diff --git a/SOURCES/libselinux-rhel.patch b/SOURCES/libselinux-rhel.patch
index 5a06f64..05d713d 100644
--- a/SOURCES/libselinux-rhel.patch
+++ b/SOURCES/libselinux-rhel.patch
@@ -494,6 +494,19 @@ index 0000000..fed6de8
 +func main() {
 +	selinux.Test()
 +}
+diff --git libselinux-2.5/include/selinux/av_permissions.h libselinux-2.5/include/selinux/av_permissions.h
+index c1269af..631f027 100644
+--- libselinux-2.5/include/selinux/av_permissions.h
++++ libselinux-2.5/include/selinux/av_permissions.h
+@@ -876,6 +876,8 @@
+ #define NSCD__SHMEMHOST                           0x00000080UL
+ #define NSCD__GETSERV                             0x00000100UL
+ #define NSCD__SHMEMSERV                           0x00000200UL
++#define NSCD__GETNETGRP                           0x00000400UL
++#define NSCD__SHMEMNETGRP                         0x00000800UL
+ #define ASSOCIATION__SENDTO                       0x00000001UL
+ #define ASSOCIATION__RECVFROM                     0x00000002UL
+ #define ASSOCIATION__SETCONTEXT                   0x00000004UL
 diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h
 index 2262086..3d8673f 100644
 --- libselinux-2.5/include/selinux/selinux.h
@@ -706,10 +719,98 @@ index d0021ae..d94163e 100644
  MAX_STACK_SIZE=32768
  
 diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c
-index 12745b3..abe1701 100644
+index 12745b3..7aca3f0 100644
 --- libselinux-2.5/src/audit2why.c
 +++ libselinux-2.5/src/audit2why.c
-@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
+@@ -206,7 +206,7 @@ static int __policy_init(const char *init_path)
+ 				 "unable to open %s:  %s\n",
+ 				 path, strerror(errno));
+ 			PyErr_SetString( PyExc_ValueError, errormsg);
+-			return 1;
++			return -1;
+ 		}
+ 	} else {
+ 		const char *curpolicy = selinux_current_policy_path();
+@@ -215,7 +215,7 @@ static int __policy_init(const char *init_path)
+ 			snprintf(errormsg, sizeof(errormsg),
+ 				 "You must specify the -p option with the path to the policy file.\n");
+ 			PyErr_SetString( PyExc_ValueError, errormsg);
+-			return 1;
++			return -1;
+ 		}
+ 		fp = fopen(curpolicy, "r");
+ 		if (!fp) {
+@@ -224,7 +224,7 @@ static int __policy_init(const char *init_path)
+ 				 curpolicy,
+ 				 strerror(errno));
+ 			PyErr_SetString( PyExc_ValueError, errormsg);
+-			return 1;
++			return -1;
+ 		}
+ 	}
+ 
+@@ -232,7 +232,7 @@ static int __policy_init(const char *init_path)
+ 	if (!avc) {
+ 		PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
+ 		fclose(fp);
+-		return 1;
++		return -1;
+ 	}
+ 
+ 	/* Set up a policydb directly so that we can mutate it later
+@@ -244,7 +244,7 @@ static int __policy_init(const char *init_path)
+ 			 "policydb_init failed: %s\n", strerror(errno));
+ 		PyErr_SetString( PyExc_RuntimeError, errormsg);
+ 		fclose(fp);
+-		return 1;
++		return -1;
+ 	}
+ 	sepol_policy_file_set_fp(pf, fp);	
+ 	if (sepol_policydb_read(avc->policydb, pf)) {
+@@ -252,7 +252,7 @@ static int __policy_init(const char *init_path)
+ 			 "invalid binary policy %s\n", path);
+ 		PyErr_SetString( PyExc_ValueError, errormsg);
+ 		fclose(fp);
+-		return 1;
++		return -1;
+ 	}
+ 	fclose(fp);
+ 	sepol_set_policydb(&avc->policydb->p);
+@@ -264,13 +264,13 @@ static int __policy_init(const char *init_path)
+ 			      avc->policydb, &cnt);
+ 	if (rc < 0) {
+ 		PyErr_SetString( PyExc_RuntimeError, "unable to get bool count\n");
+-		return 1;
++		return -1;
+ 	}
+ 
+ 	boollist = calloc(cnt, sizeof(*boollist));
+ 	if (!boollist) {
+ 		PyErr_SetString( PyExc_MemoryError, "Out of memory\n");
+-		return 1;
++		return -1;
+ 	}
+ 
+ 	sepol_bool_iterate(avc->handle, avc->policydb,
+@@ -282,7 +282,7 @@ static int __policy_init(const char *init_path)
+ 	if (rc < 0) {
+ 		PyErr_SetString( PyExc_RuntimeError, "unable to init sidtab\n");
+ 		free(boollist);
+-		return 1;
++		return -1;
+ 	}
+ 	sepol_set_sidtab(&sidtab);
+ 	return 0;
+@@ -298,6 +298,8 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
+   if (!PyArg_ParseTuple(args,(char *)"|s:policy_init",&init_path))
+     return NULL;
+   result = __policy_init(init_path);
++  if (result == -1)
++    return NULL;
+   return Py_BuildValue("i", result);
+ }
+ 
+@@ -343,8 +345,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
  	if (rc < 0)
  		RETURN(BADTCON)
  
@@ -720,7 +821,7 @@ index 12745b3..abe1701 100644
  		RETURN(BADTCLASS)
  
  	/* Convert the permission list to an AV. */
-@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
+@@ -365,8 +367,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
  		permstr = PyString_AsString( strObj );
  #endif
  		
@@ -747,6 +848,18 @@ index 9669264..c775430 100644
  	*sid = NULL;
  	hvalue = sidtab_hash(ctx);
  
+diff --git libselinux-2.5/src/booleans.c libselinux-2.5/src/booleans.c
+index 4b39a28..6a96b4a 100644
+--- libselinux-2.5/src/booleans.c
++++ libselinux-2.5/src/booleans.c
+@@ -53,6 +53,7 @@ int security_get_boolean_names(char ***names, int *len)
+ 	snprintf(path, sizeof path, "%s%s", selinux_mnt, SELINUX_BOOL_DIR);
+ 	*len = scandir(path, &namelist, &filename_select, alphasort);
+ 	if (*len <= 0) {
++		errno = ENOENT;
+ 		return -1;
+ 	}
+ 
 diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c
 index 7cf3139..364a746 100644
 --- libselinux-2.5/src/canonicalize_context.c
@@ -1076,7 +1189,7 @@ index 1d3b28a..ea6d70b 100644
  		char * ccontext = NULL;
  		int err = errno;
 diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c
-index 5b495a0..a2f2c3e 100644
+index 5b495a0..d92ed79 100644
 --- libselinux-2.5/src/matchpathcon.c
 +++ libselinux-2.5/src/matchpathcon.c
 @@ -2,6 +2,7 @@
@@ -1096,7 +1209,20 @@ index 5b495a0..a2f2c3e 100644
  	va_end(ap);
  }
  
-@@ -470,6 +471,17 @@ int selinux_file_context_verify(const char *path, mode_t mode)
+@@ -361,12 +362,6 @@ int realpath_not_final(const char *name, char *resolved_path)
+ 		goto out;
+ 	}
+ 
+-	/* strip leading // */
+-	while (tmp_path[len] && tmp_path[len] == '/' &&
+-	       tmp_path[len+1] && tmp_path[len+1] == '/') {
+-		tmp_path++;
+-		len++;
+-	}
+ 	last_component = strrchr(tmp_path, '/');
+ 
+ 	if (last_component == tmp_path) {
+@@ -470,6 +465,17 @@ int selinux_file_context_verify(const char *path, mode_t mode)
  	char * con = NULL;
  	char * fcontext = NULL;
  	int rc = 0;
@@ -1204,6 +1330,76 @@ index 46566f6..9b9145c 100644
      hidden_proto(selinux_systemd_contexts_path)
      hidden_proto(selinux_path)
      hidden_proto(selinux_check_passwd_access)
+diff --git libselinux-2.5/src/selinux_restorecon.c libselinux-2.5/src/selinux_restorecon.c
+index 17ed6fe..d2c2402 100644
+--- libselinux-2.5/src/selinux_restorecon.c
++++ libselinux-2.5/src/selinux_restorecon.c
+@@ -245,25 +245,41 @@ int selinux_restorecon(const char *pathname_orig,
+ 	 * realpath of containing dir, then appending last component name.
+ 	 */
+ 	if (userealpath) {
+-		pathbname = basename((char *)pathname_orig);
++		char *basename_cpy = strdup(pathname_orig);
++		if (!basename_cpy)
++			goto realpatherr;
++		pathbname = basename(basename_cpy);
+ 		if (!strcmp(pathbname, "/") || !strcmp(pathbname, ".") ||
+ 					    !strcmp(pathbname, "..")) {
+ 			pathname = realpath(pathname_orig, NULL);
+-			if (!pathname)
++			if (!pathname) {
++				free(basename_cpy);
+ 				goto realpatherr;
++			}
+ 		} else {
+-			pathdname = dirname((char *)pathname_orig);
++			char *dirname_cpy = strdup(pathname_orig);
++			if (!dirname_cpy) {
++				free(basename_cpy);
++				goto realpatherr;
++			}
++			pathdname = dirname(dirname_cpy);
+ 			pathdnamer = realpath(pathdname, NULL);
+-			if (!pathdnamer)
++			free(dirname_cpy);
++			if (!pathdnamer) {
++				free(basename_cpy);
+ 				goto realpatherr;
++			}
+ 			if (!strcmp(pathdnamer, "/"))
+ 				error = asprintf(&pathname, "/%s", pathbname);
+ 			else
+ 				error = asprintf(&pathname, "%s/%s",
+ 						    pathdnamer, pathbname);
+-			if (error < 0)
++			if (error < 0) {
++				free(basename_cpy);
+ 				goto oom;
++			}
+ 		}
++		free(basename_cpy);
+ 	} else {
+ 		pathname = strdup(pathname_orig);
+ 		if (!pathname)
+diff --git libselinux-2.5/src/selinuxswig_python.i libselinux-2.5/src/selinuxswig_python.i
+index 8cea18d..592d70c 100644
+--- libselinux-2.5/src/selinuxswig_python.i
++++ libselinux-2.5/src/selinuxswig_python.i
+@@ -23,7 +23,13 @@ def restorecon(path, recursive=False):
+     except OSError:
+         path = os.path.realpath(os.path.expanduser(path))
+         mode = os.lstat(path)[stat.ST_MODE]
+-        status, context = matchpathcon(path, mode)
++        try:
++            status, context = matchpathcon(path, mode)
++        except OSError as e:
++            # matchpathcon returns ENOENT when <<none>> in file context
++            if e.errno != errno.ENOENT:
++                raise
++            return
+ 
+     if status == 0:
+         try:
 diff --git libselinux-2.5/src/setexecfilecon.c libselinux-2.5/src/setexecfilecon.c
 index e72ba0d..9c821f8 100644
 --- libselinux-2.5/src/setexecfilecon.c
@@ -1274,6 +1470,19 @@ index cf7af52..8497cb4 100644
  LDLIBS += -L../src -lselinux -L$(LIBDIR)
  
  TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+diff --git libselinux-2.5/utils/matchpathcon.c libselinux-2.5/utils/matchpathcon.c
+index d1f1348..0288feb 100644
+--- libselinux-2.5/utils/matchpathcon.c
++++ libselinux-2.5/utils/matchpathcon.c
+@@ -15,7 +15,7 @@
+ static void usage(const char *progname)
+ {
+ 	fprintf(stderr,
+-		"usage:  %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n",
++		"usage:  %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n",
+ 		progname);
+ 	exit(1);
+ }
 diff --git libselinux-2.5/utils/sefcontext_compile.c libselinux-2.5/utils/sefcontext_compile.c
 index d2578b6..fd6fb78 100644
 --- libselinux-2.5/utils/sefcontext_compile.c
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index 1821e96..44da960 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -10,7 +10,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.5
-Release: 6%{?dist}
+Release: 11%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -18,7 +18,7 @@ Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/rele
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
-# HEAD 95ce251a24e80e884c69771a497589323be2223c
+# HEAD fac9844438fe495bd100dda199d2ed76b0003bfe
 Patch1: libselinux-rhel.patch
 BuildRequires: pkgconfig python python-devel ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre-devel xz-devel
 %if 0%{?with_python3}
@@ -253,6 +253,23 @@ rm -rf %{buildroot}
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Thu Mar 23 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-11
+- Fix audit2why.init error reporting (#1435139)
+
+* Tue Mar 14 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-10
+- Add missing av_permission values (#1025931)
+- Set an appropriate errno in booleans.c (#1402140)
+- Change matchpathcon usage to match with matchpathcon manpage (#1412797)
+
+* Tue Feb 21 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-9
+- Fix pointer handling in realpath_not_final (#1404644)
+
+* Fri Jan 20 2017 Vit Mojzis <vmojzis@redhat.com> - 2.5-8
+- selinux_restorecon: fix realpath logic (#1386498)
+
+* Thu Jan 05 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
+- Keep recursing if matchpathcon returns ENOENT (#1406520)
+
 * Fri Aug 26 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-6
 - Handle NULL pcre study data