30 changed files with 986 additions and 2129 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,204 @@
-SOURCES/libsepol-2.9.tar.gz
+libsepol-1.1.1.tgz
 libsepol-1.2.1.tgz
 libsepol-1.2.1.1.tgz
 libsepol-1.3.2.tgz
 libsepol-1.3.3.tgz
 libsepol-1.3.5.tgz
 libsepol-1.3.6.tgz
 libsepol-1.3.7.tgz
 libsepol-1.3.8.tgz
 libsepol-1.4.tgz
 libsepol-1.5.1.tgz
 libsepol-1.5.2.tgz
 libsepol-1.5.3.tgz
 libsepol-1.5.5.tgz
 libsepol-1.5.6.tgz
 libsepol-1.5.7.tgz
 libsepol-1.5.8.tgz
 libsepol-1.5.9.tgz
 libsepol-1.5.10.tgz
 libsepol-1.6.tgz
 libsepol-1.7.tgz
 libsepol-1.7.2.tgz
 libsepol-1.7.3.tgz
 libsepol-1.7.5.tgz
 libsepol-1.7.6.tgz
 libsepol-1.7.7.tgz
 libsepol-1.7.9.tgz
 VERSION
 libsepol-1.7.10.tgz
 libsepol-1.7.11.tgz
 libsepol-1.7.12.tgz
 libsepol-1.7.13.tgz
 libsepol-1.7.14.tgz
 libsepol-1.7.15.tgz
 libsepol-1.7.17.tgz
 libsepol-1.7.19.tgz
 libsepol-1.7.20.tgz
 libsepol-1.7.22.tgz
 libsepol-1.7.24.tgz
 libsepol-1.9.1.tgz
 libsepol-1.9.2.tgz
 libsepol-1.9.3.tgz
 libsepol-1.9.4.tgz
 libsepol-1.9.5.tgz
 libsepol-1.9.6.tgz
 libsepol-1.9.7.tgz
 libsepol-1.9.8.tgz
 libsepol-1.9.10.tgz
 libsepol-1.9.11.tgz
 libsepol-1.19.12.tgz
 libsepol-1.9.12.tgz
 libsepol-1.9.14.tgz
 libsepol-1.9.14.1.tgz
 libsepol-1.9.17.tgz
 libsepol-1.9.18.tgz
 libsepol-1.9.19.tgz
 libsepol-1.9.21.tgz
 libsepol-1.9.23.tgz
 libsepol-1.9.25.tgz
 libsepol-1.9.26.tgz
 libsepol-1.9.30.tgz
 libsepol-1.9.32.tgz
 libsepol-1.9.33.tgz
 libsepol-1.9.34.tgz
 libsepol-1.9.35.tgz
 libsepol-1.9.36.tgz
 libsepol-1.9.37.tgz
 libsepol-1.9.38.tgz
 libsepol-1.9.39.tgz
 libsepol-1.9.40.tgz
 libsepol-1.9.41.tgz
 libsepol-1.9.42.tgz
 libsepol-1.10.tgz
 libsepol-1.11.1.tgz
 libsepol-1.11.2.tgz
 libsepol-1.11.4.tgz
 libsepol-1.11.5.tgz
 libsepol-1.11.7.tgz
 libsepol-1.11.8.tgz
 libsepol-1.11.9.tgz
 libsepol-1.11.10.tgz
 libsepol-1.11.11.tgz
 libsepol-1.11.12.tgz
 libsepol-1.11.13.tgz
 libsepol-1.11.14.tgz
 libsepol-1.11.17.tgz
 libsepol-1.11.18.tgz
 libsepol-1.11.19.tgz
 libsepol-1.11.20.tgz
 libsepol-1.12.tgz
 libsepol-1.12.1.tgz
 libsepol-1.12.2.tgz
 libsepol-1.12.3.tgz
 libsepol-1.12.4.tgz
 libsepol-1.12.5.tgz
 libsepol-1.12.6.tgz
 libsepol-1.12.8.tgz
 libsepol-1.12.9.tgz
 libsepol-1.12.10.tgz
 libsepol-1.12.11.tgz
 libsepol-1.12.12.tgz
 libsepol-1.12.14.tgz
 libsepol-1.12.17.tgz
 libsepol-1.12.19.tgz
 libsepol-1.12.21.tgz
 libsepol-1.12.23.tgz
 libsepol-1.12.24.tgz
 libsepol-1.12.25.tgz
 libsepol-1.12.26.tgz
 libsepol-1.12.27.tgz
 libsepol-1.12.28.tgz
 libsepol-1.14.tgz
 libsepol-1.15.1.tgz
 libsepol-1.15.2.tgz
 libsepol-1.15.3.tgz
 libsepol-1.16.0.tgz
 libsepol-2.0.1.tgz
 libsepol-2.0.2.tgz
 libsepol-2.0.3.tgz
 libsepol-2.0.4.tgz
 libsepol-2.0.5.tgz
 libsepol-2.0.6.tgz
 libsepol-2.0.7.tgz
 libsepol-2.0.9.tgz
 libsepol-2.0.10.tgz
 libsepol-2.0.11.tgz
 libsepol-2.0.14.tgz
 libsepol-2.0.15.tgz
 libsepol-2.0.16.tgz
 libsepol-2.0.18.tgz
 libsepol-2.0.19.tgz
 libsepol-2.0.20.tgz
 libsepol-2.0.21.tgz
 libsepol-2.0.23.tgz
 libsepol-2.0.25.tgz
 libsepol-2.0.26.tgz
 libsepol-2.0.28.tgz
 libsepol-2.0.29.tgz
 libsepol-2.0.30.tgz
 libsepol-2.0.31.tgz
 libsepol-2.0.32.tgz
 libsepol-2.0.33.tgz
 libsepol-2.0.34.tgz
 libsepol-2.0.35.tgz
 libsepol-2.0.36.tgz
 libsepol-2.0.37.tgz
 libsepol-2.0.38.tgz
 libsepol-2.0.39.tgz
 libsepol-2.0.40.tgz
 libsepol-2.0.41.tgz
 /libsepol-2.0.42.tgz
 /libsepol-2.0.43.tgz
 /libsepol-2.0.44.tgz
 /libsepol-2.0.45.tgz
 /libsepol-2.1.0.tgz
 /libsepol-2.1.1.tgz
 /libsepol-2.1.2.tgz
 /libsepol-2.1.3.tgz
 /libsepol-2.1.4.tgz
 /libsepol-2.1.5.tgz
 /libsepol-2.1.7.tgz
 /libsepol-2.1.8.tgz
 /libsepol-2.1.9.tgz
 /libsepol-2.2.tgz
 /libsepol-2.3.tgz
 /libsepol-2.4.tar.gz
 /libsepol-2.5-rc1.tar.gz
 /libsepol-2.5.tar.gz
 /libsepol-2.6.tar.gz
 /libsepol-2.7.tar.gz
 /libsepol-2.8-rc1.tar.gz
 /libsepol-2.8-rc3.tar.gz
 /libsepol-2.8.tar.gz
 /libsepol-2.9-rc1.tar.gz
 /libsepol-2.9-rc2.tar.gz
 /libsepol-2.9.tar.gz
 /libsepol-3.0-rc1.tar.gz
 /libsepol-3.0.tar.gz
 /libsepol-3.1.tar.gz
 /libsepol-3.2-rc1.tar.gz
 /libsepol-3.2-rc2.tar.gz
 /libsepol-3.2.tar.gz
 /libsepol-3.3-rc2.tar.gz
 /libsepol-3.3-rc3.tar.gz
 /libsepol-3.3.tar.gz
 /libsepol-3.4-rc1.tar.gz
 /libsepol-3.4-rc2.tar.gz
 /libsepol-3.4-rc3.tar.gz
 /libsepol-3.4.tar.gz
 /libsepol-3.5-rc1.tar.gz
 /libsepol-3.5-rc2.tar.gz
 /libsepol-3.5-rc3.tar.gz
 /libsepol-3.5.tar.gz
 /libsepol-3.6-rc1.tar.gz
 /libsepol-3.6-rc2.tar.gz
 /libsepol-3.6.tar.gz
 /libsepol-3.7.tar.gz
 /libsepol-3.7.tar.gz.asc
 /libsepol-3.8-rc1.tar.gz
 /libsepol-3.8-rc1.tar.gz.asc
 /libsepol-3.8-rc3.tar.gz
 /libsepol-3.8-rc3.tar.gz.asc
 /libsepol-3.8.tar.gz
 /libsepol-3.8.tar.gz.asc
--- a/.libsepol.metadata
+++ b/.libsepol.metadata
@ -1 +0,0 @@
 b2447a0b2ea8dd45737535c3e407c950f16dcca5 SOURCES/libsepol-2.9.tar.gz
--- a/SOURCES/0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch
+++ b/SOURCES/0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch
@ -1,50 +0,0 @@
 From 2b2f42f9311ede75c3fe61d356094999e8e161b9 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:24:29 -0400
 Subject: [PATCH] libsepol/cil: Fix out-of-bound read of file context pattern
 ending with "\"
 Based on patch by Nicolas Iooss, who writes:
  OSS-Fuzz found a Heap-buffer-overflow in the CIL compiler when trying
  to compile the following policy:
    (sid SID)
    (sidorder(SID))
    (filecon "\" any ())
    (filecon "" any ())
  When cil_post_fc_fill_data() processes "\", it goes beyond the NUL
  terminator of the string. Fix this by returning when '\0' is read
  after a backslash.
 To be consistent with the function compute_diffdata() in
 refpolicy/support/fc_sort.py, also increment str_len in this case.
 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28484
 Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_post.c | 7 +++++++
 1 file changed, 7 insertions(+)
 diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
 index 0b09cecc..bdeaa7c6 100644
 --- a/libsepol/cil/src/cil_post.c
 +++ b/libsepol/cil/src/cil_post.c
@@ -179,6 +179,13 @@ void cil_post_fc_fill_data(struct fc_data *fc, char *path)
 			break;
 		case '\\':
 			c++;
 +			if (path[c] == '\0') {
 +				if (!fc->meta) {
 +					fc->stem_len++;
 +				}
 +				fc->str_len++;
 +				return;
 +			}
 			/* FALLTHRU */
 		default:
 			if (!fc->meta) {
 -- 
 2.30.2
--- a/SOURCES/0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch
+++ b/SOURCES/0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch
@ -1,100 +0,0 @@
 From 5012fee580f5e4744166462855767949311f9154 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:01 -0400
 Subject: [PATCH] libsepol/cil: Destroy classperms list when resetting
 classpermission
 Nicolas Iooss reports:
  A few months ago, OSS-Fuzz found a crash in the CIL compiler, which
  got reported as
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28648 (the title
  is misleading, or is caused by another issue that conflicts with the
  one I report in this message). Here is a minimized CIL policy which
  reproduces the issue:
  (class CLASS (PERM))
  (classorder (CLASS))
  (sid SID)
  (sidorder (SID))
  (user USER)
  (role ROLE)
  (type TYPE)
  (category CAT)
  (categoryorder (CAT))
  (sensitivity SENS)
  (sensitivityorder (SENS))
  (sensitivitycategory SENS (CAT))
  (allow TYPE self (CLASS (PERM)))
  (roletype ROLE TYPE)
  (userrole USER ROLE)
  (userlevel USER (SENS))
  (userrange USER ((SENS)(SENS (CAT))))
  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
  (classpermission CLAPERM)
  (optional OPT
      (roletype nonexistingrole nonexistingtype)
      (classpermissionset CLAPERM (CLASS (PERM)))
  )
  The CIL policy fuzzer (which mimics secilc built with clang Address
  Sanitizer) reports:
  ==36541==ERROR: AddressSanitizer: heap-use-after-free on address
  0x603000004f98 at pc 0x56445134c842 bp 0x7ffe2a256590 sp
  0x7ffe2a256588
  READ of size 8 at 0x603000004f98 thread T0
      #0 0x56445134c841 in __cil_verify_classperms
  /selinux/libsepol/src/../cil/src/cil_verify.c:1620:8
      #1 0x56445134a43e in __cil_verify_classpermission
  /selinux/libsepol/src/../cil/src/cil_verify.c:1650:9
      #2 0x56445134a43e in __cil_pre_verify_helper
  /selinux/libsepol/src/../cil/src/cil_verify.c:1715:8
      #3 0x5644513225ac in cil_tree_walk_core
  /selinux/libsepol/src/../cil/src/cil_tree.c:272:9
      #4 0x564451322ab1 in cil_tree_walk
  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
      #5 0x5644513226af in cil_tree_walk_core
  /selinux/libsepol/src/../cil/src/cil_tree.c:284:9
      #6 0x564451322ab1 in cil_tree_walk
  /selinux/libsepol/src/../cil/src/cil_tree.c:316:7
      #7 0x5644512b88fd in cil_pre_verify
  /selinux/libsepol/src/../cil/src/cil_post.c:2510:7
      #8 0x5644512b88fd in cil_post_process
  /selinux/libsepol/src/../cil/src/cil_post.c:2524:7
      #9 0x5644511856ff in cil_compile
  /selinux/libsepol/src/../cil/src/cil.c:564:7
 The classperms list of a classpermission rule is created and filled
 in when classpermissionset rules are processed, so it doesn't own any
 part of the list and shouldn't retain any of it when it is reset.
 Destroy the classperms list (without destroying the data in it)  when
 resetting a classpermission rule.
 Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 Signed-off-by: James Carter <jwcart2@gmail.com>
 (cherry-picked from SElinuxProject
 commit:  f34d3d30c8325e4847a6b696fe7a3936a8a361f3)
 ---
 libsepol/cil/src/cil_reset_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
 index 43e6b88e..73e1fcf0 100644
 --- a/libsepol/cil/src/cil_reset_ast.c
 +++ b/libsepol/cil/src/cil_reset_ast.c
@@ -52,7 +52,7 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
 		return;
 	}
 -	cil_reset_classperms_list(cp->classperms);
 +	cil_list_destroy(&cp->classperms, CIL_FALSE);
 }
 static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
 -- 
 2.30.2
--- a/SOURCES/0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch
+++ b/SOURCES/0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch
@ -1,39 +0,0 @@
 From 8c8a21d4ca75e4b767d3dfaa181a83e4c0e1f3a1 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:04 -0400
 Subject: [PATCH] libsepol/cil: Destroy classperm list when resetting map perms
 Map perms share the same struct as regular perms, but only the
 map perms use the classperms field. This field is a pointer to a
 list of classperms that is created and added to when resolving
 classmapping rules, so the map permission doesn't own any of the
 data in the list and this list should be destroyed when the AST is
 reset.
 When resetting a perm, destroy the classperms list without destroying
 the data in the list.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 (cherry-picked from SElinuxProject
 commit: 2d35fcc7e9e976a2346b1de20e54f8663e8a6cba)
 ---
 libsepol/cil/src/cil_reset_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
 index 73e1fcf0..f321b396 100644
 --- a/libsepol/cil/src/cil_reset_ast.c
 +++ b/libsepol/cil/src/cil_reset_ast.c
@@ -34,7 +34,7 @@ static void cil_reset_class(struct cil_class *class)
 static void cil_reset_perm(struct cil_perm *perm)
 {
 -	cil_reset_classperms_list(perm->classperms);
 +	cil_list_destroy(&perm->classperms, CIL_FALSE);
 }
 static inline void cil_reset_classperms(struct cil_classperms *cp)
 -- 
 2.30.2
--- a/SOURCES/0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch
+++ b/SOURCES/0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch
@ -1,42 +0,0 @@
 From 52bf0fe9ce922229e8bb3b99faa7c7dce2c3531f Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:06 -0400
 Subject: [PATCH] libsepol/cil: cil_reset_classperms_set() should not reset
 classpermission
 In struct cil_classperms_set, the set field is a pointer to a
 struct cil_classpermission which is looked up in the symbol table.
 Since the cil_classperms_set does not create the cil_classpermission,
 it should not reset it.
 Set the set field to NULL instead of resetting the classpermission
 that it points to.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 (cherry-picked from SElinuxProject
 commit: c49a8ea09501ad66e799ea41b8154b6770fec2c8)
 ---
 libsepol/cil/src/cil_reset_ast.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
 index f321b396..7bf0391b 100644
 --- a/libsepol/cil/src/cil_reset_ast.c
 +++ b/libsepol/cil/src/cil_reset_ast.c
@@ -57,7 +57,11 @@ static void cil_reset_classpermission(struct cil_classpermission *cp)
 static void cil_reset_classperms_set(struct cil_classperms_set *cp_set)
 {
 -	cil_reset_classpermission(cp_set->set);
 +	if (cp_set == NULL) {
 +		return;
 +	}
 +
 +	cp_set->set = NULL;
 }
 static inline void cil_reset_classperms_list(struct cil_list *cp_list)
 -- 
 2.30.2
--- a/SOURCES/0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch
+++ b/SOURCES/0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch
@ -1,32 +0,0 @@
 From 6beea9f422cb452c01a24619247b559b67a4aeec Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:08 -0400
 Subject: [PATCH] libsepol/cil: Set class field to NULL when resetting struct
 cil_classperms
 The class field of a struct cil_classperms points to the class looked
 up in the symbol table, so that field should be set to NULL when
 the cil_classperms is reset.
 Set the class field to NULL when resetting the struct cil_classperms.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_reset_ast.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/libsepol/cil/src/cil_reset_ast.c b/libsepol/cil/src/cil_reset_ast.c
 index 7bf0391b..e86ee3b8 100644
 --- a/libsepol/cil/src/cil_reset_ast.c
 +++ b/libsepol/cil/src/cil_reset_ast.c
@@ -43,6 +43,7 @@ static inline void cil_reset_classperms(struct cil_classperms *cp)
 		return;
 	}
 +	cp->class = NULL;
 	cil_list_destroy(&cp->perms, CIL_FALSE);
 }
 -- 
 2.30.2
--- a/SOURCES/0006-libsepol-cil-More-strict-verification-of-constraint-.patch
+++ b/SOURCES/0006-libsepol-cil-More-strict-verification-of-constraint-.patch
@ -1,42 +0,0 @@
 From e42e31d865be8dbb5ea1b99ffab434fcfec14df2 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:11 -0400
 Subject: [PATCH] libsepol/cil: More strict verification of constraint leaf
 expressions
 In constraint expressions u1, u3, r1, r3, t1, and t3 are never
 allowed on the right side of an expression, but there were no checks
 to verify that they were not used on the right side. The result was
 that the expression "(eq t1 t1)" would be silently turned into
 "(eq t1 t2)" when the binary policy was created.
 Verify that u1, u3, r1, r3, t1, and t3 are not used on the right
 side of a constraint expression.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_verify.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
 index 1036d73c..3972b1e9 100644
 --- a/libsepol/cil/src/cil_verify.c
 +++ b/libsepol/cil/src/cil_verify.c
@@ -227,7 +227,13 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
 			}
 		}
 	} else {
 -		if (r_flavor == CIL_CONS_U2) {
 +		if (r_flavor == CIL_CONS_U1 || r_flavor == CIL_CONS_R1 || r_flavor == CIL_CONS_T1) {
 +			cil_log(CIL_ERR, "u1, r1, and t1 are not allowed on the right side\n");
 +			goto exit;
 +		} else if (r_flavor == CIL_CONS_U3 || r_flavor == CIL_CONS_R3 || r_flavor == CIL_CONS_T3) {
 +			cil_log(CIL_ERR, "u3, r3, and t3 are not allowed on the right side\n");
 +			goto exit;
 +		} else if (r_flavor == CIL_CONS_U2) {
 			if (op != CIL_EQ && op != CIL_NEQ) {
 				cil_log(CIL_ERR, "u2 on the right side must be used with eq or neq as the operator\n");
 				goto exit;
 -- 
 2.30.2
--- a/SOURCES/0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch
+++ b/SOURCES/0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch
@ -1,194 +0,0 @@
 From 5edd2126ad3dc30f75f0ec9f73cd609bbe432c29 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:12 -0400
 Subject: [PATCH] libsepol/cil: Exit with an error if declaration name is a
 reserved word
 When CIL parses sets or conditional expressions, any identifier that
 matches an operator name will always be taken as an operator. If a
 declaration has the same name as an operator, then there is the
 possibility of causing either confusion or a syntax error if it is
 used in an expression. The potential for problems is much greater
 than any possible advantage in allowing a declaration to share the
 name of a reserved word.
 Create a new function, __cil_is_reserved_name() that is called when
 an identifier is declared and its name is being validated. In this
 function, check if the declaration has the same name as a reserved
 word for an expression operator that can be used with the identifer's
 flavor and exit with an error if it does.
 Also, move the check for types, type aliases, and type attributes
 matching the reserved word "self" to this new function.
 Finally, change the name of the function __cil_verify_name() to
 cil_verify_name(), since this function is neither static nor a
 helper function.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c | 28 ++---------------
 libsepol/cil/src/cil_verify.c    | 52 +++++++++++++++++++++++++++++++-
 libsepol/cil/src/cil_verify.h    |  2 +-
 3 files changed, 54 insertions(+), 28 deletions(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index b90b0f60..fe7b7777 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -110,7 +110,7 @@ int cil_gen_node(struct cil_db *db, struct cil_tree_node *ast_node, struct cil_s
 	symtab_t *symtab = NULL;
 	struct cil_symtab_datum *prev;
 -	rc = __cil_verify_name((const char*)key);
 +	rc = cil_verify_name((const char*)key, nflavor);
 	if (rc != SEPOL_OK) {
 		goto exit;
 	}
@@ -1919,12 +1919,6 @@ int cil_gen_roleattribute(struct cil_db *db, struct cil_tree_node *parse_current
 		goto exit;
 	}
 -	if (parse_current->next->data == CIL_KEY_SELF) {
 -		cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
 -		rc = SEPOL_ERR;
 -		goto exit;
 -	}
 -
 	cil_roleattribute_init(&attr);
 	key = parse_current->next->data;
@@ -2303,12 +2297,6 @@ int cil_gen_type(struct cil_db *db, struct cil_tree_node *parse_current, struct
 		goto exit;
 	}
 -	if (parse_current->next->data == CIL_KEY_SELF) {
 -		cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
 -		rc = SEPOL_ERR;
 -		goto exit;
 -	}
 -
 	cil_type_init(&type);
 	key = parse_current->next->data;
@@ -2357,12 +2345,6 @@ int cil_gen_typeattribute(struct cil_db *db, struct cil_tree_node *parse_current
 		goto exit;
 	}
 -	if (parse_current->next->data == CIL_KEY_SELF) {
 -		cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
 -		rc = SEPOL_ERR;
 -		goto exit;
 -	}
 -
 	cil_typeattribute_init(&attr);
 	key = parse_current->next->data;
@@ -3064,12 +3046,6 @@ int cil_gen_alias(struct cil_db *db, struct cil_tree_node *parse_current, struct
 		goto exit;
 	}
 -	if (flavor == CIL_TYPEALIAS && parse_current->next->data == CIL_KEY_SELF) {
 -		cil_log(CIL_ERR, "The keyword '%s' is reserved\n", CIL_KEY_SELF);
 -		rc = SEPOL_ERR;
 -		goto exit;
 -	}
 -
 	cil_alias_init(&alias);
 	key = parse_current->next->data;
@@ -5294,7 +5270,7 @@ int cil_gen_macro(struct cil_db *db, struct cil_tree_node *parse_current, struct
 		param->str =  current_item->cl_head->next->data;
 -		rc = __cil_verify_name(param->str);
 +		rc = cil_verify_name(param->str, param->flavor);
 		if (rc != SEPOL_OK) {
 			cil_destroy_param(param);
 			goto exit;
 diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
 index 3972b1e9..ea95c2cb 100644
 --- a/libsepol/cil/src/cil_verify.c
 +++ b/libsepol/cil/src/cil_verify.c
@@ -47,7 +47,51 @@
 #include "cil_verify.h"
 -int __cil_verify_name(const char *name)
 +static int __cil_is_reserved_name(const char *name, enum cil_flavor flavor)
 +{
 +	switch (flavor) {
 +	case CIL_BOOL:
 +	case CIL_TUNABLE:
 +		if ((name == CIL_KEY_EQ) || (name == CIL_KEY_NEQ))
 +			return CIL_TRUE;
 +		break;
 +	case CIL_PERM:
 +	case CIL_MAP_PERM:
 +	case CIL_USER:
 +	case CIL_USERATTRIBUTE:
 +	case CIL_ROLE:
 +	case CIL_ROLEATTRIBUTE:
 +		if (name == CIL_KEY_ALL)
 +			return CIL_TRUE;
 +		break;
 +	case CIL_TYPE:
 +	case CIL_TYPEATTRIBUTE:
 +	case CIL_TYPEALIAS:
 +		if ((name == CIL_KEY_ALL) || (name == CIL_KEY_SELF))
 +			return CIL_TRUE;
 +		break;
 +	case CIL_CAT:
 +	case CIL_CATSET:
 +	case CIL_CATALIAS:
 +	case CIL_PERMISSIONX:
 +		if ((name == CIL_KEY_ALL) || (name == CIL_KEY_RANGE))
 +			return CIL_TRUE;
 +		break;
 +	default:
 +		/* All of these are not used in expressions */
 +		return CIL_FALSE;
 +		break;
 +	}
 +
 +	/* Everything not under the default case is also checked for these */
 +	if ((name == CIL_KEY_AND) || (name == CIL_KEY_OR) || (name == CIL_KEY_NOT) || (name == CIL_KEY_XOR)) {
 +		return CIL_TRUE;
 +	}
 +
 +	return CIL_FALSE;
 +}
 +
 +int cil_verify_name(const char *name, enum cil_flavor flavor)
 {
 	int rc = SEPOL_ERR;
 	int len;
@@ -77,6 +121,12 @@ int __cil_verify_name(const char *name)
 			goto exit;
 		}
 	}
 +
 +	if (__cil_is_reserved_name(name, flavor)) {
 +		cil_log(CIL_ERR, "Name %s is a reserved word\n", name);
 +		goto exit;
 +	}
 +
 	return SEPOL_OK;
 exit:
 diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h
 index bda1565f..e4b98919 100644
 --- a/libsepol/cil/src/cil_verify.h
 +++ b/libsepol/cil/src/cil_verify.h
@@ -56,7 +56,7 @@ struct cil_args_verify {
 	int *pass;
 };
 -int __cil_verify_name(const char *name);
 +int cil_verify_name(const char *name, enum cil_flavor flavor);
 int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[], int len);
 int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor);
 int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor);
 -- 
 2.30.2
--- a/SOURCES/0008-libsepol-cil-Allow-permission-expressions-when-using.patch
+++ b/SOURCES/0008-libsepol-cil-Allow-permission-expressions-when-using.patch
@ -1,75 +0,0 @@
 From d6863cc6e4f472444a7944c9ea95333e587efd73 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Thu, 8 Apr 2021 13:32:14 -0400
 Subject: [PATCH] libsepol/cil: Allow permission expressions when using map
 classes
 The following policy will cause a segfault:
  (class CLASS (PERM))
  (class C (P1 P2 P3))
  (classorder (CLASS C))
  (sid SID)
  (sidorder (SID))
  (user USER)
  (role ROLE)
  (type TYPE)
  (category CAT)
  (categoryorder (CAT))
  (sensitivity SENS)
  (sensitivityorder (SENS))
  (sensitivitycategory SENS (CAT))
  (allow TYPE self (CLASS (PERM)))
  (roletype ROLE TYPE)
  (userrole USER ROLE)
  (userlevel USER (SENS))
  (userrange USER ((SENS)(SENS (CAT))))
  (sidcontext SID (USER ROLE TYPE ((SENS)(SENS))))
  (classmap CM (PM1 PM2 PM3))
  (classmapping CM PM1 (C (P1)))
  (classmapping CM PM2 (C (P2)))
  (classmapping CM PM3 (C (P3)))
  (allow TYPE self (CM (and (all) (not PM2))))
 The problem is that, while permission expressions are allowed for
 normal classes, map classes are expected to only have permission
 lists and no check is done to verify that only a permission list
 is being used.
 When the above policy is parsed, the "and" and "all" are seen as
 expression operators, but when the map permissions are converted to
 normal class and permissions, the permission expression is assumed
 to be a list of datums and since the operators are not datums a
 segfault is the result.
 There is no reason to limit map classes to only using a list of
 permissions and, in fact, it would be better to be able to use them
 in the same way normal classes are used.
 Allow permissions expressions to be used for map classes by first
 evaluating the permission expression and then converting the
 resulting list to normal classes and permissions.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_post.c | 4 ++++
 1 file changed, 4 insertions(+)
 diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c
 index bdeaa7c6..a820d5ba 100644
 --- a/libsepol/cil/src/cil_post.c
 +++ b/libsepol/cil/src/cil_post.c
@@ -2138,6 +2138,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db
 				}
 			} else { /* MAP */
 				struct cil_list_item *i = NULL;
 +				rc = __evaluate_classperms(cp, db);
 +				if (rc != SEPOL_OK) {
 +					goto exit;
 +				}
 				cil_list_for_each(i, cp->perms) {
 					struct cil_perm *cmp = i->data;
 					rc = __evaluate_classperms_list(cmp->classperms, db);
 -- 
 2.30.2
--- a/SOURCES/0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
+++ b/SOURCES/0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
@ -1,219 +0,0 @@
 From 6b6a787188804cad4f7f853e95eb0a58dea7ad62 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:12 -0400
 Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when building
 AST
 Reorder checks for invalid rules in the blocks of tunableifs,
 in-statements, macros, and booleanifs when building the AST for
 consistency.
 Order the checks in the same order the blocks will be resolved in,
 so tuanbleif, in-statement, macro, booleanif, and then non-block
 rules.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c | 100 +++++++++++++++----------------
 1 file changed, 50 insertions(+), 50 deletions(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index fe7b7777..6d5a57fa 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -49,10 +49,10 @@
 struct cil_args_build {
 	struct cil_tree_node *ast;
 	struct cil_db *db;
 -	struct cil_tree_node *macro;
 -	struct cil_tree_node *boolif;
 	struct cil_tree_node *tunif;
 	struct cil_tree_node *in;
 +	struct cil_tree_node *macro;
 +	struct cil_tree_node *boolif;
 };
 int cil_fill_list(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **list)
@@ -6075,10 +6075,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	struct cil_tree_node *ast_current = NULL;
 	struct cil_db *db = NULL;
 	struct cil_tree_node *ast_node = NULL;
 -	struct cil_tree_node *macro = NULL;
 -	struct cil_tree_node *boolif = NULL;
 	struct cil_tree_node *tunif = NULL;
 	struct cil_tree_node *in = NULL;
 +	struct cil_tree_node *macro = NULL;
 +	struct cil_tree_node *boolif = NULL;
 	int rc = SEPOL_ERR;
 	if (parse_current == NULL || finished == NULL || extra_args == NULL) {
@@ -6088,10 +6088,10 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	args = extra_args;
 	ast_current = args->ast;
 	db = args->db;
 -	macro = args->macro;
 -	boolif = args->boolif;
 	tunif = args->tunif;
 	in = args->in;
 +	macro = args->macro;
 +	boolif = args->boolif;
 	if (parse_current->parent->cl_head != parse_current) {
 		/* ignore anything that isn't following a parenthesis */
@@ -6108,13 +6108,31 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 		goto exit;
 	}
 +	if (tunif != NULL) {
 +		if (parse_current->data == CIL_KEY_TUNABLE) {
 +			rc = SEPOL_ERR;
 +			cil_tree_log(parse_current, CIL_ERR, "Found tunable");
 +			cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
 +			goto exit;
 +		}
 +	}
 +
 +	if (in != NULL) {
 +		if (parse_current->data == CIL_KEY_IN) {
 +			rc = SEPOL_ERR;
 +			cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
 +			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
 +			goto exit;
 +		}
 +	}
 +
 	if (macro != NULL) {
 -		if (parse_current->data == CIL_KEY_MACRO ||
 -			parse_current->data == CIL_KEY_TUNABLE ||
 +		if (parse_current->data == CIL_KEY_TUNABLE ||
 			parse_current->data == CIL_KEY_IN ||
 			parse_current->data == CIL_KEY_BLOCK ||
 			parse_current->data == CIL_KEY_BLOCKINHERIT ||
 -			parse_current->data == CIL_KEY_BLOCKABSTRACT) {
 +			parse_current->data == CIL_KEY_BLOCKABSTRACT ||
 +			parse_current->data == CIL_KEY_MACRO) {
 			rc = SEPOL_ERR;
 			cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in macros", (char *)parse_current->data);
 			goto exit;
@@ -6122,15 +6140,15 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	}
 	if (boolif != NULL) {
 -		if (parse_current->data != CIL_KEY_CONDTRUE &&
 +		if (parse_current->data != CIL_KEY_TUNABLEIF &&
 +			parse_current->data != CIL_KEY_CALL &&
 +			parse_current->data != CIL_KEY_CONDTRUE &&
 			parse_current->data != CIL_KEY_CONDFALSE &&
 -			parse_current->data != CIL_KEY_AUDITALLOW &&
 -			parse_current->data != CIL_KEY_TUNABLEIF &&
 			parse_current->data != CIL_KEY_ALLOW &&
 			parse_current->data != CIL_KEY_DONTAUDIT &&
 +			parse_current->data != CIL_KEY_AUDITALLOW &&
 			parse_current->data != CIL_KEY_TYPETRANSITION &&
 -			parse_current->data != CIL_KEY_TYPECHANGE &&
 -			parse_current->data != CIL_KEY_CALL) {
 +			parse_current->data != CIL_KEY_TYPECHANGE) {
 			rc = SEPOL_ERR;
 			cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
 			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
@@ -6144,24 +6162,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 		}
 	}
 -	if (tunif != NULL) {
 -		if (parse_current->data == CIL_KEY_TUNABLE) {
 -			rc = SEPOL_ERR;
 -			cil_tree_log(parse_current, CIL_ERR, "Found tunable");
 -			cil_log(CIL_ERR, "Tunables cannot be defined within tunableif statement\n");
 -			goto exit;
 -		}
 -	}
 -
 -	if (in != NULL) {
 -		if (parse_current->data == CIL_KEY_IN) {
 -			rc = SEPOL_ERR;
 -			cil_tree_log(parse_current, CIL_ERR, "Found in-statement");
 -			cil_log(CIL_ERR, "in-statements cannot be defined within in-statements\n");
 -			goto exit;
 -		}
 -	}
 -
 	cil_tree_node_init(&ast_node);
 	ast_node->parent = ast_current;
@@ -6447,14 +6447,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	if (rc == SEPOL_OK) {
 		if (ast_current->cl_head == NULL) {
 -			if (ast_current->flavor == CIL_MACRO) {
 -				args->macro = ast_current;
 -			}
 -
 -			if (ast_current->flavor == CIL_BOOLEANIF) {
 -				args->boolif = ast_current;
 -			}
 -
 			if (ast_current->flavor == CIL_TUNABLEIF) {
 				args->tunif = ast_current;
 			}
@@ -6463,6 +6455,14 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 				args->in = ast_current;
 			}
 +			if (ast_current->flavor == CIL_MACRO) {
 +				args->macro = ast_current;
 +			}
 +
 +			if (ast_current->flavor == CIL_BOOLEANIF) {
 +				args->boolif = ast_current;
 +			}
 +
 			ast_current->cl_head = ast_node;
 		} else {
 			ast_current->cl_tail->next = ast_node;
@@ -6498,14 +6498,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 	args->ast = ast->parent;
 -	if (ast->flavor == CIL_MACRO) {
 -		args->macro = NULL;
 -	}
 -
 -	if (ast->flavor == CIL_BOOLEANIF) {
 -		args->boolif = NULL;
 -	}
 -
 	if (ast->flavor == CIL_TUNABLEIF) {
 		args->tunif = NULL;
 	}
@@ -6514,6 +6506,14 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 		args->in = NULL;
 	}
 +	if (ast->flavor == CIL_MACRO) {
 +		args->macro = NULL;
 +	}
 +
 +	if (ast->flavor == CIL_BOOLEANIF) {
 +		args->boolif = NULL;
 +	}
 +
 	// At this point we no longer have any need for parse_current or any of its
 	// siblings; they have all been converted to the appropriate AST node. The
 	// full parse tree will get deleted elsewhere, but in an attempt to
@@ -6538,10 +6538,10 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
 	extra_args.ast = ast;
 	extra_args.db = db;
 -	extra_args.macro = NULL;
 -	extra_args.boolif = NULL;
 	extra_args.tunif = NULL;
 	extra_args.in = NULL;
 +	extra_args.macro = NULL;
 +	extra_args.boolif = NULL;
 	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
 	if (rc != SEPOL_OK) {
 -- 
 2.30.2
--- a/SOURCES/0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch
+++ b/SOURCES/0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch
@ -1,91 +0,0 @@
 From 34f3ecbcffaa0ede0252d015d381cef847432fa0 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:13 -0400
 Subject: [PATCH] libsepol/cil: Cleanup build AST helper functions
 Since parse_current, finished, and extra_args can never be NULL,
 remove the useless check and directly assign local variables from
 extra_args.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c | 44 ++++++++------------------------
 1 file changed, 10 insertions(+), 34 deletions(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index 6d5a57fa..b7245dbc 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -6071,28 +6071,16 @@ void cil_destroy_src_info(struct cil_src_info *info)
 int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *finished, void *extra_args)
 {
 -	struct cil_args_build *args = NULL;
 -	struct cil_tree_node *ast_current = NULL;
 -	struct cil_db *db = NULL;
 +	struct cil_args_build *args = extra_args;
 +	struct cil_db *db = args->db;
 +	struct cil_tree_node *ast_current = args->ast;
 +	struct cil_tree_node *tunif = args->tunif;
 +	struct cil_tree_node *in = args->in;
 +	struct cil_tree_node *macro = args->macro;
 +	struct cil_tree_node *boolif = args->boolif;
 	struct cil_tree_node *ast_node = NULL;
 -	struct cil_tree_node *tunif = NULL;
 -	struct cil_tree_node *in = NULL;
 -	struct cil_tree_node *macro = NULL;
 -	struct cil_tree_node *boolif = NULL;
 	int rc = SEPOL_ERR;
 -	if (parse_current == NULL || finished == NULL || extra_args == NULL) {
 -		goto exit;
 -	}
 -
 -	args = extra_args;
 -	ast_current = args->ast;
 -	db = args->db;
 -	tunif = args->tunif;
 -	in = args->in;
 -	macro = args->macro;
 -	boolif = args->boolif;
 -
 	if (parse_current->parent->cl_head != parse_current) {
 		/* ignore anything that isn't following a parenthesis */
 		rc = SEPOL_OK;
@@ -6480,20 +6468,11 @@ exit:
 int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
 {
 -	int rc = SEPOL_ERR;
 -	struct cil_tree_node *ast = NULL;
 -	struct cil_args_build *args = NULL;
 -
 -	if (extra_args == NULL) {
 -		goto exit;
 -	}
 -
 -	args = extra_args;
 -	ast = args->ast;
 +	struct cil_args_build *args = extra_args;
 +	struct cil_tree_node *ast = args->ast;
 	if (ast->flavor == CIL_ROOT) {
 -		rc = SEPOL_OK;
 -		goto exit;
 +		return SEPOL_OK;
 	}
 	args->ast = ast->parent;
@@ -6522,9 +6501,6 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 	cil_tree_children_destroy(parse_current->parent);
 	return SEPOL_OK;
 -
 -exit:
 -	return rc;
 }
 int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct cil_tree_node *ast)
 -- 
 2.30.2
--- a/SOURCES/0011-libsepol-cil-Create-new-first-child-helper-function-.patch
+++ b/SOURCES/0011-libsepol-cil-Create-new-first-child-helper-function-.patch
@ -1,98 +0,0 @@
 From 3e82b1e527fab1fb1dbcad8c70bdb59810a98783 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:14 -0400
 Subject: [PATCH] libsepol/cil: Create new first child helper function for
 building AST
 In order to find statements not allowed in tunableifs, in-statements,
 macros, and booleanifs, there are tree node pointers that point to
 each of these kinds of statements when its block is being parsed.
 If the pointer is non-NULL, then the rule being parsed is in the block
 of that kind of statement.
 The tree node pointers were being updated at the wrong point which
 prevented an invalid statement from being found if it was the first
 statement in the block of a tunableif, in-statement, macro, or
 booleanif.
 Create a first child helper function for walking the parse tree and
 in that function set the appropriate tree node pointer if the
 current AST node is a tunableif, in-statement, macro, or booleanif.
 This also makes the code symmetrical with the last child helper
 where the tree node pointers are set to NULL.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c | 42 +++++++++++++++++++-------------
 1 file changed, 25 insertions(+), 17 deletions(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index b7245dbc..ceb55324 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -6435,22 +6435,6 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	if (rc == SEPOL_OK) {
 		if (ast_current->cl_head == NULL) {
 -			if (ast_current->flavor == CIL_TUNABLEIF) {
 -				args->tunif = ast_current;
 -			}
 -
 -			if (ast_current->flavor == CIL_IN) {
 -				args->in = ast_current;
 -			}
 -
 -			if (ast_current->flavor == CIL_MACRO) {
 -				args->macro = ast_current;
 -			}
 -
 -			if (ast_current->flavor == CIL_BOOLEANIF) {
 -				args->boolif = ast_current;
 -			}
 -
 			ast_current->cl_head = ast_node;
 		} else {
 			ast_current->cl_tail->next = ast_node;
@@ -6466,6 +6450,30 @@ exit:
 	return rc;
 }
 +int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_node *parse_current, void *extra_args)
 +{
 +	struct cil_args_build *args = extra_args;
 +	struct cil_tree_node *ast = args->ast;
 +
 +	if (ast->flavor == CIL_TUNABLEIF) {
 +		args->tunif = ast;
 +	}
 +
 +	if (ast->flavor == CIL_IN) {
 +		args->in = ast;
 +	}
 +
 +	if (ast->flavor == CIL_MACRO) {
 +		args->macro = ast;
 +	}
 +
 +	if (ast->flavor == CIL_BOOLEANIF) {
 +		args->boolif = ast;
 +	}
 +
 +	return SEPOL_OK;
 +}
 +
 int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void *extra_args)
 {
 	struct cil_args_build *args = extra_args;
@@ -6519,7 +6527,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
 	extra_args.macro = NULL;
 	extra_args.boolif = NULL;
 -	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, NULL, __cil_build_ast_last_child_helper, &extra_args);
 +	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
 	if (rc != SEPOL_OK) {
 		goto exit;
 	}
 -- 
 2.30.2
--- a/SOURCES/0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch
+++ b/SOURCES/0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch
@ -1,47 +0,0 @@
 From 628f0f60995c2ed6d2de72bda34e6a62668be74b Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Mon, 16 Nov 2020 17:06:59 -0500
 Subject: [PATCH] libsepol/cil: Remove unused field from struct
 cil_args_resolve
 When resolving names, the struct cil_args_resolve is passed to the
 various resolve functions. The field last_resolved_name is not used.
 Remove the last_resolved_name field from struct cil_args_resolve.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 4 ----
 1 file changed, 4 deletions(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index ea08087d..ed876260 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -51,7 +51,6 @@ struct cil_args_resolve {
 	struct cil_db *db;
 	enum cil_pass pass;
 	uint32_t *changed;
 -	char *last_resolved_name;
 	struct cil_tree_node *optstack;
 	struct cil_tree_node *boolif;
 	struct cil_tree_node *macro;
@@ -3907,7 +3906,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	extra_args.db = db;
 	extra_args.pass = pass;
 	extra_args.changed = &changed;
 -	extra_args.last_resolved_name = NULL;
 	extra_args.optstack = NULL;
 	extra_args.boolif= NULL;
 	extra_args.macro = NULL;
@@ -4236,7 +4234,5 @@ exit:
 		*datum = NULL;
 	}
 -	args->last_resolved_name = name;
 -
 	return rc;
 }
 -- 
 2.30.2
--- a/SOURCES/0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch
+++ b/SOURCES/0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch
@ -1,115 +0,0 @@
 From d668f8e3a0a0361c03881ae3f00509196eaee064 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Mon, 8 Feb 2021 11:23:42 -0500
 Subject: [PATCH] libsepol/cil: Destroy disabled optional blocks after pass is
 complete
 Nicolas Iooss reports:
  I am continuing to investigate OSS-Fuzz crashes and the following one
  is quite complex. Here is a CIL policy which triggers a
  heap-use-after-free error in the CIL compiler:
  (class CLASS (PERM2))
  (classorder (CLASS))
  (classpermission CLSPRM)
  (optional o
      (mlsvalidatetrans x (domby l1 h1))
      (common CLSCOMMON (PERM1))
      (classcommon CLASS CLSCOMMON)
  )
  (classpermissionset CLSPRM (CLASS (PERM1)))
  The issue is that the mlsvalidatetrans fails to resolve in pass
  CIL_PASS_MISC3, which comes after the resolution of classcommon (in
  pass CIL_PASS_MISC2). So:
  * In pass CIL_PASS_MISC2, the optional block still exists, the
  classcommon is resolved and class CLASS is linked with common
  CLSCOMMON.
  * In pass CIL_PASS_MISC3, the optional block is destroyed, including
  the common CLSCOMMON.
  * When classpermissionset is resolved, function cil_resolve_classperms
  uses "common_symtab = &class->common->perms;", which has been freed.
  The use-after-free issue occurs in __cil_resolve_perms (in
  libsepol/cil/src/cil_resolve_ast.c):
    // common_symtab was freed
    rc = cil_symtab_get_datum(common_symtab, curr->data, &perm_datum);
 The fundamental problem here is that when the optional block is
 disabled it is immediately destroyed in the middle of the pass, so
 the class has not been reset and still refers to the now destroyed
 common when the classpermissionset is resolved later in the same pass.
 Added a list, disabled_optionals, to struct cil_args_resolve which is
 passed when resolving the tree. When optionals are disabled, they are
 now added to this list and then are destroyed after the tree has been
 reset between passes.
 Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 Signed-off-by: James Carter <jwcart2@gmail.com>
 Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index ed876260..979fa17d 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -51,6 +51,7 @@ struct cil_args_resolve {
 	struct cil_db *db;
 	enum cil_pass pass;
 	uint32_t *changed;
 +	struct cil_list *disabled_optionals;
 	struct cil_tree_node *optstack;
 	struct cil_tree_node *boolif;
 	struct cil_tree_node *macro;
@@ -3854,7 +3855,7 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
 		if (((struct cil_optional *)parent->data)->enabled == CIL_FALSE) {
 			*(args->changed) = CIL_TRUE;
 -			cil_tree_children_destroy(parent);
 +			cil_list_append(args->disabled_optionals, CIL_NODE, parent);
 		}
 		/* pop off the stack */
@@ -3917,6 +3918,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	extra_args.in_list = NULL;
 	extra_args.blockstack = NULL;
 +	cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
 	cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM);
 	cil_list_init(&extra_args.classorder_lists, CIL_LIST_ITEM);
 	cil_list_init(&extra_args.unordered_classorder_lists, CIL_LIST_ITEM);
@@ -3984,6 +3986,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 		}
 		if (changed && (pass > CIL_PASS_CALL1)) {
 +			struct cil_list_item *item;
 			/* Need to re-resolve because an optional was disabled that contained
 			 * one or more declarations. We only need to reset to the call1 pass 
 			 * because things done in the preceeding passes aren't allowed in 
@@ -4012,6 +4015,11 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 				cil_log(CIL_ERR, "Failed to reset declarations\n");
 				goto exit;
 			}
 +			cil_list_for_each(item, extra_args.disabled_optionals) {
 +				cil_tree_children_destroy(item->data);
 +			}
 +			cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
 +			cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
 		}
 		/* reset the arguments */
@@ -4040,6 +4048,7 @@ exit:
 	__cil_ordered_lists_destroy(&extra_args.catorder_lists);
 	__cil_ordered_lists_destroy(&extra_args.sensitivityorder_lists);
 	__cil_ordered_lists_destroy(&extra_args.unordered_classorder_lists);
 +	cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
 	cil_list_destroy(&extra_args.in_list, CIL_FALSE);
 	return rc;
 -- 
 2.30.2
--- a/SOURCES/0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch
+++ b/SOURCES/0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch
@ -1,63 +0,0 @@
 From 8d7ed6eb2c396d64b1a8f6d516cb9f6f86ba2ece Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Wed, 4 Mar 2020 16:28:11 -0500
 Subject: [PATCH] libsepol/cil: Check if name is a macro parameter first
 Type transition file names are stored in a symbol table. Before the
 name is added, the symbol table is searched to see if the name had
 already been inserted. If it has, then the already existing datum is
 returned. If it has not, then the name is added if either the
 typetransition rule does not occur in a macro or the name is not one
 of the macro parameters.
 Checking for a previous insertion before checking if the name is a
 macro parameter can cause a macro parameter to be treated as the
 actual name if a previous type transition file name is the same as
 the parameter.
 Now check the name to see if it a macro paramter before checking for
 its existence in the symbol table.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index 979fa17d..ae334620 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -76,14 +76,6 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
 	enum cil_sym_index sym_index;
 	struct cil_symtab_datum *datum = NULL;
 -	cil_flavor_to_symtab_index(CIL_NAME, &sym_index);
 -	symtab = &((struct cil_root *)db->ast->root->data)->symtab[sym_index];
 -
 -	cil_symtab_get_datum(symtab, key, &datum);
 -	if (datum != NULL) {
 -		return (struct cil_name *)datum;
 -	}
 -
 	if (parent->flavor == CIL_CALL) {
 		struct cil_call *call = parent->data;
 		macro = call->macro;	
@@ -99,6 +91,14 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
 		}
 	}
 +	cil_flavor_to_symtab_index(CIL_NAME, &sym_index);
 +	symtab = &((struct cil_root *)db->ast->root->data)->symtab[sym_index];
 +
 +	cil_symtab_get_datum(symtab, key, &datum);
 +	if (datum != NULL) {
 +		return (struct cil_name *)datum;
 +	}
 +
 	cil_name_init(&name);
 	cil_symtab_insert(symtab, key, (struct cil_symtab_datum *)name, ast_node);
 	cil_list_append(db->names, CIL_NAME, name);
 -- 
 2.30.2
--- a/SOURCES/0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
+++ b/SOURCES/0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
@ -1,42 +0,0 @@
 From 7cb30b316eda0b2aa8adeaba28a8afe15fc58c28 Mon Sep 17 00:00:00 2001
 From: Nicolas Iooss <nicolas.iooss@m4x.org>
 Date: Sun, 14 Mar 2021 19:25:58 +0100
 Subject: [PATCH] libsepol/cil: fix NULL pointer dereference in
 __cil_insert_name
 OSS-Fuzz found a Null-dereference in __cil_insert_name when trying to
 compile the following policy:
    (macro MACRO ()
        (classmap CLASS (PERM))
        (type TYPE)
        (typetransition TYPE TYPE CLASS "name" TYPE)
    )
    (call MACRO)
 When using a macro with no argument, macro->params is NULL and
 cil_list_for_each(item, macro->params) dereferenced a NULL pointer.
 Fix this by checking that macro->params is not NULL before using it.
 Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28565
 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index ae334620..91e08633 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -82,7 +82,7 @@ static struct cil_name * __cil_insert_name(struct cil_db *db, hashtab_key_t key,
 	} else if (parent->flavor == CIL_MACRO) {
 		macro = parent->data;
 	}
 -	if (macro != NULL) {
 +	if (macro != NULL && macro->params != NULL) {
 		struct cil_list_item *item;
 		cil_list_for_each(item, macro->params) {
 			if (((struct cil_param*)item->data)->str == key) {
 -- 
 2.30.2
--- a/SOURCES/0016-libsepol-cil-Report-disabling-an-optional-block-only.patch
+++ b/SOURCES/0016-libsepol-cil-Report-disabling-an-optional-block-only.patch
@ -1,43 +0,0 @@
 From 2f9ce13779d3b92198e60cdbd3d19e7c08b5457f Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@tycho.nsa.gov>
 Date: Fri, 1 Nov 2019 09:50:53 -0400
 Subject: [PATCH] libsepol/cil: Report disabling an optional block only at high
 verbose levels
 Since failing to resolve a statement in an optional block is normal,
 only display messages about the statement failing to resolve and the
 optional block being disabled at the highest verbosity level.
 These messages are now only at log level CIL_INFO instead of CIL_WARN.
 Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index 91e08633..dab8b276 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3765,14 +3765,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 		enum cil_log_level lvl = CIL_ERR;
 		if (optstack != NULL) {
 -			lvl = CIL_WARN;
 +			lvl = CIL_INFO;
 			struct cil_optional *opt = (struct cil_optional *)optstack->data;
 			struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
 -			cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
 			/* disable an optional if something failed to resolve */
 			opt->enabled = CIL_FALSE;
 +			cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
 +			cil_tree_log(opt_node, lvl, "Disabling optional '%s'", opt->datum.name);
 			rc = SEPOL_OK;
 +			goto exit;
 		}
 		cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
 -- 
 2.30.2
--- a/SOURCES/0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch
+++ b/SOURCES/0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch
@ -1,249 +0,0 @@
 From 599c1422479ae9dd9501c43680bf4a1667e7c951 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:15 -0400
 Subject: [PATCH] libsepol/cil: Use AST to track blocks and optionals when
 resolving
 When resolving the AST, block and optional stacks are used to
 determine if the current rule being resolved is in a block or
 an optional. There is no need to do this since the parent node
 pointers can be used when exiting a block or an optional to
 determine if resolution is still within a block or an optional.
 When entering either a block or an optional, update the appropriate
 tree node pointer. When finished with the last child of a block or
 optional, set the appropriate pointer to NULL. If a parent of the
 same kind is found when the parent node pointers are followed back
 to the root node, then set the pointer to that tree node.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 107 +++++++++--------------------
 1 file changed, 32 insertions(+), 75 deletions(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index dab8b276..e0379782 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -52,10 +52,10 @@ struct cil_args_resolve {
 	enum cil_pass pass;
 	uint32_t *changed;
 	struct cil_list *disabled_optionals;
 -	struct cil_tree_node *optstack;
 +	struct cil_tree_node *optional;
 	struct cil_tree_node *boolif;
 	struct cil_tree_node *macro;
 -	struct cil_tree_node *blockstack;
 +	struct cil_tree_node *block;
 	struct cil_list *sidorder_lists;
 	struct cil_list *classorder_lists;
 	struct cil_list *unordered_classorder_lists;
@@ -3692,16 +3692,16 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	int rc = SEPOL_ERR;
 	struct cil_args_resolve *args = extra_args;
 	enum cil_pass pass = args->pass;
 -	struct cil_tree_node *optstack = args->optstack;
 +	struct cil_tree_node *optional = args->optional;
 	struct cil_tree_node *boolif = args->boolif;
 -	struct cil_tree_node *blockstack = args->blockstack;
 +	struct cil_tree_node *block = args->block;
 	struct cil_tree_node *macro = args->macro;
 	if (node == NULL) {
 		goto exit;
 	}
 -	if (optstack != NULL) {
 +	if (optional != NULL) {
 		if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
 			/* tuanbles and macros are not allowed in optionals*/
 			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
@@ -3710,7 +3710,7 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 		}
 	}
 -	if (blockstack != NULL) {
 +	if (block != NULL) {
 		if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) {
 			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
 			rc = SEPOL_ERR;
@@ -3764,11 +3764,11 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	if (rc == SEPOL_ENOENT) {
 		enum cil_log_level lvl = CIL_ERR;
 -		if (optstack != NULL) {
 +		if (optional != NULL) {
 			lvl = CIL_INFO;
 -			struct cil_optional *opt = (struct cil_optional *)optstack->data;
 -			struct cil_tree_node *opt_node = opt->datum.nodes->head->data;
 +			struct cil_optional *opt = (struct cil_optional *)optional->data;
 +			struct cil_tree_node *opt_node = NODE(opt);;
 			/* disable an optional if something failed to resolve */
 			opt->enabled = CIL_FALSE;
 			cil_tree_log(node, lvl, "Failed to resolve %s statement", cil_node_to_string(node));
@@ -3791,39 +3791,18 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex
 {
 	int rc = SEPOL_ERR;
 	struct cil_args_resolve *args = extra_args;
 -	struct cil_tree_node *optstack = NULL;
 	struct cil_tree_node *parent = NULL;
 -	struct cil_tree_node *blockstack = NULL;
 -	struct cil_tree_node *new = NULL;
 	if (current == NULL || extra_args == NULL) {
 		goto exit;
 	}
 -	optstack = args->optstack;
 	parent = current->parent;
 -	blockstack = args->blockstack;
 -	if (parent->flavor == CIL_OPTIONAL || parent->flavor == CIL_BLOCK) {
 -		/* push this node onto a stack */
 -		cil_tree_node_init(&new);
 -
 -		new->data = parent->data;
 -		new->flavor = parent->flavor;
 -
 -		if (parent->flavor == CIL_OPTIONAL) {
 -			if (optstack != NULL) {
 -				optstack->parent = new;
 -				new->cl_head = optstack;
 -			}
 -			args->optstack = new;
 -		} else if (parent->flavor == CIL_BLOCK) {
 -			if (blockstack != NULL) {
 -				blockstack->parent = new;
 -				new->cl_head = blockstack;
 -			}
 -			args->blockstack = new;
 -		}
 +	if (parent->flavor == CIL_BLOCK) {
 +		args->block = parent;
 +	} else if (parent->flavor == CIL_OPTIONAL) {
 +		args->optional = parent;
 	} else if (parent->flavor == CIL_BOOLEANIF) {
 		args->boolif = parent;
 	} else if (parent->flavor == CIL_MACRO) {
@@ -3842,7 +3821,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
 	int rc = SEPOL_ERR;
 	struct cil_args_resolve *args = extra_args;
 	struct cil_tree_node *parent = NULL;
 -	struct cil_tree_node *blockstack = NULL;
 	if (current == NULL ||  extra_args == NULL) {
 		goto exit;
@@ -3853,30 +3831,31 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
 	if (parent->flavor == CIL_MACRO) {
 		args->macro = NULL;
 	} else if (parent->flavor == CIL_OPTIONAL) {
 -		struct cil_tree_node *optstack;
 -
 +		struct cil_tree_node *n = parent->parent;
 		if (((struct cil_optional *)parent->data)->enabled == CIL_FALSE) {
 			*(args->changed) = CIL_TRUE;
 			cil_list_append(args->disabled_optionals, CIL_NODE, parent);
 		}
 -
 -		/* pop off the stack */
 -		optstack = args->optstack;
 -		args->optstack = optstack->cl_head;
 -		if (optstack->cl_head) {
 -			optstack->cl_head->parent = NULL;
 +		args->optional = NULL;
 +		while (n && n->flavor != CIL_ROOT) {
 +			if (n->flavor == CIL_OPTIONAL) {
 +				args->optional = n;
 +				break;
 +			}
 +			n = n->parent;
 		}
 -		free(optstack);
 	} else if (parent->flavor == CIL_BOOLEANIF) {
 		args->boolif = NULL;
 	} else if (parent->flavor == CIL_BLOCK) {
 -		/* pop off the stack */
 -		blockstack = args->blockstack;
 -		args->blockstack = blockstack->cl_head;
 -		if (blockstack->cl_head) {
 -			blockstack->cl_head->parent = NULL;
 +		struct cil_tree_node *n = parent->parent;
 +		args->block = NULL;
 +		while (n && n->flavor != CIL_ROOT) {
 +			if (n->flavor == CIL_BLOCK) {
 +				args->block = n;
 +				break;
 +			}
 +			n = n->parent;
 		}
 -		free(blockstack);
 	}
 	return SEPOL_OK;
@@ -3885,16 +3864,6 @@ exit:
 	return rc;
 }
 -static void cil_destroy_tree_node_stack(struct cil_tree_node *curr)
 -{
 -	struct cil_tree_node *next;
 -	while (curr != NULL) {
 -		next = curr->cl_head;
 -		free(curr);
 -		curr = next;
 -	}
 -}
 -
 int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 {
 	int rc = SEPOL_ERR;
@@ -3909,7 +3878,8 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	extra_args.db = db;
 	extra_args.pass = pass;
 	extra_args.changed = &changed;
 -	extra_args.optstack = NULL;
 +	extra_args.block = NULL;
 +	extra_args.optional = NULL;
 	extra_args.boolif= NULL;
 	extra_args.macro = NULL;
 	extra_args.sidorder_lists = NULL;
@@ -3918,7 +3888,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	extra_args.catorder_lists = NULL;
 	extra_args.sensitivityorder_lists = NULL;
 	extra_args.in_list = NULL;
 -	extra_args.blockstack = NULL;
 	cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
 	cil_list_init(&extra_args.sidorder_lists, CIL_LIST_ITEM);
@@ -4022,17 +3991,7 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 			}
 			cil_list_destroy(&extra_args.disabled_optionals, CIL_FALSE);
 			cil_list_init(&extra_args.disabled_optionals, CIL_NODE);
 -		}
 -
 -		/* reset the arguments */
 -		changed = 0;
 -		while (extra_args.optstack != NULL) {
 -			cil_destroy_tree_node_stack(extra_args.optstack);
 -			extra_args.optstack = NULL;
 -		}
 -		while (extra_args.blockstack!= NULL) {
 -			cil_destroy_tree_node_stack(extra_args.blockstack);
 -			extra_args.blockstack = NULL;
 +			changed = 0;
 		}
 	}
@@ -4043,8 +4002,6 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	rc = SEPOL_OK;
 exit:
 -	cil_destroy_tree_node_stack(extra_args.optstack);
 -	cil_destroy_tree_node_stack(extra_args.blockstack);
 	__cil_ordered_lists_destroy(&extra_args.sidorder_lists);
 	__cil_ordered_lists_destroy(&extra_args.classorder_lists);
 	__cil_ordered_lists_destroy(&extra_args.catorder_lists);
 -- 
 2.30.2
--- a/SOURCES/0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch
+++ b/SOURCES/0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch
@ -1,175 +0,0 @@
 From 88f4d1c0b93d6a359d7fc7b2116de0da32c74ca5 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:16 -0400
 Subject: [PATCH] libsepol/cil: Reorder checks for invalid rules when resolving
 AST
 Reorder checks for invalid rules in the blocks of tunableifs,
 in-statements, macros, and booleanifs when resolving the AST for
 consistency.
 Order the checks in the same order the blocks will be resolved in,
 so tuanbleif, in-statement, macro, booleanif, and then non-block
 rules.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_resolve_ast.c | 76 +++++++++++++++---------------
 1 file changed, 39 insertions(+), 37 deletions(-)
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index e0379782..c520c44a 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -52,10 +52,10 @@ struct cil_args_resolve {
 	enum cil_pass pass;
 	uint32_t *changed;
 	struct cil_list *disabled_optionals;
 +	struct cil_tree_node *block;
 +	struct cil_tree_node *macro;
 	struct cil_tree_node *optional;
 	struct cil_tree_node *boolif;
 -	struct cil_tree_node *macro;
 -	struct cil_tree_node *block;
 	struct cil_list *sidorder_lists;
 	struct cil_list *classorder_lists;
 	struct cil_list *unordered_classorder_lists;
@@ -3692,50 +3692,52 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	int rc = SEPOL_ERR;
 	struct cil_args_resolve *args = extra_args;
 	enum cil_pass pass = args->pass;
 -	struct cil_tree_node *optional = args->optional;
 -	struct cil_tree_node *boolif = args->boolif;
 	struct cil_tree_node *block = args->block;
 	struct cil_tree_node *macro = args->macro;
 +	struct cil_tree_node *optional = args->optional;
 +	struct cil_tree_node *boolif = args->boolif;
 	if (node == NULL) {
 		goto exit;
 	}
 -	if (optional != NULL) {
 -		if (node->flavor == CIL_TUNABLE || node->flavor == CIL_MACRO) {
 -			/* tuanbles and macros are not allowed in optionals*/
 -			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
 +	if (block != NULL) {
 +		if (node->flavor == CIL_CAT ||
 +		    node->flavor == CIL_SENS) {
 +			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 	}
 -	if (block != NULL) {
 -		if (node->flavor == CIL_CAT || node->flavor == CIL_SENS) {
 -			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in blocks", cil_node_to_string(node));
 +	if (macro != NULL) {
 +		if (node->flavor == CIL_BLOCK ||
 +		    node->flavor == CIL_BLOCKINHERIT ||
 +		    node->flavor == CIL_BLOCKABSTRACT ||
 +		    node->flavor == CIL_MACRO) {
 +			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node));
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 	}
 -	if (macro != NULL) {
 -		if (node->flavor == CIL_BLOCKINHERIT ||
 -			node->flavor == CIL_BLOCK ||
 -			node->flavor == CIL_BLOCKABSTRACT ||
 -			node->flavor == CIL_MACRO) {
 -			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in macros", cil_node_to_string(node));
 +	if (optional != NULL) {
 +		if (node->flavor == CIL_TUNABLE ||
 +		    node->flavor == CIL_MACRO) {
 +			/* tuanbles and macros are not allowed in optionals*/
 +			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
 			rc = SEPOL_ERR;
 			goto exit;
 		}
 	}
 	if (boolif != NULL) {
 -		if (!(node->flavor == CIL_CONDBLOCK ||
 -			node->flavor == CIL_AVRULE ||
 -			node->flavor == CIL_TYPE_RULE ||
 -			node->flavor == CIL_CALL ||
 -			node->flavor == CIL_TUNABLEIF ||
 -			node->flavor == CIL_NAMETYPETRANSITION)) {
 +		if (!(node->flavor == CIL_TUNABLEIF ||
 +		      node->flavor == CIL_CALL ||
 +		      node->flavor == CIL_CONDBLOCK ||
 +		      node->flavor == CIL_AVRULE ||
 +		      node->flavor == CIL_TYPE_RULE ||
 +		      node->flavor == CIL_NAMETYPETRANSITION)) {
 			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
 				cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
 			} else {
@@ -3801,12 +3803,12 @@ int __cil_resolve_ast_first_child_helper(struct cil_tree_node *current, void *ex
 	if (parent->flavor == CIL_BLOCK) {
 		args->block = parent;
 +	} else if (parent->flavor == CIL_MACRO) {
 +		args->macro = parent;
 	} else if (parent->flavor == CIL_OPTIONAL) {
 		args->optional = parent;
 	} else if (parent->flavor == CIL_BOOLEANIF) {
 		args->boolif = parent;
 -	} else if (parent->flavor == CIL_MACRO) {
 -		args->macro = parent;
 	}
 	return SEPOL_OK;
@@ -3828,7 +3830,17 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
 	parent = current->parent;
 -	if (parent->flavor == CIL_MACRO) {
 +	if (parent->flavor == CIL_BLOCK) {
 +		struct cil_tree_node *n = parent->parent;
 +		args->block = NULL;
 +		while (n && n->flavor != CIL_ROOT) {
 +			if (n->flavor == CIL_BLOCK) {
 +				args->block = n;
 +				break;
 +			}
 +			n = n->parent;
 +		}
 +	} else if (parent->flavor == CIL_MACRO) {
 		args->macro = NULL;
 	} else if (parent->flavor == CIL_OPTIONAL) {
 		struct cil_tree_node *n = parent->parent;
@@ -3846,16 +3858,6 @@ int __cil_resolve_ast_last_child_helper(struct cil_tree_node *current, void *ext
 		}
 	} else if (parent->flavor == CIL_BOOLEANIF) {
 		args->boolif = NULL;
 -	} else if (parent->flavor == CIL_BLOCK) {
 -		struct cil_tree_node *n = parent->parent;
 -		args->block = NULL;
 -		while (n && n->flavor != CIL_ROOT) {
 -			if (n->flavor == CIL_BLOCK) {
 -				args->block = n;
 -				break;
 -			}
 -			n = n->parent;
 -		}
 	}
 	return SEPOL_OK;
@@ -3879,9 +3881,9 @@ int cil_resolve_ast(struct cil_db *db, struct cil_tree_node *current)
 	extra_args.pass = pass;
 	extra_args.changed = &changed;
 	extra_args.block = NULL;
 +	extra_args.macro = NULL;
 	extra_args.optional = NULL;
 	extra_args.boolif= NULL;
 -	extra_args.macro = NULL;
 	extra_args.sidorder_lists = NULL;
 	extra_args.classorder_lists = NULL;
 	extra_args.unordered_classorder_lists = NULL;
 -- 
 2.30.2
--- a/SOURCES/0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch
+++ b/SOURCES/0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch
@ -1,86 +0,0 @@
 From dadf1e9ad66318fdd814cf06af2b83741467a3d8 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:17 -0400
 Subject: [PATCH] libsepol/cil: Sync checks for invalid rules in booleanifs
 When building the AST, typemember rules in a booleanif block will
 be incorrectly called invalid. They are allowed in the kernel
 policy and should be allowed in CIL.
 When resolving the AST, if a neverallow rule is copied into a
 booleanif block, it will not be considered an invalid rule, even
 though this is not allowed in the kernel policy.
 Update the booleanif checks to allow typemember rules and to not
 allow neverallow rules in booleanifs. Also use the same form of
 conditional for the checks when building and resolving the AST.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c   |  3 ++-
 libsepol/cil/src/cil_resolve_ast.c | 23 +++++++++++++++--------
 2 files changed, 17 insertions(+), 9 deletions(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index ceb55324..3a91be03 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -6136,7 +6136,8 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 			parse_current->data != CIL_KEY_DONTAUDIT &&
 			parse_current->data != CIL_KEY_AUDITALLOW &&
 			parse_current->data != CIL_KEY_TYPETRANSITION &&
 -			parse_current->data != CIL_KEY_TYPECHANGE) {
 +			parse_current->data != CIL_KEY_TYPECHANGE &&
 +			parse_current->data != CIL_KEY_TYPEMEMBER) {
 			rc = SEPOL_ERR;
 			cil_tree_log(parse_current, CIL_ERR, "Found %s", (char*)parse_current->data);
 			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index c520c44a..06b6ab48 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3689,7 +3689,7 @@ exit:
 int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args)
 {
 -	int rc = SEPOL_ERR;
 +	int rc = SEPOL_OK;
 	struct cil_args_resolve *args = extra_args;
 	enum cil_pass pass = args->pass;
 	struct cil_tree_node *block = args->block;
@@ -3732,18 +3732,25 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	}
 	if (boolif != NULL) {
 -		if (!(node->flavor == CIL_TUNABLEIF ||
 -		      node->flavor == CIL_CALL ||
 -		      node->flavor == CIL_CONDBLOCK ||
 -		      node->flavor == CIL_AVRULE ||
 -		      node->flavor == CIL_TYPE_RULE ||
 -		      node->flavor == CIL_NAMETYPETRANSITION)) {
 +		if (node->flavor != CIL_TUNABLEIF &&
 +			node->flavor != CIL_CALL &&
 +			node->flavor != CIL_CONDBLOCK &&
 +			node->flavor != CIL_AVRULE &&
 +			node->flavor != CIL_TYPE_RULE &&
 +			node->flavor != CIL_NAMETYPETRANSITION) {
 +			rc = SEPOL_ERR;
 +		} else if (node->flavor == CIL_AVRULE) {
 +			struct cil_avrule *rule = node->data;
 +			if (rule->rule_kind == CIL_AVRULE_NEVERALLOW) {
 +				rc = SEPOL_ERR;
 +			}
 +		}
 +		if (rc == SEPOL_ERR) {
 			if (((struct cil_booleanif*)boolif->data)->preserved_tunable) {
 				cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs (tunableif treated as a booleanif)", cil_node_to_string(node));
 			} else {
 				cil_tree_log(node, CIL_ERR, "%s statement is not allowed in booleanifs", cil_node_to_string(node));
 			}
 -			rc = SEPOL_ERR;
 			goto exit;
 		}
 	}
 -- 
 2.30.2
--- a/SOURCES/0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch
+++ b/SOURCES/0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch
@ -1,151 +0,0 @@
 From 0e420cc6f6debc2050229ea537b592c963b81a7c Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Tue, 30 Mar 2021 13:39:18 -0400
 Subject: [PATCH] libsepol/cil: Check for statements not allowed in optional
 blocks
 While there are some checks for invalid statements in an optional
 block when resolving the AST, there are no checks when building the
 AST.
 OSS-Fuzz found the following policy which caused a null dereference
 in cil_tree_get_next_path().
  (blockinherit b3)
  (sid SID)
  (sidorder(SID))
  (optional o
    (ibpkeycon :(1 0)s)
    (block b3
      (filecon""block())
      (filecon""block())))
 The problem is that the blockinherit copies block b3 before
 the optional block is disabled. When the optional is disabled,
 block b3 is deleted along with everything else in the optional.
 Later, when filecon statements with the same path are found an
 error message is produced and in trying to find out where the block
 was copied from, the reference to the deleted block is used. The
 error handling code assumes (rightly) that if something was copied
 from a block then that block should still exist.
 It is clear that in-statements, blocks, and macros cannot be in an
 optional, because that allows nodes to be copied from the optional
 block to somewhere outside even though the optional could be disabled
 later. When optionals are disabled the AST is reset and the
 resolution is restarted at the point of resolving macro calls, so
 anything resolved before macro calls will never be re-resolved.
 This includes tunableifs, in-statements, blockinherits,
 blockabstracts, and macro definitions. Tunable declarations also
 cannot be in an optional block because they are needed to resolve
 tunableifs. It should be fine to allow blockinherit statements in
 an optional, because that is copying nodes from outside the optional
 to the optional and if the optional is later disabled, everything
 will be deleted anyway.
 Check and quit with an error if a tunable declaration, in-statement,
 block, blockabstract, or macro definition is found within an
 optional when either building or resolving the AST.
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 libsepol/cil/src/cil_build_ast.c   | 32 ++++++++++++++++++++++++++++++
 libsepol/cil/src/cil_resolve_ast.c |  4 +++-
 2 files changed, 35 insertions(+), 1 deletion(-)
 diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
 index 3a91be03..4f72884c 100644
 --- a/libsepol/cil/src/cil_build_ast.c
 +++ b/libsepol/cil/src/cil_build_ast.c
@@ -52,6 +52,7 @@ struct cil_args_build {
 	struct cil_tree_node *tunif;
 	struct cil_tree_node *in;
 	struct cil_tree_node *macro;
 +	struct cil_tree_node *optional;
 	struct cil_tree_node *boolif;
 };
@@ -6077,6 +6078,7 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 	struct cil_tree_node *tunif = args->tunif;
 	struct cil_tree_node *in = args->in;
 	struct cil_tree_node *macro = args->macro;
 +	struct cil_tree_node *optional = args->optional;
 	struct cil_tree_node *boolif = args->boolif;
 	struct cil_tree_node *ast_node = NULL;
 	int rc = SEPOL_ERR;
@@ -6127,6 +6129,18 @@ int __cil_build_ast_node_helper(struct cil_tree_node *parse_current, uint32_t *f
 		}
 	}
 +	if (optional != NULL) {
 +		if (parse_current->data == CIL_KEY_TUNABLE ||
 +			parse_current->data == CIL_KEY_IN ||
 +			parse_current->data == CIL_KEY_BLOCK ||
 +			parse_current->data == CIL_KEY_BLOCKABSTRACT ||
 +			parse_current->data == CIL_KEY_MACRO) {
 +			rc = SEPOL_ERR;
 +			cil_tree_log(parse_current, CIL_ERR, "%s is not allowed in optionals", (char *)parse_current->data);
 +			goto exit;
 +		}
 +	}
 +
 	if (boolif != NULL) {
 		if (parse_current->data != CIL_KEY_TUNABLEIF &&
 			parse_current->data != CIL_KEY_CALL &&
@@ -6468,6 +6482,10 @@ int __cil_build_ast_first_child_helper(__attribute__((unused)) struct cil_tree_n
 		args->macro = ast;
 	}
 +	if (ast->flavor == CIL_OPTIONAL) {
 +		args->optional = ast;
 +	}
 +
 	if (ast->flavor == CIL_BOOLEANIF) {
 		args->boolif = ast;
 	}
@@ -6498,6 +6516,19 @@ int __cil_build_ast_last_child_helper(struct cil_tree_node *parse_current, void
 		args->macro = NULL;
 	}
 +	if (ast->flavor == CIL_OPTIONAL) {
 +		struct cil_tree_node *n = ast->parent;
 +		args->optional = NULL;
 +		/* Optionals can be nested */
 +		while (n && n->flavor != CIL_ROOT) {
 +			if (n->flavor == CIL_OPTIONAL) {
 +				args->optional = n;
 +				break;
 +			}
 +			n = n->parent;
 +		}
 +	}
 +
 	if (ast->flavor == CIL_BOOLEANIF) {
 		args->boolif = NULL;
 	}
@@ -6526,6 +6557,7 @@ int cil_build_ast(struct cil_db *db, struct cil_tree_node *parse_tree, struct ci
 	extra_args.tunif = NULL;
 	extra_args.in = NULL;
 	extra_args.macro = NULL;
 +	extra_args.optional = NULL;
 	extra_args.boolif = NULL;
 	rc = cil_tree_walk(parse_tree, __cil_build_ast_node_helper, __cil_build_ast_first_child_helper, __cil_build_ast_last_child_helper, &extra_args);
 diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
 index 06b6ab48..8ffab438 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -3723,8 +3723,10 @@ int __cil_resolve_ast_node_helper(struct cil_tree_node *node, uint32_t *finished
 	if (optional != NULL) {
 		if (node->flavor == CIL_TUNABLE ||
 +			node->flavor == CIL_IN ||
 +			node->flavor == CIL_BLOCK ||
 +			node->flavor == CIL_BLOCKABSTRACT ||
 		    node->flavor == CIL_MACRO) {
 -			/* tuanbles and macros are not allowed in optionals*/
 			cil_tree_log(node, CIL_ERR, "%s statement is not allowed in optionals", cil_node_to_string(node));
 			rc = SEPOL_ERR;
 			goto exit;
 -- 
 2.30.2
--- a/18
+++ b/18
@ -0,0 +1,18 @@
 srpm libsepol
 mcd $BUILDDIR/t-libsepol
 rsync -av $SRC/libsepol*/ ./
 make $J \
    CC=${TARGET}-gcc \
    AS=${TARGET}-as \
    AR=${TARGET}-ar \
    STRIP=${TARGET}-strip \
    RANLIB=${TARGET}-ranlib \
    CFLAGS="" \
    TLSFLAGS="" \
    all
 ARGS="DESTDIR=${ROOTFS}"
 if [ "$SUFFIX" = "64" ]
 then
    ARGS="$ARGS LIBDIR=${ROOTFS}/usr/lib64 SHLIBDIR=${ROOTFS}/usr/lib64"
 fi
 make $J $ARGS install
--- a/bachradsusi.gpg
+++ b/bachradsusi.gpg
@ -0,0 +1,438 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBE97JQcBEAC/aeBxbuToAJokMiVxtMVFoUMgCbcVQDB21YhMq4i5a/HDzFno
 qVPhQjGViGTKXQYR7SnT8CCfC3ggG7hqU0oaWKN3D003V6e/ivTJwMKrQRFqf5/A
 vN7ELulXFxEt/ZjYmvTukpW5Li2AU7JBD0aO243Ld9jYdZOZn2zdfA8IpnE9Bmm3
 K/LO1Xb2F9ujF9faI5/IlJvdUFk3uiCKTSvM8kGwOmAwBI921Z5x/CYvy5kKEazU
 lUxMqECl+Tu2YS6NDhWYNkifAIZ7lsUvGjW3/wfh7AvmAQyt/CxOXu9LL2nGzFhw
 CIS4jVIxy5bDswNfHcaMX7B5WEyqTPtjzPAEMiLL4yHJZrHDPd26QHSaqtilVA4K
 AeTYbME8iZIdacquFEq02PO9qAM21O48OknCTSolF7z6nBkk6l26W3EL+Gz5I2Et
 3S9pab3FMjiiKVavM6UA5D0DQkNxxDn9blDXZyhX4HFrk+NnoETcGYFymPbbijgi
 kFC4339/Z1aK31aJLkxiana5mqLthD4jCeg3B8Cp5IurqPr8QEh3FH8ZZhtdx2fX
 TXHTmGQF/lXG4tg1eH5cb6wWGU93wD+5mf6czJlUZTY+kdevKtZCQnA0/2ENCOFW
 Jdm/oMTUw6ozPd474ctzWKeO78e8yMvZst/Zp3Gq6SD9kcoPgiuMQ+BOkwARAQAB
 tCRQZXRyIExhdXRyYmFjaCA8cGxhdXRyYmFAcmVkaGF0LmNvbT6JAjgEEwECACIF
 Ak97JQcCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEGOorUuYLENzy1MP
 /2c4fH8eXWbqoot/vLE+hJ14k0leYOQhVSo4lNlxRlbKNd5MQSX/QjkQgJNECbB3
 LM0KxE/zwVOZ+umvmxLxNskOxjubE6NzoF7Sm9ydoqjwzenIpR9BVtg71mfjBOoL
 PNrst7tHRE5btSnnnOS9ddt/y9JOIvQpkjtBTI2TfVcp2b4Domg7i4qU/hJ7hu45
 5oAi6rPPkr0pcGiDKTqi46l7+9orsj9Mxs1XTmrTMMB/eV6PCU7Fo4WJNXS8SXd3
 sEVxXvpyYjUTTnDuewjT1q8NL7anrsckS16WYSVGKzRhqtP1Vudt1F/D5cWKVqQp
 vQl/XW/uQS2IsgEWsbRmIAEZIUOy4TnuF494C/A+1BbJBdUr4Nl9zPH2bjrJeqYk
 TsvGQr1icgO4pUg5oC456htkqCxCuPRqqrGDAZBx54TldgPwvCo31+aPQJlOlWvI
 uWD/depp0De3oTK9FDnHh3swE0vyn4Ht96+vM+KNnDYgJ1FEaw1efYePFACobvEB
 o2ZpLbnDyqAT4MzfHpHSbwzUOk52ZOnkl/KrUIOxhXtf4dxRS6J70Rzb+HWS3rY/
 LgaMO5Q0BJfbvknguKmE8dO8jx0pTlVER9ujqp+bVPXmFMha1j8vyGhJ3eLJZaRL
 k3jgfRjiUUb4lNp+hXpvBwIYeFWl5kFVKg2aPywgnnFWiEYEExECAAYFAlBq4WgA
 CgkQ4J/vJdlkhKxmjQCfevlawFaGTx58nDFN+4j/2U6uaGcAn2g1sZcTUrEEYHdL
 byAyw1GNLksOiF4EEBEIAAYFAk99mCMACgkQ/2iSBAM3HxDivAD+Lu8U54iGgL5+
 h9KpeV+ZlHgIpj4cD+BVL85L6AQ3GP0A/1TwZ1tS6Ag3ut2G6AL2wewR3v9Mgu68
 E0M5esz5of4oiQEcBBMBAgAGBQJPh9ZuAAoJEBliWhMliBCHMSUH/30V/E930OTT
 oWeq+QKkTJuMF0lrA5NaAy+xWtrynMKoiAuM0KFNGPfrPehkoxR4D+MKXH+xh0j2
 bHl6fXOHJCKZLhCtsC/o8j7kkjIJjixBlwYMul21rxecke7Zt4XpxHARJx4208Lk
 ztpzOd7ZnDP6KYav3itpxK8Eyj4g8N2omoTQ2Dcd+sCa0jgRkyskpPxdt0fK0D04
 XW7b1LZkxwzwrAGSpjAZVzpKBXANcSmUQDAaIhGvYSKoiwVe2eaE5lUmvAaJQaTr
 Ud/LCIwFofTLSaBRX8fEOe+UwvW36VtynPyETyROeTMp//Cm5e2CQVPoDv79soyi
 E/oUW9DFDhCJARwEEwECAAYFAk+Oe6EACgkQlGXZM5TcxIlIRwf/VjfbN3eVf648
 vXvDctsXfucl37i6Yue2COJiGYuZOrN7wYxVvH2to8P3V53YV9OqDpJl2NXUro1V
 iUjFHuIKp23VbtyBAYsrLeTMmHLjnXlaUPSr6JUDHUQhCF34BTk17e9y7tXlEshF
 YVyPlGum7JhyarHB2rRdjQk8kyTqmQ4yHjw/nP/HlvVxdgb+mTmudTPVBafOT1R9
 MJ/SN2x4bclT4cQ0hjNEy/TsFzVduQj8yNOMFG9r6p1Vb+u1wn3BTANIh55R9aDh
 3JFFIV/jBTkxukxR5iyGQiR53nl0e0qnQFxpfhFGclh0RktjrHZ3DBAzcuYXp540
 Vu9aq9QuPIkCHAQQAQIABgUCT4bdRgAKCRDCPZG7HYJE34FtEACfqPwWSItk1lNX
 E0HOM1YuHXFfMGURF1AotskJatwtjGy9oDUQkjfsPROnWjgH9s0xD2UmlTrjJfWi
 BdH0kTLiExVUOmvnM9VFMRhYxQZMwiHecm4FZ5IWUz4e05oGCkHFbMswXEoEG+qq
 btOfLNpX67yy/JM6We+8PiXV/c2vaErpH5S8YChb5wD9lEWNM2aPBOUmbzONM1/f
 EFd8AF6fUVYN7htuyG1n5zTv+oowmO2c0terJRGmMgVuLugIEnKKhaQ+H1K6bdZJ
 7mX4xxx5izEyYeYhi9DhBHSwCLhWR+Yilqkc5U0nrF+3Z+Cb9THHppi071OIQ7pX
 rGsQSpDzGRXCw0nKEBm0Li13re8cOoHMlPD0RHWZEIRZGSYX1YKBtVuv4kpSq8GN
 85lZSDKGRNtbJBS7Qj4vyOlOrBO1eyyd4lepQCe2Ri3gU97rek52tOM+fAIibz7V
 b4a0qbbphrz6PVMbDGiBxM92+YpdDyZGyL7wJ4g6DhRRcEUQahlZ1n7y+YQ60ETs
 zt7+kD08Zi2BoJpiMHsFfoas2pot7VePFxGutwvq0p+OHSVlwkLgOaORPHumLA8u
 J3BGlJTHsErUB2EEgdc/Tv1vsZzEI3Zi+hqw1gcbke21Ii8aDfshbeKW9hYJAhnW
 m8VdF3n80UX5Eg56iybrLCjEyiAEYYkCHAQQAQIABgUCT7yYRAAKCRBOBfZjp6Qb
 nnyTD/4gVbq8H5ka7fVdSAnX65/kFn5xkqGzbpCkjcqe/5uI2CvdYtjeQ4K6sm7I
 5RLoyu/EE/JPbCRHiucsEak42WAZSRte/Wn2yTQpIb0mQ0wXJvuM+Hx7DSx2R12P
 9rIZ4mGo/rEtdG7Y9Vog9M/XGx7w5IqSw2DF2yiYQJXsOzHjphfYB8JfoqjW/73k
 n4E2IRJtCuWhfiJZJ+GEGceSBIredH3o01ThtbAeh/gzPRF3FU1361zyA1sXtmGe
 qwnhNL1spHRlpub3cvAXQ8RSYrNdiFZB5zohNt+iL+qzVWaUJo+vYZal1Co5/roI
 HN5nJef8kp1ngaYKvf1hIVvsdQsilVQIXKFWMd47aU6W8gPr1W2+U4yw+q+OXari
 eo7gpH7/OvMSe/3wOhGVD8KJrMwAVnr3M4wo2CM6zlwxPGdltQI+IxDD8NTGTmNT
 rRARYRQaFQyqd1SrVt4sSkeoegrpOG4oWXya/v4SeXHD4vt8vvvX3A4szB73a355
 IfbyRXDER3EfFfW5c+BnR3bxhfATTE6T0AKz1Gq30Xm2ycTGYCAZ2yBKewaegTpx
 3O/E6APTXUnVWTIPQay8T4iVUiLFs7W1UFMY/RvmIvKKFIQWcm5O0L+27PJK+YSx
 Uoo1Ivt1pclTuetbRbN8VnR3K9Pp5uZ4KLz6ZkffmJg2sOSu74kCHAQSAQgABgUC
 WWMlagAKCRAyfirUINN1OOtFD/4jW0ZMGigpruCnvY0nr47rA12X6dJ6+KIBE+XB
 QxuaQRjM5u44geksDwrqZ0nXrNvsa4SVwAhKVOrgMJVdzvUa1m2yeNCFHOTjln6Q
 GjZ5f3a6aj6n/X5tlPptdklUr9ucEwXVd5fFMpWAiwaqZt38I2u0Pi+/qHDt0kLy
 RSukmRPzRuS/kO1ugGO4aoO+sanVDl2Pq6LIwubL1Unk2HUerg8VCAyQrxYtZtHc
 coyhmBTlAb+EmZnUVbQZ3Uy3eA89OuNTBhJWCk8vqROFm257MiH6gvG/V8CTrJfz
 lpE+s9E6kxXhXpQWZUwtwWObq7vrJVkJhRwBsO9N2erxe+biBauFErYQPw3bg6xL
 1BJLxDWnKUlMWs5o+h7lyjp+1B/gbnnlrUIlpW8IKVZRHwRUPGRN07SbbEO1lDk5
 uJDMk+r2KrOUNVYCEp794P014xodkLvB8X7ml6tcABE4V9d4uVDX3SsktOLMvtWg
 nL6xWMoBYiVOXi3Rsm8vESBOb8JFQL/ItciUyAioM4Zjq5eqotVq90HMBO9kqcjC
 YsYEs6RACRmyE+TNmzGoucIPTwPEi5Ib4gj+LG6iPOBprk5DSjD7F0/wnQPoq8PY
 HIufb4+PgOXKf/ROQXDRLeD6eZBtPcDUJOgW19m7QcXZ8fvo6B91COe9jTF/H/i3
 A7NjR4kCHAQTAQgABgUCUQZ8hwAKCRDZsFd72T6Y/MoUD/9xxmXbPL2Zto6qECXs
 Q1GFuydiYlURxDsVUiuc1tSgEoDb8XcXl37l/IKX1QmcpvHMPzeT0g8sNwIXSnL6
 BNCnFcfrd0tEz8uBPxVnzMiGwaHP1kB6Vs6sNV31+CJcTz8BHHbOdXZnhHqXSb02
 SonqAYeWVSlE08Ejvq0HIWRn6NIGdGqv6icBExryJjS3ZChRFpvgAJwsVO5f6BKH
 oZnEn79uQR4XPHwuxRbm4hf6iYEbOhE7Hod6kTzS9vYIhyuTFTz5Kz/YxlMoZX/j
 TIYsX0nZ3r+Tshur8iUXJhKvvXVlGyrGO2HXfEuIpJqEx4/qM9jUNP0EE7aPzZ6f
 BP7Xq49Dx9lnZuSQ1jeXxEEpO+AND2xmnjCHr3EfgYZrrhCSxMQhvJh7wypkzu30
 D41BHPOPSotmM7WLceHWmYui0Wuq9X2hom5jq11XwACEtmNiP/odXjF0ovfK0d8l
 j/kivgrXAZdN/ONJapVSLkRMS71S6eln+urR9HfswEfM7IPt0cRwN1oNIhXmK14+
 XBWvvwvalfuxG2UfxD8K0JXMwARlpGlV8lXpuzDV8EcrvLipKpqiQWaJer64kaQb
 8qHEtT6+JNoGkymohrfeVagxKmPzDWR4v1a9lgZwY1FTRHNVPM0P8LWlN9q0CrYc
 poBwkhTMV1YJ1OBSrkM9IM2vsokCMwQTAQgAHRYhBGMZHOlBgwmGicq4237xN+yT
 Ww6vBQJjLRkzAAoJEH7xN+yTWw6vZSYP/36Bt4QhRtIh6HPWbHraFSl4omnuISu6
 lTHsqhik81nbIUiLZ5e/KN6ONSgD2jfMVQOLiPTQFOoxVZvOjaHmHvMuF7BCbr90
 Afh1qXW9txuPbVkhtC6hqIMn87b8UHEnt1l5MiafQnPHhoociqaqwfls/iu0nJGu
 Jf5eVMXpdeWRk+ckGkqP+tXp/0G933jibSdYqwG1Tsw9D98xnGV3a/+zIqRtJflp
 HPEjHPT6rVKAZxk7gkYSSsv6ONBwZHqwe9W1I+U4t6OPkGo5kNbMPBORB6/7B2Qo
 LHx3+KYZs1j6glI+F/8IX2+JSFs07saMnsDhE7w5FzmwWV2JcUt42RSf8DVub438
 jgA/Ht5yPROEJ87de78aD/t/gPq/Gm3bnUz1BW0jxBidjqg1qPOMYjC7n4dH8X0N
 cRfX6tWOdSXmDBbPg/vQi6CEIhsGVisKlnrgYi1wDZExU6UVMnBNvllUu9PXye+7
 51cIbrb+fwAWiwmu+AsL0qsjxZYo+9ozOLh9wLUhxOY5MZM82alN/mlUGzEiXN3R
 i7D3rDrNFHdI4LGGLbO2hjPYrG4hdNHS+6WbU6qYcpBEhrqBtnUjoVqIKP2boBLR
 ara7hHqVO120s8kgGtf/AoYpggD0H4qqUy4EFNjVdcL5T08w6ldQIYo7CEa1iHFt
 ML4bsPcJh8lciQIzBBIBCAAdFiEEcQCq365ubpQNLgrWVeRaWujKfIoFAmMsvIwA
 CgkQVeRaWujKfIqNXA//fjCpyIPPd6RnJhagWH8XCp5NB4cCT+LqAIR5yZfz1QE8
 Qbzpoobz9ysgXZ5XjLp/lbVffGyg986j0wUtSW1+g3kJcYXBUKjSWoBwwmZgyZky
 95U+uklY8CdPjSeuzr2I5X/LogHNH1378d9aEmQXBfX1uW5g4Aqgnl0OOgkCVzgs
 FFOO2o1j6svrrDVG52/mwXhNRm0yYK/hFB8T3PO2IvMQGDGJLHl6N5Kl7P2jtkyF
 Isi4AEzJeop/2GJYXQ+VkUTSNRKQj8oOS5qe9/0RkF9uqeamoc81n2But8MZN2fv
 R7ug2EuG2LHp9/pwu5ekohXmY8EtMbVbU7TYKgduK0FMBaK36jXN4Bapakfxr1z5
 pwdDjN4QiqUefBQlG1CJ6fGrqbdAupzRRDqN974rs5HafnbxioYRYjoo4H0zC8XN
 UwgmA2wrwIIY/cyNCSnUuT8yVAnroPiFgmMoL8RM7C5pHQYh0u3fXPfvNBswjXmR
 pJ6mhTqG6SS4qIaPhqoZqA1iyA6+Ua3YLBDT5wqvuqNMnfLtLUvMuridmlj97cRc
 srQIr022NdpafDQVAiVhZO0CRyFd/++XT35iiDoiv20+LewC0VVza466AE1fkAme
 rKlurlET8U/+U0JB6IP77ErjMgCzotV8e1DJkp/M37nMeNzazAb//ovsdkNM6P6J
 AjMEEwEIAB0WIQRFaBEoRJtl+IDGF5c6hKlGtLpirgUCYy3RvAAKCRA6hKlGtLpi
 rvhHD/99Lvgf+CjbhwC87CoKX84MyAyBlYACCSuySQBnEsVigz8sCVyTYDx52h1h
 /SEj7XfTylAfIl1CjUedH4w3hk+7IN4scmhf5eeEMvQd8q+Q/hWQcXIUpwgKOcVD
 NbUgYcbakJAPtilK1CeQvDdBD+aYoMsJTsII/f7FJzwjPM1XGf5EoODUC8BtQf/W
 KAVoESwwAUwN6Y5XeYSwMqu1s7IHs3yNYLV8C6A7EQPVaVVlORqI+33rKyqAhK5X
 ErNvAREQPYJMfRnQlIW7alSORwdG0JBgVLgV+jvoFo4a1AQImHDDtKxs2X5BCVG1
 I687uYDBy5Assl/VxRMIUpx5+zWvXyDZX/6nlL7AMokTlyosgP4iiifBS+5KMhan
 phMgnDXYIJE10V46Bdw2tjd7wMKey6BcKgfbZSvU5z+SuVnQXCyl3/blRML54I5o
 EomXPg6lgVxSb6BBnaJXzx4JKgLer5uom1OGsLgPMqEHRoO3bucr2xFdtq1Zegw4
 9S3qDhQ3bn8pg9JlYwmAAhBd3Xy5cPv01mV6ompOQ38SlMCJzcAGASdMw5scaxUl
 7MloV2Nl32HIzPjK47bF7aVOFX7Tz+rEFLmJCchqmUSdxi42rJyHKVRqiAlNfZ9S
 9FeaEfU+vBxOHsLNqVO7ErvrTafT5fjphZqvUTqZGCUiJUjPnYkCMwQTAQgAHRYh
 BOJeJUyO5NMDVUv1r+xwGh2klMXrBQJjL1NOAAoJEOxwGh2klMXrYaIP/ifHM9eU
 UT6JD0m6Oa3P3T161NhOvNqr71LDSztClsWo3XX0+ZK3wpjoC6vKqgx0Cc8OL1S2
 GqwCaxb5JqWpsoqR3NW6bTqTTUGREj/e0JHDeBzv57OEUTe4ea7qzqjhCX6iyzHa
 qDP9fiAogMQ7uT2oCghDV5yo4JUrG5brw8GkMLEvRSs2BEv7xFAySRaGwNj+oziZ
 VzL7sBzp1bCr5cwNZVYxoo3VAv6FUcExp1TydxzPVB8/VvxOa4zrht+hFTn6mjUi
 NHBc7DYECgh4jlDR6TnAdvpg0FsujTXiN6A0obOUl9jGz2uFmdY+2ojlVtzqKXoP
 +PDz8o2zMrRoQYkni9VyIc536E4OFIhfO6CrThMjJjPNn22Tq+fzRYkWTrlJom9b
 nOldQ1BdUXQt2QNigdzqjhZTIgF5OEOTERh80dvwIbZ+7vN00BOsuncR5GUBQerU
 F6+SksVRAaOg2lyoDdxUQ+Z28RU8R/n7VjMV8ctFkQvHHLBqKkpET8LRh0C/jSNh
 gB8zLPc3Oa4wTf2xZWO58S18esbYMr74vRYrsACbmwxH5Tz+L6Br70Fmcz608+IQ
 ESKW3657gemZgFud3AGokzKG5AuWykSinydiZbK8MRGLsdfPUojaVIgXFqnWKtkH
 At9gkD8YbqGYzuVwBnljBNRdTUMk0ClgV6pjuQINBFom2R0BEAC9k1Ky6AIe9sPP
 xrgsrXRe0dyYcoHufzeU3jFssl3+S4cRuvYCzdZfRfdjfHa4n+CxTaOd7xkefwJg
 GpaR9KJbu8dqHm61GIiS5ZbMCRU8FAW6ohVeDqEwFrPAzZjtO41OTpeXCrPu5H5A
 Tg/kDnabzlD2H8JWAqr0DYRRhFtJUihXUey9zK03wSjUi5E1+YHUC/fOpbS+msNN
 945CeQNBN4Ljap9Q183Fkh0Wm4Q8C0OS1WN8a0XtqSALRCGAZ+EV6UrmQVP9PCC4
 /J0hoKQPv2bfpBAsrUGAO3Fnsw7804i2TY7O3JA8gGDYX6fwOVJMUXdD7FX7LM2P
 pESqAdPrjqmPqHT8cPfq27GYgqHv3N4hP9Rjt9wxmHYFbJT0YCHw2ZMiAO/VcvvN
 miGr590ZFiQEb1MJN1r+h5UDE1CtF6nTieirSXi9oMilHlo2NY5nAItv/T9PKk4X
 +kaH3UoicMxrkT34tACGwxi4VIRYWL+ZquxE+bwXqAvbGJ0p3XbyREURCaO96J/2
 w951EvZErpFRQu4zzClmoMiNbwkQ8QdesSaqjMirlHyFI8T9BZrXbPazdVNUwfyR
 LFil1q/kgXjXeJDoje73UiyGhqhlVOlEbunGzCwEBzrtQdPTDeFQr476/4pe0v4u
 gdNYkL/gY8Izodn47d1XH68AuRSrzwARAQABiQI2BBgBCgAgFiEE6FPBhIsBhc9C
 hk3zY6itS5gsQ3MFAlom2R0CGyAACgkQY6itS5gsQ3PQSA/8CZGTxQDbD2oLkGb6
 tyECIs5A1RsfwJ9aj0R/HuEO39ki8yM88fwi8F5AfzNcmYwp0rxyYDDYM0itObSv
 A9WBB8YFZ2PKT1YHrwTzWbne+spmQYDRdFt+0Kx0JLvgv7SYvQ1jNdCazixH1SAM
 9O+Tn5oFybVHjRavWsQYHp1CvXY5kOHOEDHhz37pGwFvyVyFdSYS5PWT0+0XU/g6
 Uq2HeFCurhUGuDXJ6WA6Ipvmu0vbi8GpyeiWCRoG76sqbBfQ7dd0oDMUHitewWGq
 LP1Kioke9hu5p9CbkjYwGZjJWZEV6WHxOmICfFcBRPeIJyO8Kfa/vVBfQZj9fhqs
 3sHSfAGIdKIB3tX0qKhMRdu/QoM14YQ1yK80JTUUOcrKLDt6QJinF1UQ/OcYQqGB
 CXaRk1OKGFuuij16QudnX56+aYbNPltf7cLs1O7aodQcRxmMSgxSE/2ckthPYBsX
 PWuDMYZCb3e6JMWsdnCI7iPpoPFAJmId7SWJebXZxntoX6YwZ7Tx58/QMLEqxMfE
 ExQTAFg8/owvxCG12KaharLr4GpLx0aU39QEJenG1LqGLwiQh9Vxsejw+MkebZJE
 6zhs7XBpenrd5c9OFOtb/Goxwal/6UXz7a62jZ7wDNpJw9xOfC3/eX/56+6dLVef
 RFj/LOIu9reM4boTiY2dmGj1QC25Ag0EWibSSgEQAMhQB2Q329FSozPk7V6dYBO+
 jDBMr1jHWvNMCR/2DkwXfDAKK3haSWSqr51/wua9skFRezQvc9PhgvOIJi1jsxRf
 xNoM82a2OpYJdj16FG5RVQ/ApojiywNvp1YPJbmq4DfXSuUA6q+OephsFLrx2cPY
 nyDQaI6mrqTBecET4cdQTZK0nKKUPj3U2bI96zTBIYK8Kr7GMKXm8R1eV8bktwHT
 HyDjI7hN5EjZViYqZYDQ3jt2vC1Aj6XpFw5K7Sv6f0l91zyjfcu6Llsfo8xtRhAl
 lub8EBuO6ljJ5uWqDgjqTOkDXcIAUkhUCg8ztweR15zgJQQ/On0XDcHLtyi7zuQd
 xNaKYKkD3oROTqce+YbNN3qnP4bV0qa0JLlTOrE/0/zmif7Q1zYOidcmMgGeF6Gp
 pGQkkxY4gSKet8kD8h4AZXGlpFu4e9sue1ENDRmgWaqSzIWudMRZ3z0/s9EGNNiW
 60nwJ1NBoySeQEmnwMzAHXneRM9pRGQ1S3/CKttq/0eWEH3Y/Td9xi4DNvTXcvgJ
 uUUwoclWP2PCPg3zE+EQ1q/Kt2oYrT8NcemM9EO8btNzJ/Y1wSDLFAFNikHwYjTM
 86jWoeGhSM3fD9HJjfqoB41gDKvNIVlhQavhe6df4+AoCo/mGosLYAPFaHHdkmqn
 eT0Y0BnTRIS9yLcO8CBVABEBAAGJBGwEGAEIACAWIQToU8GEiwGFz0KGTfNjqK1L
 mCxDcwUCWibSSgIbAgJACRBjqK1LmCxDc8F0IAQZAQgAHRYhBNalthyaVTQWgpLb
 Z74iCR4+9iJ1BQJaJtJKAAoJEL4iCR4+9iJ1D2AP/1VMC8KOmzPYyiFY+1xHu2rv
 siB0f80GH1jXwDSM/IKvsH1axCD0hMV5sSi52epCov37czSlR3MpQjo0xK32wJB9
 26AgbzJYZO48qulDUXUhPWJ9bxiyIcxI/3KEspY1RMoWv8AfYA/qSma1cSdT4IMo
 SGJzPh3RyrUpeFP5QT02oGa5TuSQPiJwy/b9u+RVOi1SSqzHMJdKzZehGays65Pd
 jC8Xtf4ipdYRBr6mIyUISOB+FBkY2MttFzNDUBdDrOepyjStQLZ1vUXnYKIiSRHX
 o3XTW/W8fh72o26zeDbQcALywQMZqnwtrZluzKHZxF07whKmXvw9pUHXX6hbJDvm
 GVMxnB/F6grPNi/V+Bv75sKOdImgnJBUp1Jz7288SPbNQwrqFKV2ZD3f0PFmolFj
 Cz/Oc+UUk+swfnsT3pV6LClTThsOH8WlKJYxZLneX75HuVx4CmT+qv6GlFQuixjc
 H0LtsbbSjAx7J2LRNVtfI+2DfMcIi8KJxe69MAKGqqxDyDPSWeFrs0MHmyD6/6m+
 GTovgUT5jOZbR6GVKelW054bmby0zQevWnRieANVeFoFsnwclJnqKIRzQiGod1p1
 b8HhSCw4nOeOQSifaOf3zcnFhYyByDMOtl3/AqGoLp/61u3Bk9h+BP4VPR3RUWzc
 ggjmxJM0MrLzjaSXSedjzuQQAIq9g35FGpnaB8d/EjufED1TVSOkvNK/qJ+dD4Xz
 f5RvnbprofMnzfEyy8jJ1Vqc3QZQU3IDQt/Un2ZywX0OboKGAIn/gyfwdkpnxJ0j
 JoxRBuMplNpfNBw+oe0nFuozO9idFozKM+SWoE051/jvGHp1FqEPLnAAGeSbWB0L
 RlAsnMjc5u6+SKHeFGRKYg7U0sO7ZKbVIT4ZmRnsQLDakHwbAgfcIakh9Whj0Ou5
 r78Cs+DcM3XAdtZ04d81jV5TsveR8/Cn473c6dvPIfnA2P4uClTCaCDv+jXG2f9a
 FIuJhYCO+TdYs7qjAsXWngJUebRFiHbfSuYDw92/eqLdKD1Hoff4MnW5YOtDpp6E
 sdCDuINeRtUtnidw2vIPezX+xdmycXIq9Fb+GvKrIDsKu0VO8HObVviLa/RE11ds
 EHYlrarj4mqzS2MhvmU79Bazg9rDDB4WVs502n3uJaf6Sod/+ke1c3ff7AUPox2n
 pjH/bVmkZJsOq5EqcvlH3m2FZUHSFWS/yTR1rPuJoHBMHVc4OPlTuSqT3qmKL2vb
 vD1l3D4zHZs1paRLddYXiaex4qPU/0YpP61XU070MmFGYE8Z43TbMPHu/6LYBpw9
 p5Vj3VZwn2edNl4LGx+05hIABzM23I7JoQ44uPoTbohmYXF/DUGJ6h2LYdp81AVC
 lSFWuQINBE97JQcBEACpbBqvDl8J65jEhPjOWczcDVB+WfG7GBHB7T6RxSNFIahy
 mDqzx73zZD6n4NnZogPDPopYdRJ56u5AfF0bDZlgebl8+VEgPHGoay74Gf6k0B+c
 pEkp5PaWQHHEqXINotVg29hTsf1u0sb+yjgcc+9WHw3MtpChsgk8Rc5N8Xvr1FJc
 L+xynSvUCcLIwfgvLHYPPBYGIRpvz4ek/zgHvaGftDfnyMwrMbgi8kadrSb7PQgc
 eWeTL7CQN1B88TPJFqKt/QxMdXaPy+Cr3P4XVy5V3/QEVFUizrtCCqJgxHMAeCP5
 QxwYEWmA2zxUzGA/t/QUDFbccKt2BdpdKBFtHLliE+yn9FHw98JayjhAJxxeCkrp
 MED9N2aGHI1q44sbmeLKQ8EuIbCamfq7fqLXgkEy8jgivv2J9YfXejjjEobGLkss
 Jlxaq9JeQgFEVl6f0jJ0PgkYPd11RxTcVLy4RB417cxc9LHcoKdAtcgBTcZXPPYO
 L+eM9S7rTvFTna9IdF4bbnJFNjHDMhb/9XomxxBsekpTUXEm2DGoTpO2W/jwWcZY
 LVrdhikkkF8b88EdWk94fUTcFA90I+Ch0YbS8XGM/WIklrMGa0JpA4OQW5oMhKDn
 gqAcV7gxRYt6ylBPVh94/AIMz++wmfqBxETFP8HMgTVEApLBLjwru9B/4lRStwAR
 AQABiQIfBBgBAgAJBQJPeyUHAhsMAAoJEGOorUuYLENzegsQAL6NuhGuzQf2GELc
 O5J8/BW2yF9sxHWDLrw0Pntq8D35kgGfZLB52tN3DI4NwL0vE931bXC7ovi4kHPS
 sazv+WPUckYfJ7qskWVD1yDtHsADduwudJpAflfZ4VIvMJqJ7FUw5Fy9ennw/Idp
 H7LC+ubn6XT6Kh9oKvVmp+BQEOsdisjVw848Thik+gS08WvAjK9m+g7++FFwKy08
 5iXuuqZpvi94eU1QPvzxzzRZz6M4gQaz+pCq/5yf6I+Hu8G+5nq2foFN+G7FRkx7
 KJmJ3SAEsG3M23V9MKWON49ZbhTe5xW+1at/TKKoNGzNIYs07jApR2/E4J57yMWj
 zsAqg77hTDRiV0jhHl0DJw3RHFi3z+SrK+6ie6mrq8WEPj62q9qdM8dFs+y5X3UT
 x0nxly7GjOxxhi+Nt83PAG2wVFpqmhVLuyPnruvxzyrVFc8Dvx46DiKCzt4PPK/Y
 +jnVIQ7Jr2Jm2ZCpzZZT5QNJuDp46mKHlNBkvSy3q3+pM6cM8vKSuCFd9+dw3dX/
 GptLebMrPOvLVDl4Bm9hSmG7rLpJy8U8Ns8pYSS1zaxHM8KqMaPuS/Zlx1SRIj/E
 afefnHd5fIlmsH9C2O5fb18SFjmD14FCLcVTG7bwh3ZfbGo9sOJSShPxppPW2OoT
 jwfANmj1cSg/VFr1d4HAEc83jFgumQINBGNZjyYBEACk7biPgvCVldNWq1CwVoJa
 /Fvc4T49tqxcc/sY4uVlGo6oSi4fQcXE9XKPPBuRLmvpmMWvODQLzPxJMWUfJq6L
 yYFmX2U9VRTcyITdmJs8itkEaDwq8BtXkeQfUDAVSFy6V6/uvVmNWD7pGXqJE1Gx
 uV44Ihlh6v2YyqSzDG/rZur771hke8VZmlKMVMs1RSeOBA3nUmvZQ58+uqkhJNYq
 OeQhxGIxDOHo7QhzTG+SlX+uQq6mzACKygVJJl33toaUwVAX5R02a0u67A5wC0wh
 AoLSHInc3P7ayivWV/iESAz+gMIkuvJWns/Ak14J7MTGgjD6rle7PNMsPDCCwQSc
 qA8F0x4OChCixbZGZn6Mr0u8+01VCEe2IjJwVUfFI/G4n1FZ1RAdqjkHfZJeD20L
 GHSbjJLcnqLLFx3LDpI5dAxo5K2kFvz0VowrB58aHoofW8/g8yZygGQ4Zpw4JnpU
 maPnMTiD5yvnFzEihM5L9DuaWqSK3sb9qzoaXABYRYI7OmX4B5nmMzFteHHq0tMt
 aKWf0HkAsCP0BLJcS9Oc1/0I0+gC4oKLRD8a4+kaEpNr6BXvWnj7Y1h0Zr/CZS6+
 gi34CxWMl2Q34OSqtS37mzzBu+UZxffPR0aV2RXcEpc0c5HW550Thq1NF9EmFOoy
 eG4J2ox9JRANZXLh/i7mNwARAQABtCVQZXRyIExhdXRyYmFjaCA8bGF1dHJiYWNo
 QHJlZGhhdC5jb20+iQJXBBMBCABBFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZ
 jyYCGwMFCQPCZwAFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQvDkF8jUX
 nPGeAA//ScQ3kJMqI6FRULXo0aF7CpafPXVWdvj+mfQMlZzuGwXXTmM42T0DXnXR
 BSjstWkmOXP/UqkN7bNeXH/S3D3GCJ2l0qx8Qp6fP0FloJIbemyxNtzl7yvAE7kW
 vuBuLvUdm23cntv49gAzj+ElDqCxtT6A6qaqM6r7DLUvw+G+r6gkeu1hNQbtRpEK
 9Dt8tHriQyI410qFRMbi3QxU+iTJ79HXwrXiYpX7V7T+ugiU9lgIiC/hWJCo6SY4
 knt9E6zhegUWN6zErl2HY8FBM2P9eHOTqToEOAhKeM1fXZvxe3m49fGq/spmRM1R
 UUl1V9WFEaMiLg/Z2rmbD8LX9YtfYlQCbEwyX2nkIP1QIcr/DEfcmCA2MXCQCgsq
 I/2XS3BTLPyjuqAYnXxrk+T/Cydcg4W3ZBYI/wT56GH02TQzB/wJsn0cW6EMG46V
 SDY/mZ2/gwi54G/Pqb2R3ZC9I7wQ6/FFxuu8myI/QVmEiTlvTxBoyOdNlliBQxCk
 Dczs1rxd/o8Wfjo1vwRHW84jZrCP3xr7xPJWuzsrmPU8kFHTgepGoY+4b/h3jGwl
 V103RpRUK4JidwHsmYDVk6pgeUH69hf0iVcbFfKiViFTR+DwjbAOxTdsFgsYYn+7
 hBj2l+pV/uzeA0akL2dkgfJc9pAf6ItRUnGC+RlntZ0Pf2NbwIS5Ag0EY1mPJgEQ
 AMRQDbNHBQ376nDF8miBZOAV1txpmbHc5D/X63PNapP0P1/I7SfcJU9D3wX8c4vm
 xkjEYtH23s4lmT1VLsU7PisS3MacRemm9pL2bD53hs9XQEuU9OtJsZn1ZJ+Ynh6i
 5sfW1bG3OiV/TWgYXW66GwE1hn9PuP8arodUmhEft+64G2u8Xtxr5yqlQJEUThV6
 280OJrxVbduaMi5C6UNeeGE5wuhfrQ0TNYZiwQ4KYbU3QhlWhHVjJlJ5hCLiktwF
 DyR24P+wlTIziWA407mo2enQT+mz3bO7Paf4mBionGsJMoADqBThf4B69BxjJ7Yg
 7oQVIZ7560YIRRmNo4tk5Mhep11OtQgZjZJR6MhWDaUO17w1qScrOPRj6G1IXP1R
 5NarydJpLyAVb/5WFZ5jxUGMGtq3mYn4nKbbHUg2WzvCJvPctDE6EV2vaiRy5N1f
 QjsHgSa29F2feh14p4ngFCmHjpdbcdjfv6rWL8tgkSpQlDdeHRRd1q03TKAg/byP
 auAHKzvV+iWlmw1f6KBWjeTn0fofmk9eeQ+P1j0a3/XTxMOjB34SzqPRWzmLPLF6
 YmujBK2gymM+JLirJFFzao1i4lgmxqkDhQoNYHXmVYEd7w+/qUYbfKwO9eJOWzuU
 WajxvJ1Vgv6z4CPy9if0gwfhrx0OOcIpBE/xZU+SwQQpABEBAAGJAjwEGAEIACYW
 IQS4aChHdk32DfUtmSy8OQXyNRec8QUCY1mPJgIbDAUJA8JnAAAKCRC8OQXyNRec
 8a+qD/4whGQ9J+td1iLFMpNRAqvuGtTnM6shZJNnC5CB56Cu7ElIpr74sk0R98Ia
 1pJlBcLALbYSrqwluZaLiRVDPdub6tGSRVssqQdZcKThz33waTru9IfLhCrRSNd0
 ZMHJaOG1ErU0noWw2d4ifVJK+vvuvMeEyNm4H5pZOYzYeikqVUYzS143cSzMEwtv
 PSdP5JkTQi4WNF09khH1D+QpJoXEgVEQla7Sr955Zdt3q5OlpYxxw+X62vslZ2OM
 iKZ14kWVSRbVQ+WdnjtRYS4vivB6ko9QL770jZ131hKhC/BcWpEYSjfPpVua2oKb
 ccKHXheIFEJ06kGkMeeoQPxmzPRBYIw/E+d5sZp7YXDyBGOAxBeiOaOnZ8vLBzy7
 2HFng3oB3hkVGTTHq+PsHdSSaRME3QrNpDsaGeSjw62FG3I4zK985GtrXAHEzN/F
 fd17srl4mcRQ+8QM/a+XbF/8ugjE/RHhhFf8sWVAPutYzVE8lF+uqcduPuq/rTcU
 BuzSVjnSRfXWqCokjh+ypUpHNUO8fZDzkTLuE5rwMG1xpPueDBTzvoGDQRqc2eoX
 pJnDBmdlz83zHsoR2gIHcdqyc/hCV+fTvR8E0v9ZG3Jr6RFgWdD008PsGxUevIDg
 MAYFwasZSTofEnzg49/WeIFU1rGB5HZVlmOJKZnKRuBiTakEP7kCDQRjWY9xARAA
 rEkjlUH4hoSQAkVJCWWk+nF+daAP5IszrGEQH7TyOVwXbRZndSPFSUqKU2kEgHbM
 m+wFYoZe95h9tjDh2sLCs338pVu5Chhz3dNseTF7/rbckw2rCU+JbalEiwck7tKL
 qobvbh77jnrbQnkrZNc+nMeHHLrYyc5gHW6cSn4UlU42MKmTlSeOG4Ly9wXhgaKC
 heIXNX3U/D682Tffl7Gopcm7pPZF92dwY4nIpCxU2ATimkSyulbhzk2CjZ1JYUJ1
 LHctMHm9F0LEGtc1GxDShzVZP8dOWpDs9BBwZDLXxCzC4rvZ+z5BJCDFbuNTKZQ5
 JEoW2sM8yP1LLZGXz44hsab1aPrvB3vcdS5ETP6bqT5267ZiotdhUifU/pTV5ze4
 7wNuaZenQtGd9olyh2dAqOk2DQrcBQFA0gRp55b4U62hLTYXxT+7jEbSVAxeXDPR
 qPvqh/4kVn86llYjV6dAoASN1wWz423QH3u4ZK+S6g8HZ0HrY2+NBYgqthb6H/X6
 FiF5VcHWstkk967g4Xt0PgN/rlCtpXh4WK9sScX/CFdOURsHlb78ZN2LexaYaVBq
 QuqvfHaAPJaIElXqMheZ8aYrO6Df4yzJ+6eTs3s4PqM6EMir5waFonx5Gh50X4xL
 9p7IVqgNPhQsU8Z5U5hGYbmUH766GtENv4CI1upFA1cAEQEAAYkCPAQYAQgAJhYh
 BLhoKEd2TfYN9S2ZLLw5BfI1F5zxBQJjWY9xAhsgBQkDwmcAAAoJELw5BfI1F5zx
 4cMP+wbjKu2xCr63oyn+lo7NqMDLBYl4zHunYTZhG/egDakVWp5Ikj5/k3i+hVSY
 fUyUhqQ/b/H096ropB7GA6EzS44GS+hLMdQOJOmEbjvAP/9dJDX2FQnYZzaA2f/e
 Ikgaw283oOLnmYz0x7YAW/oxlnPn+7Sg7DGGqqn3nKofDUUrowfX0tQGwkGmJJqQ
 gOH/ZfU4t51UCKzF6hWRbberBI8ezp24vYngA2kGef1fCUC+EIFhoYcdHHCtC1Ti
 KmOUaeB9ZMiVXkP60fmCLKObwcKTyYpAFPqM05xgsMPFaXN+fQ7YVAGpCdthk53N
 5Go+QqehwLoJk77CHZxIWJIf43p3UiuH1FsuXF7OdExzIhUSiUum6MoCI8BpVwn9
 uSKfXKLOdGDR6IJI8jqdC9LYoXqxZtDhpcqD70hFWJwJzZg+U2SvxZyhOqwtKXtD
 TDtee3yGzPacSAJD7mFURc/DRi62UBMiFcqO1YW/5LgC4yjtzo7MTQPkaGbQLduH
 IlCKa8pHWPqaLFdMawwqNrTNHWXCD4XxijJYwdAue3NUG/utekNm82mqnbbWw/AX
 URIzefQsbyqiNYMztudJ9hAS8yCdkfb9SKVIvWYPQ77tHltOZF7K/NzOGeJaJr8l
 vqZCfXpWmOduTpWaD2kIvU2Kx7gB4jXdMa2ai9N+/Hdr3lLouQINBGNZj8YBEADg
 Y6HOawiThxQVI+0uvAAU9yisew1SSVO6mAsQtZM7s7BpLA3RGPj3UGojZIeejA+k
 fq7A+PVLBhz/kSBTtw9/s3o4rlqNzz7SLaix6XKWCpHOBs84n3/LF6u9KMMVk9vT
 sjKz8iDF9mBR2bmCfLvEk0HDiMyApv5SbOsZMB8k5PWyK8HYPyMI5umEaOsaC3tA
 eihO3nzAxEf3oZl53J1pIw+ecdrQLbWbH0aqKngfCddD8Q0oMr/Iwly3W49+5eqJ
 oelR9/dut/dg0a3Nn1wIGYRzC62CCsF5IZwKdyPh7nilEUFpA5Vlz+HfIFch2LfR
 F3Q/GZD8fKzKxhjDIdgyaWSTsMbityKxX2G/pcjshyMsZT7I3Hx7SwQfFro58s2D
 FsFLEZgBhJv+nW/HckeedaveXmXdHKjtsa8+rvGADti4wohOl+N5tbpYW3/zR3AY
 qlh47hG0ikUJ8Tusnu865j3Z5mE+KqS68ypRVBMRrdJl2lGPDCnXGhl2720VPNMC
 /jB2Mgm/L1mvQM1jPfdC3KgokDAH5NMzKvav6A71aLSUJli3UdkGHkX5d5urs3k3
 WmCt7XeTb30MBvNzBcSYTbw2UGIRE8G0CFc3wtiWWiQKPeFXYhn0+COCoW/EXpIC
 VaAuMPMgcsldM13bKGyGo3NngsNEdopNFfr0KKW5XwARAQABiQRyBBgBCAAmFiEE
 uGgoR3ZN9g31LZksvDkF8jUXnPEFAmNZj8YCGwIFCQPCZwACQAkQvDkF8jUXnPHB
 dCAEGQEIAB0WIQQb4sD/CJSWIxAv0lZGlYgcJUUI0QUCY1mPxgAKCRBGlYgcJUUI
 0ZkHD/9TlRvAaZETf+pv4/IceeL3KHwj5lrC/gojXxN0AjhAXljLSRCu0EyICxZy
 3158h4k0vwjdv8699yHEN97PdF84m81mqxOz+juKBRHFK/EwAAgOdSlzGnUYgNkm
 mCROFWtjeneNWaFdEnq9MItx1OascPeyxnWMjq7LLYMSESP4tgUV5KdlaVAXR6q/
 833u27/NodkDcNH2UK+IyT+Kt/uCOoIIL4ttxo/PvZTphzV8n6s0sJJE3/BrRxgv
 CTkVU6zosyJsyau8/vayQYGPuBuEQVs4Tr+vZ42izbkHgElcZv9oYjJsxaqZqqMz
 fWPte7m6Pl/pvtmlhPmpZ+ej7y8SRysBV+3aHNXaE1J3sIOmYxighlgZapSjHl/A
 9N/KXdoLAjIZtBAOQ2ZFyRz/c2+VUqJgwiwdxoaFaYn2eUM+HSTbZfdGXBS/yyZL
 YsM+L4M2aizQvDIRXzy8vG0vpHQEvPlXL0Gg0gyk0fox0OsAP5CfXmHC/AvYOHM8
 y81X2QqDf33Au1RIgog4cLqq2wpXEARWbAj0BAMIeJoCDCu9Mz2juK1ui2wr8AZ0
 42PCUgZK6CdUI18AsvApUhPsNunF7ZOc5mFMuaEGjjWJvrTG3qyrCY73ySBiGXWo
 92ZB7FXu2MzgujPBEigByqeF6IV2x0EBHw/VrcxXq6Slgmik6G0SD/48l5mGCxM0
 Wr91raB9zQlwDbtD3PCbjA6DtkMrRyAq+81g75N6uiztGPCVw9n1HoGOSjN1hAhe
 SgQQlcXbDLpzfdPFowDEHclFFfUODCIOuF+FgmxlAz5Exr9JkJdozBFqRZ4iF/tf
 E5sHB0rzeUcY3J6VjTsjULjE4GSg5trsOc8GHUnFn9wwwkf9nR/Mr1RYcX0GkTcy
 iUskw+AoRz6svOfAWIDJY450wgD0MHZK08IfUUsYTGecoXcvWf/hITtv/Af5MpQA
 wuGEDltVDeu9EAu65SZlMkkMuQD1h3KOQjUJ6nY4a4M2CQ51ggs/c+vsemxsuYlG
 vSuhrfXt6HGD3dhsOEeyEvIcjjpP1Ku5mqrPhqXFli1swfohhYGGVO+fM7G3l7wF
 kAIi0B1szn0K13qRqBIwjnWL+orP1KLzvczCH6yD0FZY90CDdMtM0VB6AqT4BFh6
 5+ygjA4YiA7fFYBm8510ybUcNfzU3gUIJ5pF8MdGizO54tCPSK6U+iVRY4qfCFdu
 IiOZ7FUUn78VIxQUMYMrozy7kn/0PQZa7KKRbXJ8sg0sgrQapwpgUjdMwuYZPGGv
 1Jw5/+WUGWMbGxmlpHcEOmsPZpITH557M/kHyk9Ud0iKwciBI2mGLxiafCuLrUY4
 TknzOqbZgjdllcUG4cDBEQuBO/GSj1LUfpkCDQRnKRF7ARAAo5H9/6cStbyjWFeb
 G6qDn6pT+4v1rlbRZo0rYwWkDmEAjOZMRC9SJipTCdQeNFlv6HEiiCvl3bmZIqrZ
 +zvLI6U1+2dH7k06xNqIFLTV0zbr+tUkOwspg5nr59KsuNP01WBS0ELzunO/zHj+
 BOEdPg1KvB0IQFtqAwaAfuny67YvTr9O7Yz07ZCfTxPtHf6FJ80FPeRa0LoZYnW4
 UmSGtm1f59VD9+qe4yhRtNanamXUKjf8BTw0rQwjoJhVT5Mg0Z6hW6fhFrD57Lgd
 8fBi5ZHHUlR4z1+nqGCUoHlHjc0JVyK8j8fofKafow/79ITaOqBzv+P3psY9ecBg
 7wGaOHrqzRzRxAfKYRO2IaFHRGnsEE8FnwSEL00uPVxpiiTavrLJFEjku9GmP3OY
 3rbwIPXbw1m9mZG1yAVbSEEf58WSWeoBp0O6qrwAdIbdgUX4BkQ8bX5MtUjXp5tm
 0StmjQiZ7O91cg0VuWtrfj/I4E3xtloNzhtG2QLI4s7iAL1orhClxEuZRO9alUCS
 cnRvhmw2Dh6sB6i56evcZdUFwxMXOByxfWr0fxX4QlR8jYqMPj7UMNj2PccTBOQX
 umIW2cdGEeni9vrE9cLfZRSNCwPWAXWtr1zQW54Jx5DjCGHobQk53Z7kE+MZVAje
 gOaT0u50cljBNfJootuln4+gbGMAEQEAAbQlUGV0ciBMYXV0cmJhY2ggPGxhdXRy
 YmFjaEByZWRoYXQuY29tPokCVwQTAQgAQRYhBGjSGCM0KhNoOus+TvtMaFtdwcE+
 BQJnKRF7AhsDBQkDwmcABQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEPtM
 aFtdwcE+doMQAI5mnNA8aH0dfeOZnz/NrMwY6H7jK/+lYatCx05e1TfK+zz9feRK
 sxgP3Pjj0p9igo3jIdPcN5/YnlmVEeplDmSiKOOdendviy+sA8sukMo07Q+m1pYW
 NzFtyiZd+c44mp9I1l7h6rktIY9XDedrlAkNog1VlUet9eNpmgXt2OmJNDmYftWc
 KIpyw/ZLaubjRcAmxwsn7I6dWnT66Ffg9H8trcRlWipVWP8imO0EIpwC8RbhuNgk
 xjt/cVf3CEpzokF4n0k3nqYmt90NNtGc0kG5QAlTvlUuHpNWzuzvdAPtMy3KEaXI
 fu3IEZeIKCxSgWXTm7zRKUn0F6jKAsLXhK/WOA1Aa7NdAUwMxrEndfNoqBrusaLD
 lpzWU7USv2YT+Pf3aQ7u1szg2J8V5eqRP+E8wwe54RNCgQrcDgUq5abyncsvull3
 GqJvzvZC7/Q3Th/g5Wc+dRaGBz0O9FBuRPQwjrnB932xW1fDf17cScpVKAvV/jwn
 tpWXf7nSv2M0o9fihnTBl4d2c2EBKtTdp5W0IpeRl5uLad3AYoouP6RoZ+/Id/Zg
 NeaQKH/ZlCxk5S9GLzYhm665ysOYRkh7NfoThRtvAqAeDcTKWGDG1nQok2KKOSyq
 S81PT2AlMz7A26R0vsH/9lQ1uZFIhIGbxZXlGERZwXd1s+lgfWTbB5K+iQIzBBAB
 CAAdFiEEuGgoR3ZN9g31LZksvDkF8jUXnPEFAmcpGAUACgkQvDkF8jUXnPFdGQ/+
 L7uA7EMB+Yh0urhZuOltZSNtge6b+UbLZTd8DRsf044e+Z0NJWdQ2saLBptGhIcn
 as4Qd0gS+QkWB7lMrJ31uux15ZBjFsGtyqK+VoH8JIPvV8Mr5XojqA+UYUpXP6ns
 ILrdkUvNzpeA51IxYuVMWcut8SUVYzjD11YG1P8LFzydsImaYe7se+RE85F3/2Po
 kZNe0d0Gh36uyfJSND80XrrxLpROgabQgHNG0drL/DHjdoa3F0V5EUoG7NBwUrmB
 RlWKYCLUFfW+8mQn6RVK8JIV9WaHrzi/KAZLonZb5dCjO0e+Ol16pyUofLA8SN7B
 aqjens8ho297GtE3darkXmj5p3p4YPur/D+oZCNIH+BYMsht46VtE3v6V10P8KA2
 6MgNo5qME1Q0kC1DUYi68cPeDgrQBMWa+nF+m9i2aGeAyi3qDhZu03JLhOYAhv45
 OVRawm9vFqyKiBRANVogTRr+ch4zywaapwfVLQ+xiwVLqlT5n/iIzWCQ0hA15eKZ
 gJV0kTXL4OWKBeJqSNnnLVm4AhZ2OpKHMsjE7BEopvCe9JZWFIrjtQ9TrriByOx0
 3anWkmm7b4lZ1HKDOI/Cxyz8BZvYizo7hSOdGjLrFBTD/Wk0swvpzB4NKh5I6N7k
 gppXMTaWp36+KmQx66JzaZjepGl1VMNFdgiP6Sw6pO+5Ag0EZykRewEQAK4EY+06
 GeuX4wLlUqAMWCnbFELuhBZGWFLEIvP6WJS1WOvee45RVcpVfYMp3AqymiNRahAl
 RMtSQ9YtXSdlBPkhtNcoV/hqjcNywMdbsy+Rs27pRk/DJVC0yVL4ABrSSlwhfNa4
 6X4ZvPr8GGDvjAUhK6NXQ7WrZJxYR9/U0nqRGtGuPBLhFey1H60n5axP8+2f9pFC
 NbDJ13HbrhVju+RUeE8Gq5WJI5dea5SfYnXFERsT/zO+pw7ZaaSDmWKR1a88P6Bk
 DD7e63ZIaAa849M/Dz+OgzNEgbyRjvgbO0OEIrS2x61lGoW7F9prEgzj97NIiBu6
 qpNCYJefkpfPENrk+wmOUthJfh6E7uphlliQams6dqXAc3Z+xBN9jFf74RpzVmIP
 K/MFNr0EcUMFgURpBtaTrk4dGMh++v5i4qKxxwJHf4RsGCDsgH9ZZDemKz5q8uFN
 TI1kbTnsKNt+d7L45U+3/mRm4l22g8eu+AvD6R4GfKjsyzEFCyGK7TmVYj0Y+EGR
 9+YbRQ1GahXqtrR/aLC09LSyxQTqYfKU8KusnoceEbBOigEZUNPybpzibwHl1VEV
 9crR5eT8MPHgs8xdpjQ7gRuPi12fvc83unpUsNIHSCxZqXoilGsz2+zpX2si3PxB
 tK/tTo6ZFRLijhHs250Y1agp4MyXYq91A2VTABEBAAGJAjwEGAEIACYWIQRo0hgj
 NCoTaDrrPk77TGhbXcHBPgUCZykRewIbDAUJA8JnAAAKCRD7TGhbXcHBPozGD/0Y
 fkktGwGq2vPZUI/Fscv+VnEqVt94dBnS0/6GyYvhI7Tf81v+72URlQeX8TUQox9B
 8d3Aru5b2+iSkPcvH70PbY8jt/yTwHtSlFzf6+YPIl+oyTz7DoiILSjrO51ntl8g
 KmIb8Q9W74xV6VFIJ4m8rH04MKFpIlzUDq660JYQIGtOUFugSfg7aLVU/0j4WKKE
 KfAfg93wYTKKd+JgRFy4FZPriem7HvlUSi2VKffdrrUF/PX35X74iKdPQoEADZi8
 KkMZULDtyQ6ZOu2hiDpArjo5hDadKM314Z65VnM11hjiEhmTF3IyGBllb0qBIk0L
 nBVHuMYmiqBNJEbaqHLqIju8/RvFlYV+AMISeA7B68knbJcao13ogtDpuJ4hpgCj
 j2B1n0NWMcju0gteu1sfsIaQbWHevH2vgl5LJDCNtUJN/NoWB2Uov27wEvsongwY
 3du40TnM+5ejwf4r8D3wX+JpVCAhfr3Oc0knw14nRqFPAe1E7DNURJ8xfEV9iPRA
 swo6qoh7IIxNETUG1rywRExNt6tHsojx0Wb0I0IB7CnWRK9F6oNRp0S4kVgp+Jeh
 a9NGXFK2hn8qBD/rpUPsj/OdkiBN+C7Ai07rCNez+IKdnUfXkOJqLCOyeUwC9WPl
 uFPB9RnnghYM4xhMWf8XvSLOOk/vgPxiqR5ANLObsbkCDQRnKRLhARAAuh+b2Oxj
 9q+RRZ+pkDVf/M6P01yDmDhwtYHzi/LW8PFHC6iQlzMReyv1R5n3uCEpAZ++mdUe
 Cgo2TmFnYdpmxEgdaMIW98uqe4fuHhoXU2Mh4eiN7jyJvXQCsijCDYzifoj03HY7
 nTVjw4+BSSu9kA3/vEqU9A5YjG01MmVSMaIaTrqZqsnypK6r2exJa7YVRYwRqpLY
 C5ksikDVK9ftdfhjnsnYGS4pYyfMNSHY1KBMpHjT7wEkM+KZ2WRpjTZZ7nP9u4Lf
 fJMKgcclRgf+13CeSaJfVIhjJlxGVLkloE8XJbOeh2vkK257e9BenEFgQnyLCpGJ
 8YNsnsJVhxU1aA62dT7jmnOVMBhnGoNhMyzzfvUw0REz2VbpZBkiwZRfZ9MWUBsy
 bneH8NwzZMQQLCc/yo/jnPrmDS+tgl4CXGzBtpxPUZSMuY4tHZZ2vBb0zcfhY7P1
 CrHuylXLFzkOO/XRP3w1F8I1UqJCjdTKjdjCDF/VWtedHee1iEsSHxPGH8fHp4Qp
 rBDDwZ4NnfilYNHMDWm6U1bzhX2ynqcGArQSd1Ny/oL7JzE1qoH/nNrwVvOSSNWF
 UTXFXeLy+SOXJdFJpGP+/wV+gYfyczoUP6vmCdK1Hs15WQvKzyP/nmLS5uLilfxV
 KrxZDI6SNrS4f/XkHcGnYByFKUhq5gVN0ZcAEQEAAYkEcgQYAQgAJhYhBGjSGCM0
 KhNoOus+TvtMaFtdwcE+BQJnKRLhAhsCBQkDwmcAAkAJEPtMaFtdwcE+wXQgBBkB
 CAAdFiEEcgDrLD9eSIRjwM6ezcroySfGvjEFAmcpEuEACgkQzcroySfGvjExiQ//
 TKQ2Ci+sqNSVIcwg/k0Go1i4cA7lhKNdYRBCaIThB9jMqNg2zgPzgELBcaVJL8xw
 0E2x2ZvBejM4X+eTrmkdufcxHR8B/zBF8oPlD2pgs/zZmZEO1gq4Cdab7yIoVNNr
 foCZShxOCPR2wIixcYZtt5f7Z3zSXqkjIec6sTOedT75ZXrpQbvINeUkvOJfMCOi
 ailauvDfv8k5iJUVbP+Dx1vOc88bvewVJcbLID4HIRr/PS+k1D10zGbnF71TnxGZ
 r7anMZCSFCHJ5WV+BSwHHKtxRy+bJ1x9ML45Jcr1anTXeaHIeSKNzFBigJQSgHv0
 euegkD3Rmw+IcxNb4l536selaNR0UAwx1DC1qpjBtnE9/pXdTEsZQxq9kMrj0d+f
 VKFjOKADVIpkx7o0dZ1jmbUmdjQVyGDgHE+Emgdd726/2ftWriW2uPeUC6YZiqbt
 vBnCnwF+aV6P1nrE0BWJchLyBjDCe5Y2oXBAYF6xwpDPfMPr4oscqzPV4TWVULBi
 brtRWgSxmvinIGFx9T9wQCVfX254dqBaAEhRMImoT/YP+6evRZKqQODRhI44OG7u
 V71IVAJ8BHEBN8hxvQM3WPs1fhwMBFCyGfr/x/U4/c78R9JhxkU9VwmMbLGQP7VP
 1QgfiHqZpHMk8ZUmQn6KLeurzWcnwPFkwgFPZED8OQOMXxAAio3DhWr5KDd3mICH
 ALNY0A2ipb/JH6LSHxu0S3MLa/bF6PbqRY1+fKMT/cFVxln99rNUrX+hDRbc7qbh
 KkxvGmcnXnkcTHah9bfUghEanlKkBr1g1ik3zgEnpO/x3+X39Ov+ge92MDawV0nq
 k9R/9tS+ZD/ph72Q9kx3ZfVNSL0eWxjuwBzFW0Zwh5TAX4raSmyQCmAXi05O3YmN
 iq4arSUg5oAOMRZ+d96DsrAS4Sdtlx6/CuKTBzEaGPQLQ9wJNB0Vmd/eQWTP99KY
 cAdIwj5BJ5P0Z7+xhsVjQOntn4otnP6vN6RuDtYrS6M7TCN/ZeKCvN/G0nRac4D+
 IJX3CYYtYXgaoDuoetUWtc7O5PzHRETaBt/46ob2lzf6cT5QyVujTfz+i0rGEc63
 pvXK8mV+K7BFY/DHpdEhl1pDw2YYLbBmUthQWdsL6/TVvpMe/wZadvJ/by3AeRzQ
 eusUucuSo9UNN7Yj8u3dRhxNgsSiU96A/SFlAoB5s3Onh5K4WEVCBu/INjdi+r2B
 LJePSnA3I7VkRE9Haf1D28jtBzm3Xbft2rs3lO18FcCqw6kd7Ih3e0tZ8uUG9UDv
 qTDHTUHLAWvwrq38gKKAu2RMaU06A5kR87RcQiizxOwBIwiHuUWMU4/Hyx6fXsOD
 hEs0O6AFDarNDZGee2amKTAyZpG5Ag0EZykTxQEQAOwGV1boBD3vDLsoAT62nGxb
 SqXiBsObxnpWbNifOzM9BUGPOIpHsSH32PZGG/+LNjNdECfyyP1RysH5OT7j92Q8
 vgRQoG3X985gbOjYyZc0xvAkTSvWxOiy5CuF3X8sJ3NSerQDXwjP9qVqLVj/3FB8
 nka1HFS7KzC3Zo/kzCoxeZ3/hV3PTWIjcoJvtBSCKPZyOJxnRqWfi5BNJo3S2SR1
 mxV967zawXiZ8MeeBl6rLhOfCBtz9g+bqrXZYoenuMn5Js2mcH0haYeMSV3UWIC4
 kinzr1EJxs+L1/hVCVBNiiDc6DXcFXoz9ZVc9kjpZTOMoZVDkRkyOeen+5Sya9wK
 4teLmDLME4+pgeHCS/Wa4KrYyEWe7NpG1VTkSJnRS+fyYGTWtwEiuwT6J9U0t1d5
 hbxhM7YAhlnOEnNVmqa3Bq3yqJs9G/7gicZ7CIJ9JBHKTJzOnKfpGhxBSOgOoCOa
 WW6uVCzDqfrYPmCUIKQmanB441xJFGuHVPMLBjVjswoMKGkK3gM6KMRCDYQ53u6s
 FK+Jcl8HobBSezVIUKpKVX3IW9d506cE0FhSW/NvWJv0FIMVloyC2BpOjSWVgEwX
 tk/m3SKPsgCAcCqzi7xlloR8+E9C2xci9cdGG5faghgSjaP6j0qDww/slRPQJc5A
 DIeukkOYTCiSiDwQtblJABEBAAGJAjMEGAEIACcWIQRo0hgjNCoTaDrrPk77TGhb
 XcHBPgUCZykTxQMbIAQFCQPCZwAAADcWD/4qJRLn7TcMtRMF43Yn+dX+O13YrxBC
 T4n1QVmiPsGrUca4Vg1J+trV6IMsGrhktpiaV0qeL/km0h02m4gEDZKDyWWXdeWh
 EXFaTVy9yCpSXUWJl5gSXTSwxrqBWyWLlLLk4UT9l9sk5mMdy0JA8unobV4M/eXQ
 ggR11DL3ji7aO0hsqxyxXkJcawWjVGW5KL1EaoDKIJ/CwxOI5ipFueMIRQjQvw9A
 o/w2fq11qVXY9zknk6pFkp/RDHLes+wVHDtebZfJ9xV7Mb1mf/k03dT56GaA/U3E
 XvJ2FdgWR+zf+YMEa9MPDHYo2UNEvk9mOk247M8s+OeexdlkPgyKW5A8mtYuY/dR
 j8W6C4pLcMWa+d/vIUpm5Guw0F5q0AWk9/FbBe9HLztEevvRnuHXmfTZeto/nCAi
 Yg4pCj6p3JoN5CLebR8YtWm9AJBbX1kgVvqSU2VgwYIFsxBEz8Wu2h7z/eSCSeIg
 ARFbTlJ6cBrRkXCVyhbv0LPWWUfAUqiEtdGxrA4Xx/jKrI02JjRdW/bZkXjSka8K
 +cDlpcr9ixBWW5LkWsOdiL8jExfTGw25FA7Wd1HiHnBv36Mu/zb+0/I63d+fLq93
 e3lmmVx9qQF8p5Okf4ojY9YoIHVkLS7t9AgFjm/ucmpEGbXxyPk2Cr3l+b5R41x3
 dBW9kxiuWpZN3Q==
 =iuRK
 -----END PGP PUBLIC KEY BLOCK-----
--- a/SPECS/libsepol.spec
+++ b/SPECS/libsepol.spec
@ -1,148 +1,173 @@
-Summary: SELinux binary policy manipulation library
+* Thu Jan 30 2025 Petr Lautrbach <lautrbach@redhat.com> - 3.8-1
-Name: libsepol
+- SELinux userspace 3.8 release
 Version: 2.9
 Release: 3%{?dist}
 License: LGPLv2+
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/libsepol-2.9.tar.gz
 Patch0001: 0001-libsepol-cil-Fix-out-of-bound-read-of-file-context-p.patch
 Patch0002: 0002-libsepol-cil-Destroy-classperms-list-when-resetting-.patch
 Patch0003: 0003-libsepol-cil-Destroy-classperm-list-when-resetting-m.patch
 Patch0004: 0004-libsepol-cil-cil_reset_classperms_set-should-not-res.patch
 Patch0005: 0005-libsepol-cil-Set-class-field-to-NULL-when-resetting-.patch
 Patch0006: 0006-libsepol-cil-More-strict-verification-of-constraint-.patch
 Patch0007: 0007-libsepol-cil-Exit-with-an-error-if-declaration-name-.patch
 Patch0008: 0008-libsepol-cil-Allow-permission-expressions-when-using.patch
 Patch0009: 0009-libsepol-cil-Reorder-checks-for-invalid-rules-when-b.patch
 Patch0010: 0010-libsepol-cil-Cleanup-build-AST-helper-functions.patch
 Patch0011: 0011-libsepol-cil-Create-new-first-child-helper-function-.patch
 Patch0012: 0012-libsepol-cil-Remove-unused-field-from-struct-cil_arg.patch
 Patch0013: 0013-libsepol-cil-Destroy-disabled-optional-blocks-after-.patch
 Patch0014: 0014-libsepol-cil-Check-if-name-is-a-macro-parameter-firs.patch
 Patch0015: 0015-libsepol-cil-fix-NULL-pointer-dereference-in-__cil_i.patch
 Patch0016: 0016-libsepol-cil-Report-disabling-an-optional-block-only.patch
 Patch0017: 0017-libsepol-cil-Use-AST-to-track-blocks-and-optionals-w.patch
 Patch0018: 0018-libsepol-cil-Reorder-checks-for-invalid-rules-when-r.patch
 Patch0019: 0019-libsepol-cil-Sync-checks-for-invalid-rules-in-boolea.patch
 Patch0020: 0020-libsepol-cil-Check-for-statements-not-allowed-in-opt.patch
 URL: https://github.com/SELinuxProject/selinux/wiki
 BuildRequires: gcc
 BuildRequires: flex
-%description
+* Wed Dec 18 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc3.1
-Security-enhanced Linux is a feature of the Linux® kernel and a number
+- SELinux userspace 3.8-rc3 release
 of utilities with enhanced security functionality designed to add
 mandatory access controls to Linux.  The Security-enhanced Linux
 kernel contains new architectural components originally developed to
 improve the security of the Flask operating system. These
 architectural components provide general support for the enforcement
 of many kinds of mandatory access control policies, including those
 based on the concepts of Type Enforcement®, Role-based Access
 Control, and Multi-level Security.
-libsepol provides an API for the manipulation of SELinux binary policies.
+* Thu Dec 05 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.8-0.rc1.1
-It is used by checkpolicy (the policy compiler) and similar tools, as well
+- SELinux userspace 3.8-rc1 release
 as by programs like load_policy that need to perform specific transformations
 on binary policies such as customizing policy boolean settings.
-%package devel
+* Tue Nov 12 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-4
-Summary: Header files and libraries used to build policy manipulation tools
+- cil: Check that sym_index is within bounds (RHEL-34823)
-Requires: %{name}%{?_isa} = %{version}-%{release}
+- cil: Initialize avtab_datum on declaration (RHEL-34810)
 - mls: Do not destroy context on memory error (RHEL-34810)
 - cil/cil_post: Initialize tmp on declaration (RHEL-34810)
 - Initialize "strs" on declaration (RHEL-34810)
-%description devel
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 3.7-3
-The libsepol-devel package contains the libraries and header files
+- Bump release for October 2024 mass rebuild (RHEL-64018)
 needed for developing applications that manipulate binary policies. 
-%package static
+* Fri Aug 09 2024 Vit Mojzis <vmojzis@redhat.com> - 3.7-2
-Summary: static libraries used to build policy manipulation tools
+- sepol_compute_sid: Do not destroy uninitialized context (RHEL-34808)
 Requires: %{name}-devel%{?_isa} = %{version}-%{release}
-%description static
+* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
-The libsepol-static package contains the static libraries and header files
+- SELinux userspace 3.7 release
 needed for developing applications that manipulate binary policies. 
-%prep
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-4
-%autosetup -p 2 -n libsepol-%{version}
+- Bump release for June 2024 mass rebuild
-# sparc64 is an -fPIC arch, so we need to fix it here
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-3
-%ifarch sparc64
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 sed -i 's/fpic/fPIC/g' src/Makefile
 %endif
-%build
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.6-2
-make clean
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 make %{?_smp_mflags} CFLAGS="%{optflags}" LDFLAGS="%{?__global_ldflags}"
-%install
+* Thu Dec 14 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-1
-mkdir -p ${RPM_BUILD_ROOT}/%{_lib} 
+- SELinux userspace 3.6 release
 mkdir -p ${RPM_BUILD_ROOT}/%{_libdir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_bindir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8
 make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" install
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolbools
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolusers
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
-%post
+* Thu Nov 23 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc2.1
-/sbin/ldconfig
+- SELinux userspace 3.6-rc2 release
 exit 0
-%postun -p /sbin/ldconfig
+* Fri Nov 10 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.6-0.rc1.1
 - SELinux userspace 3.6-rc1 release
-%files static
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-2
-%{_libdir}/libsepol.a
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
-%files devel
+* Fri Feb 24 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-1
-%{_libdir}/libsepol.so
+- SELinux userspace 3.5 release
 %{_libdir}/pkgconfig/libsepol.pc
 %{_includedir}/sepol/*.h
 %{_mandir}/man3/*.3.gz
 %dir %{_includedir}/sepol
 %dir %{_includedir}/sepol/policydb
 %{_includedir}/sepol/policydb/*.h
 %dir %{_includedir}/sepol/cil
 %{_includedir}/sepol/cil/*.h
-%files
+* Mon Feb 13 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc3.1
-%{!?_licensedir:%global license %%doc}
+- SELinux userspace 3.5-rc3 release
 %license COPYING
 %{_libdir}/libsepol.so.1
-%changelog
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.5-0.rc2.1.1
-* Wed Aug 18 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 - cil: Fix out-of-bound read of file context pattern ending with "\"
 - cil: Destroy classperms list when resetting classpermission (#1983517)
 - cil: Destroy classperm list when resetting map perms (#1983521)
 - cil: cil_reset_classperms_set() should not reset classpermission (#1983525)
 - cil: Set class field to NULL when resetting struct cil_classperms
 - cil: More strict verification of constraint leaf expressions
 - cil: Exit with an error if declaration name is a reserved word
 - cil: Allow permission expressions when using map classes
 - cil: Reorder checks for invalid rules when building AST
 - cil: Cleanup build AST helper functions
 - cil: Create new first child helper function for building AST
 - cil: Remove unused field from struct cil_args_resolve
 - cil: Destroy disabled optional blocks after pass is complete
 - cil: Check if name is a macro parameter first
 - cil: fix NULL pointer dereference in __cil_insert_name
 - cil: Report disabling an optional block only at high verbose levels
 - cil: Use AST to track blocks and optionals when resolving
 - cil: Reorder checks for invalid rules when resolving AST
 - cil: Sync checks for invalid rules in booleanifs
 - cil: Check for statements not allowed in optional blocks (#1983530)
-* Wed Jan 06 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-2
+* Mon Jan 16 2023 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc2.1
- Drop unnecessary telinit (#1838257)
+- SELinux userspace 3.5-rc2 release
 * Fri Dec 23 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.5-0.rc1.1
 - SELinux userspace 3.5-rc1 release
 * Mon Nov 21 2022 Petr Lautrbach <lautrbach@redhat.com> - 3.4-4
 - Rebase on upstream f56a72ac9e86
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.4-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Wed May 25 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-2
 - rebuilt
 * Thu May 19 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-1
 - SELinux userspace 3.4 release
 * Tue May 10 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc3.1
 - SELinux userspace 3.4-rc3 release
 * Thu Apr 21 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc2.1
 - SELinux userspace 3.4-rc2 release
 * Tue Apr 12 2022 Petr Lautrbach <plautrba@redhat.com> - 3.4-0.rc1.1
 - SELinux userspace 3.4-rc1 release
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Thu Nov 11 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
 - Use correct libdir in libsepol.pc (#2018492)
 * Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
 - SELinux userspace 3.3 release
 * Thu Oct  7 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
 - SELinux userspace 3.3-rc3 release
 * Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
 - SELinux userspace 3.3-rc2 release
 * Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
 - Rebase on upstream commit 32611aea6543
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
 - SELinux userspace 3.2 release
 * Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
 - SELinux userspace 3.2-rc2 release
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
 - SELinux userspace 3.2-rc1 release
 * Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
 - Drop and obsolete libsepol-compat subpackage
 - cil: Give error for more than one true or false block
 * Fri Oct 23 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
 - Drop deprecated functions and duplicated symbols
 - Dange library version to libsepol.so.2
 - temporary ship -compat with libsepol.so.1
 - Re-enable LTO flags
 * Mon Jul 27 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-3
 - Disable LTO cflags
 - Drop telinit from % post sciptlet
 * Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 - Use set_build_flags and -fno-semantic-interposition
 * Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
 - SELinux userspace 3.1 release
 * Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Jan 28 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-2
 - Fix -fno-common issues discovered by GCC 10
 * Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
 - SELinux userspace 3.0 release
 * Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc.1
 - SELinux userspace 3.0-rc1 release
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
 - SELinux userspace 2.9 release
-* Mon Nov  5 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-2
+* Wed Mar  6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
 - SELinux userspace 2.9-rc2 release
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
 - SELinux userspace 2.9-rc1 release
 * Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
 - Fix RESOURCE_LEAK coverity scan defects
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri May 25 2018 Petr Lautrbach <plautrba@workstation> - 2.8-1
 - SELinux userspace 2.8 release
@ -1317,5 +1342,3 @@ Resolves: #555835
 * Tue Aug 10 2004 Dan Walsh <dwalsh@redhat.com> 0.3.1-1
 - Initial version
 - Created by Stephen Smalley <sds@epoch.ncsc.mil>
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/libsepol.spec
+++ b/libsepol.spec
@ -0,0 +1,113 @@
 Summary: SELinux binary policy manipulation library
 Name: libsepol
 Version: 3.8
 Release: 1%{?dist}
 License: LGPL-2.1-or-later
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libsepol-%{version}.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libsepol-%{version}.tar.gz.asc
 Source2: https://github.com/bachradsusi.gpg
 URL: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
 # $ git format-patch -N libsepol-3.8 -- libsepol
 # $ i=1; for j in 0*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 # Patch list end
 BuildRequires: make
 BuildRequires: gcc
 BuildRequires: flex
 BuildRequires: gnupg2
 Obsoletes: %{name}-compat = 3.1-4
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
 of utilities with enhanced security functionality designed to add
 mandatory access controls to Linux.  The Security-enhanced Linux
 kernel contains new architectural components originally developed to
 improve the security of the Flask operating system. These
 architectural components provide general support for the enforcement
 of many kinds of mandatory access control policies, including those
 based on the concepts of Type Enforcement®, Role-based Access
 Control, and Multi-level Security.
 libsepol provides an API for the manipulation of SELinux binary policies.
 It is used by checkpolicy (the policy compiler) and similar tools, as well
 as by programs like load_policy that need to perform specific transformations
 on binary policies such as customizing policy boolean settings.
 %package devel
 Summary: Header files and libraries used to build policy manipulation tools
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description devel
 The libsepol-devel package contains the libraries and header files
 needed for developing applications that manipulate binary policies. 
 %package static
 Summary: static libraries used to build policy manipulation tools
 Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 %description static
 The libsepol-static package contains the static libraries and header files
 needed for developing applications that manipulate binary policies. 
 %package utils
 Summary: SELinux libsepol utilities
 Requires: %{name}%{?_isa} = %{version}-%{release}
 %description utils
 The libsepol-utils package contains the utilities
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p 2 -n libsepol-%{version}
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
 %endif
 %build
 %set_build_flags
 CFLAGS="$CFLAGS -fno-semantic-interposition"
 %make_build LIBDIR="%{_libdir}"
 %install
 mkdir -p ${RPM_BUILD_ROOT}%{_libdir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_bindir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8
 %make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8/gen*
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 %files static
 %{_libdir}/libsepol.a
 %files devel
 %{_libdir}/libsepol.so
 %{_libdir}/pkgconfig/libsepol.pc
 %{_includedir}/sepol/*.h
 %{_mandir}/man3/*.3.gz
 %dir %{_includedir}/sepol
 %dir %{_includedir}/sepol/policydb
 %{_includedir}/sepol/policydb/*.h
 %dir %{_includedir}/sepol/cil
 %{_includedir}/sepol/cil/*.h
 %files
 %license LICENSE
 %{_libdir}/libsepol.so.2
 %files utils
 %{_bindir}/chkcon
 %{_bindir}/sepol_check_access
 %{_bindir}/sepol_compute_av
 %{_bindir}/sepol_compute_member
 %{_bindir}/sepol_compute_relabel
 %{_bindir}/sepol_validate_transition
 %{_mandir}/man8/chkcon.8.gz
 %changelog
 %autochangelog
--- a/plans/selinux.fmf
+++ b/plans/selinux.fmf
@ -0,0 +1,7 @@
 summary: selinux tests - Tier 1 | libsepol
 discover:
    how: fmf
    url: https://src.fedoraproject.org/tests/selinux
    filter: "tier: 1 | component: libsepol"
 execute:
    how: tmt
--- a/2
+++ b/2
@ -0,0 +1,2 @@
 SHA512 (libsepol-3.8.tar.gz) = 06da9bac1075b54177c3237994f3db0f9a50e16a363874df7ba11a52084bce4af9623ecfc1db1779b555dee6aab62fbfbf1cd03cf5760bd00f74ea5775897e09
 SHA512 (libsepol-3.8.tar.gz.asc) = 36577f49921e6f9bef92a5cbb7028c1ad59e8c59ce24cdcab0482e11e85150304e38ec48f488d8e78bdb611d93fa3298677b6050307c933e99cefcab6b46099a
		`@ -1 +0,0 @@`
			`b2447a0b2ea8dd45737535c3e407c950f16dcca5 SOURCES/libsepol-2.9.tar.gz`
		`@ -0,0 +1,2 @@`
							`SHA512 (libsepol-3.8.tar.gz) = 06da9bac1075b54177c3237994f3db0f9a50e16a363874df7ba11a52084bce4af9623ecfc1db1779b555dee6aab62fbfbf1cd03cf5760bd00f74ea5775897e09`
							`SHA512 (libsepol-3.8.tar.gz.asc) = 36577f49921e6f9bef92a5cbb7028c1ad59e8c59ce24cdcab0482e11e85150304e38ec48f488d8e78bdb611d93fa3298677b6050307c933e99cefcab6b46099a`