diff --git a/.checkpolicy.metadata b/.checkpolicy.metadata
index 65fa1fd..5c8e70c 100644
--- a/.checkpolicy.metadata
+++ b/.checkpolicy.metadata
@@ -1 +1 @@
-d0cd01d4f3a775f9c93ceb26e13b33cc84f344e6 SOURCES/checkpolicy-2.1.12.tgz
+730c4a8848e33f5033e3f906f7a8944f52f82989 SOURCES/checkpolicy-2.5.tar.gz
diff --git a/.gitignore b/.gitignore
index 058522e..c4e105f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/checkpolicy-2.1.12.tgz
+SOURCES/checkpolicy-2.5.tar.gz
diff --git a/SOURCES/checkpolicy-rhat.patch b/SOURCES/checkpolicy-rhat.patch
deleted file mode 100644
index e5759bf..0000000
--- a/SOURCES/checkpolicy-rhat.patch
+++ /dev/null
@@ -1,92 +0,0 @@
-diff --git a/checkpolicy/checkmodule.8 b/checkpolicy/checkmodule.8
-index 40f73c5..2a7ab5c 100644
---- a/checkpolicy/checkmodule.8
-+++ b/checkpolicy/checkmodule.8
-@@ -3,7 +3,7 @@
- checkmodule \- SELinux policy module compiler
- .SH SYNOPSIS
- .B checkmodule
--.I "[-h] [-b] [-m] [-M] [-U handle_unknown ] [-V] [-o output_file] [input_file]"
-+.I "[\-h] [\-b] [\-m] [\-M] [\-U handle_unknown ] [\-V] [\-o output_file] [input_file]"
- .SH "DESCRIPTION"
- This manual page describes the
- .BR checkmodule
-@@ -12,7 +12,7 @@ command.
- .B checkmodule
- is a program that checks and compiles a SELinux security policy module
- into a binary representation.  It can generate either a base policy
--module (default) or a non-base policy module (-m option); typically,
-+module (default) or a non-base policy module (\-m option); typically,
- you would build a non-base policy module to add to an existing module
- store that already has a base module provided by the base policy.  Use
- semodule_package to combine this module with its optional file
-@@ -48,7 +48,7 @@ Specify how the kernel should handle unknown classes or permissions (deny, allow
- .SH EXAMPLE
- .nf
- # Build a MLS/MCS-enabled non-base policy module.
--$ checkmodule -M -m httpd.te -o httpd.mod
-+$ checkmodule \-M \-m httpd.te \-o httpd.mod
- .fi
- 
- .SH "SEE ALSO"
-diff --git a/checkpolicy/checkpolicy.8 b/checkpolicy/checkpolicy.8
-index 6826938..0086bdc 100644
---- a/checkpolicy/checkpolicy.8
-+++ b/checkpolicy/checkpolicy.8
-@@ -3,7 +3,7 @@
- checkpolicy \- SELinux policy compiler
- .SH SYNOPSIS
- .B checkpolicy
--.I "[-b] [-d] [-M] [-c policyvers] [-o output_file] [input_file]"
-+.I "[\-b] [\-d] [\-M] [\-c policyvers] [\-o output_file] [input_file]"
- .br
- .SH "DESCRIPTION"
- This manual page describes the
-@@ -14,7 +14,7 @@ command.
- is a program that checks and compiles a SELinux security policy configuration
- into a binary representation that can be loaded into the kernel.  If no 
- input file name is specified, checkpolicy will attempt to read from
--policy.conf or policy, depending on whether the -b flag is specified.
-+policy.conf or policy, depending on whether the \-b flag is specified.
- 
- .SH OPTIONS
- .TP
-diff --git a/checkpolicy/checkpolicy.c b/checkpolicy/checkpolicy.c
-index 544f235..292f568 100644
---- a/checkpolicy/checkpolicy.c
-+++ b/checkpolicy/checkpolicy.c
-@@ -402,7 +402,7 @@ int main(int argc, char **argv)
- 		{"binary", no_argument, NULL, 'b'},
- 		{"debug", no_argument, NULL, 'd'},
- 		{"version", no_argument, NULL, 'V'},
--		{"handle-unknown", optional_argument, NULL, 'U'},
-+		{"handle-unknown", required_argument, NULL, 'U'},
- 		{"mls", no_argument, NULL, 'M'},
- 		{"help", no_argument, NULL, 'h'},
- 		{NULL, 0, NULL, 0}
-diff --git a/checkpolicy/policy_scan.l b/checkpolicy/policy_scan.l
-index bba7667..ab046cc 100644
---- a/checkpolicy/policy_scan.l
-+++ b/checkpolicy/policy_scan.l
-@@ -240,7 +240,7 @@ HIGH				{ return(HIGH); }
- low |
- LOW				{ return(LOW); }
- "/"({alnum}|[_\.\-/])*	        { return(PATH); }
--\"({alnum}|[_\.\-\+\~])+\"	{ return(FILENAME); }
-+\"({alnum}|[_\.\-\+\~\: ])+\"	{ return(FILENAME); }
- {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
- {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
- {digit}+|0x{hexval}+            { return(NUMBER); }
-diff --git a/checkpolicy/test/Makefile b/checkpolicy/test/Makefile
-index 0731e89..63b4d24 100644
---- a/checkpolicy/test/Makefile
-+++ b/checkpolicy/test/Makefile
-@@ -3,7 +3,7 @@
- #
- PREFIX ?= $(DESTDIR)/usr
- BINDIR=$(PREFIX)/bin
--LIBDIR=$(PREFIX)/lib
-+LIBDIR ?= $(PREFIX)/lib
- INCLUDEDIR ?= $(PREFIX)/include
- 
- CFLAGS ?= -g -Wall -W -Werror -O2 -pipe
diff --git a/SOURCES/checkpolicy-rhel.patch b/SOURCES/checkpolicy-rhel.patch
new file mode 100644
index 0000000..4b922a1
--- /dev/null
+++ b/SOURCES/checkpolicy-rhel.patch
@@ -0,0 +1,198 @@
+diff --git checkpolicy-2.5/Android.mk checkpolicy-2.5/Android.mk
+index 98f5168..3b7ff8a 100644
+--- checkpolicy-2.5/Android.mk
++++ checkpolicy-2.5/Android.mk
+@@ -12,10 +12,6 @@ common_cflags := \
+ 	-Wall -Wshadow -O2 \
+ 	-pipe -fno-strict-aliasing \
+ 
+-ifeq ($(HOST_OS),darwin)
+-common_cflags += -DDARWIN
+-endif
+-
+ common_includes := \
+ 	$(LOCAL_PATH)/ \
+ 	$(LOCAL_PATH)/../libsepol/include/ \
+diff --git checkpolicy-2.5/ChangeLog checkpolicy-2.5/ChangeLog
+index dfe4908..f2216ec 100644
+--- checkpolicy-2.5/ChangeLog
++++ checkpolicy-2.5/ChangeLog
+@@ -1,3 +1,11 @@
++	* Extend checkpolicy pathname matching, from Stephen Smalley.
++	* Fix typos in test/dispol, from Petr Lautrbach.
++	* Set flex as default lexer, from Julien Pivotto.
++	* Fix checkmodule output message, from Petr Lautrbach.
++	* Build policy on systems not supporting DCCP protocol, from Richard Haines.
++	* Fail if module name different than output base filename, from James Carter
++	* Add support for portcon dccp protocol, from Richard Haines
++
+ 2.5 2016-02-23
+ 	* Add neverallow support for ioctl extended permissions, from Jeff Vander Stoep.
+ 	* fix double free on name-based type transitions, from Stephen Smalley.
+diff --git checkpolicy-2.5/Makefile checkpolicy-2.5/Makefile
+index e5fae3d..53a3074 100644
+--- checkpolicy-2.5/Makefile
++++ checkpolicy-2.5/Makefile
+@@ -8,6 +8,7 @@ LIBDIR ?= $(PREFIX)/lib
+ INCLUDEDIR ?= $(PREFIX)/include
+ TARGETS = checkpolicy checkmodule
+ 
++LEX = flex
+ YACC = bison -y
+ 
+ CFLAGS ?= -g -Wall -Werror -Wshadow -O2 -pipe -fno-strict-aliasing
+diff --git checkpolicy-2.5/checkmodule.c checkpolicy-2.5/checkmodule.c
+index 5957d29..53cc5a0 100644
+--- checkpolicy-2.5/checkmodule.c
++++ checkpolicy-2.5/checkmodule.c
+@@ -19,6 +19,7 @@
+ #include <stdio.h>
+ #include <errno.h>
+ #include <sys/mman.h>
++#include <libgen.h>
+ 
+ #include <sepol/module_to_cil.h>
+ #include <sepol/policydb/policydb.h>
+@@ -258,6 +259,25 @@ int main(int argc, char **argv)
+ 		}
+ 	}
+ 
++	if (policy_type != POLICY_BASE && outfile) {
++		char *mod_name = modpolicydb.name;
++		char *out_path = strdup(outfile);
++		if (out_path == NULL) {
++			fprintf(stderr, "%s:  out of memory\n", argv[0]);
++			exit(1);
++		}
++		char *out_name = basename(out_path);
++		char *separator = strrchr(out_name, '.');
++		if (separator) {
++			*separator = '\0';
++		}
++		if (strcmp(mod_name, out_name) != 0) {
++			fprintf(stderr,	"%s:  Module name %s is different than the output base filename %s\n", argv[0], mod_name, out_name);
++			exit(1);
++		}
++		free(out_path);
++	}
++
+ 	if (modpolicydb.policy_type == POLICY_BASE && !cil) {
+ 		/* Verify that we can successfully expand the base module. */
+ 		policydb_t kernpolicydb;
+@@ -294,7 +314,7 @@ int main(int argc, char **argv)
+ 
+ 		if (!cil) {
+ 			printf("%s:  writing binary representation (version %d) to %s\n",
+-				   argv[0], policyvers, file);
++				   argv[0], policyvers, outfile);
+ 
+ 			if (write_binary_policy(&modpolicydb, outfp) != 0) {
+ 				fprintf(stderr, "%s:  error writing %s\n", argv[0], outfile);
+diff --git checkpolicy-2.5/checkpolicy.c checkpolicy-2.5/checkpolicy.c
+index 9da661e..2d68316 100644
+--- checkpolicy-2.5/checkpolicy.c
++++ checkpolicy-2.5/checkpolicy.c
+@@ -64,13 +64,16 @@
+ #include <sys/stat.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
+ #include <arpa/inet.h>
+ #include <fcntl.h>
+ #include <stdio.h>
+ #include <errno.h>
+ #include <sys/mman.h>
+ 
+-#ifdef DARWIN
++#ifdef __APPLE__
+ #include <ctype.h>
+ #endif
+ 
+@@ -919,6 +922,8 @@ int main(int argc, char **argv)
+ 				protocol = IPPROTO_TCP;
+ 			else if (!strcmp(ans, "udp") || !strcmp(ans, "UDP"))
+ 				protocol = IPPROTO_UDP;
++			else if (!strcmp(ans, "dccp") || !strcmp(ans, "DCCP"))
++				protocol = IPPROTO_DCCP;
+ 			else {
+ 				printf("unknown protocol\n");
+ 				break;
+diff --git checkpolicy-2.5/policy_define.c checkpolicy-2.5/policy_define.c
+index ee20fea..100e517 100644
+--- checkpolicy-2.5/policy_define.c
++++ checkpolicy-2.5/policy_define.c
+@@ -36,6 +36,9 @@
+ #include <string.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
++#ifndef IPPROTO_DCCP
++#define IPPROTO_DCCP 33
++#endif
+ #include <arpa/inet.h>
+ #include <stdlib.h>
+ #include <limits.h>
+@@ -4876,6 +4879,8 @@ int define_port_context(unsigned int low, unsigned int high)
+ 		protocol = IPPROTO_TCP;
+ 	} else if ((strcmp(id, "udp") == 0) || (strcmp(id, "UDP") == 0)) {
+ 		protocol = IPPROTO_UDP;
++	} else if ((strcmp(id, "dccp") == 0) || (strcmp(id, "DCCP") == 0)) {
++		protocol = IPPROTO_DCCP;
+ 	} else {
+ 		yyerror2("unrecognized protocol %s", id);
+ 		free(newc);
+@@ -5135,7 +5140,7 @@ int define_ipv6_node_context(void)
+ 
+ 	memset(newc, 0, sizeof(ocontext_t));
+ 
+-#ifdef DARWIN
++#ifdef __APPLE__
+ 	memcpy(&newc->u.node6.addr[0], &addr.s6_addr[0], 16);
+ 	memcpy(&newc->u.node6.mask[0], &mask.s6_addr[0], 16);
+ #else
+diff --git checkpolicy-2.5/policy_scan.l checkpolicy-2.5/policy_scan.l
+index 22da338..2f7f221 100644
+--- checkpolicy-2.5/policy_scan.l
++++ checkpolicy-2.5/policy_scan.l
+@@ -249,9 +249,9 @@ high |
+ HIGH				{ return(HIGH); }
+ low |
+ LOW				{ return(LOW); }
+-"/"({alnum}|[_\.\-/])*	        { return(PATH); }
+-\""/"[ !#-~]*\" 		{ return(QPATH); }
+-\"({alnum}|[_\.\-\+\~\: ])+\"	{ return(FILENAME); }
++"/"[^ \n\r\t\f]*	        { return(PATH); }
++\""/"[^\"\n]*\" 		{ return(QPATH); }
++\"[^"/"\"\n]+\"	{ return(FILENAME); }
+ {letter}({alnum}|[_\-])*([\.]?({alnum}|[_\-]))*	{ return(IDENTIFIER); }
+ {digit}+|0x{hexval}+            { return(NUMBER); }
+ {alnum}*{letter}{alnum}*        { return(FILESYSTEM); }
+diff --git checkpolicy-2.5/test/dispol.c checkpolicy-2.5/test/dispol.c
+index 86f5688..a78ce81 100644
+--- checkpolicy-2.5/test/dispol.c
++++ checkpolicy-2.5/test/dispol.c
+@@ -252,11 +252,11 @@ int display_cond_expressions(policydb_t * p, FILE * fp)
+ int display_handle_unknown(policydb_t * p, FILE * out_fp)
+ {
+ 	if (p->handle_unknown == ALLOW_UNKNOWN)
+-		fprintf(out_fp, "Allow unknown classes and permisions\n");
++		fprintf(out_fp, "Allow unknown classes and permissions\n");
+ 	else if (p->handle_unknown == DENY_UNKNOWN)
+-		fprintf(out_fp, "Deny unknown classes and permisions\n");
++		fprintf(out_fp, "Deny unknown classes and permissions\n");
+ 	else if (p->handle_unknown == REJECT_UNKNOWN)
+-		fprintf(out_fp, "Reject unknown classes and permisions\n");
++		fprintf(out_fp, "Reject unknown classes and permissions\n");
+ 	return 0;
+ }
+ 
+@@ -349,7 +349,7 @@ int menu(void)
+ 	printf("\nSelect a command:\n");
+ 	printf("1)  display unconditional AVTAB\n");
+ 	printf("2)  display conditional AVTAB (entirely)\n");
+-	printf("3)  display conditional AVTAG (only ENABLED rules)\n");
++	printf("3)  display conditional AVTAB (only ENABLED rules)\n");
+ 	printf("4)  display conditional AVTAB (only DISABLED rules)\n");
+ 	printf("5)  display conditional bools\n");
+ 	printf("6)  display conditional expressions\n");
diff --git a/SPECS/checkpolicy.spec b/SPECS/checkpolicy.spec
index 40162a4..a8fa080 100644
--- a/SPECS/checkpolicy.spec
+++ b/SPECS/checkpolicy.spec
@@ -1,13 +1,14 @@
-%define libselinuxver 2.1.13-1
-%define libsepolver 2.1.9-1
+%define libselinuxver 2.5-5
+%define libsepolver 2.5-6
 Summary: SELinux policy compiler
 Name: checkpolicy
-Version: 2.1.12
-Release: 6%{?dist}
+Version: 2.5
+Release: 4%{?dist}
 License: GPLv2
 Group: Development/System
-Source: http://www.nsa.gov/selinux/archives/%{name}-%{version}.tgz
-Patch: checkpolicy-rhat.patch
+Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20160223/checkpolicy-2.5.tar.gz
+# HEAD e7ab0f8b86a3f6234f264d3bf98ccfb070ebaca7
+Patch1: checkpolicy-rhel.patch
 
 BuildRoot: %{_tmppath}/%{name}-buildroot
 BuildRequires: byacc bison flex flex-static libsepol-static >= %{libsepolver} libselinux-devel  >= %{libselinuxver} 
@@ -27,8 +28,8 @@ This package contains checkpolicy, the SELinux policy compiler.
 Only required for building policies. 
 
 %prep
-%setup -q
-%patch -p2 -b .rhat
+%setup -q -n checkpolicy-2.5
+%patch1 -p1 -b .rhel
 
 %build
 make clean
@@ -48,6 +49,8 @@ rm -rf ${RPM_BUILD_ROOT}
 
 %files
 %defattr(-,root,root)
+%{!?_licensedir:%global license %%doc}
+%license COPYING
 %{_bindir}/checkpolicy
 %{_bindir}/checkmodule
 %{_mandir}/man8/checkpolicy.8.gz
@@ -56,6 +59,22 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_bindir}/sedispol
 
 %changelog
+* Thu Aug 11 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-4
+- Extend checkpolicy pathname matching
+
+* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix typos in test/dispol
+- Set flex as default lexer
+- Fix checkmodule output message
+- Build policy on systems not supporting DCCP protocol
+- Fail if module name different than output base filename
+
+* Mon Apr 11 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-2
+- Add support for portcon dccp protocol
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.12-6
 - Mass rebuild 2014-01-24