace(*buf_p))
+					buf_p++;
+				type = strdup(buf_p);
+ 				if (!type)
+ 					return;
+ 				end = type + strlen(type) - 1;
+@@ -199,6 +206,8 @@ static void init_selinux_config(void)
+ 			} else if (!strncmp(buf_p, REQUIRESEUSERS,
+ 					    sizeof(REQUIRESEUSERS) - 1)) {
+ 				value = buf_p + sizeof(REQUIRESEUSERS) - 1;
+				while (isspace(*value))
+					value++;
+ 				intptr = &require_seusers;
+ 			} else {
+ 				continue;
+-- 
+2.35.3
+
--- a/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
+++ b/SOURCES/0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
@ -0,0 +1,46 @@
+From 9a04499cebedac3f585c0240e6cf68f786ae62b7 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 31 Oct 2022 17:00:43 +0100
+Subject: [PATCH] libselinux: Ignore missing directories when -i is used
+
+Currently "-i" only ignores a file whose parent directory exists. Start also
+ignoring paths with missing components.
+
+Fixes:
+  # restorecon -i -v -R /var/log/missingdir/missingfile; echo $?
+  255
+  restorecon: SELinux: Could not get canonical path for /var/log/missingdir/missingfile restorecon: No such file or directory.
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 5f189235..2ff73db6 100644
+--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
+@@ -820,6 +820,10 @@ int selinux_restorecon(const char *pathname_orig,
+ 			pathname = realpath(pathname_orig, NULL);
+ 			if (!pathname) {
+ 				free(basename_cpy);
+				/* missing parent directory */
+				if (flags.ignore_noent && errno == ENOENT) {
+					return 0;
+				}
+ 				goto realpatherr;
+ 			}
+ 		} else {
+@@ -833,6 +837,9 @@ int selinux_restorecon(const char *pathname_orig,
+ 			free(dirname_cpy);
+ 			if (!pathdnamer) {
+ 				free(basename_cpy);
+				if (flags.ignore_noent && errno == ENOENT) {
+					return 0;
+				}
+ 				goto realpatherr;
+ 			}
+ 			if (!strcmp(pathdnamer, "/"))
+-- 
+2.37.3
+
--- a/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
+++ b/SOURCES/0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
@ -0,0 +1,42 @@
+From 599f1ec818d50ffc9690fea8c03b5fe278f30ed4 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 7 Dec 2022 09:19:29 +0100
+Subject: [PATCH] libselinux/restorecon: Fix memory leak - xattr_value
+
+Fix memory leak introduced by commit
+ 9a04499cebedac3f585c0240e6cf68f786ae62b7
+ libselinux: Ignore missing directories when -i is used
+
+Error: RESOURCE_LEAK:
+ selinux_restorecon.c:804: alloc_fn: Storage is returned from allocation function "malloc".
+ selinux_restorecon.c:804: var_assign: Assigning: "xattr_value" = storage returned from "malloc(fc_digest_len)".
+ selinux_restorecon.c:825: leaked_storage: Variable "xattr_value" going out of scope leaks the storage it points to.
+
+Resolves: rhbz#2137965
+---
+ libselinux/src/selinux_restorecon.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 2ff73db6..b3702764 100644
+--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
+@@ -822,6 +822,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 				free(basename_cpy);
+ 				/* missing parent directory */
+ 				if (flags.ignore_noent && errno == ENOENT) {
+					free(xattr_value);
+ 					return 0;
+ 				}
+ 				goto realpatherr;
+@@ -838,6 +839,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 			if (!pathdnamer) {
+ 				free(basename_cpy);
+ 				if (flags.ignore_noent && errno == ENOENT) {
+					free(xattr_value);
+ 					return 0;
+ 				}
+ 				goto realpatherr;
+-- 
+2.37.3
+
--- a/SOURCES/libselinux-fedora.patch
+++ b/SOURCES/libselinux-fedora.patch
@ -1,450 +0,0 @@
-diff --git libselinux-2.8/man/man3/selinux_boolean_sub.3 libselinux-2.8/man/man3/selinux_boolean_sub.3
-index 308c268..a29a38d 100644
--- libselinux-2.8/man/man3/selinux_boolean_sub.3
-+++ libselinux-2.8/man/man3/selinux_boolean_sub.3
-@@ -1,6 +1,6 @@
- .TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation"
- .SH "NAME"
-selinux_boolean_sub \-
-+selinux_boolean_sub \- Search the translated name for a boolean_name record
- .
- .SH "SYNOPSIS"
- .B #include <selinux/selinux.h>
-@@ -12,7 +12,7 @@ selinux_boolean_sub \-
- searches the
- .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist
- file
-for a maching boolean_name record.  If the record exists the boolean substitution name is returned.  If not
-+for a matching boolean_name record.  If the record exists the boolean substitution name is returned.  If not
- .BR \%selinux_boolean_sub ()
- returns the original
- .IR \%boolean_name .
-diff --git libselinux-2.8/man/man3/selinux_restorecon_xattr.3 libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-index 7280c95..516d266 100644
--- libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-+++ libselinux-2.8/man/man3/selinux_restorecon_xattr.3
-@@ -119,7 +119,7 @@ By default
- .BR selinux_restorecon_xattr (3)
- will use the default set of specfiles described in
- .BR files_contexts (5)
-to calculate the initial SHA1 digest to be used for comparision.
-+to calculate the initial SHA1 digest to be used for comparison.
- To change this default behavior
- .BR selabel_open (3)
- must be called specifying the required
-diff --git libselinux-2.8/man/man5/selabel_file.5 libselinux-2.8/man/man5/selabel_file.5
-index e738824..e97bd82 100644
--- libselinux-2.8/man/man5/selabel_file.5
-+++ libselinux-2.8/man/man5/selabel_file.5
-@@ -92,7 +92,7 @@ The optional local and distribution substitution files that perform any path ali
- .RE
- .sp
- The default file context series of files are:
-.RS
-+.RS 6
- .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts
- .br
- .I  /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local
-diff --git libselinux-2.8/man/man8/selinux.8 libselinux-2.8/man/man8/selinux.8
-index e37aee6..bf23b65 100644
--- libselinux-2.8/man/man8/selinux.8
-+++ libselinux-2.8/man/man8/selinux.8
-@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
- .BR sepolicy (8),
- .BR system-config-selinux (8),
- .BR togglesebool (8),
-.BR restorecon (8),
- .BR fixfiles (8),
-+.BR restorecon (8),
- .BR setfiles (8),
- .BR semanage (8),
- .BR sepolicy (8)
-+.BR seinfo (8),
-+.BR sesearch (8)
- 
- Every confined service on the system has a man page in the following format:
- .br
-diff --git libselinux-2.8/src/audit2why.c libselinux-2.8/src/audit2why.c
-index 0331fdf..5a1e69a 100644
--- libselinux-2.8/src/audit2why.c
-+++ libselinux-2.8/src/audit2why.c
-@@ -354,7 +354,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
- 	/* iterate over items of the list, grabbing strings, and parsing
- 	   for numbers */
- 	for (i=0; i<numlines; i++){
-		char *permstr;
-+		const char *permstr;
- 
- 		/* grab the string object from the next element of the list */
- 		strObj = PyList_GetItem(listObj, i); /* Can't fail */
-diff --git libselinux-2.8/src/avc_sidtab.c libselinux-2.8/src/avc_sidtab.c
-index 9669264..c775430 100644
--- libselinux-2.8/src/avc_sidtab.c
-+++ libselinux-2.8/src/avc_sidtab.c
-@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
- 	int hvalue, rc = 0;
- 	struct sidtab_node *cur;
- 
-+	if (! ctx) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	*sid = NULL;
- 	hvalue = sidtab_hash(ctx);
- 
-diff --git libselinux-2.8/src/booleans.c libselinux-2.8/src/booleans.c
-index b3ea362..a6d46fe 100644
--- libselinux-2.8/src/booleans.c
-+++ libselinux-2.8/src/booleans.c
-@@ -55,6 +55,7 @@ int security_get_boolean_names(char ***names, int *len)
- 	snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
- 	*len = scandir(path, &namelist, &filename_select, alphasort);
- 	if (*len <= 0) {
-+		errno = ENOENT;
- 		return -1;
- 	}
- 
-diff --git libselinux-2.8/src/canonicalize_context.c libselinux-2.8/src/canonicalize_context.c
-index ba4c9a2..c815872 100644
--- libselinux-2.8/src/canonicalize_context.c
-+++ libselinux-2.8/src/canonicalize_context.c
-@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
- 	size_t size;
- 	int fd, ret;
- 
-+	if (! con) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	if (!selinux_mnt) {
- 		errno = ENOENT;
- 		return -1;
-diff --git libselinux-2.8/src/checkAccess.c libselinux-2.8/src/checkAccess.c
-index 8de5747..16bfcfb 100644
--- libselinux-2.8/src/checkAccess.c
-+++ libselinux-2.8/src/checkAccess.c
-@@ -89,8 +89,10 @@ int selinux_check_passwd_access(access_vector_t requested)
- 		int retval;
- 
- 		passwd_class = string_to_security_class("passwd");
-		if (passwd_class == 0)
-+		if (passwd_class == 0) {
-+			freecon(user_context);
- 			return 0;
-+		}
- 
- 		retval = security_compute_av_raw(user_context,
- 						     user_context,
-diff --git libselinux-2.8/src/check_context.c libselinux-2.8/src/check_context.c
-index 8a7997f..5be8434 100644
--- libselinux-2.8/src/check_context.c
-+++ libselinux-2.8/src/check_context.c
-@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
- 	char path[PATH_MAX];
- 	int fd, ret;
- 
-+	if (! con) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	if (!selinux_mnt) {
- 		errno = ENOENT;
- 		return -1;
-diff --git libselinux-2.8/src/compute_av.c libselinux-2.8/src/compute_av.c
-index 1d05e7b..d9095cc 100644
--- libselinux-2.8/src/compute_av.c
-+++ libselinux-2.8/src/compute_av.c
-@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git libselinux-2.8/src/compute_create.c libselinux-2.8/src/compute_create.c
-index 0975aea..3e6a48c 100644
--- libselinux-2.8/src/compute_create.c
-+++ libselinux-2.8/src/compute_create.c
-@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git libselinux-2.8/src/compute_member.c libselinux-2.8/src/compute_member.c
-index 4e2d221..d1dd977 100644
--- libselinux-2.8/src/compute_member.c
-+++ libselinux-2.8/src/compute_member.c
-@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git libselinux-2.8/src/compute_relabel.c libselinux-2.8/src/compute_relabel.c
-index 49f77ef..c3db7c0 100644
--- libselinux-2.8/src/compute_relabel.c
-+++ libselinux-2.8/src/compute_relabel.c
-@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git libselinux-2.8/src/compute_user.c libselinux-2.8/src/compute_user.c
-index 7b88121..401fd10 100644
--- libselinux-2.8/src/compute_user.c
-+++ libselinux-2.8/src/compute_user.c
-@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if (! scon) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git libselinux-2.8/src/fsetfilecon.c libselinux-2.8/src/fsetfilecon.c
-index 52707d0..0cbe12d 100644
--- libselinux-2.8/src/fsetfilecon.c
-+++ libselinux-2.8/src/fsetfilecon.c
-@@ -9,8 +9,12 @@
- 
- int fsetfilecon_raw(int fd, const char * context)
- {
-	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-			 0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
-diff --git libselinux-2.8/src/label_db.c libselinux-2.8/src/label_db.c
-index c46d0a1..fa481e0 100644
--- libselinux-2.8/src/label_db.c
-+++ libselinux-2.8/src/label_db.c
-@@ -283,10 +283,12 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
- 	}
- 	if (fstat(fileno(filp), &sb) < 0) {
- 		free(catalog);
-+    fclose(filp);
- 		return NULL;
- 	}
- 	if (!S_ISREG(sb.st_mode)) {
- 		free(catalog);
-+    fclose(filp);
- 		errno = EINVAL;
- 		return NULL;
- 	}
-@@ -340,6 +342,7 @@ out_error:
- 		free(spec->lr.ctx_trans);
- 	}
- 	free(catalog);
-+	fclose(filp);
- 
- 	return NULL;
- }
-diff --git libselinux-2.8/src/label_file.c libselinux-2.8/src/label_file.c
-index 560d8c3..21c8d36 100644
--- libselinux-2.8/src/label_file.c
-+++ libselinux-2.8/src/label_file.c
-@@ -317,8 +317,10 @@ end_arch_check:
- 			goto out;
- 		}
- 		rc = next_entry(str_buf, mmap_area, entry_len);
-		if (rc < 0)
-+		if (rc < 0) {
-+			free(str_buf);
- 			goto out;
-+		}
- 
- 		if (str_buf[entry_len - 1] != '\0') {
- 			free(str_buf);
-diff --git libselinux-2.8/src/load_policy.c libselinux-2.8/src/load_policy.c
-index e9f1264..20052be 100644
--- libselinux-2.8/src/load_policy.c
-+++ libselinux-2.8/src/load_policy.c
-@@ -262,8 +262,10 @@ checkbool:
- 			rc = security_get_boolean_names(&names, &len);
- 			if (!rc) {
- 				values = malloc(sizeof(int) * len);
-				if (!values)
-+				if (!values) {
-+					free(names);
- 					goto unmap;
-+				}
- 				for (i = 0; i < len; i++)
- 					values[i] =
- 						security_get_boolean_active(names[i]);
-diff --git libselinux-2.8/src/lsetfilecon.c libselinux-2.8/src/lsetfilecon.c
-index 1d3b28a..ea6d70b 100644
--- libselinux-2.8/src/lsetfilecon.c
-+++ libselinux-2.8/src/lsetfilecon.c
-@@ -9,8 +9,13 @@
- 
- int lsetfilecon_raw(const char *path, const char * context)
- {
-	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-			 0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
-+	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
-diff --git libselinux-2.8/src/selinux_config.c libselinux-2.8/src/selinux_config.c
-index 292728f..b06cb63 100644
--- libselinux-2.8/src/selinux_config.c
-+++ libselinux-2.8/src/selinux_config.c
-@@ -177,8 +177,7 @@ static void init_selinux_config(void)
- 
- 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
- 					 sizeof(SELINUXTYPETAG) - 1)) {
-				selinux_policytype = type =
-				    strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
-+				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
- 				if (!type)
- 					return;
- 				end = type + strlen(type) - 1;
-@@ -187,6 +186,11 @@ static void init_selinux_config(void)
- 					*end = 0;
- 					end--;
- 				}
-+				if (setpolicytype(type) != 0) {
-+					free(type);
-+					return;
-+				}
-+				free(type);
- 				continue;
- 			} else if (!strncmp(buf_p, SETLOCALDEFS,
- 					    sizeof(SETLOCALDEFS) - 1)) {
-@@ -212,13 +216,10 @@ static void init_selinux_config(void)
- 		fclose(fp);
- 	}
- 
-	if (!type) {
-		selinux_policytype = type = strdup(SELINUXDEFAULT);
-		if (!type)
-			return;
-	}
-+	if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0)
-+		return;
- 
-	if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1)
-+	if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1)
- 		return;
- 
- 	for (i = 0; i < NEL; i++)
-diff --git libselinux-2.8/src/selinux_restorecon.c libselinux-2.8/src/selinux_restorecon.c
-index ced4115..8fa4875 100644
--- libselinux-2.8/src/selinux_restorecon.c
-+++ libselinux-2.8/src/selinux_restorecon.c
-@@ -350,12 +350,19 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 	new_entry->next = NULL;
- 
- 	new_entry->directory = strdup(directory);
-	if (!new_entry->directory)
-+	if (!new_entry->directory) {
-+		free(new_entry);
-+		free(sha1_buf);
- 		goto oom;
-+	}
- 
- 	new_entry->digest = strdup(sha1_buf);
-	if (!new_entry->digest)
-+	if (!new_entry->digest) {
-+		free(new_entry->directory);
-+		free(new_entry);
-+		free(sha1_buf);
- 		goto oom;
-+	}
- 
- 	new_entry->result = digest_result;
- 
-@@ -671,8 +678,8 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
- 				selinux_log(SELINUX_INFO,
- 				 "%s not reset as customized by admin to %s\n",
- 							    pathname, curcon);
-				goto out;
- 			}
-+			goto out;
- 		}
- 
- 		if (!flags->set_specctx && curcon) {
-@@ -849,6 +856,7 @@ int selinux_restorecon(const char *pathname_orig,
- 
- 	if (lstat(pathname, &sb) < 0) {
- 		if (flags.ignore_noent && errno == ENOENT) {
-+			free(xattr_value);
- 			free(pathdnamer);
- 			free(pathname);
- 			return 0;
-diff --git libselinux-2.8/src/setfilecon.c libselinux-2.8/src/setfilecon.c
-index d05969c..3f0200e 100644
--- libselinux-2.8/src/setfilecon.c
-+++ libselinux-2.8/src/setfilecon.c
-@@ -9,8 +9,12 @@
- 
- int setfilecon_raw(const char *path, const char * context)
- {
-	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
-			0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
-diff --git libselinux-2.8/utils/matchpathcon.c libselinux-2.8/utils/matchpathcon.c
-index 67e4a43..9756d7d 100644
--- libselinux-2.8/utils/matchpathcon.c
-+++ libselinux-2.8/utils/matchpathcon.c
-@@ -14,7 +14,7 @@
- static __attribute__ ((__noreturn__)) void usage(const char *progname)
- {
- 	fprintf(stderr,
-		"usage:  %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
-+		"usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
- 		progname);
- 	exit(1);
- }
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@ -5,23 +5,35 @@
 %global ruby_inc %(pkg-config --cflags ruby)
 %endif

-%define libsepolver 2.8-2
+%define libsepolver 2.9-1
+%define libselinuxrelease 8

 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 2.8
-Release: 6%{?dist}
+Version: 2.9
+Release: %{libselinuxrelease}%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libselinux-2.8.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libselinux-2.9.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
-# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
-# run:
-# $ VERSION=2.8 ./make-fedora-selinux-patch.sh libselinux
-# HEAD 06620610bbe23bc88adebd38c007fa5f2e95e079
-Patch1: libselinux-fedora.patch
+# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+Patch0003: 0003-libselinux-Allow-to-override-OVERRIDE_GETTID-from-co.patch
+Patch0004: 0004-Bring-some-old-permission-and-flask-constants-back-t.patch
+Patch0005: 0005-libselinux-add-missing-av_permission-values.patch
+Patch0006: 0006-libselinux-Use-Python-distutils-to-install-SELinux-p.patch
+Patch0007: 0007-libselinux-Do-not-use-SWIG_CFLAGS-when-Python-bindin.patch
+Patch0008: 0008-Fix-mcstrans-secolor-examples.patch
+Patch0009: 0009-libselinux-Eliminate-use-of-security_compute_user.patch
+Patch0010: 0010-libselinux-deprecate-security_compute_user-update-ma.patch
+Patch0011: 0011-selinux-8-5-Describe-fcontext-regular-expressions.patch
+Patch0012: 0012-libselinux-Strip-spaces-before-values-in-config.patch
+Patch0013: 0013-libselinux-Ignore-missing-directories-when-i-is-used.patch
+Patch0014: 0014-libselinux-restorecon-Fix-memory-leak-xattr_value.patch
+
 BuildRequires: gcc
 %if 0%{?with_ruby}
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@ -52,7 +64,7 @@ process and file security contexts and to obtain security policy
 decisions.  Required for any applications that use the SELinux API.

 %package utils
-Summary: SELinux libselinux utilies
+Summary: SELinux libselinux utilities
 Requires: %{name}%{?_isa} = %{version}-%{release}

 %description utils
@ -65,7 +77,7 @@ Provides: python2-%{name} = %{version}-%{release}
 Provides: python2-%{name}%{?_isa} = %{version}-%{release}
 Obsoletes: %{name}-python < %{version}-%{release}
 Summary: SELinux python bindings for libselinux
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: %{name}%{?_isa} >= %{version}-%{libselinuxrelease}

 %description -n libselinux-python
 The libselinux-python package contains the python bindings for developing
@ -114,13 +126,14 @@ The libselinux-static package contains the static libraries
 needed for developing SELinux applications. 

 %prep
-%autosetup -p 1 -n libselinux-%{version}
+%autosetup -p 2 -n libselinux-%{version}

 %build
-export LDFLAGS="%{?__global_ldflags}"
-export DISABLE_RPM="y"
+export DISABLE_RPM="n"
 export USE_PCRE2="y"

+%set_build_flags
+
 # To support building the Python wrapper against multiple Python runtimes
 # Define a function, for how to perform a "build" of the python wrapper against
 # a specific runtime:
@ -130,13 +143,13 @@ BuildPythonWrapper() {
  # Perform the build from the upstream Makefile:
  make \
    PYTHON=$BinaryName \
-    LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \
+    LIBDIR="%{_libdir}" %{?_smp_mflags} \
    pywrap
 }

 make clean
-make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} swigify
-make LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} all
+make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
+make LIBDIR="%{_libdir}" %{?_smp_mflags} all

 %if 0%{?with_python2}
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
@ -145,7 +158,7 @@ BuildPythonWrapper %{__python2}
 BuildPythonWrapper %{__python3}

 %if 0%{?with_ruby}
-make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" CFLAGS="-g %{optflags}" %{?_smp_mflags} rubywrap
+make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
 %endif

 %install
@ -154,7 +167,7 @@ InstallPythonWrapper() {

  make \
    PYTHON=$BinaryName \
-    LIBDIR="%{_libdir}" CFLAGS="-g %{optflags}" %{?_smp_mflags} \
+    LIBDIR="%{_libdir}" %{?_smp_mflags} \
    LIBSEPOLA="%{_libdir}/libsepol.a" \
    pywrap

@ -178,8 +191,10 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli
 %if 0%{?with_python2}
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 InstallPythonWrapper %{__python2}
+mv %{buildroot}%{python2_sitearch}/selinux/_selinux.so %{buildroot}%{python2_sitearch}/
 %endif
 InstallPythonWrapper %{__python3}
+mv %{buildroot}%{python3_sitearch}/selinux/_selinux.*.so %{buildroot}%{python3_sitearch}/

 %if 0%{?with_ruby}
 make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
@ -215,7 +230,6 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %license LICENSE
 %{_libdir}/libselinux.so.*
 %dir %{_rundir}/setrans/
-%{_sbindir}/sefcontext_compile
 %{_tmpfilesdir}/libselinux.conf

 %files utils
@ -223,6 +237,7 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{_sbindir}/getenforce
 %{_sbindir}/getsebool
 %{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
 %{_sbindir}/selinuxexeccon
@ -235,6 +250,8 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{_sbindir}/selinux_check_access
 %{_mandir}/man5/*
 %{_mandir}/man8/*
+%{_mandir}/ru/man5/*
+%{_mandir}/ru/man8/*

 %files devel
 %{_libdir}/libselinux.so
@ -249,11 +266,13 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %files -n libselinux-python
 %{python2_sitearch}/selinux/
 %{python2_sitearch}/_selinux.so
+%{python2_sitearch}/selinux-%{version}-*
 %endif

 %files -n python3-libselinux
 %{python3_sitearch}/selinux/
 %{python3_sitearch}/_selinux.*.so
+%{python3_sitearch}/selinux-%{version}-*

 %if 0%{?with_ruby}
 %files ruby
@ -261,6 +280,32 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %endif

 %changelog
+* Wed Dec 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-8
+- restorecon: Fix memory leak - xattr_value (#2137965)
+
+* Tue Dec 06 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-7
+- Restorecon: Ignore missing directories when -i is used (#2137965)
+
+* Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-6
+- Describe fcontext regular expressions (#1904059)
+- Strip spaces before values in config (#2012145)
+
+* Tue Oct 20 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-5
+- Deprecate security_compute_user(), update man pages (#1879368)
+
+* Thu Sep 24 2020 Vit Mojzis <vmojzis@redhat.com> - 2.9-4
+- Eliminate use of security_compute_user() (#1879368)
+
+* Fri Nov 08 2019 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
+- Fix mcstrans secolor examples in secolor.conf man page (#1770270)
+
+* Mon Jun 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2.1
+- Use Python distutils to install SELinux python bindings (#1719771)
+- Move  sefcontext_compile to -utils package (#1612518)
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
 * Tue Nov  6 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-6
 - Fix RESOURCE_LEAK coverity scan defects
Author	SHA1	Message	Date
CentOS Sources	56e7c28148	import libselinux-2.9-8.el8	2023-05-17 02:06:28 +00:00
CentOS Sources	d6a8ad831a	import libselinux-2.9-6.el8	2022-11-08 13:30:05 +00:00
CentOS Sources	a859c29b48	import libselinux-2.9-5.el8	2021-09-10 11:53:11 +00:00
CentOS Sources	0d1ce1e7df	import libselinux-2.9-4.el8_3	2021-09-10 11:53:03 +00:00
CentOS Sources	8d20340cbb	import libselinux-2.9-3.el8	2021-09-10 11:52:55 +00:00
CentOS Sources	3822b3d22d	import libselinux-2.9-2.1.el8	2021-09-10 11:52:48 +00:00