diff --git a/.gitignore b/.gitignore
index e766aa5..f8649bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/libselinux-3.2.tar.gz
+SOURCES/libselinux-3.3.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
index c81fb15..db6fb6a 100644
--- a/.libselinux.metadata
+++ b/.libselinux.metadata
@@ -1 +1 @@
-59d7e9a2db64ba994e2da976b4374871535cd196 SOURCES/libselinux-3.2.tar.gz
+70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz
diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..ed63a8c
--- /dev/null
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,1333 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ libselinux/include/selinux/label.h            |   6 +-
+ libselinux/include/selinux/restorecon.h       |   4 +-
+ libselinux/man/man3/selabel_digest.3          |   4 +-
+ libselinux/man/man3/selabel_open.3            |   2 +-
+ libselinux/man/man3/selinux_restorecon.3      |  16 +-
+ .../man/man3/selinux_restorecon_xattr.3       |   2 +-
+ libselinux/src/Makefile                       |   2 +-
+ libselinux/src/label_file.c                   |  40 +--
+ libselinux/src/label_internal.h               |  10 +-
+ libselinux/src/label_support.c                |   8 +-
+ libselinux/src/selinux_restorecon.c           |  24 +-
+ libselinux/src/sha1.c                         | 220 -------------
+ libselinux/src/sha1.h                         |  85 -----
+ libselinux/src/sha256.c                       | 294 ++++++++++++++++++
+ libselinux/src/sha256.h                       |  89 ++++++
+ libselinux/utils/selabel_digest.c             |  26 +-
+ .../selabel_get_digests_all_partial_matches.c |  28 +-
+ 17 files changed, 469 insertions(+), 391 deletions(-)
+ delete mode 100644 libselinux/src/sha1.c
+ delete mode 100644 libselinux/src/sha1.h
+ create mode 100644 libselinux/src/sha256.c
+ create mode 100644 libselinux/src/sha256.h
+
+diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
+index e8983606d93b..a35d84d63b0a 100644
+--- a/libselinux/include/selinux/label.h
++++ b/libselinux/include/selinux/label.h
+@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ 					 const char *key, const char **aliases, int type);
+ 
+ /**
+- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
+  *		    generate the digest. The SELABEL_OPT_DIGEST option must
+  *		    be set in selabel_open() to initiate the digest generation.
+  * @handle: specifies backend instance to query
+- * @digest: returns a pointer to the SHA1 digest.
++ * @digest: returns a pointer to the SHA256 digest.
+  * @digest_len: returns length of digest in bytes.
+- * @specfiles: a list of specfiles used in the SHA1 digest generation.
++ * @specfiles: a list of specfiles used in the SHA256 digest generation.
+  *	       The list is NULL terminated and will hold @num_specfiles entries.
+  * @num_specfiles: number of specfiles in the list.
+  *
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index 466de39aac72..ca8ce768587a 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
+  * restorecon_flags options
+  */
+ /*
+- * Force the checking of labels even if the stored SHA1 digest
+- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
++ * Force the checking of labels even if the stored SHA256 digest
++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
+  */
+ #define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
+ /*
+diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
+index 56a008f00df0..5f7c42533d0e 100644
+--- a/libselinux/man/man3/selabel_digest.3
++++ b/libselinux/man/man3/selabel_digest.3
+@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
+ .BR selabel_digest ()
+ performs an operation on the handle
+ .IR hnd ,
+-returning the results of the SHA1 digest pointed to by
++returning the results of the SHA256 digest pointed to by
+ .IR digest ,
+ whose length will be
+ .IR digest_len .
+-The list of specfiles used in the SHA1 digest calculation is returned in
++The list of specfiles used in the SHA256 digest calculation is returned in
+ .I specfiles
+ with the number of entries in
+ .IR num_specfiles .
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 971ebc1acd41..2cf2eb8a1410 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+ .TP
+ .B SELABEL_OPT_DIGEST
+-A non-null value for this option enables the generation of an SHA1 digest of
++A non-null value for this option enables the generation of an SHA256 digest of
+ the spec files loaded as described in
+ .BR selabel_digest (3)
+ .
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index ad637406a30d..c4576fe79ff6 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -28,7 +28,7 @@ If this is a directory and the
+ .B SELINUX_RESTORECON_RECURSE
+ has been set (for descending through directories), then
+ .BR selinux_restorecon ()
+-will write an SHA1 digest of specfile entries calculated by
++will write an SHA256 digest of specfile entries calculated by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute of
+ .IR security.sehash
+@@ -47,7 +47,7 @@ will take place.
+ .br
+ The
+ .IR restorecon_flags
+-that can be used to manage the usage of the SHA1 digest are:
++that can be used to manage the usage of the SHA256 digest are:
+ .RS
+ .B SELINUX_RESTORECON_SKIP_DIGEST
+ .br
+@@ -65,8 +65,8 @@ Do not check or update any extended attribute
+ entries.
+ .sp
+ .B SELINUX_RESTORECON_IGNORE_DIGEST
+-force the checking of labels even if the stored SHA1 digest matches the
+-specfile entries SHA1 digest. The specfile entries digest will be written to the
++force the checking of labels even if the stored SHA256 digest matches the
++specfile entries SHA256 digest. The specfile entries digest will be written to the
+ .IR security.sehash
+ extended attribute once relabeling has been completed successfully provided the
+ .B SELINUX_RESTORECON_NOCHANGE
+@@ -84,7 +84,7 @@ default specfile context.
+ .sp
+ .B SELINUX_RESTORECON_RECURSE
+ change file and directory labels recursively (descend directories)
+-and if successful write an SHA1 digest of the specfile entries to an
++and if successful write an SHA256 digest of the specfile entries to an
+ extended attribute as described in the
+ .B NOTES
+ section.
+@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
+ same inode have different contexts, as errors.
+ .RE
+ .sp
+-The behavior regarding the checking and updating of the SHA1 digest described
++The behavior regarding the checking and updating of the SHA256 digest described
+ above is the default behavior. It is possible to change this by first calling
+ .BR selabel_open (3)
+ and not enabling the
+@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+ .B SELINUX_RESTORECON_RECURSE
+ flag is set)
+ .BR selinux_restorecon ()
+-will write a calculated SHA1 digest of the specfile entries returned by
++will write a calculated SHA256 digest of the specfile entries returned by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute named
+ .IR security.sehash
+@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
+ .BR selinux_restorecon ()
+ is run again with the
+ .B SELINUX_RESTORECON_RECURSE
+-flag set, new SHA1 digests will be calculated and all files automatically
++flag set, new SHA256 digests will be calculated and all files automatically
+ relabeled depending on the settings of the
+ .B SELINUX_RESTORECON_SET_SPECFILE_CTX
+ flag (provided
+diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
+index c56326814b94..098c840fc59b 100644
+--- a/libselinux/man/man3/selinux_restorecon_xattr.3
++++ b/libselinux/man/man3/selinux_restorecon_xattr.3
+@@ -119,7 +119,7 @@ By default
+ .BR selinux_restorecon_xattr (3)
+ will use the default set of specfiles described in
+ .BR files_contexts (5)
+-to calculate the SHA1 digests to be used for comparison.
++to calculate the SHA256 digests to be used for comparison.
+ To change this default behavior
+ .BR selabel_open (3)
+ must be called specifying the required
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 52c40f018f51..674a5ed3a6f8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+ 	-DBUILD_HOST
+ SRCS= callbacks.c freecon.c label.c label_file.c \
+ 	label_backends_android.c regex.c label_support.c \
+-	matchpathcon.c setrans_client.c sha1.c booleans.c
++	matchpathcon.c setrans_client.c sha256.c booleans.c
+ else
+ LABEL_BACKEND_ANDROID=y
+ endif
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2e28d0474d73..c1306c9979e7 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -1005,7 +1005,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
+ 
+ /*
+  * Returns true if the digest of all partial matched contexts is the same as
+- * the one saved by setxattr, otherwise returns false. The length of the SHA1
++ * the one saved by setxattr, otherwise returns false. The length of the SHA256
+  * digest will always be returned. The caller must free any returned digests.
+  */
+ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -1014,39 +1014,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+ 					    uint8_t **xattr_digest,
+ 					    size_t *digest_len)
+ {
+-	uint8_t read_digest[SHA1_HASH_SIZE];
++	uint8_t read_digest[SHA256_HASH_SIZE];
+ 	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
+-				     read_digest, SHA1_HASH_SIZE
++				     read_digest, SHA256_HASH_SIZE
+ #ifdef __APPLE__
+ 				     , 0, 0
+ #endif /* __APPLE __ */
+ 				    );
+-	uint8_t hash_digest[SHA1_HASH_SIZE];
++	uint8_t hash_digest[SHA256_HASH_SIZE];
+ 	bool status = selabel_hash_all_partial_matches(rec, pathname,
+ 						       hash_digest);
+ 
+ 	*xattr_digest = NULL;
+ 	*calculated_digest = NULL;
+-	*digest_len = SHA1_HASH_SIZE;
++	*digest_len = SHA256_HASH_SIZE;
+ 
+-	if (read_size == SHA1_HASH_SIZE) {
+-		*xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
++	if (read_size == SHA256_HASH_SIZE) {
++		*xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ 		if (!*xattr_digest)
+ 			goto oom;
+ 
+-		memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
++		memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
+ 	}
+ 
+ 	if (status) {
+-		*calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
++		*calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ 		if (!*calculated_digest)
+ 			goto oom;
+ 
+-		memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
++		memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
+ 	}
+ 
+-	if (status && read_size == SHA1_HASH_SIZE &&
+-	    memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
++	if (status && read_size == SHA256_HASH_SIZE &&
++	    memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
+ 		return true;
+ 
+ 	return false;
+@@ -1066,22 +1066,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+ 		return false;
+ 	}
+ 
+-	Sha1Context context;
+-	Sha1Initialise(&context);
++	Sha256Context context;
++	Sha256Initialise(&context);
+ 	size_t i;
+ 	for (i = 0; i < total_matches; i++) {
+ 		char* regex_str = matches[i]->regex_str;
+ 		mode_t mode = matches[i]->mode;
+ 		char* ctx_raw = matches[i]->lr.ctx_raw;
+ 
+-		Sha1Update(&context, regex_str, strlen(regex_str) + 1);
+-		Sha1Update(&context, &mode, sizeof(mode_t));
+-		Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
++		Sha256Update(&context, regex_str, strlen(regex_str) + 1);
++		Sha256Update(&context, &mode, sizeof(mode_t));
++		Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
+ 	}
+ 
+-	SHA1_HASH sha1_hash;
+-	Sha1Finalise(&context, &sha1_hash);
+-	memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
++	SHA256_HASH sha256_hash;
++	Sha256Finalise(&context, &sha256_hash);
++	memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
+ 
+ 	free(matches);
+ 	return true;
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 782c6aa8cc0c..304e8d96490a 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -13,7 +13,7 @@
+ #include <stdio.h>
+ #include <selinux/selinux.h>
+ #include <selinux/label.h>
+-#include "sha1.h"
++#include "sha256.h"
+ 
+ #if defined(ANDROID) || defined(__APPLE__)
+ // Android and Mac do not have fgets_unlocked()
+@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+  */
+ 
+ /*
+- * Calculate an SHA1 hash of all the files used to build the specs.
++ * Calculate an SHA256 hash of all the files used to build the specs.
+  * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
+  * calculate the hash the hashbuf will hold a concatenation of all the files
+  * used. This is released once the value has been calculated.
+  */
+-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
+ #define DIGEST_FILES_MAX 8
+ struct selabel_digest {
+-	unsigned char *digest;	/* SHA1 digest of specfiles */
++	unsigned char *digest;	/* SHA256 digest of specfiles */
+ 	unsigned char *hashbuf;	/* buffer to hold specfiles */
+ 	size_t hashbuf_size;	/* buffer size */
+ 	size_t specfile_cnt;	/* how many specfiles processed */
+@@ -110,7 +110,7 @@ struct selabel_handle {
+ 	 */
+ 	char *spec_file;
+ 
+-	/* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
++	/* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
+ 	struct selabel_digest *digest;
+ };
+ 
+diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
+index 94ed6e4273cb..f53d73b609ab 100644
+--- a/libselinux/src/label_support.c
++++ b/libselinux/src/label_support.c
+@@ -115,15 +115,15 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ /* Once all the specfiles are in the hash_buf, generate the hash. */
+ void  digest_gen_hash(struct selabel_digest *digest)
+ {
+-	Sha1Context context;
++	Sha256Context context;
+ 
+ 	/* If SELABEL_OPT_DIGEST not set then just return */
+ 	if (!digest)
+ 		return;
+ 
+-	Sha1Initialise(&context);
+-	Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
+-	Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
++	Sha256Initialise(&context);
++	Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
++	Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
+ 	free(digest->hashbuf);
+ 	digest->hashbuf = NULL;
+ 	return;
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 04d956504952..100c77108a27 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -37,7 +37,7 @@
+ #include "callbacks.h"
+ #include "selinux_internal.h"
+ #include "label_file.h"
+-#include "sha1.h"
++#include "sha256.h"
+ 
+ #define STAR_COUNT 1024
+ 
+@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
+ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 			   bool delete_all)
+ {
+-	char *sha1_buf = NULL;
++	char *sha256_buf = NULL;
+ 	size_t i, digest_len = 0;
+ 	int rc, digest_result;
+ 	bool match;
+@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	}
+ 
+ 	/* Convert entry to a hex encoded string. */
+-	sha1_buf = malloc(digest_len * 2 + 1);
+-	if (!sha1_buf) {
++	sha256_buf = malloc(digest_len * 2 + 1);
++	if (!sha256_buf) {
+ 		free(xattr_digest);
+ 		free(calculated_digest);
+ 		goto oom;
+ 	}
+ 
+ 	for (i = 0; i < digest_len; i++)
+-		sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
++		sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
+ 
+ 	digest_result = match ? MATCH : NOMATCH;
+ 
+@@ -344,7 +344,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	/* Now add entries to link list. */
+ 	new_entry = malloc(sizeof(struct dir_xattr));
+ 	if (!new_entry) {
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 	new_entry->next = NULL;
+@@ -352,15 +352,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	new_entry->directory = strdup(directory);
+ 	if (!new_entry->directory) {
+ 		free(new_entry);
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 
+-	new_entry->digest = strdup(sha1_buf);
++	new_entry->digest = strdup(sha256_buf);
+ 	if (!new_entry->digest) {
+ 		free(new_entry->directory);
+ 		free(new_entry);
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 
+@@ -374,7 +374,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 		dir_xattr_last = new_entry;
+ 	}
+ 
+-	free(sha1_buf);
++	free(sha256_buf);
+ 	return 0;
+ 
+ oom:
+@@ -741,7 +741,7 @@ err:
+ 
+ struct dir_hash_node {
+ 	char *path;
+-	uint8_t digest[SHA1_HASH_SIZE];
++	uint8_t digest[SHA256_HASH_SIZE];
+ 	struct dir_hash_node *next;
+ };
+ /*
+@@ -1091,7 +1091,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 			if (setxattr(current->path,
+ 			    RESTORECON_PARTIAL_MATCH_DIGEST,
+ 			    current->digest,
+-			    SHA1_HASH_SIZE, 0) < 0) {
++			    SHA256_HASH_SIZE, 0) < 0) {
+ 				selinux_log(SELINUX_ERROR,
+ 					    "setxattr failed: %s: %m\n",
+ 					    current->path);
+diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
+deleted file mode 100644
+index a848467785f3..000000000000
+--- a/libselinux/src/sha1.c
++++ /dev/null
+@@ -1,220 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  LibSha1
+-//
+-//  Implementation of SHA1 hash function.
+-//  Original author:  Steve Reid <sreid@sea-to-sky.net>
+-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-//  and Ralph Giles <giles@ghostscript.com>
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-//  Modified to:
+-//    - stop symbols being exported for libselinux shared library - October 2015
+-//								       Richard Haines <richard_c_haines@btinternet.com>
+-//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+-//      Fixes:
+-//        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
+-//             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;
+-//                                                                     William Roberts <william.c.roberts@intel.com>
+-//    - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include "sha1.h"
+-#include <memory.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-typedef union
+-{
+-    uint8_t     c [64];
+-    uint32_t    l [16];
+-} CHAR64LONG16;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  INTERNAL FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+-
+-// blk0() and blk() perform the initial expand.
+-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+-    |(rol(block->l[i],8)&0x00FF00FF))
+-
+-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+-    ^block->l[(i+2)&15]^block->l[i&15],1))
+-
+-// (R0+R1), R2, R3, R4 are the different operations used in SHA1
+-#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
+-#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
+-#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
+-
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TransformFunction
+-//
+-//  Hash a single 512-bit block. This is the core of the algorithm
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-static
+-void
+-    TransformFunction
+-    (
+-        uint32_t            state[5],
+-        const uint8_t       buffer[64]
+-    )
+-{
+-    uint32_t            a;
+-    uint32_t            b;
+-    uint32_t            c;
+-    uint32_t            d;
+-    uint32_t            e;
+-    CHAR64LONG16        workspace;
+-    CHAR64LONG16*       block = &workspace;
+-
+-    memcpy(block, buffer, 64);
+-
+-    // Copy context->state[] to working vars
+-    a = state[0];
+-    b = state[1];
+-    c = state[2];
+-    d = state[3];
+-    e = state[4];
+-
+-    // 4 rounds of 20 operations each. Loop unrolled.
+-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+-
+-    // Add the working vars back into context.state[]
+-    state[0] += a;
+-    state[1] += b;
+-    state[2] += c;
+-    state[3] += d;
+-    state[4] += e;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Initialise
+-//
+-//  Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Initialise
+-    (
+-        Sha1Context*                Context
+-    )
+-{
+-    // SHA1 initialization constants
+-    Context->State[0] = 0x67452301;
+-    Context->State[1] = 0xEFCDAB89;
+-    Context->State[2] = 0x98BADCFE;
+-    Context->State[3] = 0x10325476;
+-    Context->State[4] = 0xC3D2E1F0;
+-    Context->Count[0] = 0;
+-    Context->Count[1] = 0;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Update
+-//
+-//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Update
+-    (
+-        Sha1Context*        Context,
+-        const void*         Buffer,
+-        uint32_t            BufferSize
+-    )
+-{
+-    uint32_t    i;
+-    uint32_t    j;
+-
+-    j = (Context->Count[0] >> 3) & 63;
+-    if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
+-    {
+-        Context->Count[1]++;
+-    }
+-
+-    Context->Count[1] += (BufferSize >> 29);
+-    if ((j + BufferSize) > 63)
+-    {
+-        i = 64 - j;
+-        memcpy(&Context->Buffer[j], Buffer, i);
+-        TransformFunction(Context->State, Context->Buffer);
+-        for (; i + 63 < BufferSize; i += 64)
+-        {
+-            TransformFunction(Context->State, (const uint8_t*)Buffer + i);
+-        }
+-        j = 0;
+-    }
+-    else
+-    {
+-        i = 0;
+-    }
+-
+-    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-//  calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Finalise
+-    (
+-        Sha1Context*                Context,
+-        SHA1_HASH*                  Digest
+-    )
+-{
+-    uint32_t    i;
+-    uint8_t     finalcount[8];
+-
+-    for (i = 0; i < 8; i++)
+-    {
+-        finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
+-         >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent
+-    }
+-    Sha1Update(Context, (const uint8_t*)"\x80", 1);
+-    while ((Context->Count[0] & 504) != 448)
+-    {
+-        Sha1Update(Context, (const uint8_t*)"\0", 1);
+-    }
+-
+-    Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()
+-    for (i = 0; i < SHA1_HASH_SIZE; i++)
+-    {
+-        Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+-    }
+-}
+diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
+deleted file mode 100644
+index f83a6e7ed7ba..000000000000
+--- a/libselinux/src/sha1.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  LibSha1
+-//
+-//  Implementation of SHA1 hash function.
+-//  Original author:  Steve Reid <sreid@sea-to-sky.net>
+-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-//  and Ralph Giles <giles@ghostscript.com>
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#ifndef _sha1_h_
+-#define _sha1_h_
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include <stdint.h>
+-#include <stdio.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
+-typedef struct
+-{
+-    uint32_t        State[5];
+-    uint32_t        Count[2];
+-    uint8_t         Buffer[64];
+-} Sha1Context;
+-
+-#define SHA1_HASH_SIZE           ( 160 / 8 )
+-
+-typedef struct
+-{
+-    uint8_t      bytes [SHA1_HASH_SIZE];
+-} SHA1_HASH;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Initialise
+-//
+-//  Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Initialise
+-    (
+-        Sha1Context*                Context
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Update
+-//
+-//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Update
+-    (
+-        Sha1Context*        Context,
+-        const void*         Buffer,
+-        uint32_t            BufferSize
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-//  calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Finalise
+-    (
+-        Sha1Context*                Context,
+-        SHA1_HASH*                  Digest
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-#endif //_sha1_h_
+diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/libselinux/src/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include <memory.h>
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y)                                                                     \
++     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
++       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y)                            \
++     { x = ((uint32_t)((y)[0] & 255)<<24) | \
++           ((uint32_t)((y)[1] & 255)<<16) | \
++           ((uint32_t)((y)[2] & 255)<<8)  | \
++           ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y)                                                                     \
++   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
++     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
++     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
++     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE          64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
++#define Maj( x, y, z )    (((x | y) & z) | (x & y))
++#define S( x, n )         ror((x),(n))
++#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
++     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
++     t1 = Sigma0(a) + Maj(a, b, c);                    \
++     d += t0;                                          \
++     h  = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  TransformFunction
++//
++//  Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++    TransformFunction
++    (
++        Sha256Context*      Context,
++        uint8_t const*      Buffer
++    )
++{
++    uint32_t    S[8];
++    uint32_t    W[64];
++    uint32_t    t0;
++    uint32_t    t1;
++    uint32_t    t;
++    int         i;
++
++    // Copy state into S
++    for( i=0; i<8; i++ )
++    {
++        S[i] = Context->state[i];
++    }
++
++    // Copy the state into 512-bits into W[0..15]
++    for( i=0; i<16; i++ )
++    {
++        LOAD32H( W[i], Buffer + (4*i) );
++    }
++
++    // Fill W[16..63]
++    for( i=16; i<64; i++ )
++    {
++        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++    }
++
++    // Compress
++    for( i=0; i<64; i++ )
++    {
++        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++        t = S[7];
++        S[7] = S[6];
++        S[6] = S[5];
++        S[5] = S[4];
++        S[4] = S[3];
++        S[3] = S[2];
++        S[2] = S[1];
++        S[1] = S[0];
++        S[0] = t;
++    }
++
++    // Feedback
++    for( i=0; i<8; i++ )
++    {
++        Context->state[i] = Context->state[i] + S[i];
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    )
++{
++    Context->curlen = 0;
++    Context->length = 0;
++    Context->state[0] = 0x6A09E667UL;
++    Context->state[1] = 0xBB67AE85UL;
++    Context->state[2] = 0x3C6EF372UL;
++    Context->state[3] = 0xA54FF53AUL;
++    Context->state[4] = 0x510E527FUL;
++    Context->state[5] = 0x9B05688CUL;
++    Context->state[6] = 0x1F83D9ABUL;
++    Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    )
++{
++    uint32_t n;
++
++    if( Context->curlen > sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    while( BufferSize > 0 )
++    {
++        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++        {
++           TransformFunction( Context, (uint8_t*)Buffer );
++           Context->length += BLOCK_SIZE * 8;
++           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++           BufferSize -= BLOCK_SIZE;
++        }
++        else
++        {
++           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++           Context->curlen += n;
++           Buffer = (uint8_t*)Buffer + n;
++           BufferSize -= n;
++           if( Context->curlen == BLOCK_SIZE )
++           {
++              TransformFunction( Context, Context->buf );
++              Context->length += 8*BLOCK_SIZE;
++              Context->curlen = 0;
++           }
++       }
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    )
++{
++    int i;
++
++    if( Context->curlen >= sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    // Increase the length of the message
++    Context->length += Context->curlen * 8;
++
++    // Append the '1' bit
++    Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++    // if the length is currently above 56 bytes we append zeros
++    // then compress.  Then we can fall back to padding zeros and length
++    // encoding like normal.
++    if( Context->curlen > 56 )
++    {
++        while( Context->curlen < 64 )
++        {
++            Context->buf[Context->curlen++] = (uint8_t)0;
++        }
++        TransformFunction(Context, Context->buf);
++        Context->curlen = 0;
++    }
++
++    // Pad up to 56 bytes of zeroes
++    while( Context->curlen < 56 )
++    {
++        Context->buf[Context->curlen++] = (uint8_t)0;
++    }
++
++    // Store length
++    STORE64H( Context->length, Context->buf+56 );
++    TransformFunction( Context, Context->buf );
++
++    // Copy output
++    for( i=0; i<8; i++ )
++    {
++        STORE32H( Context->state[i], Digest->bytes+(4*i) );
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    )
++{
++    Sha256Context context;
++
++    Sha256Initialise( &context );
++    Sha256Update( &context, Buffer, BufferSize );
++    Sha256Finalise( &context, Digest );
++}
+diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/libselinux/src/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include <stdint.h>
++#include <stdio.h>
++
++typedef struct
++{
++    uint64_t    length;
++    uint32_t    state[8];
++    uint32_t    curlen;
++    uint8_t     buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE           ( 256 / 8 )
++
++typedef struct
++{
++    uint8_t      bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    );
+diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
+index 49408a0ba8d8..67befadd23c5 100644
+--- a/libselinux/utils/selabel_digest.c
++++ b/libselinux/utils/selabel_digest.c
+@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 		"Where:\n\t"
+ 		"-b  The backend - \"file\", \"media\", \"x\", \"db\" or "
+ 			"\"prop\"\n\t"
+-		"-v  Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
+-		"    on the list of specfiles to compare the SHA1 digests.\n\t"
++		"-v  Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
++		"    on the list of specfiles to compare the SHA256 digests.\n\t"
+ 		"-B  Use base specfiles only (valid for \"-b file\" only).\n\t"
+ 		"-i  Do not request a digest.\n\t"
+ 		"-f  Optional file containing the specs (defaults to\n\t"
+@@ -62,12 +62,12 @@ int main(int argc, char **argv)
+ 	int backend = 0, rc, opt, validate = 0;
+ 	char *baseonly = NULL, *file = NULL, *digest = (char *)1;
+ 	char **specfiles = NULL;
+-	unsigned char *sha1_digest = NULL;
++	unsigned char *sha256_digest = NULL;
+ 	size_t i, num_specfiles;
+ 
+ 	char cmd_buf[4096];
+ 	char *cmd_ptr;
+-	char *sha1_buf;
++	char *sha256_buf;
+ 
+ 	struct selabel_handle *hnd;
+ 	struct selinux_opt selabel_option[] = {
+@@ -137,7 +137,7 @@ int main(int argc, char **argv)
+ 		return -1;
+ 	}
+ 
+-	rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
++	rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
+ 							    &num_specfiles);
+ 
+ 	if (rc) {
+@@ -152,19 +152,19 @@ int main(int argc, char **argv)
+ 		goto err;
+ 	}
+ 
+-	sha1_buf = malloc(digest_len * 2 + 1);
+-	if (!sha1_buf) {
++	sha256_buf = malloc(digest_len * 2 + 1);
++	if (!sha256_buf) {
+ 		fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
+ 						    strerror(errno));
+ 		rc = -1;
+ 		goto err;
+ 	}
+ 
+-	printf("SHA1 digest: ");
++	printf("SHA256 digest: ");
+ 	for (i = 0; i < digest_len; i++)
+-		sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
++		sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
+ 
+-	printf("%s\n", sha1_buf);
++	printf("%s\n", sha256_buf);
+ 	printf("calculated using the following specfile(s):\n");
+ 
+ 	if (specfiles) {
+@@ -177,13 +177,13 @@ int main(int argc, char **argv)
+ 			cmd_ptr += strlen(specfiles[i]) + 1;
+ 			printf("%s\n", specfiles[i]);
+ 		}
+-		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
++		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
+ 
+ 		if (validate)
+-			rc = run_check_digest(cmd_buf, sha1_buf);
++			rc = run_check_digest(cmd_buf, sha256_buf);
+ 	}
+ 
+-	free(sha1_buf);
++	free(sha256_buf);
+ err:
+ 	selabel_close(hnd);
+ 	return rc;
+diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+index e28833d2ce97..900f018c0091 100644
+--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 		"-v  Validate file_contxts entries against loaded policy.\n\t"
+ 		"-r  Recursively descend directories.\n\t"
+ 		"-f  Optional file_contexts file (defaults to current policy).\n\t"
+-		"path  Path to check current SHA1 digest against file_contexts entries.\n\n"
+-		"This will check the directory selinux.sehash SHA1 digest for "
++		"path  Path to check current SHA256 digest against file_contexts entries.\n\n"
++		"This will check the directory selinux.sehash SHA256 digest for "
+ 		"<path> against\na newly generated digest based on the "
+ 		"file_context entries for that node\n(using the regx, mode "
+ 		"and path entries).\n", progname);
+@@ -37,7 +37,7 @@ int main(int argc, char **argv)
+ 	char *paths[2] = { NULL, NULL };
+ 	uint8_t *xattr_digest = NULL;
+ 	uint8_t *calculated_digest = NULL;
+-	char *sha1_buf = NULL;
++	char *sha256_buf = NULL;
+ 
+ 	struct selabel_handle *hnd;
+ 	struct selinux_opt selabel_option[] = {
+@@ -105,27 +105,27 @@ int main(int argc, char **argv)
+ 							 &xattr_digest,
+ 							 &digest_len);
+ 
+-			sha1_buf = calloc(1, digest_len * 2 + 1);
+-			if (!sha1_buf) {
++			sha256_buf = calloc(1, digest_len * 2 + 1);
++			if (!sha256_buf) {
+ 				fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
+ 					    strerror(errno));
+ 				return -1;
+ 			}
+ 
+ 			if (status) { /* They match */
+-				printf("xattr and file_contexts SHA1 digests match for: %s\n",
++				printf("xattr and file_contexts SHA256 digests match for: %s\n",
+ 				       ftsent->fts_path);
+ 
+ 				if (calculated_digest) {
+ 					for (i = 0; i < digest_len; i++)
+-						sprintf((&sha1_buf[i * 2]),
++						sprintf((&sha256_buf[i * 2]),
+ 							"%02x",
+ 							calculated_digest[i]);
+-					printf("SHA1 digest: %s\n", sha1_buf);
++					printf("SHA256 digest: %s\n", sha256_buf);
+ 				}
+ 			} else {
+ 				if (!calculated_digest) {
+-					printf("No SHA1 digest available for: %s\n",
++					printf("No SHA256 digest available for: %s\n",
+ 					       ftsent->fts_path);
+ 					printf("as file_context entry is \"<<none>>\"\n");
+ 					goto cleanup;
+@@ -135,25 +135,25 @@ int main(int argc, char **argv)
+ 				       ftsent->fts_path);
+ 
+ 				for (i = 0; i < digest_len; i++)
+-					sprintf((&sha1_buf[i * 2]), "%02x",
++					sprintf((&sha256_buf[i * 2]), "%02x",
+ 						calculated_digest[i]);
+-				printf("generated SHA1 digest: %s\n", sha1_buf);
++				printf("generated SHA256 digest: %s\n", sha256_buf);
+ 
+ 				if (!xattr_digest) {
+ 					printf("however there is no selinux.sehash xattr entry.\n");
+ 				} else {
+ 					printf("however it does NOT match the current entry of:\n");
+ 					for (i = 0; i < digest_len; i++)
+-						sprintf((&sha1_buf[i * 2]),
++						sprintf((&sha256_buf[i * 2]),
+ 							"%02x",
+ 							xattr_digest[i]);
+-					printf("%s\n", sha1_buf);
++					printf("%s\n", sha256_buf);
+ 				}
+ 			}
+ 			cleanup:
+ 			free(xattr_digest);
+ 			free(calculated_digest);
+-			free(sha1_buf);
++			free(sha256_buf);
+ 			break;
+ 		}
+ 		default:
+-- 
+2.32.0
+
diff --git a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch b/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
deleted file mode 100644
index 3d123e5..0000000
--- a/SOURCES/0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From f63263c2d002fc8a4e681ea1a1b1db1e455acc49 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Thu, 22 Apr 2021 08:43:56 +0200
-Subject: [PATCH] libselinux: do not duplicate make target when going into
- subdirectory
-
-When running "make install-pywrap", make displays:
-
-    make[1]: Entering directory '/root/selinux/libselinux'
-    make -C src install-pywrap install-pywrap
-    make[2]: Entering directory '/root/selinux/libselinux/src'
-
-The duplicated "install-pywrap" is not expected. Remove it from the
-Makefile.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libselinux/Makefile | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/libselinux/Makefile b/libselinux/Makefile
-index ac16c15e8d0a..439bc6a9b7fd 100644
---- a/libselinux/Makefile
-+++ b/libselinux/Makefile
-@@ -50,24 +50,24 @@ all install relabel clean distclean indent:
- 	done
- 
- swigify: all
--	$(MAKE) -C src swigify $@
-+	$(MAKE) -C src $@
- 
- pywrap: 
--	$(MAKE) -C src pywrap $@
-+	$(MAKE) -C src $@
- 
- rubywrap: 
--	$(MAKE) -C src rubywrap $@
-+	$(MAKE) -C src $@
- 
- install-pywrap: 
--	$(MAKE) -C src install-pywrap $@
-+	$(MAKE) -C src $@
- 
- install-rubywrap: 
--	$(MAKE) -C src install-rubywrap $@
-+	$(MAKE) -C src $@
- 
- clean-pywrap:
--	$(MAKE) -C src clean-pywrap $@
-+	$(MAKE) -C src $@
- 
- clean-rubywrap:
--	$(MAKE) -C src clean-rubywrap $@
-+	$(MAKE) -C src $@
- 
- test:
--- 
-2.32.0
-
diff --git a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch b/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch
deleted file mode 100644
index 9eb5b1b..0000000
--- a/SOURCES/0002-libselinux-selinux_check_passwd_access_internal-resp.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From a88d24522fe74100478122c298aa4ace1af876fd Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:12:38 +0200
-Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect
- deny_unknown
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-`selinux_check_passwd_access_internal()`, and thereby
-`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
-respect the policy defined setting of `deny_unknown`, like
-`selinux_check_access(3)` does.
-This means in case the security class `passwd` is not defined, success
-is returned instead of failure, i.e. permission denied.
-
-Most policies should define the `passwd` class and the two affected
-public functions are marked deprecated.
-
-Align the behavior with `selinux_check_access(3)` and respect
-the deny_unknown setting in case the security class is not defined.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/checkAccess.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
-index b337ea64f977..022cd6b5ecab 100644
---- a/libselinux/src/checkAccess.c
-+++ b/libselinux/src/checkAccess.c
-@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
- 		passwd_class = string_to_security_class("passwd");
- 		if (passwd_class == 0) {
- 			freecon(user_context);
--			return 0;
-+			if (security_deny_unknown() == 0)
-+				return 0;
-+			return -1;
- 		}
- 
- 		retval = security_compute_av_raw(user_context,
--- 
-2.32.0
-
diff --git a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch b/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
deleted file mode 100644
index 4fc315c..0000000
--- a/SOURCES/0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From f1bc162cc272e01631e8f6d890fae71e1cb96e03 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Fri, 30 Apr 2021 21:37:02 +0200
-Subject: [PATCH] libselinux: silence -Wstringop-overflow warning from gcc
- 10.3.1
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When building libselinux on Fedora 33 with gcc 10.3.1, the compiler
-reports:
-
-    label_file.c: In function ‘lookup_all.isra’:
-    label_file.c:940:4: error: ‘strncpy’ specified bound depends on the
-    length of the source argument [-Werror=stringop-overflow=]
-      940 |    strncpy(clean_key, key, len - 1);
-          |    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-    label_file.c:927:8: note: length computed here
-      927 |  len = strlen(key);
-          |        ^~~~~~~~~~~
-    cc1: all warnings being treated as errors
-
-As clean_key is the result of malloc(len), there is no issue here. But
-using strncpy can be considered as strange, because the size of the
-string is already known and the NUL terminator is always added later, in
-function ‘lookup_all.isra.
-
-Replace strncpy with memcpy to silence this gcc false-positive warning.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/label_file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 726394ca4332..cfce23e0119e 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -909,7 +909,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
- 			if (!clean_key)
- 				goto finish;
- 
--			strncpy(clean_key, key, len - 1);
-+			memcpy(clean_key, key, len - 1);
- 		}
- 
- 		clean_key[len - 1] = '\0';
--- 
-2.32.0
-
diff --git a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch b/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
deleted file mode 100644
index 4041dc4..0000000
--- a/SOURCES/0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From ae34b3ca3c605f8648b10722330ef3fbc872f3d6 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:35 +0200
-Subject: [PATCH] libselinux: sidtab_hash(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not discard the const qualifier of the function argument, and drop
-the redundant local variable `keyp`.
-
-avc_sidtab.c: In function ‘sidtab_hash’:
-avc_sidtab.c:23:9: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-   23 |  keyp = (char *)key;
-      |         ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc_sidtab.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 9669264d651a..8dc875608762 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -15,14 +15,13 @@
- 
- static inline unsigned sidtab_hash(const char * key)
- {
--	char *p, *keyp;
-+	const char *p;
- 	unsigned int size;
- 	unsigned int val;
- 
- 	val = 0;
--	keyp = (char *)key;
--	size = strlen(keyp);
--	for (p = keyp; (unsigned int)(p - keyp) < size; p++)
-+	size = strlen(key);
-+	for (p = key; (unsigned int)(p - key) < size; p++)
- 		val =
- 		    (val << 4 | (val >> (8 * sizeof(unsigned int) - 4))) ^ (*p);
- 	return val & (SIDTAB_SIZE - 1);
--- 
-2.32.0
-
diff --git a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch b/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
deleted file mode 100644
index c370725..0000000
--- a/SOURCES/0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From d23421c65a4e53bef900d9e015833015fa123765 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:40 +0200
-Subject: [PATCH] libselinux: selinux_file_context_cmp(): do not discard const
- qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-matchpathcon.c: In function ‘selinux_file_context_cmp’:
-matchpathcon.c:487:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-  487 |  rest_a = strchr((char *)a, ':');
-      |                  ^
-matchpathcon.c:488:18: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-  488 |  rest_b = strchr((char *)b, ':');
-      |                  ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchpathcon.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 2ec66650cae0..9e1fab593266 100644
---- a/libselinux/src/matchpathcon.c
-+++ b/libselinux/src/matchpathcon.c
-@@ -477,15 +477,15 @@ void matchpathcon_checkmatches(char *str __attribute__((unused)))
- int selinux_file_context_cmp(const char * a,
- 			     const char * b)
- {
--	char *rest_a, *rest_b;	/* Rest of the context after the user */
-+	const char *rest_a, *rest_b;	/* Rest of the context after the user */
- 	if (!a && !b)
- 		return 0;
- 	if (!a)
- 		return -1;
- 	if (!b)
- 		return 1;
--	rest_a = strchr((char *)a, ':');
--	rest_b = strchr((char *)b, ':');
-+	rest_a = strchr(a, ':');
-+	rest_b = strchr(b, ':');
- 	if (!rest_a && !rest_b)
- 		return 0;
- 	if (!rest_a)
--- 
-2.32.0
-
diff --git a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch b/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch
deleted file mode 100644
index 0dca8cd..0000000
--- a/SOURCES/0006-libselinux-label_common-do-not-discard-const-qualifi.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 3950b1afedd1a5247dcb0eb4acffc3fe045a9fb3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:42 +0200
-Subject: [PATCH] libselinux: label_common(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-As the const qualifier is discarded in label_common(), do not return a
-const qualified pointer pointer from the local function `lookup_all()`.
-
-label_file.c: In function ‘lookup_common’:
-label_file.c:994:24: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-  994 |  struct spec *result = (struct spec*)matches[0];
-      |                        ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index cfce23e0119e..b080fcf1305b 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -845,7 +845,7 @@ static void closef(struct selabel_handle *rec)
- // Finds all the matches of |key| in the given context. Returns the result in
- // the allocated array and updates the match count. If match_count is NULL,
- // stops early once the 1st match is found.
--static const struct spec **lookup_all(struct selabel_handle *rec,
-+static struct spec **lookup_all(struct selabel_handle *rec,
-                                       const char *key,
-                                       int type,
-                                       bool partial,
-@@ -861,7 +861,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
- 	unsigned int sofar = 0;
- 	char *sub = NULL;
- 
--	const struct spec **result = NULL;
-+	struct spec **result = NULL;
- 	if (match_count) {
- 		*match_count = 0;
- 		result = calloc(data->nspec, sizeof(struct spec*));
-@@ -987,11 +987,11 @@ static struct spec *lookup_common(struct selabel_handle *rec,
-                                   const char *key,
-                                   int type,
-                                   bool partial) {
--	const struct spec **matches = lookup_all(rec, key, type, partial, NULL);
-+	struct spec **matches = lookup_all(rec, key, type, partial, NULL);
- 	if (!matches) {
- 		return NULL;
- 	}
--	struct spec *result = (struct spec*)matches[0];
-+	struct spec *result = matches[0];
- 	free(matches);
- 	return result;
- }
-@@ -1054,7 +1054,7 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
- 	assert(digest);
- 
- 	size_t total_matches;
--	const struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
-+	struct spec **matches = lookup_all(rec, key, 0, true, &total_matches);
- 	if (!matches) {
- 		return false;
- 	}
--- 
-2.32.0
-
diff --git a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch b/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
deleted file mode 100644
index a60225c..0000000
--- a/SOURCES/0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
+++ /dev/null
@@ -1,85 +0,0 @@
-From 7ca82e0db464052c1ed51e77b2d61ede82dfe3ee Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:44 +0200
-Subject: [PATCH] libselinux: Sha1Finalise(): do not discard const qualifier
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mark the argument `Buffer` of `Sha1Update()` const, since it is not
-modified.
-
-sha1.c: In function ‘Sha1Finalise’:
-sha1.c:208:25: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-  208 |     Sha1Update(Context, (uint8_t*)"\x80", 1);
-      |                         ^
-sha1.c:211:29: warning: cast discards ‘const’ qualifier from pointer target type [-Wcast-qual]
-  211 |         Sha1Update(Context, (uint8_t*)"\0", 1);
-      |                             ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/sha1.c | 10 +++++-----
- libselinux/src/sha1.h |  2 +-
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-index 9a8ce01dceda..664bbcf26eef 100644
---- a/libselinux/src/sha1.c
-+++ b/libselinux/src/sha1.c
-@@ -151,7 +151,7 @@ void
-     Sha1Update
-     (
-         Sha1Context*        Context,
--        void*               Buffer,
-+        const void*         Buffer,
-         uint32_t            BufferSize
-     )
- {
-@@ -172,7 +172,7 @@ void
-         TransformFunction(Context->State, Context->Buffer);
-         for (; i + 63 < BufferSize; i += 64)
-         {
--            TransformFunction(Context->State, (uint8_t*)Buffer + i);
-+            TransformFunction(Context->State, (const uint8_t*)Buffer + i);
-         }
-         j = 0;
-     }
-@@ -181,7 +181,7 @@ void
-         i = 0;
-     }
- 
--    memcpy(&Context->Buffer[j], &((uint8_t*)Buffer)[i], BufferSize - i);
-+    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
- }
- 
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-@@ -205,10 +205,10 @@ void
-         finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
-          >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent
-     }
--    Sha1Update(Context, (uint8_t*)"\x80", 1);
-+    Sha1Update(Context, (const uint8_t*)"\x80", 1);
-     while ((Context->Count[0] & 504) != 448)
-     {
--        Sha1Update(Context, (uint8_t*)"\0", 1);
-+        Sha1Update(Context, (const uint8_t*)"\0", 1);
-     }
- 
-     Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()
-diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
-index eac3c195351a..f83a6e7ed7ba 100644
---- a/libselinux/src/sha1.h
-+++ b/libselinux/src/sha1.h
-@@ -64,7 +64,7 @@ void
-     Sha1Update
-     (
-         Sha1Context*        Context,
--        void*               Buffer,
-+        const void*         Buffer,
-         uint32_t            BufferSize
-     );
- 
--- 
-2.32.0
-
diff --git a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch b/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
deleted file mode 100644
index 39366bd..0000000
--- a/SOURCES/0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 11194b982bb32c05548c38e4c81b1f166083f7e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:46 +0200
-Subject: [PATCH] libselinux: sefcontext_compile: mark local variable static
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `policy_file` is only used in sefcontext_compile.c.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/sefcontext_compile.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/utils/sefcontext_compile.c b/libselinux/utils/sefcontext_compile.c
-index dcb0085ad67e..6c32172d9944 100644
---- a/libselinux/utils/sefcontext_compile.c
-+++ b/libselinux/utils/sefcontext_compile.c
-@@ -14,7 +14,7 @@
- #include "../src/label_file.h"
- #include "../src/regex.h"
- 
--const char *policy_file;
-+static const char *policy_file;
- static int ctx_err;
- 
- static int validate_context(char **ctxp)
--- 
-2.32.0
-
diff --git a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch b/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
deleted file mode 100644
index 39a1ea4..0000000
--- a/SOURCES/0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 533e9d6ce07c8909c9c020cd6920a2384f7eee22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:48 +0200
-Subject: [PATCH] libselinux: avcstat: use standard length modifier for
- unsigned long long
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The format width specifier `L` is only standardized for floating point
-types. Use `ll` for fixed-width data types.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/avcstat.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c
-index da2392870c51..cc9a48dd4c3a 100644
---- a/libselinux/utils/avcstat.c
-+++ b/libselinux/utils/avcstat.c
-@@ -205,7 +205,7 @@ int main(int argc, char **argv)
- 			die("unable to parse \'%s\': no data", avcstatfile);
- 
- 		if (cumulative || !i)
--			printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
-+			printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
- 			       tot.lookups, tot.hits, tot.misses,
- 			       tot.allocations, tot.reclaims, tot.frees);
- 		else {
-@@ -215,7 +215,7 @@ int main(int argc, char **argv)
- 			rel.allocations = tot.allocations - last.allocations;
- 			rel.reclaims = tot.reclaims - last.reclaims;
- 			rel.frees = tot.frees - last.frees;
--			printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
-+			printf("%10llu %10llu %10llu %10llu %10llu %10llu\n",
- 			       rel.lookups, rel.hits, rel.misses,
- 			       rel.allocations, rel.reclaims, rel.frees);
- 		}
--- 
-2.32.0
-
diff --git a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch b/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
deleted file mode 100644
index 28b1188..0000000
--- a/SOURCES/0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 7464272caa1a69e3fc7971d1d80b6afd4785abef Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:51 +0200
-Subject: [PATCH] libselinux: selinux_restorecon: mark local variable static
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `dir_xattr_list` is only used inside `selinux_restorecon.c`.
-
-selinux_restorecon.c:65:19: warning: no previous extern declaration for non-static variable 'dir_xattr_list' [-Wmissing-variable-declarations]
-struct dir_xattr *dir_xattr_list;
-                  ^
-selinux_restorecon.c:65:1: note: declare 'static' if the variable is not intended to be used outside of this translation unit
-struct dir_xattr *dir_xattr_list;
-^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_restorecon.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 63fb8dc53c28..249c361fa988 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -62,7 +62,7 @@ static uint64_t fc_count = 0;	/* Number of files processed so far */
- static uint64_t efile_count;	/* Estimated total number of files */
- 
- /* Store information on directories with xattr's. */
--struct dir_xattr *dir_xattr_list;
-+static struct dir_xattr *dir_xattr_list;
- static struct dir_xattr *dir_xattr_last;
- 
- /* restorecon_flags for passing to restorecon_sb() */
--- 
-2.32.0
-
diff --git a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch b/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
deleted file mode 100644
index 5187561..0000000
--- a/SOURCES/0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From d0c02882b7fdcf5e6478f9a82ac2946174f4bca4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:53 +0200
-Subject: [PATCH] libselinux: selabel_get_digests_all_partial_matches: free
- memory after FTS_D block
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Free all memory from `selabel_get_digests_all_partial_matches()` in case
-of success and failure.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- .../utils/selabel_get_digests_all_partial_matches.c    | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index 0c2edc67771d..e28833d2ce97 100644
---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
-+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -128,7 +128,7 @@ int main(int argc, char **argv)
- 					printf("No SHA1 digest available for: %s\n",
- 					       ftsent->fts_path);
- 					printf("as file_context entry is \"<<none>>\"\n");
--					break;
-+					goto cleanup;
- 				}
- 
- 				printf("The file_context entries for: %s\n",
-@@ -149,11 +149,11 @@ int main(int argc, char **argv)
- 							xattr_digest[i]);
- 					printf("%s\n", sha1_buf);
- 				}
--
--				free(xattr_digest);
--				free(calculated_digest);
--				free(sha1_buf);
- 			}
-+			cleanup:
-+			free(xattr_digest);
-+			free(calculated_digest);
-+			free(sha1_buf);
- 			break;
- 		}
- 		default:
--- 
-2.32.0
-
diff --git a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch b/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
deleted file mode 100644
index 4a6f921..0000000
--- a/SOURCES/0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d0e16077d4ded64bbc878d29e0dc22b1f5e0912f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:55 +0200
-Subject: [PATCH] libselinux: getconlist: free memory on multiple level
- arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not leak memory if the program argument `l` got passed more than
-once.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/getconlist.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
-index 76654b75151a..0bb2846937ca 100644
---- a/libselinux/utils/getconlist.c
-+++ b/libselinux/utils/getconlist.c
-@@ -26,6 +26,7 @@ int main(int argc, char **argv)
- 	while ((opt = getopt(argc, argv, "l:")) > 0) {
- 		switch (opt) {
- 		case 'l':
-+			free(level);
- 			level = strdup(optarg);
- 			if (!level) {
- 				fprintf(stderr, "memory allocation failure: %d(%s)\n",
--- 
-2.32.0
-
diff --git a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch b/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
deleted file mode 100644
index a78e2ec..0000000
--- a/SOURCES/0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 319429ba3358c32a566f2c59898d01f2f36fdc95 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:57 +0200
-Subject: [PATCH] libselinux: exclude_non_seclabel_mounts(): drop unused
- variable
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `num` is never read from.
-
-Found by clang-analyer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_restorecon.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 249c361fa988..6fb9e1ff486d 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -230,7 +230,6 @@ static int exclude_non_seclabel_mounts(void)
- 	struct utsname uts;
- 	FILE *fp;
- 	size_t len;
--	ssize_t num;
- 	int index = 0, found = 0, nfile = 0;
- 	char *mount_info[4];
- 	char *buf = NULL, *item;
-@@ -245,7 +244,7 @@ static int exclude_non_seclabel_mounts(void)
- 	if (!fp)
- 		return 0;
- 
--	while ((num = getline(&buf, &len, fp)) != -1) {
-+	while (getline(&buf, &len, fp) != -1) {
- 		found = 0;
- 		index = 0;
- 		item = strtok(buf, " ");
--- 
-2.32.0
-
diff --git a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch b/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch
deleted file mode 100644
index e1df68b..0000000
--- a/SOURCES/0014-libselinux-context_new-drop-dead-assignment.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 782fa6ea38f323c60fc437577af515ce44627452 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:10:59 +0200
-Subject: [PATCH] libselinux: context_new(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `i` is not used inside this loop, and it later
-unconditionally set to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/context.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/context.c b/libselinux/src/context.c
-index ce4258806c53..b2144c7cf76c 100644
---- a/libselinux/src/context.c
-+++ b/libselinux/src/context.c
-@@ -37,7 +37,7 @@ context_t context_new(const char *str)
- 	}
- 	n->current_str = n->component[0] = n->component[1] = n->component[2] =
- 	    n->component[3] = 0;
--	for (i = count = 0, p = str; *p; p++) {
-+	for (count = 0, p = str; *p; p++) {
- 		switch (*p) {
- 		case ':':
- 			count++;
--- 
-2.32.0
-
diff --git a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch b/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch
deleted file mode 100644
index 0f9fadd..0000000
--- a/SOURCES/0015-libselinux-label_x-init-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 9c26043af6e4947e0e3e7fb789452da0c66e11c9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:01 +0200
-Subject: [PATCH] libselinux: label_x::init(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `lineno` is only used in the preceding loop and is always
-set prior that to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_x.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/label_x.c b/libselinux/src/label_x.c
-index 9674529931a7..e9fa063fafff 100644
---- a/libselinux/src/label_x.c
-+++ b/libselinux/src/label_x.c
-@@ -146,7 +146,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- 			if (process_line(path, line_buf, pass, ++lineno, rec))
- 				goto finish;
- 		}
--		lineno = 0;
- 
- 		if (pass == 0) {
- 			if (data->nspec == 0) {
--- 
-2.32.0
-
diff --git a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch b/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch
deleted file mode 100644
index 3fd23ed..0000000
--- a/SOURCES/0016-libselinux-label_media-init-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 04335ab146d18f5865bed3516d5cbc9057a3df89 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:03 +0200
-Subject: [PATCH] libselinux: label_media::init(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `lineno` is only used in the preceding loop and it always
-set prior that to 0.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_media.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/label_media.c b/libselinux/src/label_media.c
-index d202e5d5ab83..eb27deaf510e 100644
---- a/libselinux/src/label_media.c
-+++ b/libselinux/src/label_media.c
-@@ -119,7 +119,6 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- 			if (process_line(path, line_buf, pass, ++lineno, rec))
- 				goto finish;
- 		}
--		lineno = 0;
- 
- 		if (pass == 0) {
- 			if (data->nspec == 0) {
--- 
-2.32.0
-
diff --git a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch b/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch
deleted file mode 100644
index ff787d6..0000000
--- a/SOURCES/0017-libselinux-setexecfilecon-drop-dead-assignment.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 411c5a54587b1459528fb8e6b66d0bebf1a5fb39 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:05 +0200
-Subject: [PATCH] libselinux: setexecfilecon(): drop dead assignment
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The variable `rc` is always unconditionally assigned by the next call of
-`setexeccon()` and never read in between.
-
-Found by clang-analyzer.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/setexecfilecon.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/libselinux/src/setexecfilecon.c b/libselinux/src/setexecfilecon.c
-index e72ba0d98880..2c6505a96a48 100644
---- a/libselinux/src/setexecfilecon.c
-+++ b/libselinux/src/setexecfilecon.c
-@@ -37,7 +37,6 @@ int setexecfilecon(const char *filename, const char *fallback_type)
- 		newcon = strdup(context_str(con));
- 		if (!newcon)
- 			goto out;
--		rc = 0;
- 	}
- 
- 	rc = setexeccon(newcon);
--- 
-2.32.0
-
diff --git a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch b/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
deleted file mode 100644
index eeecd9c..0000000
--- a/SOURCES/0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From db69a3d3622005d3ffd62498eac8da1ded264874 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:07 +0200
-Subject: [PATCH] libselinux: getdefaultcon: free memory on multiple same
- arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not leak memory if program arguments get specified more than once.
-
-Found by clang-anlyzer.
-
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'level' [unix.Malloc]
-                fprintf(stderr,
-                ^~~~~~~~~~~~~~~
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'role' [unix.Malloc]
-                fprintf(stderr,
-                ^~~~~~~~~~~~~~~
-getdefaultcon.c:52:3: warning: Potential leak of memory pointed to by 'service' [unix.Malloc]
-                fprintf(stderr,
-                ^~~~~~~~~~~~~~~
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/utils/getdefaultcon.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libselinux/utils/getdefaultcon.c b/libselinux/utils/getdefaultcon.c
-index 96a5a8c23656..957c1cb2e307 100644
---- a/libselinux/utils/getdefaultcon.c
-+++ b/libselinux/utils/getdefaultcon.c
-@@ -28,12 +28,15 @@ int main(int argc, char **argv)
- 	while ((opt = getopt(argc, argv, "l:r:s:v")) > 0) {
- 		switch (opt) {
- 		case 'l':
-+			free(level);
- 			level = strdup(optarg);
- 			break;
- 		case 'r':
-+			free(role);
- 			role = strdup(optarg);
- 			break;
- 		case 's':
-+			free(service);
- 			service = strdup(optarg);
- 			break;
- 		case 'v':
--- 
-2.32.0
-
diff --git a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch b/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
deleted file mode 100644
index e9e5446..0000000
--- a/SOURCES/0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 6e5d16a012e1845774da106846b87090d39ea8f3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:09 +0200
-Subject: [PATCH] libselinux: store_stem(): do not free possible non-heap
- object
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-GCC 11 complains:
-
-In file included from label_file.c:24:
-In function ‘store_stem’,
-    inlined from ‘load_mmap’ at label_file.c:277:12,
-    inlined from ‘process_file’ at label_file.c:551:5:
-label_file.h:289:25: error: ‘free’ called on pointer ‘*mmap_area.next_addr’ with nonzero offset 4 [-Werror=free-nonheap-object]
-  289 |                         free(buf);
-      |                         ^~~~~~~~~
-
-Free the pointer on failure at the caller instead of inside `store_stem()`.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.h | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
-index baed3341b6b3..9f6337012216 100644
---- a/libselinux/src/label_file.h
-+++ b/libselinux/src/label_file.h
-@@ -286,7 +286,6 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len)
- 		tmp_arr = realloc(data->stem_arr,
- 				  sizeof(*tmp_arr) * alloc_stems);
- 		if (!tmp_arr) {
--			free(buf);
- 			return -1;
- 		}
- 		data->alloc_stems = alloc_stems;
-@@ -308,6 +307,7 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
- 	int stem_len = get_stem_from_spec(buf);
- 	int stemid;
- 	char *stem;
-+	int r;
- 
- 	if (!stem_len)
- 		return -1;
-@@ -321,7 +321,11 @@ static inline int find_stem_from_spec(struct saved_data *data, const char *buf)
- 	if (!stem)
- 		return -1;
- 
--	return store_stem(data, stem, stem_len);
-+	r = store_stem(data, stem, stem_len);
-+	if (r < 0)
-+		free(stem);
-+
-+	return r;
- }
- 
- /* This will always check for buffer over-runs and either read the next entry
--- 
-2.32.0
-
diff --git a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch b/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch
deleted file mode 100644
index 22c4c0c..0000000
--- a/SOURCES/0020-libselinux-matchmediacon-close-file-on-error.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 0280a2a70c35c5c319f82f37a685424706b03ad4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:11 +0200
-Subject: [PATCH] libselinux: matchmediacon(): close file on error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by Infer.
-
-matchmediacon.c:25: error: Resource Leak
-  resource of type `_IO_FILE` acquired to `return` by call to `fopen()` at line 21, column 16 is not released after line 25, column 4.
-  23. 	while (!feof_unlocked(infile)) {
-  24. 		if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
-  25. 			return -1;
-         ^
-  26. 		}
-  27. 		if (current_line[strlen(current_line) - 1])
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchmediacon.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/libselinux/src/matchmediacon.c b/libselinux/src/matchmediacon.c
-index 23d01af476d2..d3d9504348e1 100644
---- a/libselinux/src/matchmediacon.c
-+++ b/libselinux/src/matchmediacon.c
-@@ -22,6 +22,7 @@ int matchmediacon(const char *media, char ** con)
- 		return -1;
- 	while (!feof_unlocked(infile)) {
- 		if (!fgets_unlocked(current_line, sizeof(current_line), infile)) {
-+			fclose(infile);
- 			return -1;
- 		}
- 		if (current_line[strlen(current_line) - 1])
--- 
-2.32.0
-
diff --git a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch b/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch
deleted file mode 100644
index 905d7fb..0000000
--- a/SOURCES/0021-libselinux-init_selinux_config-free-resources-on-err.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 9ab27e21800e8b5589eef0fa9242042567e9bc78 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:13 +0200
-Subject: [PATCH] libselinux: init_selinux_config(): free resources on error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by Infer.
-
-selinux_config.c:181: error: Resource Leak
-  resource of type `_IO_FILE` acquired by call to `fopen()` at line 165, column 7 is not released after line 181, column 6.
-  179. 				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
-  180. 				if (!type)
-  181. 					return;
-            ^
-  182. 				end = type + strlen(type) - 1;
-  183. 				while ((end > type) &&
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/selinux_config.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
-index 6c5238953cb1..97f81a8b61ce 100644
---- a/libselinux/src/selinux_config.c
-+++ b/libselinux/src/selinux_config.c
-@@ -177,8 +177,11 @@ static void init_selinux_config(void)
- 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
- 					 sizeof(SELINUXTYPETAG) - 1)) {
- 				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
--				if (!type)
-+				if (!type) {
-+					free(line_buf);
-+					fclose(fp);
- 					return;
-+				}
- 				end = type + strlen(type) - 1;
- 				while ((end > type) &&
- 				       (isspace(*end) || iscntrl(*end))) {
-@@ -187,6 +190,8 @@ static void init_selinux_config(void)
- 				}
- 				if (setpolicytype(type) != 0) {
- 					free(type);
-+					free(line_buf);
-+					fclose(fp);
- 					return;
- 				}
- 				free(type);
--- 
-2.32.0
-
diff --git a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch b/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
deleted file mode 100644
index 7b4243c..0000000
--- a/SOURCES/0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From bc0a0327ca6e47400e161f6d1e70e08cb350a36f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:15 +0200
-Subject: [PATCH] libselinux: label_file::init(): do not pass NULL to strdup
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If any of the build flags `BUILD_HOST` or `ANDROID` is set and the
-caller did not pass an option of type `SELABEL_OPT_PATH`, the variable
-`path` might be not set.
-Add a check to avoid calling `strdup()` with a NULL pointer.
-
-Found by cppcheck.
-
-src/label_file.c:759:26: warning: Possible null pointer dereference: path [nullPointer]
- rec->spec_file = strdup(path);
-                         ^
-src/label_file.c:713:21: note: Assignment 'path=NULL', assigned value is 0
- const char *path = NULL;
-                    ^
-src/label_file.c:759:26: note: Null pointer dereference
- rec->spec_file = strdup(path);
-                         ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index b080fcf1305b..4268b52c84cc 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -756,6 +756,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
- 	}
- 
- #endif
-+
-+	if (!path)
-+		goto finish;
-+
- 	rec->spec_file = strdup(path);
- 
- 	/*
--- 
-2.32.0
-
diff --git a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch b/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
deleted file mode 100644
index 463fc49..0000000
--- a/SOURCES/0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 65f1ccbecc30d31e66126e470d404b757eb9898e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:17 +0200
-Subject: [PATCH] libselinux: matchpathcon: free memory on realloc failure
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case `realloc()` fails and returns NULL, free the passed array,
-instead of just setting the size helper variables to 0.
-
-Also free the string contents in `free_array_elts()` of the array
-`con_array`, instead of just the array of pointers.
-
-Found by cppcheck.
-
-src/matchpathcon.c:86:4: error: Common realloc mistake: 'con_array' nulled but not freed upon failure [memleakOnRealloc]
-   con_array = (char **)realloc(con_array, sizeof(char*) *
-   ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/matchpathcon.c | 26 ++++++++++++++++----------
- 1 file changed, 16 insertions(+), 10 deletions(-)
-
-diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
-index 9e1fab593266..075a3fb3ffcb 100644
---- a/libselinux/src/matchpathcon.c
-+++ b/libselinux/src/matchpathcon.c
-@@ -78,17 +78,30 @@ static pthread_once_t once = PTHREAD_ONCE_INIT;
- static pthread_key_t destructor_key;
- static int destructor_key_initialized = 0;
- 
-+static void free_array_elts(void)
-+{
-+	int i;
-+	for (i = 0; i < con_array_used; i++)
-+		free(con_array[i]);
-+	free(con_array);
-+
-+	con_array_size = con_array_used = 0;
-+	con_array = NULL;
-+}
-+
- static int add_array_elt(char *con)
- {
-+	char **tmp;
- 	if (con_array_size) {
- 		while (con_array_used >= con_array_size) {
- 			con_array_size *= 2;
--			con_array = (char **)realloc(con_array, sizeof(char*) *
-+			tmp = (char **)realloc(con_array, sizeof(char*) *
- 						     con_array_size);
--			if (!con_array) {
--				con_array_size = con_array_used = 0;
-+			if (!tmp) {
-+				free_array_elts();
- 				return -1;
- 			}
-+			con_array = tmp;
- 		}
- 	} else {
- 		con_array_size = 1000;
-@@ -105,13 +118,6 @@ static int add_array_elt(char *con)
- 	return con_array_used++;
- }
- 
--static void free_array_elts(void)
--{
--	con_array_size = con_array_used = 0;
--	free(con_array);
--	con_array = NULL;
--}
--
- void set_matchpathcon_invalidcon(int (*f) (const char *p, unsigned l, char *c))
- {
- 	myinvalidcon = f;
--- 
-2.32.0
-
diff --git a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch b/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
deleted file mode 100644
index 205b477..0000000
--- a/SOURCES/0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From e1999379dfc6d12abb9fa454ac01d4239baf361f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:19 +0200
-Subject: [PATCH] libselinux: label_db::db_init(): open file with CLOEXEC mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Open the file stream with the `e` flag, so that the underlying file
-descriptor gets closed on an exec in a potential sibling thread.
-
-Also drop the flag `b`, since it is ignored on POSIX systems.
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_db.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
-index fba96c92299f..94c05c6d4397 100644
---- a/libselinux/src/label_db.c
-+++ b/libselinux/src/label_db.c
-@@ -277,7 +277,7 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
- 	if (!path)
- 		path = selinux_sepgsql_context_path();
- 
--	if ((filp = fopen(path, "rb")) == NULL) {
-+	if ((filp = fopen(path, "re")) == NULL) {
- 		free(catalog);
- 		return NULL;
- 	}
--- 
-2.32.0
-
diff --git a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch b/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch
deleted file mode 100644
index b680c7b..0000000
--- a/SOURCES/0025-libselinux-drop-redundant-casts-to-the-same-type.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 8827610e5045b9bce7d2fe24058548f938921ccf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:22 +0200
-Subject: [PATCH] libselinux: drop redundant casts to the same type
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/audit2why.c            | 2 +-
- libselinux/src/avc_sidtab.c           | 2 +-
- libselinux/src/is_customizable_type.c | 2 +-
- libselinux/src/selinux_restorecon.c   | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libselinux/src/audit2why.c b/libselinux/src/audit2why.c
-index d56b56eb2a1a..029f874f4702 100644
---- a/libselinux/src/audit2why.c
-+++ b/libselinux/src/audit2why.c
-@@ -275,7 +275,7 @@ static int __policy_init(const char *init_path)
- 	}
- 
- 	sepol_bool_iterate(avc->handle, avc->policydb,
--			   load_booleans, (void *)NULL);
-+			   load_booleans, NULL);
- 
- 	/* Initialize the sidtab for subsequent use by sepol_context_to_sid
- 	   and sepol_compute_av_reason. */
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 8dc875608762..8c81cf65d2ef 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -56,7 +56,7 @@ int sidtab_insert(struct sidtab *s, const char * ctx)
- 		rc = -1;
- 		goto out;
- 	}
--	newctx = (char *) strdup(ctx);
-+	newctx = strdup(ctx);
- 	if (!newctx) {
- 		rc = -1;
- 		avc_free(newnode);
-diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
-index 92876f4d9371..1b17860c3622 100644
---- a/libselinux/src/is_customizable_type.c
-+++ b/libselinux/src/is_customizable_type.c
-@@ -38,7 +38,7 @@ static int get_customizable_type_list(char *** retlist)
- 			while (fgets_unlocked(buf, selinux_page_size, fp)
- 			       && i < ctr) {
- 				buf[strlen(buf) - 1] = 0;
--				list[i] = (char *) strdup(buf);
-+				list[i] = strdup(buf);
- 				if (!list[i]) {
- 					unsigned int j;
- 					for (j = 0; j < i; j++)
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 6fb9e1ff486d..999aa924ba32 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -1152,7 +1152,7 @@ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
- 	unsigned char *fc_digest;
- 	size_t num_specfiles, fc_digest_len;
- 
--	fc_sehandle = (struct selabel_handle *) hndl;
-+	fc_sehandle = hndl;
- 	if (!fc_sehandle)
- 		return;
- 
--- 
-2.32.0
-
diff --git a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch b/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
deleted file mode 100644
index 9ba272e..0000000
--- a/SOURCES/0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From b1a4603c9208982e33291fe6dc5aa78148762530 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:24 +0200
-Subject: [PATCH] libselinux: sidtab_sid_stats(): unify parameter name
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-libselinux/src/avc_sidtab.h:32:6: warning: function 'sidtab_sid_stats' has a definition with different parameter names [readability-inconsistent-declaration-parameter-name]
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
-     ^
-libselinux/src/avc_sidtab.c:103:6: note: the definition seen here
-void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
-     ^
-libselinux/src/avc_sidtab.h:32:6: note: differing parameters are named here: ('s'), in definition: ('h')
-void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen) ;
-     ^                               ~
-                                     h
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc_sidtab.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 8c81cf65d2ef..f179d8558a45 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -100,7 +100,7 @@ sidtab_context_to_sid(struct sidtab *s,
- 	return rc;
- }
- 
--void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
-+void sidtab_sid_stats(struct sidtab *s, char *buf, int buflen)
- {
- 	int i, chain_len, slots_used, max_chain_len;
- 	struct sidtab_node *cur;
-@@ -108,7 +108,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
- 	slots_used = 0;
- 	max_chain_len = 0;
- 	for (i = 0; i < SIDTAB_SIZE; i++) {
--		cur = h->htable[i];
-+		cur = s->htable[i];
- 		if (cur) {
- 			slots_used++;
- 			chain_len = 0;
-@@ -124,7 +124,7 @@ void sidtab_sid_stats(struct sidtab *h, char *buf, int buflen)
- 
- 	snprintf(buf, buflen,
- 		 "%s:  %u SID entries and %d/%d buckets used, longest "
--		 "chain length %d\n", avc_prefix, h->nel, slots_used,
-+		 "chain length %d\n", avc_prefix, s->nel, slots_used,
- 		 SIDTAB_SIZE, max_chain_len);
- }
- 
--- 
-2.32.0
-
diff --git a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch b/SOURCES/0027-libselinux-regex-unify-parameter-names.patch
deleted file mode 100644
index 5781ab6..0000000
--- a/SOURCES/0027-libselinux-regex-unify-parameter-names.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e057080fcc148b3b1fc613c100340c325bde6c7e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:26 +0200
-Subject: [PATCH] libselinux: regex: unify parameter names
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Use the same parameter names as in the header `regex.h`.
-
-Found by clang-tidy.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/regex.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
-index 770bc3ea1310..73987d9f1063 100644
---- a/libselinux/src/regex.c
-+++ b/libselinux/src/regex.c
-@@ -319,7 +319,7 @@ char const *regex_version(void)
- }
- 
- int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex,
--		    int unused __attribute__((unused)), bool *regex_compiled)
-+		    int do_load_precompregex __attribute__((unused)), bool *regex_compiled)
- {
- 	int rc;
- 	uint32_t entry_len;
-@@ -387,7 +387,7 @@ static inline pcre_extra *get_pcre_extra(struct regex_data *regex)
- }
- 
- int regex_writef(struct regex_data *regex, FILE *fp,
--		 int unused __attribute__((unused)))
-+		 int do_write_precompregex __attribute__((unused)))
- {
- 	int rc;
- 	size_t len;
--- 
-2.32.0
-
diff --git a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch b/SOURCES/0028-libselinux-label_file.c-fix-indent.patch
deleted file mode 100644
index f072b85..0000000
--- a/SOURCES/0028-libselinux-label_file.c-fix-indent.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 2657e3ccbd01f09ea4c637c2d8cf23646507475a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 3 May 2021 17:11:31 +0200
-Subject: [PATCH] libselinux: label_file.c: fix indent
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Found by clang-tidy.
-
-libselinux/src/label_file.c:374:4: warning: different indentation for 'if' and corresponding 'else' [readability-misleading-indentation]
-                 else
-                 ^
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/label_file.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 4268b52c84cc..56f499faef97 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -371,7 +371,7 @@ end_arch_check:
- 
- 		if (stem_id < 0 || stem_id >= (int32_t)stem_map_len)
- 			spec->stem_id = -1;
--		 else
-+		else
- 			spec->stem_id = stem_map[stem_id];
- 
- 		/* retrieve the hasMetaChars bit */
--- 
-2.32.0
-
diff --git a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch b/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch
deleted file mode 100644
index 1142019..0000000
--- a/SOURCES/0029-libselinux-avc_destroy-3-closes-status-page.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From a2304cef5780d72ef0eb927b799337982c599ca9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:46 +0200
-Subject: [PATCH] libselinux: avc_destroy(3) closes status page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Mention in the manpage of avc_destroy(3) that it does close the SELinux
-status page, which might have been opened manually by the client
-application.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/man/man3/avc_open.3 | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
-index 3090dd5077c7..55683bb6594b 100644
---- a/libselinux/man/man3/avc_open.3
-+++ b/libselinux/man/man3/avc_open.3
-@@ -26,6 +26,9 @@ initializes the userspace AVC and must be called before any other AVC operation
- destroys the userspace AVC, freeing all internal memory structures.  After this call has been made, 
- .BR avc_open ()
- must be called again before any AVC operations can be performed.
-+.BR avc_destroy ()
-+also closes the SELinux status page, which might have been opened manually by
-+.BR selinux_status_open (3).
- 
- .BR avc_reset ()
- flushes the userspace AVC, causing it to forget any cached access decisions.  The userspace AVC normally calls this function automatically when needed, see
--- 
-2.32.0
-
diff --git a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch b/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch
deleted file mode 100644
index 953b991..0000000
--- a/SOURCES/0030-libselinux-make-selinux_status_open-3-reentrant.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From c5a699046f4a08a554d2da9121924fc80bf27cba Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:47 +0200
-Subject: [PATCH] libselinux: make selinux_status_open(3) reentrant
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Do not mmap the status page again if `selinux_status_open(3)` has already
-been called with success.
-
-`selinux_status_open(3)` might be called unintentionally multiple times,
-e.g. once to manually be able to call `selinux_status_getenforce(3)` and
-once indirectly through `selinux_check_access(3)`
-(since libselinux 3.2).
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/sestatus.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
-index 12b015e088ea..531a522c0f48 100644
---- a/libselinux/src/sestatus.c
-+++ b/libselinux/src/sestatus.c
-@@ -282,6 +282,10 @@ int selinux_status_open(int fallback)
- 	long		pagesize;
- 	uint32_t	seqno;
- 
-+	if (selinux_status != NULL) {
-+		return 0;
-+	}
-+
- 	if (!selinux_mnt) {
- 		errno = ENOENT;
- 		return -1;
--- 
-2.32.0
-
diff --git a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch b/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
deleted file mode 100644
index a952d93..0000000
--- a/SOURCES/0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3cef4110bee88ac81dfb5e62c2a8b7902248abba Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Mon, 10 May 2021 12:56:48 +0200
-Subject: [PATCH] libselinux: do not use status page fallback mode internally
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Currently `avc_init_internal()`, called by `avc_open(3)` and
-`avc_init(3)`, does open the SELinux status page with fallback mode
-enabled.
-
-Quote from man:selinux_status_open(3):
-    In this case, this function tries to open a netlink socket using
-    .BR avc_netlink_open (3) and overwrite corresponding callbacks
-    (setenforce and policyload).  Thus, we need to pay attention to the
-    interaction with these interfaces, when fallback mode is enabled.
-
-Calling `selinux_status_open` internally in fallback mode is bad, cause
-it overrides callbacks from client applications or the internal
-fallback-callbacks get overridden by client applications.
-Note that `avc_open(3)` gets called under the hood by
-`selinux_check_access(3)` without checking for failure.
-Also the status page is available since Linux 2.6.37, so failures of
-`selinux_status_open(3)` in non-fallback mode should only be caused by
-policies not allowing the client process to open/read/map
-the /sys/fs/selinux/status file.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
----
- libselinux/src/avc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
-index 8314d7ba3de6..daaedbc6a6fd 100644
---- a/libselinux/src/avc.c
-+++ b/libselinux/src/avc.c
-@@ -214,7 +214,7 @@ static int avc_init_internal(const char *prefix,
- 		avc_enforcing = rc;
- 	}
- 
--	rc = selinux_status_open(1);
-+	rc = selinux_status_open(0);
- 	if (rc < 0) {
- 		avc_log(SELINUX_ERROR,
- 			"%s: could not open selinux status page: %d (%s)\n",
--- 
-2.32.0
-
diff --git a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch b/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
deleted file mode 100644
index 00ade44..0000000
--- a/SOURCES/0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From ed2e4db2f9941e01e65248ce5f0a9e49f3efd130 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 1 Jun 2021 17:05:23 +0200
-Subject: [PATCH] libselinux: selinux_status_open: return 1 in fallback mode
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In case of a recurring call to `selinux_status_open(3)`, which
-previously has been opened in fallback mode, return `1` according to its
-documentation.
-
-Fixes: c5a699046f4 ("libselinux: make selinux_status_open(3) reentrant")
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/sestatus.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
-index 531a522c0f48..89c1f6216702 100644
---- a/libselinux/src/sestatus.c
-+++ b/libselinux/src/sestatus.c
-@@ -283,7 +283,7 @@ int selinux_status_open(int fallback)
- 	uint32_t	seqno;
- 
- 	if (selinux_status != NULL) {
--		return 0;
-+		return (selinux_status == MAP_FAILED) ? 1 : 0;
- 	}
- 
- 	if (!selinux_mnt) {
--- 
-2.32.0
-
diff --git a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch b/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch
deleted file mode 100644
index c1b4851..0000000
--- a/SOURCES/0033-libselinux-improve-getcon-3-man-page.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From ea02e0acfaab93219359448a66edff365aef4ca5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 1 Jun 2021 17:35:09 +0200
-Subject: [PATCH] libselinux: improve getcon(3) man page
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Improve formatting of section DESCRIPTION by adding list points.
-Mention errno is set on failure.
-Mention the returned context might be NULL if SELinux is not enabled.
-Align setcon/_raw parameter by adding const.
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/man/man3/getcon.3 | 41 +++++++++++++++++++++++++-----------
- 1 file changed, 29 insertions(+), 12 deletions(-)
-
-diff --git a/libselinux/man/man3/getcon.3 b/libselinux/man/man3/getcon.3
-index 67872a4dede6..e7e394f305b7 100644
---- a/libselinux/man/man3/getcon.3
-+++ b/libselinux/man/man3/getcon.3
-@@ -7,7 +7,7 @@ freecon, freeconary \- free memory associated with SELinux security contexts
- getpeercon \- get security context of a peer socket
- 
- setcon \- set current security context of a process
--.
-+
- .SH "SYNOPSIS"
- .B #include <selinux/selinux.h>
- .sp
-@@ -31,30 +31,39 @@ setcon \- set current security context of a process
- .sp
- .BI "void freeconary(char **" con );
- .sp
--.BI "int setcon(char *" context );
-+.BI "int setcon(const char *" context );
- .sp
--.BI "int setcon_raw(char *" context );
--.
-+.BI "int setcon_raw(const char *" context );
-+
- .SH "DESCRIPTION"
-+.TP
- .BR getcon ()
- retrieves the context of the current process, which must be free'd with
--freecon.
-+.BR freecon ().
- 
-+.TP
- .BR getprevcon ()
- same as getcon but gets the context before the last exec.
- 
-+.TP
- .BR getpidcon ()
--returns the process context for the specified PID.
-+returns the process context for the specified PID, which must be free'd with
-+.BR freecon ().
- 
-+.TP
- .BR getpeercon ()
--retrieves context of peer socket, and set
--.BI * context
--to refer to it, which must be free'd with
-+retrieves the context of the peer socket, which must be free'd with
- .BR freecon ().
- 
-+.TP
- .BR freecon ()
- frees the memory allocated for a security context.
- 
-+If
-+.I con
-+is NULL, no operation is performed.
-+
-+.TP
- .BR freeconary ()
- frees the memory allocated for a context array.
- 
-@@ -62,6 +71,7 @@ If
- .I con
- is NULL, no operation is performed.
- 
-+.TP
- .BR setcon ()
- sets the current security context of the process to a new value.  Note
- that use of this function requires that the entire application be
-@@ -110,6 +120,8 @@ context and the
- .BR setcon ()
- will fail if it is not allowed by policy.
- 
-+.TP
-+.BR *_raw()
- .BR getcon_raw (),
- .BR getprevcon_raw (),
- .BR getpidcon_raw (),
-@@ -118,9 +130,14 @@ and
- .BR setcon_raw ()
- behave identically to their non-raw counterparts but do not perform context
- translation.
--.
-+
- .SH "RETURN VALUE"
--On error \-1 is returned.  On success 0 is returned.
--.
-+On error \-1 is returned with errno set.  On success 0 is returned.
-+
-+.SH "NOTES"
-+The retrieval functions might return success and set
-+.I *context
-+to NULL if and only if SELinux is not enabled.
-+
- .SH "SEE ALSO"
- .BR selinux "(8), " setexeccon "(3)"
--- 
-2.32.0
-
diff --git a/SOURCES/0034-libselinux-fix-typo.patch b/SOURCES/0034-libselinux-fix-typo.patch
deleted file mode 100644
index 3d9d604..0000000
--- a/SOURCES/0034-libselinux-fix-typo.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From fa4de3c9d85a310248bae516ed4535773885845b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
-Date: Tue, 8 Jun 2021 17:36:44 +0200
-Subject: [PATCH] libselinux: fix typo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
-Acked-by: Petr Lautrbach <plautrba@redhat.com>
----
- libselinux/src/regex.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/libselinux/src/regex.h b/libselinux/src/regex.h
-index 10c3df7856e1..2dfa25342034 100644
---- a/libselinux/src/regex.h
-+++ b/libselinux/src/regex.h
-@@ -44,7 +44,7 @@ struct mmap_area;
- char const *regex_arch_string(void) ;
- 
- /**
-- * regex_verison returns the version string of the underlying regular
-+ * regex_version returns the version string of the underlying regular
-  * regular expressions library. In the case of PCRE it just returns the
-  * result of pcre_version(). In the case of PCRE2, the very first time this
-  * function is called it allocates a buffer large enough to hold the version
--- 
-2.32.0
-
diff --git a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch b/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
deleted file mode 100644
index fdaabab..0000000
--- a/SOURCES/0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 70b31e75fe157f4cfa5afc6589c0605868017028 Mon Sep 17 00:00:00 2001
-From: Topi Miettinen <toiwoton@gmail.com>
-Date: Sat, 12 Jun 2021 12:07:38 +0300
-Subject: [PATCH] selinux.8: document how mount flag nosuid affects SELinux
-
-Using mount flag `nosuid` also affects SELinux domain transitions but
-this has not been documented well.
-
-Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
----
- libselinux/man/man8/selinux.8 | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
-index 0ef014609a36..5842150bfc72 100644
---- a/libselinux/man/man8/selinux.8
-+++ b/libselinux/man/man8/selinux.8
-@@ -94,6 +94,13 @@ and reboot.
- also has this capability.  The
- .BR restorecon / fixfiles
- commands are also available for relabeling files.
-+
-+Please note that using mount flag
-+.I nosuid
-+also disables SELinux domain transitions, unless permission
-+.I nosuid_transition
-+is used in the policy to allow this, which in turn needs also policy capability
-+.IR nnp_nosuid_transition .
- .
- .SH AUTHOR
- This manual page was written by Dan Walsh <dwalsh@redhat.com>.
--- 
-2.32.0
-
diff --git a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch b/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
deleted file mode 100644
index 2953a46..0000000
--- a/SOURCES/0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4859b738136ef8889fbb71a166cfec8d313ba4e0 Mon Sep 17 00:00:00 2001
-From: Fabrice Fontaine <fontaine.fabrice@gmail.com>
-Date: Thu, 1 Jul 2021 19:06:19 +0200
-Subject: [PATCH] libselinux/utils/getseuser.c: fix build with gcc 4.8
-
-Fix the following build failure with gcc 4.8 which is raised since
-version 3.2 and
-https://github.com/SELinuxProject/selinux/commit/156dd0de5cad31e7d437c64e11a8aef027f0a691
-
-getseuser.c:53:2: error: 'for' loop initial declarations are only allowed in C99 mode
-  for (int i = 0; i < n; i++)
-  ^
-
-Fixes:
- - http://autobuild.buildroot.org/results/37eb0952a763256fbf6ef3c668f6c95fbdf2dd35
-
-Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
----
- libselinux/utils/getseuser.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/libselinux/utils/getseuser.c b/libselinux/utils/getseuser.c
-index ce1b7b27dbd9..34f2e887ffa0 100644
---- a/libselinux/utils/getseuser.c
-+++ b/libselinux/utils/getseuser.c
-@@ -9,7 +9,7 @@ int main(int argc, char **argv)
- {
- 	char *seuser = NULL, *level = NULL;
- 	char **contextlist;
--	int rc, n;
-+	int rc, n, i;
- 
- 	if (argc != 3) {
- 		fprintf(stderr, "usage:  %s linuxuser fromcon\n", argv[0]);
-@@ -50,7 +50,7 @@ int main(int argc, char **argv)
- 	if (n == 0)
- 		printf("no valid context found\n");
- 
--	for (int i = 0; i < n; i++)
-+	for (i = 0; i < n; i++)
- 		printf("Context %d\t%s\n", i, contextlist[i]);
- 
- 	freeconary(contextlist);
--- 
-2.32.0
-
diff --git a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch b/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch
deleted file mode 100644
index bf958ac..0000000
--- a/SOURCES/0037-libselinux-silence-Wextra-semi-stmt-warning.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 40543dceedc1510d0d27177f564db0f232689803 Mon Sep 17 00:00:00 2001
-From: Nicolas Iooss <nicolas.iooss@m4x.org>
-Date: Sat, 3 Jul 2021 16:31:18 +0200
-Subject: [PATCH] libselinux: silence -Wextra-semi-stmt warning
-
-On Ubuntu 20.04, when building with clang -Werror -Wextra-semi-stmt
-(which is not the default build configuration), the compiler reports:
-
-      sha1.c:90:21: error: empty expression statement has no effect;
-      remove unnecessary ';' to silence this warning
-      [-Werror,-Wextra-semi-stmt]
-          R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
-                          ^
-      In file included from selinux_restorecon.c:39:
-      ./label_file.h:458:15: error: empty expression statement has no
-      effect; remove unnecessary ';' to silence this warning
-      [-Werror,-Wextra-semi-stmt]
-                                  lineno);
-                                        ^
-
-Introduce "do { } while (0)" blocks to silence such warnings.
-
-Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
----
- libselinux/src/avc_internal.h                | 22 +++++++++++++-------
- libselinux/src/label_internal.h              | 10 +++++----
- libselinux/src/load_policy.c                 |  2 +-
- libselinux/src/procattr.c                    |  4 ++--
- libselinux/src/sha1.c                        | 11 +++++-----
- libselinux/utils/matchpathcon.c              |  2 +-
- libselinux/utils/selabel_lookup_best_match.c |  2 +-
- 7 files changed, 31 insertions(+), 22 deletions(-)
-
-diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
-index da67affc9307..a9a4aa0b3c42 100644
---- a/libselinux/src/avc_internal.h
-+++ b/libselinux/src/avc_internal.h
-@@ -85,10 +85,12 @@ static inline void avc_free(void *ptr)
- 
- /* this is a macro in order to use the variadic capability. */
- #define avc_log(type, format...) \
--  if (avc_func_log) \
--    avc_func_log(format); \
--  else \
--    selinux_log(type, format);
-+  do { \
-+    if (avc_func_log) \
-+      avc_func_log(format); \
-+    else \
-+      selinux_log(type, format); \
-+  } while (0)
- 
- static inline void avc_suppl_audit(void *ptr, security_class_t class,
- 				   char *buf, size_t len)
-@@ -137,14 +139,18 @@ static inline void avc_free_lock(void *lock)
- #ifdef AVC_CACHE_STATS
- 
- #define avc_cache_stats_incr(field) \
--  cache_stats.field ++;
-+  do { \
-+    cache_stats.field ++; \
-+  } while (0)
- #define avc_cache_stats_add(field, num) \
--  cache_stats.field += num;
-+  do { \
-+    cache_stats.field += num; \
-+  } while (0)
- 
- #else
- 
--#define avc_cache_stats_incr(field)
--#define avc_cache_stats_add(field, num)
-+#define avc_cache_stats_incr(field) do {} while (0)
-+#define avc_cache_stats_add(field, num) do {} while (0)
- 
- #endif
- 
-diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 361b443cb9c4..782c6aa8cc0c 100644
---- a/libselinux/src/label_internal.h
-+++ b/libselinux/src/label_internal.h
-@@ -128,10 +128,12 @@ extern int myprintf_compat;
- extern void __attribute__ ((format(printf, 1, 2)))
- (*myprintf) (const char *fmt, ...) ;
- 
--#define COMPAT_LOG(type, fmt...) if (myprintf_compat)	  \
--		myprintf(fmt);				  \
--	else						  \
--		selinux_log(type, fmt);
-+#define COMPAT_LOG(type, fmt...) do {			\
-+	if (myprintf_compat)				\
-+		myprintf(fmt);				\
-+	else						\
-+		selinux_log(type, fmt);			\
-+	} while (0)
- 
- extern int
- compat_validate(struct selabel_handle *rec,
-diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
-index 0034fa53d6e6..5857b821e80e 100644
---- a/libselinux/src/load_policy.c
-+++ b/libselinux/src/load_policy.c
-@@ -80,7 +80,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
- 	if (libsepolh) {
- 		usesepol = 1;
- 		dlerror();
--#define DLERR() if ((errormsg = dlerror())) goto dlclose;
-+#define DLERR() do { if ((errormsg = dlerror())) goto dlclose; } while (0)
- 		vers_max = dlsym(libsepolh, "sepol_policy_kern_vers_max");
- 		DLERR();
- 		vers_min = dlsym(libsepolh, "sepol_policy_kern_vers_min");
-diff --git a/libselinux/src/procattr.c b/libselinux/src/procattr.c
-index 840570525f5f..6552ee01bca8 100644
---- a/libselinux/src/procattr.c
-+++ b/libselinux/src/procattr.c
-@@ -146,7 +146,7 @@ static int getprocattrcon_raw(char ** context,
- 		default:
- 			errno = ENOENT;
- 			return -1;
--	};
-+	}
- 
- 	if (prev_context && prev_context != UNSET) {
- 		*context = strdup(prev_context);
-@@ -240,7 +240,7 @@ static int setprocattrcon_raw(const char * context,
- 		default:
- 			errno = ENOENT;
- 			return -1;
--	};
-+	}
- 
- 	if (!context && !*prev_context)
- 		return 0;
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-index 664bbcf26eef..a848467785f3 100644
---- a/libselinux/src/sha1.c
-+++ b/libselinux/src/sha1.c
-@@ -16,6 +16,7 @@
- //        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
- //             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;
- //                                                                     William Roberts <william.c.roberts@intel.com>
-+//    - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
- 
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-@@ -49,11 +50,11 @@ typedef union
-     ^block->l[(i+2)&15]^block->l[i&15],1))
- 
- // (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i)  z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30);
--#define R1(v,w,x,y,z,i)  z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30);
--#define R2(v,w,x,y,z,i)  z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30);
--#define R3(v,w,x,y,z,i)  z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30);
--#define R4(v,w,x,y,z,i)  z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30);
-+#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
-+#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
-+#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
-+#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
-+#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
- 
- 
- ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
-index a07e160dee71..1d713c01f81c 100644
---- a/libselinux/utils/matchpathcon.c
-+++ b/libselinux/utils/matchpathcon.c
-@@ -65,7 +65,7 @@ static mode_t string_to_mode(char *s)
- 		return S_IFREG;
- 	default:
- 		return -1;
--	};
-+	}
- 	return -1;
- }
- 
-diff --git a/libselinux/utils/selabel_lookup_best_match.c b/libselinux/utils/selabel_lookup_best_match.c
-index 6a7174233667..2cddc6cde051 100644
---- a/libselinux/utils/selabel_lookup_best_match.c
-+++ b/libselinux/utils/selabel_lookup_best_match.c
-@@ -47,7 +47,7 @@ static mode_t string_to_mode(char *s)
- 		return S_IFSOCK;
- 	case 'f':
- 		return S_IFREG;
--	};
-+	}
- 	return 0;
- }
- 
--- 
-2.32.0
-
diff --git a/SOURCES/0038-sha1-sha256.patch b/SOURCES/0038-sha1-sha256.patch
deleted file mode 100644
index b49047f..0000000
--- a/SOURCES/0038-sha1-sha256.patch
+++ /dev/null
@@ -1,1333 +0,0 @@
-From 697f19f787686e423f7e92ccbbdf29fb486791f0 Mon Sep 17 00:00:00 2001
-From: Petr Lautrbach <plautrba@redhat.com>
-Date: Fri, 30 Jul 2021 11:58:33 +0200
-Subject: [PATCH] Use SHA-2 instead of SHA-1
-
-The use of SHA-1 in RHEL9 is deprecated
----
- libselinux/include/selinux/label.h            |   6 +-
- libselinux/include/selinux/restorecon.h       |   4 +-
- libselinux/man/man3/selabel_digest.3          |   4 +-
- libselinux/man/man3/selabel_open.3            |   2 +-
- libselinux/man/man3/selinux_restorecon.3      |  16 +-
- .../man/man3/selinux_restorecon_xattr.3       |   2 +-
- libselinux/src/Makefile                       |   2 +-
- libselinux/src/label_file.c                   |  40 +--
- libselinux/src/label_internal.h               |  10 +-
- libselinux/src/label_support.c                |   8 +-
- libselinux/src/selinux_restorecon.c           |  24 +-
- libselinux/src/sha1.c                         | 220 -------------
- libselinux/src/sha1.h                         |  85 -----
- libselinux/src/sha256.c                       | 294 ++++++++++++++++++
- libselinux/src/sha256.h                       |  89 ++++++
- libselinux/utils/selabel_digest.c             |  26 +-
- .../selabel_get_digests_all_partial_matches.c |  28 +-
- 17 files changed, 469 insertions(+), 391 deletions(-)
- delete mode 100644 libselinux/src/sha1.c
- delete mode 100644 libselinux/src/sha1.h
- create mode 100644 libselinux/src/sha256.c
- create mode 100644 libselinux/src/sha256.h
-
-diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
-index e8983606d93b..a35d84d63b0a 100644
---- a/libselinux/include/selinux/label.h
-+++ b/libselinux/include/selinux/label.h
-@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
- 					 const char *key, const char **aliases, int type);
- 
- /**
-- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
-+ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
-  *		    generate the digest. The SELABEL_OPT_DIGEST option must
-  *		    be set in selabel_open() to initiate the digest generation.
-  * @handle: specifies backend instance to query
-- * @digest: returns a pointer to the SHA1 digest.
-+ * @digest: returns a pointer to the SHA256 digest.
-  * @digest_len: returns length of digest in bytes.
-- * @specfiles: a list of specfiles used in the SHA1 digest generation.
-+ * @specfiles: a list of specfiles used in the SHA256 digest generation.
-  *	       The list is NULL terminated and will hold @num_specfiles entries.
-  * @num_specfiles: number of specfiles in the list.
-  *
-diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
-index 466de39aac72..ca8ce768587a 100644
---- a/libselinux/include/selinux/restorecon.h
-+++ b/libselinux/include/selinux/restorecon.h
-@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
-  * restorecon_flags options
-  */
- /*
-- * Force the checking of labels even if the stored SHA1 digest
-- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
-+ * Force the checking of labels even if the stored SHA256 digest
-+ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
-  */
- #define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
- /*
-diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
-index 56a008f00df0..5f7c42533d0e 100644
---- a/libselinux/man/man3/selabel_digest.3
-+++ b/libselinux/man/man3/selabel_digest.3
-@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
- .BR selabel_digest ()
- performs an operation on the handle
- .IR hnd ,
--returning the results of the SHA1 digest pointed to by
-+returning the results of the SHA256 digest pointed to by
- .IR digest ,
- whose length will be
- .IR digest_len .
--The list of specfiles used in the SHA1 digest calculation is returned in
-+The list of specfiles used in the SHA256 digest calculation is returned in
- .I specfiles
- with the number of entries in
- .IR num_specfiles .
-diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
-index 971ebc1acd41..2cf2eb8a1410 100644
---- a/libselinux/man/man3/selabel_open.3
-+++ b/libselinux/man/man3/selabel_open.3
-@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
- Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
- .TP
- .B SELABEL_OPT_DIGEST
--A non-null value for this option enables the generation of an SHA1 digest of
-+A non-null value for this option enables the generation of an SHA256 digest of
- the spec files loaded as described in
- .BR selabel_digest (3)
- .
-diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
-index ad637406a30d..c4576fe79ff6 100644
---- a/libselinux/man/man3/selinux_restorecon.3
-+++ b/libselinux/man/man3/selinux_restorecon.3
-@@ -28,7 +28,7 @@ If this is a directory and the
- .B SELINUX_RESTORECON_RECURSE
- has been set (for descending through directories), then
- .BR selinux_restorecon ()
--will write an SHA1 digest of specfile entries calculated by
-+will write an SHA256 digest of specfile entries calculated by
- .BR selabel_get_digests_all_partial_matches (3)
- to an extended attribute of
- .IR security.sehash
-@@ -47,7 +47,7 @@ will take place.
- .br
- The
- .IR restorecon_flags
--that can be used to manage the usage of the SHA1 digest are:
-+that can be used to manage the usage of the SHA256 digest are:
- .RS
- .B SELINUX_RESTORECON_SKIP_DIGEST
- .br
-@@ -65,8 +65,8 @@ Do not check or update any extended attribute
- entries.
- .sp
- .B SELINUX_RESTORECON_IGNORE_DIGEST
--force the checking of labels even if the stored SHA1 digest matches the
--specfile entries SHA1 digest. The specfile entries digest will be written to the
-+force the checking of labels even if the stored SHA256 digest matches the
-+specfile entries SHA256 digest. The specfile entries digest will be written to the
- .IR security.sehash
- extended attribute once relabeling has been completed successfully provided the
- .B SELINUX_RESTORECON_NOCHANGE
-@@ -84,7 +84,7 @@ default specfile context.
- .sp
- .B SELINUX_RESTORECON_RECURSE
- change file and directory labels recursively (descend directories)
--and if successful write an SHA1 digest of the specfile entries to an
-+and if successful write an SHA256 digest of the specfile entries to an
- extended attribute as described in the
- .B NOTES
- section.
-@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
- same inode have different contexts, as errors.
- .RE
- .sp
--The behavior regarding the checking and updating of the SHA1 digest described
-+The behavior regarding the checking and updating of the SHA256 digest described
- above is the default behavior. It is possible to change this by first calling
- .BR selabel_open (3)
- and not enabling the
-@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
- .B SELINUX_RESTORECON_RECURSE
- flag is set)
- .BR selinux_restorecon ()
--will write a calculated SHA1 digest of the specfile entries returned by
-+will write a calculated SHA256 digest of the specfile entries returned by
- .BR selabel_get_digests_all_partial_matches (3)
- to an extended attribute named
- .IR security.sehash
-@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
- .BR selinux_restorecon ()
- is run again with the
- .B SELINUX_RESTORECON_RECURSE
--flag set, new SHA1 digests will be calculated and all files automatically
-+flag set, new SHA256 digests will be calculated and all files automatically
- relabeled depending on the settings of the
- .B SELINUX_RESTORECON_SET_SPECFILE_CTX
- flag (provided
-diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
-index c56326814b94..098c840fc59b 100644
---- a/libselinux/man/man3/selinux_restorecon_xattr.3
-+++ b/libselinux/man/man3/selinux_restorecon_xattr.3
-@@ -119,7 +119,7 @@ By default
- .BR selinux_restorecon_xattr (3)
- will use the default set of specfiles described in
- .BR files_contexts (5)
--to calculate the SHA1 digests to be used for comparison.
-+to calculate the SHA256 digests to be used for comparison.
- To change this default behavior
- .BR selabel_open (3)
- must be called specifying the required
-diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 52c40f018f51..674a5ed3a6f8 100644
---- a/libselinux/src/Makefile
-+++ b/libselinux/src/Makefile
-@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
- 	-DBUILD_HOST
- SRCS= callbacks.c freecon.c label.c label_file.c \
- 	label_backends_android.c regex.c label_support.c \
--	matchpathcon.c setrans_client.c sha1.c booleans.c
-+	matchpathcon.c setrans_client.c sha256.c booleans.c
- else
- LABEL_BACKEND_ANDROID=y
- endif
-diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 56f499faef97..db5d7553aab2 100644
---- a/libselinux/src/label_file.c
-+++ b/libselinux/src/label_file.c
-@@ -1002,7 +1002,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
- 
- /*
-  * Returns true if the digest of all partial matched contexts is the same as
-- * the one saved by setxattr, otherwise returns false. The length of the SHA1
-+ * the one saved by setxattr, otherwise returns false. The length of the SHA256
-  * digest will always be returned. The caller must free any returned digests.
-  */
- static bool get_digests_all_partial_matches(struct selabel_handle *rec,
-@@ -1011,39 +1011,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
- 					    uint8_t **xattr_digest,
- 					    size_t *digest_len)
- {
--	uint8_t read_digest[SHA1_HASH_SIZE];
-+	uint8_t read_digest[SHA256_HASH_SIZE];
- 	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
--				     read_digest, SHA1_HASH_SIZE
-+				     read_digest, SHA256_HASH_SIZE
- #ifdef __APPLE__
- 				     , 0, 0
- #endif /* __APPLE __ */
- 				    );
--	uint8_t hash_digest[SHA1_HASH_SIZE];
-+	uint8_t hash_digest[SHA256_HASH_SIZE];
- 	bool status = selabel_hash_all_partial_matches(rec, pathname,
- 						       hash_digest);
- 
- 	*xattr_digest = NULL;
- 	*calculated_digest = NULL;
--	*digest_len = SHA1_HASH_SIZE;
-+	*digest_len = SHA256_HASH_SIZE;
- 
--	if (read_size == SHA1_HASH_SIZE) {
--		*xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
-+	if (read_size == SHA256_HASH_SIZE) {
-+		*xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
- 		if (!*xattr_digest)
- 			goto oom;
- 
--		memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
-+		memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
- 	}
- 
- 	if (status) {
--		*calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
-+		*calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
- 		if (!*calculated_digest)
- 			goto oom;
- 
--		memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
-+		memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
- 	}
- 
--	if (status && read_size == SHA1_HASH_SIZE &&
--	    memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
-+	if (status && read_size == SHA256_HASH_SIZE &&
-+	    memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
- 		return true;
- 
- 	return false;
-@@ -1063,22 +1063,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
- 		return false;
- 	}
- 
--	Sha1Context context;
--	Sha1Initialise(&context);
-+	Sha256Context context;
-+	Sha256Initialise(&context);
- 	size_t i;
- 	for (i = 0; i < total_matches; i++) {
- 		char* regex_str = matches[i]->regex_str;
- 		mode_t mode = matches[i]->mode;
- 		char* ctx_raw = matches[i]->lr.ctx_raw;
- 
--		Sha1Update(&context, regex_str, strlen(regex_str) + 1);
--		Sha1Update(&context, &mode, sizeof(mode_t));
--		Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
-+		Sha256Update(&context, regex_str, strlen(regex_str) + 1);
-+		Sha256Update(&context, &mode, sizeof(mode_t));
-+		Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
- 	}
- 
--	SHA1_HASH sha1_hash;
--	Sha1Finalise(&context, &sha1_hash);
--	memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
-+	SHA256_HASH sha256_hash;
-+	Sha256Finalise(&context, &sha256_hash);
-+	memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
- 
- 	free(matches);
- 	return true;
-diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 782c6aa8cc0c..304e8d96490a 100644
---- a/libselinux/src/label_internal.h
-+++ b/libselinux/src/label_internal.h
-@@ -13,7 +13,7 @@
- #include <stdio.h>
- #include <selinux/selinux.h>
- #include <selinux/label.h>
--#include "sha1.h"
-+#include "sha256.h"
- 
- #if defined(ANDROID) || defined(__APPLE__)
- // Android and Mac do not have fgets_unlocked()
-@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
-  */
- 
- /*
-- * Calculate an SHA1 hash of all the files used to build the specs.
-+ * Calculate an SHA256 hash of all the files used to build the specs.
-  * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
-  * calculate the hash the hashbuf will hold a concatenation of all the files
-  * used. This is released once the value has been calculated.
-  */
--#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
-+#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
- #define DIGEST_FILES_MAX 8
- struct selabel_digest {
--	unsigned char *digest;	/* SHA1 digest of specfiles */
-+	unsigned char *digest;	/* SHA256 digest of specfiles */
- 	unsigned char *hashbuf;	/* buffer to hold specfiles */
- 	size_t hashbuf_size;	/* buffer size */
- 	size_t specfile_cnt;	/* how many specfiles processed */
-@@ -110,7 +110,7 @@ struct selabel_handle {
- 	 */
- 	char *spec_file;
- 
--	/* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
-+	/* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
- 	struct selabel_digest *digest;
- };
- 
-diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
-index 94ed6e4273cb..f53d73b609ab 100644
---- a/libselinux/src/label_support.c
-+++ b/libselinux/src/label_support.c
-@@ -115,15 +115,15 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
- /* Once all the specfiles are in the hash_buf, generate the hash. */
- void  digest_gen_hash(struct selabel_digest *digest)
- {
--	Sha1Context context;
-+	Sha256Context context;
- 
- 	/* If SELABEL_OPT_DIGEST not set then just return */
- 	if (!digest)
- 		return;
- 
--	Sha1Initialise(&context);
--	Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
--	Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
-+	Sha256Initialise(&context);
-+	Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
-+	Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
- 	free(digest->hashbuf);
- 	digest->hashbuf = NULL;
- 	return;
-diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index 999aa924ba32..10211a888cf6 100644
---- a/libselinux/src/selinux_restorecon.c
-+++ b/libselinux/src/selinux_restorecon.c
-@@ -37,7 +37,7 @@
- #include "callbacks.h"
- #include "selinux_internal.h"
- #include "label_file.h"
--#include "sha1.h"
-+#include "sha256.h"
- 
- #define STAR_COUNT 1024
- 
-@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
- static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 			   bool delete_all)
- {
--	char *sha1_buf = NULL;
-+	char *sha256_buf = NULL;
- 	size_t i, digest_len = 0;
- 	int rc, digest_result;
- 	bool match;
-@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 	}
- 
- 	/* Convert entry to a hex encoded string. */
--	sha1_buf = malloc(digest_len * 2 + 1);
--	if (!sha1_buf) {
-+	sha256_buf = malloc(digest_len * 2 + 1);
-+	if (!sha256_buf) {
- 		free(xattr_digest);
- 		free(calculated_digest);
- 		goto oom;
- 	}
- 
- 	for (i = 0; i < digest_len; i++)
--		sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
-+		sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
- 
- 	digest_result = match ? MATCH : NOMATCH;
- 
-@@ -345,7 +345,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 	/* Now add entries to link list. */
- 	new_entry = malloc(sizeof(struct dir_xattr));
- 	if (!new_entry) {
--		free(sha1_buf);
-+		free(sha256_buf);
- 		goto oom;
- 	}
- 	new_entry->next = NULL;
-@@ -353,15 +353,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 	new_entry->directory = strdup(directory);
- 	if (!new_entry->directory) {
- 		free(new_entry);
--		free(sha1_buf);
-+		free(sha256_buf);
- 		goto oom;
- 	}
- 
--	new_entry->digest = strdup(sha1_buf);
-+	new_entry->digest = strdup(sha256_buf);
- 	if (!new_entry->digest) {
- 		free(new_entry->directory);
- 		free(new_entry);
--		free(sha1_buf);
-+		free(sha256_buf);
- 		goto oom;
- 	}
- 
-@@ -375,7 +375,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
- 		dir_xattr_last = new_entry;
- 	}
- 
--	free(sha1_buf);
-+	free(sha256_buf);
- 	return 0;
- 
- oom:
-@@ -742,7 +742,7 @@ err:
- 
- struct dir_hash_node {
- 	char *path;
--	uint8_t digest[SHA1_HASH_SIZE];
-+	uint8_t digest[SHA256_HASH_SIZE];
- 	struct dir_hash_node *next;
- };
- /*
-@@ -1085,7 +1085,7 @@ int selinux_restorecon(const char *pathname_orig,
- 			if (setxattr(current->path,
- 			    RESTORECON_PARTIAL_MATCH_DIGEST,
- 			    current->digest,
--			    SHA1_HASH_SIZE, 0) < 0) {
-+			    SHA256_HASH_SIZE, 0) < 0) {
- 				selinux_log(SELINUX_ERROR,
- 					    "setxattr failed: %s: %s\n",
- 					    current->path,
-diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
-deleted file mode 100644
-index a848467785f3..000000000000
---- a/libselinux/src/sha1.c
-+++ /dev/null
-@@ -1,220 +0,0 @@
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  LibSha1
--//
--//  Implementation of SHA1 hash function.
--//  Original author:  Steve Reid <sreid@sea-to-sky.net>
--//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
--//  and Ralph Giles <giles@ghostscript.com>
--//  Modified by WaterJuice retaining Public Domain license.
--//
--//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--//  Modified to:
--//    - stop symbols being exported for libselinux shared library - October 2015
--//								       Richard Haines <richard_c_haines@btinternet.com>
--//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
--//      Fixes:
--//        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
--//             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;
--//                                                                     William Roberts <william.c.roberts@intel.com>
--//    - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  IMPORTS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include "sha1.h"
--#include <memory.h>
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  TYPES
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--typedef union
--{
--    uint8_t     c [64];
--    uint32_t    l [16];
--} CHAR64LONG16;
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  INTERNAL FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
--
--// blk0() and blk() perform the initial expand.
--#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
--    |(rol(block->l[i],8)&0x00FF00FF))
--
--#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
--    ^block->l[(i+2)&15]^block->l[i&15],1))
--
--// (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
--#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
--#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
--
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  TransformFunction
--//
--//  Hash a single 512-bit block. This is the core of the algorithm
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--static
--void
--    TransformFunction
--    (
--        uint32_t            state[5],
--        const uint8_t       buffer[64]
--    )
--{
--    uint32_t            a;
--    uint32_t            b;
--    uint32_t            c;
--    uint32_t            d;
--    uint32_t            e;
--    CHAR64LONG16        workspace;
--    CHAR64LONG16*       block = &workspace;
--
--    memcpy(block, buffer, 64);
--
--    // Copy context->state[] to working vars
--    a = state[0];
--    b = state[1];
--    c = state[2];
--    d = state[3];
--    e = state[4];
--
--    // 4 rounds of 20 operations each. Loop unrolled.
--    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
--    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
--    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
--    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
--    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
--    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
--    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
--    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
--    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
--    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
--    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
--    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
--    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
--    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
--    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
--    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
--    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
--    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
--    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
--    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
--
--    // Add the working vars back into context.state[]
--    state[0] += a;
--    state[1] += b;
--    state[2] += c;
--    state[3] += d;
--    state[4] += e;
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  PUBLIC FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Initialise
--//
--//  Initialises an SHA1 Context. Use this to initialise/reset a context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Initialise
--    (
--        Sha1Context*                Context
--    )
--{
--    // SHA1 initialization constants
--    Context->State[0] = 0x67452301;
--    Context->State[1] = 0xEFCDAB89;
--    Context->State[2] = 0x98BADCFE;
--    Context->State[3] = 0x10325476;
--    Context->State[4] = 0xC3D2E1F0;
--    Context->Count[0] = 0;
--    Context->Count[1] = 0;
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Update
--//
--//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
--//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Update
--    (
--        Sha1Context*        Context,
--        const void*         Buffer,
--        uint32_t            BufferSize
--    )
--{
--    uint32_t    i;
--    uint32_t    j;
--
--    j = (Context->Count[0] >> 3) & 63;
--    if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
--    {
--        Context->Count[1]++;
--    }
--
--    Context->Count[1] += (BufferSize >> 29);
--    if ((j + BufferSize) > 63)
--    {
--        i = 64 - j;
--        memcpy(&Context->Buffer[j], Buffer, i);
--        TransformFunction(Context->State, Context->Buffer);
--        for (; i + 63 < BufferSize; i += 64)
--        {
--            TransformFunction(Context->State, (const uint8_t*)Buffer + i);
--        }
--        j = 0;
--    }
--    else
--    {
--        i = 0;
--    }
--
--    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
--}
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Finalise
--//
--//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
--//  calling this, Sha1Initialised must be used to reuse the context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Finalise
--    (
--        Sha1Context*                Context,
--        SHA1_HASH*                  Digest
--    )
--{
--    uint32_t    i;
--    uint8_t     finalcount[8];
--
--    for (i = 0; i < 8; i++)
--    {
--        finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
--         >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent
--    }
--    Sha1Update(Context, (const uint8_t*)"\x80", 1);
--    while ((Context->Count[0] & 504) != 448)
--    {
--        Sha1Update(Context, (const uint8_t*)"\0", 1);
--    }
--
--    Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()
--    for (i = 0; i < SHA1_HASH_SIZE; i++)
--    {
--        Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
--    }
--}
-diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
-deleted file mode 100644
-index f83a6e7ed7ba..000000000000
---- a/libselinux/src/sha1.h
-+++ /dev/null
-@@ -1,85 +0,0 @@
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  LibSha1
--//
--//  Implementation of SHA1 hash function.
--//  Original author:  Steve Reid <sreid@sea-to-sky.net>
--//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
--//  and Ralph Giles <giles@ghostscript.com>
--//  Modified by WaterJuice retaining Public Domain license.
--//
--//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#ifndef _sha1_h_
--#define _sha1_h_
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  IMPORTS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--#include <stdint.h>
--#include <stdio.h>
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  TYPES
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
--typedef struct
--{
--    uint32_t        State[5];
--    uint32_t        Count[2];
--    uint8_t         Buffer[64];
--} Sha1Context;
--
--#define SHA1_HASH_SIZE           ( 160 / 8 )
--
--typedef struct
--{
--    uint8_t      bytes [SHA1_HASH_SIZE];
--} SHA1_HASH;
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  PUBLIC FUNCTIONS
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Initialise
--//
--//  Initialises an SHA1 Context. Use this to initialise/reset a context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Initialise
--    (
--        Sha1Context*                Context
--    );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Update
--//
--//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
--//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Update
--    (
--        Sha1Context*        Context,
--        const void*         Buffer,
--        uint32_t            BufferSize
--    );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--//  Sha1Finalise
--//
--//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
--//  calling this, Sha1Initialised must be used to reuse the context.
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Finalise
--    (
--        Sha1Context*                Context,
--        SHA1_HASH*                  Digest
--    );
--
--///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--#endif //_sha1_h_
-diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
-new file mode 100644
-index 000000000000..fe2aeef07f53
---- /dev/null
-+++ b/libselinux/src/sha256.c
-@@ -0,0 +1,294 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  WjCryptLib_Sha256
-+//
-+//  Implementation of SHA256 hash function.
-+//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+//  Modified by WaterJuice retaining Public Domain license.
-+//
-+//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include "sha256.h"
-+#include <memory.h>
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  MACROS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
-+
-+#define MIN(x, y) ( ((x)<(y))?(x):(y) )
-+
-+#define STORE32H(x, y)                                                                     \
-+     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
-+       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
-+
-+#define LOAD32H(x, y)                            \
-+     { x = ((uint32_t)((y)[0] & 255)<<24) | \
-+           ((uint32_t)((y)[1] & 255)<<16) | \
-+           ((uint32_t)((y)[2] & 255)<<8)  | \
-+           ((uint32_t)((y)[3] & 255)); }
-+
-+#define STORE64H(x, y)                                                                     \
-+   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
-+     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
-+     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
-+     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  CONSTANTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// The K array
-+static const uint32_t K[64] = {
-+    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
-+    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
-+    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
-+    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
-+    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
-+    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
-+    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
-+    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
-+    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
-+    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
-+    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
-+    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
-+    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-+};
-+
-+#define BLOCK_SIZE          64
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  INTERNAL FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+// Various logical functions
-+#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
-+#define Maj( x, y, z )    (((x | y) & z) | (x & y))
-+#define S( x, n )         ror((x),(n))
-+#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
-+#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
-+#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
-+#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
-+#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
-+
-+#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
-+     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
-+     t1 = Sigma0(a) + Maj(a, b, c);                    \
-+     d += t0;                                          \
-+     h  = t0 + t1;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  TransformFunction
-+//
-+//  Compress 512-bits
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+static
-+void
-+    TransformFunction
-+    (
-+        Sha256Context*      Context,
-+        uint8_t const*      Buffer
-+    )
-+{
-+    uint32_t    S[8];
-+    uint32_t    W[64];
-+    uint32_t    t0;
-+    uint32_t    t1;
-+    uint32_t    t;
-+    int         i;
-+
-+    // Copy state into S
-+    for( i=0; i<8; i++ )
-+    {
-+        S[i] = Context->state[i];
-+    }
-+
-+    // Copy the state into 512-bits into W[0..15]
-+    for( i=0; i<16; i++ )
-+    {
-+        LOAD32H( W[i], Buffer + (4*i) );
-+    }
-+
-+    // Fill W[16..63]
-+    for( i=16; i<64; i++ )
-+    {
-+        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
-+    }
-+
-+    // Compress
-+    for( i=0; i<64; i++ )
-+    {
-+        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
-+        t = S[7];
-+        S[7] = S[6];
-+        S[6] = S[5];
-+        S[5] = S[4];
-+        S[4] = S[3];
-+        S[3] = S[2];
-+        S[2] = S[1];
-+        S[1] = S[0];
-+        S[0] = t;
-+    }
-+
-+    // Feedback
-+    for( i=0; i<8; i++ )
-+    {
-+        Context->state[i] = Context->state[i] + S[i];
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Initialise
-+//
-+//  Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Initialise
-+    (
-+        Sha256Context*      Context         // [out]
-+    )
-+{
-+    Context->curlen = 0;
-+    Context->length = 0;
-+    Context->state[0] = 0x6A09E667UL;
-+    Context->state[1] = 0xBB67AE85UL;
-+    Context->state[2] = 0x3C6EF372UL;
-+    Context->state[3] = 0xA54FF53AUL;
-+    Context->state[4] = 0x510E527FUL;
-+    Context->state[5] = 0x9B05688CUL;
-+    Context->state[6] = 0x1F83D9ABUL;
-+    Context->state[7] = 0x5BE0CD19UL;
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Update
-+//
-+//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Update
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        void const*         Buffer,         // [in]
-+        uint32_t            BufferSize      // [in]
-+    )
-+{
-+    uint32_t n;
-+
-+    if( Context->curlen > sizeof(Context->buf) )
-+    {
-+       return;
-+    }
-+
-+    while( BufferSize > 0 )
-+    {
-+        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
-+        {
-+           TransformFunction( Context, (uint8_t*)Buffer );
-+           Context->length += BLOCK_SIZE * 8;
-+           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
-+           BufferSize -= BLOCK_SIZE;
-+        }
-+        else
-+        {
-+           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
-+           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
-+           Context->curlen += n;
-+           Buffer = (uint8_t*)Buffer + n;
-+           BufferSize -= n;
-+           if( Context->curlen == BLOCK_SIZE )
-+           {
-+              TransformFunction( Context, Context->buf );
-+              Context->length += 8*BLOCK_SIZE;
-+              Context->curlen = 0;
-+           }
-+       }
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Finalise
-+//
-+//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+//  calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Finalise
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        SHA256_HASH*        Digest          // [out]
-+    )
-+{
-+    int i;
-+
-+    if( Context->curlen >= sizeof(Context->buf) )
-+    {
-+       return;
-+    }
-+
-+    // Increase the length of the message
-+    Context->length += Context->curlen * 8;
-+
-+    // Append the '1' bit
-+    Context->buf[Context->curlen++] = (uint8_t)0x80;
-+
-+    // if the length is currently above 56 bytes we append zeros
-+    // then compress.  Then we can fall back to padding zeros and length
-+    // encoding like normal.
-+    if( Context->curlen > 56 )
-+    {
-+        while( Context->curlen < 64 )
-+        {
-+            Context->buf[Context->curlen++] = (uint8_t)0;
-+        }
-+        TransformFunction(Context, Context->buf);
-+        Context->curlen = 0;
-+    }
-+
-+    // Pad up to 56 bytes of zeroes
-+    while( Context->curlen < 56 )
-+    {
-+        Context->buf[Context->curlen++] = (uint8_t)0;
-+    }
-+
-+    // Store length
-+    STORE64H( Context->length, Context->buf+56 );
-+    TransformFunction( Context, Context->buf );
-+
-+    // Copy output
-+    for( i=0; i<8; i++ )
-+    {
-+        STORE32H( Context->state[i], Digest->bytes+(4*i) );
-+    }
-+}
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Calculate
-+//
-+//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+//  buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Calculate
-+    (
-+        void  const*        Buffer,         // [in]
-+        uint32_t            BufferSize,     // [in]
-+        SHA256_HASH*        Digest          // [in]
-+    )
-+{
-+    Sha256Context context;
-+
-+    Sha256Initialise( &context );
-+    Sha256Update( &context, Buffer, BufferSize );
-+    Sha256Finalise( &context, Digest );
-+}
-diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
-new file mode 100644
-index 000000000000..406ed869cd82
---- /dev/null
-+++ b/libselinux/src/sha256.h
-@@ -0,0 +1,89 @@
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  WjCryptLib_Sha256
-+//
-+//  Implementation of SHA256 hash function.
-+//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
-+//  Modified by WaterJuice retaining Public Domain license.
-+//
-+//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#pragma once
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  IMPORTS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+#include <stdint.h>
-+#include <stdio.h>
-+
-+typedef struct
-+{
-+    uint64_t    length;
-+    uint32_t    state[8];
-+    uint32_t    curlen;
-+    uint8_t     buf[64];
-+} Sha256Context;
-+
-+#define SHA256_HASH_SIZE           ( 256 / 8 )
-+
-+typedef struct
-+{
-+    uint8_t      bytes [SHA256_HASH_SIZE];
-+} SHA256_HASH;
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  PUBLIC FUNCTIONS
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Initialise
-+//
-+//  Initialises a SHA256 Context. Use this to initialise/reset a context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Initialise
-+    (
-+        Sha256Context*      Context         // [out]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Update
-+//
-+//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
-+//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Update
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        void const*         Buffer,         // [in]
-+        uint32_t            BufferSize      // [in]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Finalise
-+//
-+//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
-+//  calling this, Sha256Initialised must be used to reuse the context.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Finalise
-+    (
-+        Sha256Context*      Context,        // [in out]
-+        SHA256_HASH*        Digest          // [out]
-+    );
-+
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+//  Sha256Calculate
-+//
-+//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
-+//  buffer.
-+////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-+void
-+    Sha256Calculate
-+    (
-+        void  const*        Buffer,         // [in]
-+        uint32_t            BufferSize,     // [in]
-+        SHA256_HASH*        Digest          // [in]
-+    );
-diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
-index 49408a0ba8d8..67befadd23c5 100644
---- a/libselinux/utils/selabel_digest.c
-+++ b/libselinux/utils/selabel_digest.c
-@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
- 		"Where:\n\t"
- 		"-b  The backend - \"file\", \"media\", \"x\", \"db\" or "
- 			"\"prop\"\n\t"
--		"-v  Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
--		"    on the list of specfiles to compare the SHA1 digests.\n\t"
-+		"-v  Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
-+		"    on the list of specfiles to compare the SHA256 digests.\n\t"
- 		"-B  Use base specfiles only (valid for \"-b file\" only).\n\t"
- 		"-i  Do not request a digest.\n\t"
- 		"-f  Optional file containing the specs (defaults to\n\t"
-@@ -62,12 +62,12 @@ int main(int argc, char **argv)
- 	int backend = 0, rc, opt, validate = 0;
- 	char *baseonly = NULL, *file = NULL, *digest = (char *)1;
- 	char **specfiles = NULL;
--	unsigned char *sha1_digest = NULL;
-+	unsigned char *sha256_digest = NULL;
- 	size_t i, num_specfiles;
- 
- 	char cmd_buf[4096];
- 	char *cmd_ptr;
--	char *sha1_buf;
-+	char *sha256_buf;
- 
- 	struct selabel_handle *hnd;
- 	struct selinux_opt selabel_option[] = {
-@@ -137,7 +137,7 @@ int main(int argc, char **argv)
- 		return -1;
- 	}
- 
--	rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
-+	rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
- 							    &num_specfiles);
- 
- 	if (rc) {
-@@ -152,19 +152,19 @@ int main(int argc, char **argv)
- 		goto err;
- 	}
- 
--	sha1_buf = malloc(digest_len * 2 + 1);
--	if (!sha1_buf) {
-+	sha256_buf = malloc(digest_len * 2 + 1);
-+	if (!sha256_buf) {
- 		fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
- 						    strerror(errno));
- 		rc = -1;
- 		goto err;
- 	}
- 
--	printf("SHA1 digest: ");
-+	printf("SHA256 digest: ");
- 	for (i = 0; i < digest_len; i++)
--		sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
-+		sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
- 
--	printf("%s\n", sha1_buf);
-+	printf("%s\n", sha256_buf);
- 	printf("calculated using the following specfile(s):\n");
- 
- 	if (specfiles) {
-@@ -177,13 +177,13 @@ int main(int argc, char **argv)
- 			cmd_ptr += strlen(specfiles[i]) + 1;
- 			printf("%s\n", specfiles[i]);
- 		}
--		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
-+		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
- 
- 		if (validate)
--			rc = run_check_digest(cmd_buf, sha1_buf);
-+			rc = run_check_digest(cmd_buf, sha256_buf);
- 	}
- 
--	free(sha1_buf);
-+	free(sha256_buf);
- err:
- 	selabel_close(hnd);
- 	return rc;
-diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index e28833d2ce97..900f018c0091 100644
---- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
-+++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
- 		"-v  Validate file_contxts entries against loaded policy.\n\t"
- 		"-r  Recursively descend directories.\n\t"
- 		"-f  Optional file_contexts file (defaults to current policy).\n\t"
--		"path  Path to check current SHA1 digest against file_contexts entries.\n\n"
--		"This will check the directory selinux.sehash SHA1 digest for "
-+		"path  Path to check current SHA256 digest against file_contexts entries.\n\n"
-+		"This will check the directory selinux.sehash SHA256 digest for "
- 		"<path> against\na newly generated digest based on the "
- 		"file_context entries for that node\n(using the regx, mode "
- 		"and path entries).\n", progname);
-@@ -37,7 +37,7 @@ int main(int argc, char **argv)
- 	char *paths[2] = { NULL, NULL };
- 	uint8_t *xattr_digest = NULL;
- 	uint8_t *calculated_digest = NULL;
--	char *sha1_buf = NULL;
-+	char *sha256_buf = NULL;
- 
- 	struct selabel_handle *hnd;
- 	struct selinux_opt selabel_option[] = {
-@@ -105,27 +105,27 @@ int main(int argc, char **argv)
- 							 &xattr_digest,
- 							 &digest_len);
- 
--			sha1_buf = calloc(1, digest_len * 2 + 1);
--			if (!sha1_buf) {
-+			sha256_buf = calloc(1, digest_len * 2 + 1);
-+			if (!sha256_buf) {
- 				fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
- 					    strerror(errno));
- 				return -1;
- 			}
- 
- 			if (status) { /* They match */
--				printf("xattr and file_contexts SHA1 digests match for: %s\n",
-+				printf("xattr and file_contexts SHA256 digests match for: %s\n",
- 				       ftsent->fts_path);
- 
- 				if (calculated_digest) {
- 					for (i = 0; i < digest_len; i++)
--						sprintf((&sha1_buf[i * 2]),
-+						sprintf((&sha256_buf[i * 2]),
- 							"%02x",
- 							calculated_digest[i]);
--					printf("SHA1 digest: %s\n", sha1_buf);
-+					printf("SHA256 digest: %s\n", sha256_buf);
- 				}
- 			} else {
- 				if (!calculated_digest) {
--					printf("No SHA1 digest available for: %s\n",
-+					printf("No SHA256 digest available for: %s\n",
- 					       ftsent->fts_path);
- 					printf("as file_context entry is \"<<none>>\"\n");
- 					goto cleanup;
-@@ -135,25 +135,25 @@ int main(int argc, char **argv)
- 				       ftsent->fts_path);
- 
- 				for (i = 0; i < digest_len; i++)
--					sprintf((&sha1_buf[i * 2]), "%02x",
-+					sprintf((&sha256_buf[i * 2]), "%02x",
- 						calculated_digest[i]);
--				printf("generated SHA1 digest: %s\n", sha1_buf);
-+				printf("generated SHA256 digest: %s\n", sha256_buf);
- 
- 				if (!xattr_digest) {
- 					printf("however there is no selinux.sehash xattr entry.\n");
- 				} else {
- 					printf("however it does NOT match the current entry of:\n");
- 					for (i = 0; i < digest_len; i++)
--						sprintf((&sha1_buf[i * 2]),
-+						sprintf((&sha256_buf[i * 2]),
- 							"%02x",
- 							xattr_digest[i]);
--					printf("%s\n", sha1_buf);
-+					printf("%s\n", sha256_buf);
- 				}
- 			}
- 			cleanup:
- 			free(xattr_digest);
- 			free(calculated_digest);
--			free(sha1_buf);
-+			free(sha256_buf);
- 			break;
- 		}
- 		default:
--- 
-2.32.0
-
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
index cdb5158..0d93511 100644
--- a/SPECS/libselinux.spec
+++ b/SPECS/libselinux.spec
@@ -1,59 +1,22 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.2-3
+%define libsepolver 3.3-1
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.2
-Release: 6%{?dist}
+Version: 3.3
+Release: 1%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/libselinux-3.2.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N 3.2 -- libselinux
+# $ git format-patch -N 3.3 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-libselinux-do-not-duplicate-make-target-when-going-i.patch
-Patch0002: 0002-libselinux-selinux_check_passwd_access_internal-resp.patch
-Patch0003: 0003-libselinux-silence-Wstringop-overflow-warning-from-g.patch
-Patch0004: 0004-libselinux-sidtab_hash-do-not-discard-const-qualifie.patch
-Patch0005: 0005-libselinux-selinux_file_context_cmp-do-not-discard-c.patch
-Patch0006: 0006-libselinux-label_common-do-not-discard-const-qualifi.patch
-Patch0007: 0007-libselinux-Sha1Finalise-do-not-discard-const-qualifi.patch
-Patch0008: 0008-libselinux-sefcontext_compile-mark-local-variable-st.patch
-Patch0009: 0009-libselinux-avcstat-use-standard-length-modifier-for-.patch
-Patch0010: 0010-libselinux-selinux_restorecon-mark-local-variable-st.patch
-Patch0011: 0011-libselinux-selabel_get_digests_all_partial_matches-f.patch
-Patch0012: 0012-libselinux-getconlist-free-memory-on-multiple-level-.patch
-Patch0013: 0013-libselinux-exclude_non_seclabel_mounts-drop-unused-v.patch
-Patch0014: 0014-libselinux-context_new-drop-dead-assignment.patch
-Patch0015: 0015-libselinux-label_x-init-drop-dead-assignment.patch
-Patch0016: 0016-libselinux-label_media-init-drop-dead-assignment.patch
-Patch0017: 0017-libselinux-setexecfilecon-drop-dead-assignment.patch
-Patch0018: 0018-libselinux-getdefaultcon-free-memory-on-multiple-sam.patch
-Patch0019: 0019-libselinux-store_stem-do-not-free-possible-non-heap-.patch
-Patch0020: 0020-libselinux-matchmediacon-close-file-on-error.patch
-Patch0021: 0021-libselinux-init_selinux_config-free-resources-on-err.patch
-Patch0022: 0022-libselinux-label_file-init-do-not-pass-NULL-to-strdu.patch
-Patch0023: 0023-libselinux-matchpathcon-free-memory-on-realloc-failu.patch
-Patch0024: 0024-libselinux-label_db-db_init-open-file-with-CLOEXEC-m.patch
-Patch0025: 0025-libselinux-drop-redundant-casts-to-the-same-type.patch
-Patch0026: 0026-libselinux-sidtab_sid_stats-unify-parameter-name.patch
-Patch0027: 0027-libselinux-regex-unify-parameter-names.patch
-Patch0028: 0028-libselinux-label_file.c-fix-indent.patch
-Patch0029: 0029-libselinux-avc_destroy-3-closes-status-page.patch
-Patch0030: 0030-libselinux-make-selinux_status_open-3-reentrant.patch
-Patch0031: 0031-libselinux-do-not-use-status-page-fallback-mode-inte.patch
-Patch0032: 0032-libselinux-selinux_status_open-return-1-in-fallback-.patch
-Patch0033: 0033-libselinux-improve-getcon-3-man-page.patch
-Patch0034: 0034-libselinux-fix-typo.patch
-Patch0035: 0035-selinux.8-document-how-mount-flag-nosuid-affects-SEL.patch
-Patch0036: 0036-libselinux-utils-getseuser.c-fix-build-with-gcc-4.8.patch
-Patch0037: 0037-libselinux-silence-Wextra-semi-stmt-warning.patch
-Patch0038: 0038-sha1-sha256.patch
+Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
@@ -250,6 +213,15 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Fri Oct  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688