diff --git libselinux-2.8/man/man3/selinux_boolean_sub.3 libselinux-2.8/man/man3/selinux_boolean_sub.3 index 308c268..a29a38d 100644 --- libselinux-2.8/man/man3/selinux_boolean_sub.3 +++ libselinux-2.8/man/man3/selinux_boolean_sub.3 @@ -1,6 +1,6 @@ .TH "selinux_boolean_sub" "3" "11 June 2012" "dwalsh@redhat.com" "SELinux API documentation" .SH "NAME" -selinux_boolean_sub \- +selinux_boolean_sub \- Search the translated name for a boolean_name record . .SH "SYNOPSIS" .B #include @@ -12,7 +12,7 @@ selinux_boolean_sub \- searches the .I \%/etc/selinux/{POLICYTYPE}/booleans.subs_dist file -for a maching boolean_name record. If the record exists the boolean substitution name is returned. If not +for a matching boolean_name record. If the record exists the boolean substitution name is returned. If not .BR \%selinux_boolean_sub () returns the original .IR \%boolean_name . diff --git libselinux-2.8/man/man3/selinux_restorecon_xattr.3 libselinux-2.8/man/man3/selinux_restorecon_xattr.3 index 7280c95..516d266 100644 --- libselinux-2.8/man/man3/selinux_restorecon_xattr.3 +++ libselinux-2.8/man/man3/selinux_restorecon_xattr.3 @@ -119,7 +119,7 @@ By default .BR selinux_restorecon_xattr (3) will use the default set of specfiles described in .BR files_contexts (5) -to calculate the initial SHA1 digest to be used for comparision. +to calculate the initial SHA1 digest to be used for comparison. To change this default behavior .BR selabel_open (3) must be called specifying the required diff --git libselinux-2.8/man/man5/selabel_file.5 libselinux-2.8/man/man5/selabel_file.5 index e738824..e97bd82 100644 --- libselinux-2.8/man/man5/selabel_file.5 +++ libselinux-2.8/man/man5/selabel_file.5 @@ -92,7 +92,7 @@ The optional local and distribution substitution files that perform any path ali .RE .sp The default file context series of files are: -.RS +.RS 6 .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts .br .I /etc/selinux/{SELINUXTYPE}/contexts/files/file_contexts.local 
diff --git libselinux-2.8/man/man8/selinux.8 libselinux-2.8/man/man8/selinux.8 index e37aee6..bf23b65 100644 --- libselinux-2.8/man/man8/selinux.8 +++ libselinux-2.8/man/man8/selinux.8 @@ -91,11 +91,13 @@ This manual page was written by Dan Walsh . .BR sepolicy (8), .BR system-config-selinux (8), .BR togglesebool (8), -.BR restorecon (8), .BR fixfiles (8), +.BR restorecon (8), .BR setfiles (8), .BR semanage (8), .BR sepolicy (8) +.BR seinfo (8), +.BR sesearch (8) Every confined service on the system has a man page in the following format: .br diff --git libselinux-2.8/src/audit2why.c libselinux-2.8/src/audit2why.c index 0331fdf..5a1e69a 100644 --- libselinux-2.8/src/audit2why.c +++ libselinux-2.8/src/audit2why.c @@ -354,7 +354,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args /* iterate over items of the list, grabbing strings, and parsing for numbers */ for (i=0; ilr.ctx_trans); } free(catalog); + fclose(filp); return NULL; } diff --git libselinux-2.8/src/label_file.c libselinux-2.8/src/label_file.c index 560d8c3..21c8d36 100644 --- libselinux-2.8/src/label_file.c +++ libselinux-2.8/src/label_file.c @@ -317,8 +317,10 @@ end_arch_check: goto out; } rc = next_entry(str_buf, mmap_area, entry_len); - if (rc < 0) + if (rc < 0) { + free(str_buf); goto out; + } if (str_buf[entry_len - 1] != '\0') { free(str_buf); diff --git libselinux-2.8/src/load_policy.c libselinux-2.8/src/load_policy.c index e9f1264..20052be 100644 --- libselinux-2.8/src/load_policy.c +++ libselinux-2.8/src/load_policy.c @@ -262,8 +262,10 @@ checkbool: rc = security_get_boolean_names(&names, &len); if (!rc) { values = malloc(sizeof(int) * len); - if (!values) + if (!values) { + free(names); goto unmap; + } for (i = 0; i < len; i++) values[i] = security_get_boolean_active(names[i]); diff --git libselinux-2.8/src/lsetfilecon.c libselinux-2.8/src/lsetfilecon.c index 1d3b28a..ea6d70b 100644 --- libselinux-2.8/src/lsetfilecon.c +++ libselinux-2.8/src/lsetfilecon.c 
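Review bot: In the src/load_policy.c hunk at `checkbool:`, the new failure branch releases only the `names` array with `free(names)`, so the individual strings that the loop just below reads as `names[i]` are still leaked when the `values` allocation fails. Assuming security_get_boolean_names() allocates each entry separately (its implementation is not part of this diff), the branch should release them first, `for (i = 0; i < len; i++) free(names[i]);` followed by `free(names);`, before `goto unmap`. The enclosing function starts and ends outside the hunk, so how the success path releases `names` cannot be confirmed from here.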
@@ -9,8 +9,13 @@ int lsetfilecon_raw(const char *path, const char * context) { - int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, - 0); + int rc; + if (! context) { + errno=EINVAL; + return -1; + } + + rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; diff --git libselinux-2.8/src/selinux_config.c libselinux-2.8/src/selinux_config.c index 292728f..b06cb63 100644 --- libselinux-2.8/src/selinux_config.c +++ libselinux-2.8/src/selinux_config.c @@ -177,8 +177,7 @@ static void init_selinux_config(void) if (!strncasecmp(buf_p, SELINUXTYPETAG, sizeof(SELINUXTYPETAG) - 1)) { - selinux_policytype = type = - strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); + type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1); if (!type) return; end = type + strlen(type) - 1; @@ -187,6 +186,11 @@ static void init_selinux_config(void) *end = 0; end--; } + if (setpolicytype(type) != 0) { + free(type); + return; + } + free(type); continue; } else if (!strncmp(buf_p, SETLOCALDEFS, sizeof(SETLOCALDEFS) - 1)) { @@ -212,13 +216,10 @@ static void init_selinux_config(void) fclose(fp); } - if (!type) { - selinux_policytype = type = strdup(SELINUXDEFAULT); - if (!type) - return; - } + if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0) + return; - if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1) + if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1) return; for (i = 0; i < NEL; i++) diff --git libselinux-2.8/src/selinux_restorecon.c libselinux-2.8/src/selinux_restorecon.c index ced4115..8fa4875 100644 --- libselinux-2.8/src/selinux_restorecon.c +++ libselinux-2.8/src/selinux_restorecon.c 
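Review bot: The NULL-`context` guard added to lsetfilecon_raw() in src/lsetfilecon.c, and repeated for setfilecon_raw() in src/setfilecon.c, is not applied to any fd-based variant in this patch. If fsetfilecon_raw() also passes `strlen(context) + 1` to its xattr call, it would still dereference NULL and needs the same `if (!context) { errno = EINVAL; return -1; }`. The new EINVAL return is visible to callers and deserves a line in the function comment or man page, for example `/* Returns -1 with errno set to EINVAL when context is NULL. */`. The spacing in `if (! context)` and `errno=EINVAL;` may not match the file's prevailing style, and both function bodies continue past the end of their hunks.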
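Review bot: In the `@@ -187,6 +186,11 @@` hunk of init_selinux_config(), the new `free(type); return;` taken when setpolicytype() fails appears to return from inside the config-parsing loop. The `fclose(fp)` visible in the following hunk would then never be reached, leaving the stream open. The loop and the open call are outside the hunk, so any line buffer they own would be skipped the same way. At minimum add `fclose(fp);` before the `return`, or break out to a shared exit that closes `fp`. The unchanged `if (!type) return;` after `strdup()` a few lines earlier has the same shape.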
@@ -350,12 +350,19 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch, new_entry->next = NULL; new_entry->directory = strdup(directory); - if (!new_entry->directory) + if (!new_entry->directory) { + free(new_entry); + free(sha1_buf); goto oom; + } new_entry->digest = strdup(sha1_buf); - if (!new_entry->digest) + if (!new_entry->digest) { + free(new_entry->directory); + free(new_entry); + free(sha1_buf); goto oom; + } new_entry->result = digest_result; @@ -671,8 +678,8 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, selinux_log(SELINUX_INFO, "%s not reset as customized by admin to %s\n", pathname, curcon); - goto out; } + goto out; } if (!flags->set_specctx && curcon) { @@ -849,6 +856,7 @@ int selinux_restorecon(const char *pathname_orig, if (lstat(pathname, &sb) < 0) { if (flags.ignore_noent && errno == ENOENT) { + free(xattr_value); free(pathdnamer); free(pathname); return 0; diff --git libselinux-2.8/src/setfilecon.c libselinux-2.8/src/setfilecon.c index d05969c..3f0200e 100644 --- libselinux-2.8/src/setfilecon.c +++ libselinux-2.8/src/setfilecon.c @@ -9,8 +9,12 @@ int setfilecon_raw(const char *path, const char * context) { - int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, - 0); + int rc; + if (! context) { + errno=EINVAL; + return -1; + } + rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0); if (rc < 0 && errno == ENOTSUP) { char * ccontext = NULL; int err = errno; diff --git libselinux-2.8/utils/matchpathcon.c libselinux-2.8/utils/matchpathcon.c index 67e4a43..9756d7d 100644 --- libselinux-2.8/utils/matchpathcon.c +++ libselinux-2.8/utils/matchpathcon.c 
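Review bot: The two strdup() failure branches in add_xattr_entry() now each spell out their own release sequence before `goto oom`, which is easy to get out of step the next time a field is added to the entry. The `oom:` label is outside the hunk, so it is worth confirming that it does not itself free `sha1_buf` or `new_entry`, since that would turn these additions into double frees. If it does not, setting `new_entry->directory` and `new_entry->digest` to NULL right after allocation and moving the releases under the label would leave a single cleanup path.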
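Review bot: The `goto out` that the `@@ -671,8 +678,8 @@` hunk of restorecon_sb() moves out of the logging block has no comment explaining why it must sit outside that block. The move appears to make skipping an admin-customized context independent of whether the "not reset as customized by admin" message is printed, but the enclosing conditions start outside the hunk, so this is inferred from the message text. A comment on the moved line, such as `/* Customized contexts are never reset, whether or not the skip was logged. */`, would keep a later edit from folding the jump back under the log call. A regression test that runs the non-logging path against a customized context would pin the behaviour.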
@@ -14,7 +14,7 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname) { fprintf(stderr, - "usage: %s [-N] [-n] [-f file_contexts] [ -P policy_root_path ] [-p prefix] [-Vq] path...\n", + "usage: %s [-V] [-N] [-n] [-m type] [-f file_contexts_file] [-p prefix] [-P policy_root_path] filepath...\n", progname); exit(1); }