libsepol/libsepol-rhat.patch

diff --git a/libsepol/include/sepol/policydb/polcaps.h b/libsepol/include/sepol/policydb/polcaps.h
index f90a48d..9152446 100644
--- a/libsepol/include/sepol/policydb/polcaps.h
+++ b/libsepol/include/sepol/policydb/polcaps.h
@@ -5,7 +5,7 @@
 enum {
 	POLICYDB_CAPABILITY_NETPEER,
 	POLICYDB_CAPABILITY_OPENPERM,
-	POLICYDB_CAPABILITY_REDHAT1, /* reserved for RH testing of ptrace_child */
+	POLICYDB_CAPABILITY_PTRACE_CHILD,
 	POLICYDB_CAPABILITY_ALWAYSNETWORK,
 	__POLICYDB_CAPABILITY_MAX
 };
diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index aef0c7b..3fd9700 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -58,6 +58,36 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid,
 				   struct sepol_av_decision *avd,
 				   unsigned int *reason);
 
+/* 
+ * Same as above, but also returns the constraint expression calculations
+ * whether allowed or denied in a buffer. This buffer is allocated by
+ * this call and must be free'd by the caller.
+ * The contraint buffer is in RPN format.
+ */
+extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
+				   sepol_security_id_t tsid,
+				   sepol_security_class_t tclass,
+				   sepol_access_vector_t requested,
+				   struct sepol_av_decision *avd,
+				   unsigned int *reason,
+				   char **reason_buf);
+
+/*
+ * Return a class ID associated with the class string representation
+ * specified by `class_name'.
+ */
+extern int sepol_class_name_to_id(const char *class_name,
+					sepol_security_class_t  *tclass);
+
+/*
+ * Return a permission av bit associated with tclass and the string
+ * representation of the `perm_name'.
+ */
+extern int sepol_perm_name_to_av(sepol_security_class_t tclass,
+					const char *perm_name,
+					sepol_access_vector_t *av);
+
+
 /*
  * Compute a SID to use for labeling a new object in the 
  * class `tclass' based on a SID pair.  
diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
index 2003eb6..a2d209c 100644
--- a/libsepol/src/expand.c
+++ b/libsepol/src/expand.c
@@ -49,6 +49,82 @@ typedef struct expand_state {
 	int expand_neverallow;
 } expand_state_t;
 
+struct linear_probe {
+	filename_trans_t **table;	/* filename_trans chunks with same stype */
+	filename_trans_t **ends;	/* pointers to ends of **table chunks */
+	uint32_t length;		/* length of the table */
+};
+
+static int linear_probe_create(struct linear_probe *probe, uint32_t length)
+{
+	probe->table = calloc(length, sizeof(*probe->table));
+	if (probe->table == NULL)
+		return -1;
+
+	probe->ends = calloc(length, sizeof(*probe->ends));
+	if (probe->ends == NULL)
+		return -1;
+
+	probe->length = length;
+
+	return 0;
+}
+
+static void linear_probe_destroy(struct linear_probe *probe)
+{
+	if (probe->length == 0)
+		return;
+
+	free(probe->table);
+	free(probe->ends);
+	memset(probe, 0, sizeof(*probe));
+}
+
+static void linear_probe_insert(struct linear_probe *probe, uint32_t key,
+				filename_trans_t *data)
+{
+	assert(probe->length > key);
+
+	if (probe->table[key] != NULL) {
+		data->next = probe->table[key];
+		probe->table[key] = data;
+	} else {
+		probe->table[key] = probe->ends[key] = data;
+	}
+}
+
+static filename_trans_t *linear_probe_find(struct linear_probe *probe, uint32_t key)
+{
+	assert(probe->length > key);
+
+	return probe->table[key];
+}
+
+/* Returns all chunks stored in the *probe as single-linked list */
+static filename_trans_t *linear_probe_dump(struct linear_probe *probe,
+					   filename_trans_t **endp)
+{
+	uint32_t i;
+	filename_trans_t *result = NULL;
+	filename_trans_t *end = NULL;
+
+	for (i = 0; i < probe->length; i++) {
+		if (probe->table[i] != NULL) {
+			if (end == NULL)
+				end = probe->ends[i];
+			probe->ends[i]->next = result;
+			result = probe->table[i];
+			probe->table[i] = probe->ends[i] = NULL;
+		}
+	}
+
+	/* Incoherent result and end pointers indicates bug */
+	assert((result != NULL && end != NULL) || (result == NULL && end == NULL));
+
+	*endp = end;
+	return result;
+}
+
 static void expand_state_init(expand_state_t * state)
 {
 	memset(state, 0, sizeof(expand_state_t));
@@ -1357,10 +1433,20 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
 static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
 {
 	unsigned int i, j;
-	filename_trans_t *new_trans, *cur_trans;
+	filename_trans_t *new_trans, *cur_trans, *end;
 	filename_trans_rule_t *cur_rule;
 	ebitmap_t stypes, ttypes;
 	ebitmap_node_t *snode, *tnode;
+	struct linear_probe probe;
+
+	/*
+	 * Linear probing speeds-up finding filename_trans rules with certain
+	 * "stype" value.
+	 */
+	if (linear_probe_create(&probe, 4096)) { /* Assume 4096 is enough for most cases */
+		ERR(state->handle, "Out of memory!");
+		return -1;
+	}
 
 	cur_rule = rules;
 	while (cur_rule) {
@@ -1383,6 +1469,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 
 		mapped_otype = state->typemap[cur_rule->otype - 1];
 
+		if (ebitmap_length(&stypes) > probe.length) {
+			linear_probe_destroy(&probe);
+			if (linear_probe_create(&probe, ebitmap_length(&stypes))) {
+				ERR(state->handle, "Out of memory!");
+				return -1;
+			}
+		}
+
 		ebitmap_for_each_bit(&stypes, snode, i) {
 			if (!ebitmap_node_get_bit(snode, i))
 				continue;
@@ -1390,16 +1484,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 				if (!ebitmap_node_get_bit(tnode, j))
 					continue;
 
-				cur_trans = state->out->filename_trans;
-				while (cur_trans) {
-					if ((cur_trans->stype == i + 1) &&
-					    (cur_trans->ttype == j + 1) &&
+				cur_trans = linear_probe_find(&probe, i);
+				while (cur_trans != NULL) {
+					if ((cur_trans->ttype == j + 1) &&
 					    (cur_trans->tclass == cur_rule->tclass) &&
 					    (!strcmp(cur_trans->name, cur_rule->name))) {
 						/* duplicate rule, who cares */
 						if (cur_trans->otype == mapped_otype)
 							break;
-
 						ERR(state->handle, "Conflicting filename trans rules %s %s %s : %s otype1:%s otype2:%s",
 						    cur_trans->name,
 						    state->out->p_type_val_to_name[i],
@@ -1407,7 +1499,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 						    state->out->p_class_val_to_name[cur_trans->tclass - 1],
 						    state->out->p_type_val_to_name[cur_trans->otype - 1],
 						    state->out->p_type_val_to_name[mapped_otype - 1]);
-						    
+
 						return -1;
 					}
 					cur_trans = cur_trans->next;
@@ -1422,8 +1514,6 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 					return -1;
 				}
 				memset(new_trans, 0, sizeof(*new_trans));
-				new_trans->next = state->out->filename_trans;
-				state->out->filename_trans = new_trans;
 
 				new_trans->name = strdup(cur_rule->name);
 				if (!new_trans->name) {
@@ -1434,9 +1524,16 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
 				new_trans->ttype = j + 1;
 				new_trans->tclass = cur_rule->tclass;
 				new_trans->otype = mapped_otype;
+				linear_probe_insert(&probe, i, new_trans);
 			}
 		}
 
+		cur_trans = linear_probe_dump(&probe, &end);
+		if (cur_trans != NULL) {
+			end->next = state->out->filename_trans;
+			state->out->filename_trans = cur_trans;
+		}
+
 		ebitmap_destroy(&stypes);
 		ebitmap_destroy(&ttypes);
 
@@ -2037,14 +2134,13 @@ static int ocontext_copy_xen(expand_state_t *state)
 			else
 				state->out->ocontexts[i] = n;
 			l = n;
+			if (context_copy(&n->context[0], &c->context[0],
+				state)) {
+				ERR(state->handle, "Out of memory!");
+				return -1;
+			}
 			switch (i) {
 			case OCON_XEN_ISID:
-				if (c->context[0].user == 0) {
-					ERR(state->handle,
-					    "Missing context for %s initial sid",
-					    c->u.name);
-					return -1;
-				}
 				n->sid[0] = c->sid[0];
 				break;
 			case OCON_XEN_PIRQ:
@@ -2067,11 +2163,6 @@ static int ocontext_copy_xen(expand_state_t *state)
 				ERR(state->handle, "Unknown ocontext");
 				return -1;
 			}
-			if (context_copy(&n->context[0], &c->context[0],
-				state)) {
-				ERR(state->handle, "Out of memory!");
-				return -1;
-			}
 		}
 	}
 	return 0;
@@ -2096,14 +2187,12 @@ static int ocontext_copy_selinux(expand_state_t *state)
 			else
 				state->out->ocontexts[i] = n;
 			l = n;
+			if (context_copy(&n->context[0], &c->context[0], state)) {
+				ERR(state->handle, "Out of memory!");
+				return -1;
+			}
 			switch (i) {
 			case OCON_ISID:
-				if (c->context[0].user == 0) {
-					ERR(state->handle,
-					    "Missing context for %s initial sid",
-					    c->u.name);
-					return -1;
-				}
 				n->sid[0] = c->sid[0];
 				break;
 			case OCON_FS:	/* FALLTHROUGH */
@@ -2147,10 +2236,6 @@ static int ocontext_copy_selinux(expand_state_t *state)
 				ERR(state->handle, "Unknown ocontext");
 				return -1;
 			}
-			if (context_copy(&n->context[0], &c->context[0], state)) {
-				ERR(state->handle, "Out of memory!");
-				return -1;
-			}
 		}
 	}
 	return 0;
diff --git a/libsepol/src/polcaps.c b/libsepol/src/polcaps.c
index 43a71a7..7615a9b 100644
--- a/libsepol/src/polcaps.c
+++ b/libsepol/src/polcaps.c
@@ -8,7 +8,7 @@
 static const char *polcap_names[] = {
 	"network_peer_controls",	/* POLICYDB_CAPABILITY_NETPEER */
 	"open_perms",			/* POLICYDB_CAPABILITY_OPENPERM */
-	"redhat1",			/* POLICYDB_CAPABILITY_REDHAT1, aka ptrace_child */
+	"ptrace_child",			/* POLICYDB_CAPABILITY_PTRACE_CHILD */
 	"always_check_network",		/* POLICYDB_CAPABILITY_ALWAYSNETWORK */
 	NULL
 };
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index 9c2920c..04f9978 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -54,6 +54,7 @@
 #include <sepol/policydb/services.h>
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/flask.h>
+#include <sepol/policydb/util.h>
 
 #include "debug.h"
 #include "private.h"
@@ -112,20 +113,208 @@ int sepol_set_policydb_from_file(FILE * fp)
 static uint32_t latest_granting = 0;
 
 /*
- * Return the boolean value of a constraint expression 
- * when it is applied to the specified source and target 
+ * Start of changes to support constraint reason failures.
+ */
+
+/*
+ * get_names_list obtains the list of users, roles or types when expr
+ * has a names list. For 'types' only, find how many in the name list, and
+ * then the attributes associated to them (also count these). When
+ * complete take the list of attributes and find those whose count
+ * matches the number of types. The attributes in the final list will be
+ * one of those that needs to has the type added (but which one !!!).
+ *
+ * The best way to solve this is for the compilers (checkpolicy and
+ * checkmodule) to add attributes to the constraint_expr_t structure
+ * (see constraint.h). The CIL compiler does add attribute names to
+ * constraint_expr_t->names, but the kernel does not translate them to
+ * types (i.e. the 30-04-12 version of the CIL compiler does not build
+ * the policy correctly).
+ *
+ * Note that the type_datum_t ->types (policydb.h) does not contain
+ * a list of types when inspecting a binary policy. This is only used
+ * in the *.pp modules.
+ */
+int get_names_list(const ebitmap_t * e, int type, char ** expr_buf)
+{
+	type_datum_t *t1 = NULL;
+
+#define MAX_ATTRS 300
+	/* Hold the type attribute names and count of instances */
+	struct attr_entries {
+		unsigned int entry;
+		int count;
+	} attr_info[MAX_ATTRS];
+
+	int struct_count = 0;
+	int x;
+
+	int rc = 0;
+	unsigned int i;
+	int entry_count = 0;
+	int is_attr = 0;
+
+	char tmp_buf[100];
+	/* if empty_set is 0, then <empty_set> */
+	int empty_set = 0;
+
+	ebitmap_t *attr;
+	unsigned int j;
+
+	int type_count = 0;
+
+	if (!*expr_buf)
+		return 0;
+
+	for (x = 0; x < MAX_ATTRS; x++) {
+		attr_info[x].entry = '\0';
+		attr_info[x].count = '\0';
+	}
+
+	/* For type entries find how many entries so we can check attributes */
+	if (type == CEXPR_TYPE) {
+		for (j = ebitmap_startbit(e); j < ebitmap_length(e); j++) {
+			if ((rc = ebitmap_get_bit(e, j)) == 0)
+				continue;
+			type_count++;
+		}
+	}
+
+	/* Start the list of names where e = &e->names */
+	strcat(*expr_buf, "{ ");
+
+	for (i = ebitmap_startbit(e); i < ebitmap_length(e); i++) {
+		if ((rc = ebitmap_get_bit(e, i)) == 0)
+			continue;
+
+		switch (type) {
+		case CEXPR_USER:
+			sprintf(tmp_buf, "%s ", policydb->p_user_val_to_name[i]);
+			strcat(*expr_buf, tmp_buf);
+			break;
+
+		case CEXPR_ROLE:
+			sprintf(tmp_buf, "%s ", policydb->p_role_val_to_name[i]);
+			strcat(*expr_buf, tmp_buf);
+			break;
+
+		case CEXPR_TYPE:
+/*
+ * When checking a type for associated attributes, you can get a number
+ * of attributes, any one of which could be the one to update, for example:
+ *
+ *	constrain process { transition noatsecure siginh rlimitinh }
+ *	(
+ *		r1 == r2
+ *		or ( t1 == can_change_process_role and t2 == process_user_target )
+ *	   	or ( t1 == cron_source_domain and t2 == cron_job_domain )
+ *		or ( t1 == can_system_change and r2 == system_r )
+ *		or ( t1 == process_uncond_exempt )
+ *	);
+ *
+ * for the 'targeted' policy it will yeld for "can_change_process_role"
+ * the following possible entries: can_change_process_role,
+ * nsswitch_domain or domain as each type that makes up
+ * "can_change_process_role" is also in the others.
+ *
+ * The "cron_source_domain" will give the largest amount of attributes
+ * as there is only one type (crond_t) but has 36 associations.
+ */
+			/*
+			 * Get node for the type ID and if an attribute just add name,
+			 * otherwise find the list of attrs associated to this type.
+			 */
+			t1 = policydb->type_val_to_struct[i];
+			if (t1->flavor == TYPE_ATTRIB) {
+				is_attr = 1;
+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
+				strcat(*expr_buf, tmp_buf);
+				break;
+			} else {
+				/* Have type so but names in buffer and sort out attrs */
+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[i]);
+				strcat(*expr_buf, tmp_buf);
+				/* Process attributes attached to the type */
+				attr = &policydb->type_attr_map[t1->s.value-1];
+				unsigned int z;
+				struct_count = 0;
+				for (z = ebitmap_startbit(attr); z < ebitmap_length(attr); z++) {
+					if ((rc = ebitmap_get_bit(attr, z)) == 0)
+						continue;
+					t1 = policydb->type_val_to_struct[z];
+					if (t1->flavor == TYPE_ATTRIB) {
+						x = 0;
+						while (x < MAX_ATTRS) {
+							if (attr_info[x].entry == z) {
+								attr_info[x].entry = z;
+								attr_info[x].count++;
+								break;
+							}
+							if (attr_info[x].entry == 0) {
+								attr_info[x].entry = z;
+								attr_info[x].count++;
+								break;
+							}
+							x++;
+						}
+						struct_count++;
+					}
+				}
+				break;
+			}
+			break;
+
+		default:
+			ERR(NULL, "Invalid u_r_t value: %d\n", type);
+			return -1;
+			break;
+		}
+		empty_set++;
+		entry_count++;
+	}
+
+	/* End the list of names but if type then check for attributes. */
+	if (empty_set == 0) {
+		strcat(*expr_buf, "<empty_set> }");
+	} else if (type == CEXPR_TYPE && is_attr == 0) {
+		strcat(*expr_buf, "} ** Attributes associated to the types: ");
+		for (x = 0; x < MAX_ATTRS; x++) {
+			if (attr_info[x].count == type_count) {
+				sprintf(tmp_buf, "%s ", policydb->p_type_val_to_name[attr_info[x].entry]);
+				strcat(*expr_buf, tmp_buf);
+			}
+		}
+		strcat(*expr_buf, "**");
+	} else
+		strcat(*expr_buf, "}");
+	return 0;
+}
+
+
+/*
+ * Modified version of constraint_expr_eval
+ *
+ * Return the boolean value of a constraint expression
+ * when it is applied to the specified source and target
  * security contexts.
  *
  * xcontext is a special beast...  It is used by the validatetrans rules
  * only.  For these rules, scontext is the context before the transition,
  * tcontext is the context after the transition, and xcontext is the context
  * of the process performing the transition.  All other callers of
- * constraint_expr_eval should pass in NULL for xcontext.
+ * constraint_expr_eval_reason should pass in NULL for xcontext.
+ * 
+ * This function will also build a buffer as the constraint is processed
+ * for analysis. If this option is not required, then:
+ *      'tclass' and 'allowed' should be '0' and expr_buf MUST be NULL.
  */
-static int constraint_expr_eval(context_struct_t * scontext,
+static int constraint_expr_eval_reason(context_struct_t * scontext,
 				context_struct_t * tcontext,
 				context_struct_t * xcontext,
-				constraint_expr_t * cexpr)
+				sepol_security_class_t tclass,
+				sepol_access_vector_t allowed,
+				constraint_expr_t * cexpr,
+				char ** expr_buf)
 {
 	uint32_t val1, val2;
 	context_struct_t *c;
@@ -135,21 +324,68 @@ static int constraint_expr_eval(context_struct_t * scontext,
 	int s[CEXPR_MAXDEPTH];
 	int sp = -1;
 
+	char tmp_buf[1024];
+
+/*
+ * Define the s_t_x_num values that make up r1, t2 etc. in text strings
+ * Set 1 = source, 2 = target, 3 = xcontext for validatetrans
+ */
+#define SOURCE  1
+#define TARGET  2
+#define XTARGET 3
+
+	int s_t_x_num = SOURCE;
+
+	/* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */
+	int u_r_t = 0;
+
+	char *name1, *name2;
+
+	if (*expr_buf) {
+		/* Get constraint statement type */
+		sprintf(tmp_buf, "constrain ");
+		for (e = cexpr; e; e = e->next) {
+			if (e->attr >= CEXPR_L1L2) {
+				sprintf(tmp_buf, "mlsconstrain ");
+				break;
+			}
+		}
+		strcat(*expr_buf, tmp_buf);
+
+		/* Get class entry */
+		sprintf(tmp_buf, "%s ", policydb->p_class_val_to_name[tclass - 1]);
+		strcat(*expr_buf, tmp_buf);
+
+		/*
+		 * Get permission entries sepol_av_to_string defined in util.c
+		 * and its buffer to hold the perm list is 1024 chars.
+		 */
+		sprintf(tmp_buf, "{%s } ", sepol_av_to_string(policydb, tclass, allowed));
+		strcat(*expr_buf, tmp_buf);
+	}
+
+	/* Original function but with buffer support */
 	for (e = cexpr; e; e = e->next) {
 		switch (e->expr_type) {
 		case CEXPR_NOT:
 			BUG_ON(sp < 0);
 			s[sp] = !s[sp];
+			if (*expr_buf)
+				strcat(*expr_buf, " not ");
 			break;
 		case CEXPR_AND:
 			BUG_ON(sp < 1);
 			sp--;
 			s[sp] &= s[sp + 1];
+			if (*expr_buf)
+				strcat(*expr_buf, " and ");
 			break;
 		case CEXPR_OR:
 			BUG_ON(sp < 1);
 			sp--;
 			s[sp] |= s[sp + 1];
+			if (*expr_buf)
+				strcat(*expr_buf, " or ");
 			break;
 		case CEXPR_ATTR:
 			if (sp == (CEXPR_MAXDEPTH - 1))
@@ -158,33 +394,57 @@ static int constraint_expr_eval(context_struct_t * scontext,
 			case CEXPR_USER:
 				val1 = scontext->user;
 				val2 = tcontext->user;
+				if (*expr_buf)
+					strcat(*expr_buf, "(u1 u2 ");
 				break;
 			case CEXPR_TYPE:
 				val1 = scontext->type;
 				val2 = tcontext->type;
+				if (*expr_buf)
+					strcat(*expr_buf, "(t1 t2 ");
 				break;
 			case CEXPR_ROLE:
 				val1 = scontext->role;
 				val2 = tcontext->role;
 				r1 = policydb->role_val_to_struct[val1 - 1];
 				r2 = policydb->role_val_to_struct[val2 - 1];
+				if (*expr_buf) {
+					name1 = policydb->p_role_val_to_name[r1->s.value - 1];
+					name2 = policydb->p_role_val_to_name[r2->s.value - 1];
+					sprintf(tmp_buf, "(r1-%s r2-%s ", name1, name2);
+					strcat(*expr_buf, tmp_buf);
+				}
 				switch (e->op) {
 				case CEXPR_DOM:
-					s[++sp] =
-					    ebitmap_get_bit(&r1->dominates,
-							    val2 - 1);
+					s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "dom -Fail-) ");
+						} else {
+							strcat(*expr_buf, "dom -Fail-) ");
+						}
+					}
 					continue;
 				case CEXPR_DOMBY:
-					s[++sp] =
-					    ebitmap_get_bit(&r2->dominates,
-							    val1 - 1);
+					s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "domby -Fail-) ");
+						} else {
+							strcat(*expr_buf, "domby +Pass+) ");
+						}
+					}
 					continue;
 				case CEXPR_INCOMP:
-					s[++sp] =
-					    (!ebitmap_get_bit
-					     (&r1->dominates, val2 - 1)
-					     && !ebitmap_get_bit(&r2->dominates,
-								 val1 - 1));
+					s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)
+						 && !ebitmap_get_bit(&r2->dominates, val1 - 1));
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "incomp -Fail-) ");
+						} else {
+							strcat(*expr_buf, "incomp +Pass+) ");
+						}
+					}
 					continue;
 				default:
 					break;
@@ -193,43 +453,90 @@ static int constraint_expr_eval(context_struct_t * scontext,
 			case CEXPR_L1L2:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(tcontext->range.level[0]);
+				if (*expr_buf)
+					strcat(*expr_buf, "(l1 l2 ");
 				goto mls_ops;
 			case CEXPR_L1H2:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(tcontext->range.level[1]);
+				if (*expr_buf)
+					strcat(*expr_buf, "(l1 h2 ");
 				goto mls_ops;
 			case CEXPR_H1L2:
 				l1 = &(scontext->range.level[1]);
 				l2 = &(tcontext->range.level[0]);
+				if (*expr_buf)
+					strcat(*expr_buf,"(h1 l2 ");
 				goto mls_ops;
 			case CEXPR_H1H2:
 				l1 = &(scontext->range.level[1]);
 				l2 = &(tcontext->range.level[1]);
+				if (*expr_buf)
+					strcat(*expr_buf, "(h1 h2 ");
 				goto mls_ops;
 			case CEXPR_L1H1:
 				l1 = &(scontext->range.level[0]);
 				l2 = &(scontext->range.level[1]);
+				if (*expr_buf)
+					strcat(*expr_buf, "(l1 h1 ");
 				goto mls_ops;
 			case CEXPR_L2H2:
 				l1 = &(tcontext->range.level[0]);
 				l2 = &(tcontext->range.level[1]);
+				if (*expr_buf)
+					strcat(*expr_buf, "(l2 h2 ");
 				goto mls_ops;
-			      mls_ops:
+				  mls_ops:
 				switch (e->op) {
 				case CEXPR_EQ:
 					s[++sp] = mls_level_eq(l1, l2);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "eq -Fail-) ");
+						} else {
+							strcat(*expr_buf, "eq +Pass+) ");
+						}
+					}
 					continue;
 				case CEXPR_NEQ:
 					s[++sp] = !mls_level_eq(l1, l2);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "neq -Fail-) ");
+						} else {
+							strcat(*expr_buf, "neq +Pass+) ");
+						}
+					}
 					continue;
 				case CEXPR_DOM:
 					s[++sp] = mls_level_dom(l1, l2);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "dom -Fail-) ");
+						} else {
+							strcat(*expr_buf, "dom +Pass+) ");
+						}
+					}
 					continue;
 				case CEXPR_DOMBY:
 					s[++sp] = mls_level_dom(l2, l1);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "domby -Fail-) ");
+						} else {
+							strcat(*expr_buf, "domby +Pass+) ");
+						}
+					}
 					continue;
 				case CEXPR_INCOMP:
 					s[++sp] = mls_level_incomp(l2, l1);
+					if (*expr_buf) {
+						if (s[sp] == 0) {
+							strcat(*expr_buf, "incomp -Fail-) ");
+						} else {
+							strcat(*expr_buf, "incomp +Pass+) ");
+						}
+					}
 					continue;
 				default:
 					BUG();
@@ -244,9 +551,23 @@ static int constraint_expr_eval(context_struct_t * scontext,
 			switch (e->op) {
 			case CEXPR_EQ:
 				s[++sp] = (val1 == val2);
+				if (*expr_buf) {
+					if (s[sp] == 0) {
+						strcat(*expr_buf, "eq -Fail-) ");
+					} else {
+						strcat(*expr_buf, "eq +Pass+) ");
+					}
+				}
 				break;
 			case CEXPR_NEQ:
 				s[++sp] = (val1 != val2);
+				if (*expr_buf) {
+					if (s[sp] == 0) {
+						strcat(*expr_buf, "neq -Fail-) ");
+					} else {
+						strcat(*expr_buf, "neq +Pass+) ");
+					}
+				}
 				break;
 			default:
 				BUG();
@@ -256,22 +577,46 @@ static int constraint_expr_eval(context_struct_t * scontext,
 		case CEXPR_NAMES:
 			if (sp == (CEXPR_MAXDEPTH - 1))
 				return 0;
+			s_t_x_num = SOURCE;
 			c = scontext;
-			if (e->attr & CEXPR_TARGET)
+			if (e->attr & CEXPR_TARGET) {
+				s_t_x_num = TARGET;
 				c = tcontext;
-			else if (e->attr & CEXPR_XTARGET) {
+			} else if (e->attr & CEXPR_XTARGET) {
+				s_t_x_num = XTARGET;
 				c = xcontext;
-				if (!c) {
-					BUG();
-					return 0;
-				}
 			}
-			if (e->attr & CEXPR_USER)
+			if (!c) {
+				BUG();
+				return 0;
+			}
+			if (e->attr & CEXPR_USER) {
+				u_r_t = CEXPR_USER;
 				val1 = c->user;
-			else if (e->attr & CEXPR_ROLE)
+				if (*expr_buf) {
+					name1 = policydb->p_user_val_to_name[val1 - 1];
+					sprintf(tmp_buf, "(u%d-%s ", s_t_x_num, name1);
+					strcat(*expr_buf, tmp_buf);
+				}
+			}
+			else if (e->attr & CEXPR_ROLE) {
+				u_r_t = CEXPR_ROLE;
 				val1 = c->role;
-			else if (e->attr & CEXPR_TYPE)
+				if (*expr_buf) {
+					name1 = policydb->p_role_val_to_name[val1 - 1];
+					sprintf(tmp_buf, "(r%d-%s ", s_t_x_num, name1);
+					strcat(*expr_buf, tmp_buf);
+				}
+			}
+			else if (e->attr & CEXPR_TYPE) {
+				u_r_t = CEXPR_TYPE;
 				val1 = c->type;
+				if (*expr_buf) {
+					name1 = policydb->p_type_val_to_name[val1 - 1];
+					sprintf(tmp_buf, "(t%d-%s ", s_t_x_num, name1);
+					strcat(*expr_buf, tmp_buf);
+				}
+			}
 			else {
 				BUG();
 				return 0;
@@ -279,10 +624,61 @@ static int constraint_expr_eval(context_struct_t * scontext,
 
 			switch (e->op) {
 			case CEXPR_EQ:
+				switch (u_r_t) {
+				case CEXPR_USER:
+					name1 = policydb->p_user_val_to_name[val1 - 1];
+					break;
+				case CEXPR_ROLE:
+					name1 = policydb->p_role_val_to_name[val1 - 1];
+					break;
+				case CEXPR_TYPE:
+					name1 = policydb->p_type_val_to_name[val1 - 1];
+					break;
+				default:
+					name1 = NULL;
+					ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
+					break;
+				}
+
+				get_names_list(&e->names, u_r_t, expr_buf);
+
 				s[++sp] = ebitmap_get_bit(&e->names, val1 - 1);
+				if (*expr_buf) {
+					if (s[sp] == 0) {
+						strcat(*expr_buf, " eq -Fail-) ");
+					} else {
+						strcat(*expr_buf, " eq +Pass+) ");
+					}
+				}
 				break;
+
 			case CEXPR_NEQ:
+				switch (u_r_t) {
+				case CEXPR_USER:
+					name1 = policydb->p_user_val_to_name[val1 - 1];
+					break;
+				case CEXPR_ROLE:
+					name1 = policydb->p_role_val_to_name[val1 - 1];
+					break;
+				case CEXPR_TYPE:
+					name1 = policydb->p_type_val_to_name[val1 - 1];
+					break;
+				default:
+					name1 = NULL;
+					ERR(NULL, "unrecognized u_r_t Value: %d", u_r_t);
+					break;
+				}
+
+				get_names_list(&e->names, u_r_t, expr_buf);
+
 				s[++sp] = !ebitmap_get_bit(&e->names, val1 - 1);
+				if (*expr_buf) {
+					if (s[sp] == 0) {
+						strcat(*expr_buf, " neq -Fail-) ");
+					} else {
+						strcat(*expr_buf, " neq +Pass+) ");
+					}
+				}
 				break;
 			default:
 				BUG();
@@ -296,9 +692,21 @@ static int constraint_expr_eval(context_struct_t * scontext,
 	}
 
 	BUG_ON(sp != 0);
+
+	if (*expr_buf) {
+		if (s[0] == 0) {
+			char *denied = {"\n** Constraint DENIED access **\n\n"};
+			strcat(*expr_buf, denied);
+		} else {
+			char *allow = {"\n** Constraint ALLOWED access **\n\n"};
+			strcat(*expr_buf, allow);
+		}
+	}
 	return s[0];
 }
 
+
+
 /*
  * Compute access vectors based on a context structure pair for
  * the permissions in a particular class.
@@ -308,7 +716,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
 				     sepol_security_class_t tclass,
 				     sepol_access_vector_t requested,
 				     struct sepol_av_decision *avd,
-				     unsigned int *reason)
+				     unsigned int *reason,
+					 char *expr_buf)
 {
 	constraint_node_t *constraint;
 	struct role_allow *ra;
@@ -383,8 +792,8 @@ static int context_struct_compute_av(context_struct_t * scontext,
 	constraint = tclass_datum->constraints;
 	while (constraint) {
 		if ((constraint->permissions & (avd->allowed)) &&
-		    !constraint_expr_eval(scontext, tcontext, NULL,
-					  constraint->expr)) {
+		    !constraint_expr_eval_reason(scontext, tcontext, NULL,
+					  tclass, avd->allowed, constraint->expr, &expr_buf)) {
 			avd->allowed =
 			    (avd->allowed) & ~(constraint->permissions);
 		}
@@ -459,8 +868,8 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
 
 	constraint = tclass_datum->validatetrans;
 	while (constraint) {
-		if (!constraint_expr_eval(ocontext, ncontext, tcontext,
-					  constraint->expr)) {
+		if (!constraint_expr_eval_reason(ocontext, ncontext, tcontext,
+					  0, 0, constraint->expr, NULL)) {
 			return -EPERM;
 		}
 		constraint = constraint->next;
@@ -469,13 +878,21 @@ int hidden sepol_validate_transition(sepol_security_id_t oldsid,
 	return 0;
 }
 
-int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
+/* 
+ * sepol_compute_av_reason_buffer - the reason buffer is malloc'd
+ * to REASON_BUF_SIZE that seems okay for the Reference Policy.
+ * TODO manage size using realloc at some stage.
+ */
+#define REASON_BUF_SIZE 100000
+int hidden sepol_compute_av_reason_buffer(sepol_security_id_t ssid,
 				   sepol_security_id_t tsid,
 				   sepol_security_class_t tclass,
 				   sepol_access_vector_t requested,
 				   struct sepol_av_decision *avd,
-				   unsigned int *reason)
+				   unsigned int *reason,
+				   char **reason_buf)
 {
+	char *expr_buf = NULL;
 	context_struct_t *scontext = 0, *tcontext = 0;
 	int rc = 0;
 
@@ -485,6 +902,7 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 		rc = -EINVAL;
 		goto out;
 	}
+
 	tcontext = sepol_sidtab_search(sidtab, tsid);
 	if (!tcontext) {
 		ERR(NULL, "unrecognized SID %d", tsid);
@@ -493,11 +911,36 @@ int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
 	}
 
 	rc = context_struct_compute_av(scontext, tcontext, tclass,
-				       requested, avd, reason);
-      out:
+				       requested, avd, reason, expr_buf);
+	if (rc) {
+		goto out;
+	}
+
+	if (!avd->allowed && (*reason & SEPOL_COMPUTEAV_CONS) && reason_buf) {
+		expr_buf = calloc(REASON_BUF_SIZE,1);
+		if (!expr_buf) {
+			ERR(NULL, "malloc failed to allocate constraint reason buffer");
+			return -ENOMEM;
+		}
+		rc = context_struct_compute_av(scontext, tcontext, tclass,
+					       requested, avd, reason, expr_buf);
+		*reason_buf = expr_buf;
+	}
+
+out:
 	return rc;
 }
 
+int hidden sepol_compute_av_reason(sepol_security_id_t ssid,
+				   sepol_security_id_t tsid,
+				   sepol_security_class_t tclass,
+				   sepol_access_vector_t requested,
+				   struct sepol_av_decision *avd,
+				   unsigned int *reason)
+{
+	return sepol_compute_av_reason_buffer(ssid, tsid, tclass, requested, avd, reason, NULL);
+}
+
 int hidden sepol_compute_av(sepol_security_id_t ssid,
 			    sepol_security_id_t tsid,
 			    sepol_security_class_t tclass,
@@ -510,6 +953,65 @@ int hidden sepol_compute_av(sepol_security_id_t ssid,
 }
 
 /*
+ * Return a class ID associated with the class string representation
+ * specified by `class_name'.
+ */
+int hidden sepol_class_name_to_id(const char *class_name,
+			sepol_security_class_t *tclass)
+{
+	char *class = NULL;
+	sepol_security_class_t id;
+
+	for (id = 1; ; id++) {
+		if ((class = policydb->p_class_val_to_name[id - 1]) == NULL) {
+			ERR(NULL, "could not convert %s to class id", class_name);
+			return STATUS_ERR;
+		}
+		if ((strcmp(class, class_name)) == 0) {
+			*tclass = id;
+			return STATUS_SUCCESS;
+		}
+	}
+}
+
+/*
+ * Return access vertor bit associated with the class / permission string.
+ */
+int hidden sepol_perm_name_to_av(sepol_security_class_t tclass,
+					const char *perm_name,
+					sepol_access_vector_t *av)
+{
+	class_datum_t *tclass_datum;
+	perm_datum_t *base_perm;
+	perm_datum_t *common_perm;
+
+	if (!tclass || tclass > policydb->p_classes.nprim) {
+		ERR(NULL, "unrecognized class %d", tclass);
+		return -EINVAL;
+	}
+	tclass_datum = policydb->class_val_to_struct[tclass - 1];
+
+	base_perm = (perm_datum_t *)
+			hashtab_search(tclass_datum->permissions.table,
+			(hashtab_key_t)perm_name);
+	if (base_perm != NULL) {
+		*av = 0x1 << (base_perm->s.value - 1);
+		return STATUS_SUCCESS;
+	}
+
+	common_perm = (perm_datum_t *)
+			hashtab_search(tclass_datum->comdatum->permissions.table,
+			(hashtab_key_t)perm_name);
+	if (common_perm != NULL) {
+		*av = 0x1 << (common_perm->s.value - 1);
+		return STATUS_SUCCESS;
+	}	
+
+	ERR(NULL, "could not convert %s to av bit", perm_name);
+   	return STATUS_ERR;
+}
+
+/*
  * Write the security context string representation of 
  * the context associated with `sid' into a dynamically
  * allocated string of the correct size.  Set `*scontext'
@@ -1337,7 +1839,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
 			rc = context_struct_compute_av(fromcon, &usercon,
 						       SECCLASS_PROCESS,
 						       PROCESS__TRANSITION,
-						       &avd, &reason);
+						       &avd, &reason, NULL);
 			if (rc || !(avd.allowed & PROCESS__TRANSITION))
 				continue;
 			rc = sepol_sidtab_context_to_sid(sidtab, &usercon,