diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f8649bc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libselinux-3.3.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
new file mode 100644
index 0000000..db6fb6a
--- /dev/null
+++ b/.libselinux.metadata
@@ -0,0 +1 @@
+70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz
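Review bot: The digest pinning `SOURCES/libselinux-3.3.tar.gz` is 40 hex characters, which is the length of a SHA-1 hash. The imported tarball's integrity therefore appears to rest on the same algorithm that the patch added in this commit removes from libselinux as deprecated. If the format of this file is fixed by the source-fetching tooling (an assumption; the tooling is not visible here), it cannot be changed in this commit. In that case the tarball should be checked out of band against an upstream-published SHA-256 checksum or signature before import, and the result recorded in the commit description. Nothing in the visible diff shows that such a check was done.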
diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..ed63a8c
--- /dev/null
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,1333 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ libselinux/include/selinux/label.h            |   6 +-
+ libselinux/include/selinux/restorecon.h       |   4 +-
+ libselinux/man/man3/selabel_digest.3          |   4 +-
+ libselinux/man/man3/selabel_open.3            |   2 +-
+ libselinux/man/man3/selinux_restorecon.3      |  16 +-
+ .../man/man3/selinux_restorecon_xattr.3       |   2 +-
+ libselinux/src/Makefile                       |   2 +-
+ libselinux/src/label_file.c                   |  40 +--
+ libselinux/src/label_internal.h               |  10 +-
+ libselinux/src/label_support.c                |   8 +-
+ libselinux/src/selinux_restorecon.c           |  24 +-
+ libselinux/src/sha1.c                         | 220 -------------
+ libselinux/src/sha1.h                         |  85 -----
+ libselinux/src/sha256.c                       | 294 ++++++++++++++++++
+ libselinux/src/sha256.h                       |  89 ++++++
+ libselinux/utils/selabel_digest.c             |  26 +-
+ .../selabel_get_digests_all_partial_matches.c |  28 +-
+ 17 files changed, 469 insertions(+), 391 deletions(-)
+ delete mode 100644 libselinux/src/sha1.c
+ delete mode 100644 libselinux/src/sha1.h
+ create mode 100644 libselinux/src/sha256.c
+ create mode 100644 libselinux/src/sha256.h
+
+diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
+index e8983606d93b..a35d84d63b0a 100644
+--- a/libselinux/include/selinux/label.h
++++ b/libselinux/include/selinux/label.h
+@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ 					 const char *key, const char **aliases, int type);
+ 
+ /**
+- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
+  *		    generate the digest. The SELABEL_OPT_DIGEST option must
+  *		    be set in selabel_open() to initiate the digest generation.
+  * @handle: specifies backend instance to query
+- * @digest: returns a pointer to the SHA1 digest.
++ * @digest: returns a pointer to the SHA256 digest.
+  * @digest_len: returns length of digest in bytes.
+- * @specfiles: a list of specfiles used in the SHA1 digest generation.
++ * @specfiles: a list of specfiles used in the SHA256 digest generation.
+  *	       The list is NULL terminated and will hold @num_specfiles entries.
+  * @num_specfiles: number of specfiles in the list.
+  *
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index 466de39aac72..ca8ce768587a 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
+  * restorecon_flags options
+  */
+ /*
+- * Force the checking of labels even if the stored SHA1 digest
+- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
++ * Force the checking of labels even if the stored SHA256 digest
++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
+  */
+ #define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
+ /*
+diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
+index 56a008f00df0..5f7c42533d0e 100644
+--- a/libselinux/man/man3/selabel_digest.3
++++ b/libselinux/man/man3/selabel_digest.3
+@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
+ .BR selabel_digest ()
+ performs an operation on the handle
+ .IR hnd ,
+-returning the results of the SHA1 digest pointed to by
++returning the results of the SHA256 digest pointed to by
+ .IR digest ,
+ whose length will be
+ .IR digest_len .
+-The list of specfiles used in the SHA1 digest calculation is returned in
++The list of specfiles used in the SHA256 digest calculation is returned in
+ .I specfiles
+ with the number of entries in
+ .IR num_specfiles .
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 971ebc1acd41..2cf2eb8a1410 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+ .TP
+ .B SELABEL_OPT_DIGEST
+-A non-null value for this option enables the generation of an SHA1 digest of
++A non-null value for this option enables the generation of an SHA256 digest of
+ the spec files loaded as described in
+ .BR selabel_digest (3)
+ .
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index ad637406a30d..c4576fe79ff6 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -28,7 +28,7 @@ If this is a directory and the
+ .B SELINUX_RESTORECON_RECURSE
+ has been set (for descending through directories), then
+ .BR selinux_restorecon ()
+-will write an SHA1 digest of specfile entries calculated by
++will write an SHA256 digest of specfile entries calculated by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute of
+ .IR security.sehash
+@@ -47,7 +47,7 @@ will take place.
+ .br
+ The
+ .IR restorecon_flags
+-that can be used to manage the usage of the SHA1 digest are:
++that can be used to manage the usage of the SHA256 digest are:
+ .RS
+ .B SELINUX_RESTORECON_SKIP_DIGEST
+ .br
+@@ -65,8 +65,8 @@ Do not check or update any extended attribute
+ entries.
+ .sp
+ .B SELINUX_RESTORECON_IGNORE_DIGEST
+-force the checking of labels even if the stored SHA1 digest matches the
+-specfile entries SHA1 digest. The specfile entries digest will be written to the
++force the checking of labels even if the stored SHA256 digest matches the
++specfile entries SHA256 digest. The specfile entries digest will be written to the
+ .IR security.sehash
+ extended attribute once relabeling has been completed successfully provided the
+ .B SELINUX_RESTORECON_NOCHANGE
+@@ -84,7 +84,7 @@ default specfile context.
+ .sp
+ .B SELINUX_RESTORECON_RECURSE
+ change file and directory labels recursively (descend directories)
+-and if successful write an SHA1 digest of the specfile entries to an
++and if successful write an SHA256 digest of the specfile entries to an
+ extended attribute as described in the
+ .B NOTES
+ section.
+@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
+ same inode have different contexts, as errors.
+ .RE
+ .sp
+-The behavior regarding the checking and updating of the SHA1 digest described
++The behavior regarding the checking and updating of the SHA256 digest described
+ above is the default behavior. It is possible to change this by first calling
+ .BR selabel_open (3)
+ and not enabling the
+@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+ .B SELINUX_RESTORECON_RECURSE
+ flag is set)
+ .BR selinux_restorecon ()
+-will write a calculated SHA1 digest of the specfile entries returned by
++will write a calculated SHA256 digest of the specfile entries returned by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute named
+ .IR security.sehash
+@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
+ .BR selinux_restorecon ()
+ is run again with the
+ .B SELINUX_RESTORECON_RECURSE
+-flag set, new SHA1 digests will be calculated and all files automatically
++flag set, new SHA256 digests will be calculated and all files automatically
+ relabeled depending on the settings of the
+ .B SELINUX_RESTORECON_SET_SPECFILE_CTX
+ flag (provided
+diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
+index c56326814b94..098c840fc59b 100644
+--- a/libselinux/man/man3/selinux_restorecon_xattr.3
++++ b/libselinux/man/man3/selinux_restorecon_xattr.3
+@@ -119,7 +119,7 @@ By default
+ .BR selinux_restorecon_xattr (3)
+ will use the default set of specfiles described in
+ .BR files_contexts (5)
+-to calculate the SHA1 digests to be used for comparison.
++to calculate the SHA256 digests to be used for comparison.
+ To change this default behavior
+ .BR selabel_open (3)
+ must be called specifying the required
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 52c40f018f51..674a5ed3a6f8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+ 	-DBUILD_HOST
+ SRCS= callbacks.c freecon.c label.c label_file.c \
+ 	label_backends_android.c regex.c label_support.c \
+-	matchpathcon.c setrans_client.c sha1.c booleans.c
++	matchpathcon.c setrans_client.c sha256.c booleans.c
+ else
+ LABEL_BACKEND_ANDROID=y
+ endif
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2e28d0474d73..c1306c9979e7 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -1005,7 +1005,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
+ 
+ /*
+  * Returns true if the digest of all partial matched contexts is the same as
+- * the one saved by setxattr, otherwise returns false. The length of the SHA1
++ * the one saved by setxattr, otherwise returns false. The length of the SHA256
+  * digest will always be returned. The caller must free any returned digests.
+  */
+ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -1014,39 +1014,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+ 					    uint8_t **xattr_digest,
+ 					    size_t *digest_len)
+ {
+-	uint8_t read_digest[SHA1_HASH_SIZE];
++	uint8_t read_digest[SHA256_HASH_SIZE];
+ 	ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
+-				     read_digest, SHA1_HASH_SIZE
++				     read_digest, SHA256_HASH_SIZE
+ #ifdef __APPLE__
+ 				     , 0, 0
+ #endif /* __APPLE __ */
+ 				    );
+-	uint8_t hash_digest[SHA1_HASH_SIZE];
++	uint8_t hash_digest[SHA256_HASH_SIZE];
+ 	bool status = selabel_hash_all_partial_matches(rec, pathname,
+ 						       hash_digest);
+ 
+ 	*xattr_digest = NULL;
+ 	*calculated_digest = NULL;
+-	*digest_len = SHA1_HASH_SIZE;
++	*digest_len = SHA256_HASH_SIZE;
+ 
+-	if (read_size == SHA1_HASH_SIZE) {
+-		*xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
++	if (read_size == SHA256_HASH_SIZE) {
++		*xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ 		if (!*xattr_digest)
+ 			goto oom;
+ 
+-		memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
++		memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
+ 	}
+ 
+ 	if (status) {
+-		*calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
++		*calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ 		if (!*calculated_digest)
+ 			goto oom;
+ 
+-		memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
++		memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
+ 	}
+ 
+-	if (status && read_size == SHA1_HASH_SIZE &&
+-	    memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
++	if (status && read_size == SHA256_HASH_SIZE &&
++	    memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
+ 		return true;
+ 
+ 	return false;
+@@ -1066,22 +1066,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+ 		return false;
+ 	}
+ 
+-	Sha1Context context;
+-	Sha1Initialise(&context);
++	Sha256Context context;
++	Sha256Initialise(&context);
+ 	size_t i;
+ 	for (i = 0; i < total_matches; i++) {
+ 		char* regex_str = matches[i]->regex_str;
+ 		mode_t mode = matches[i]->mode;
+ 		char* ctx_raw = matches[i]->lr.ctx_raw;
+ 
+-		Sha1Update(&context, regex_str, strlen(regex_str) + 1);
+-		Sha1Update(&context, &mode, sizeof(mode_t));
+-		Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
++		Sha256Update(&context, regex_str, strlen(regex_str) + 1);
++		Sha256Update(&context, &mode, sizeof(mode_t));
++		Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
+ 	}
+ 
+-	SHA1_HASH sha1_hash;
+-	Sha1Finalise(&context, &sha1_hash);
+-	memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
++	SHA256_HASH sha256_hash;
++	Sha256Finalise(&context, &sha256_hash);
++	memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
+ 
+ 	free(matches);
+ 	return true;
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 782c6aa8cc0c..304e8d96490a 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -13,7 +13,7 @@
+ #include <stdio.h>
+ #include <selinux/selinux.h>
+ #include <selinux/label.h>
+-#include "sha1.h"
++#include "sha256.h"
+ 
+ #if defined(ANDROID) || defined(__APPLE__)
+ // Android and Mac do not have fgets_unlocked()
+@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+  */
+ 
+ /*
+- * Calculate an SHA1 hash of all the files used to build the specs.
++ * Calculate an SHA256 hash of all the files used to build the specs.
+  * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
+  * calculate the hash the hashbuf will hold a concatenation of all the files
+  * used. This is released once the value has been calculated.
+  */
+-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
+ #define DIGEST_FILES_MAX 8
+ struct selabel_digest {
+-	unsigned char *digest;	/* SHA1 digest of specfiles */
++	unsigned char *digest;	/* SHA256 digest of specfiles */
+ 	unsigned char *hashbuf;	/* buffer to hold specfiles */
+ 	size_t hashbuf_size;	/* buffer size */
+ 	size_t specfile_cnt;	/* how many specfiles processed */
+@@ -110,7 +110,7 @@ struct selabel_handle {
+ 	 */
+ 	char *spec_file;
+ 
+-	/* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
++	/* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
+ 	struct selabel_digest *digest;
+ };
+ 
+diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
+index 94ed6e4273cb..f53d73b609ab 100644
+--- a/libselinux/src/label_support.c
++++ b/libselinux/src/label_support.c
+@@ -115,15 +115,15 @@ int  read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ /* Once all the specfiles are in the hash_buf, generate the hash. */
+ void  digest_gen_hash(struct selabel_digest *digest)
+ {
+-	Sha1Context context;
++	Sha256Context context;
+ 
+ 	/* If SELABEL_OPT_DIGEST not set then just return */
+ 	if (!digest)
+ 		return;
+ 
+-	Sha1Initialise(&context);
+-	Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
+-	Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
++	Sha256Initialise(&context);
++	Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
++	Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
+ 	free(digest->hashbuf);
+ 	digest->hashbuf = NULL;
+ 	return;
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 04d956504952..100c77108a27 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -37,7 +37,7 @@
+ #include "callbacks.h"
+ #include "selinux_internal.h"
+ #include "label_file.h"
+-#include "sha1.h"
++#include "sha256.h"
+ 
+ #define STAR_COUNT 1024
+ 
+@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
+ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 			   bool delete_all)
+ {
+-	char *sha1_buf = NULL;
++	char *sha256_buf = NULL;
+ 	size_t i, digest_len = 0;
+ 	int rc, digest_result;
+ 	bool match;
+@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	}
+ 
+ 	/* Convert entry to a hex encoded string. */
+-	sha1_buf = malloc(digest_len * 2 + 1);
+-	if (!sha1_buf) {
++	sha256_buf = malloc(digest_len * 2 + 1);
++	if (!sha256_buf) {
+ 		free(xattr_digest);
+ 		free(calculated_digest);
+ 		goto oom;
+ 	}
+ 
+ 	for (i = 0; i < digest_len; i++)
+-		sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
++		sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
+ 
+ 	digest_result = match ? MATCH : NOMATCH;
+ 
+@@ -344,7 +344,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	/* Now add entries to link list. */
+ 	new_entry = malloc(sizeof(struct dir_xattr));
+ 	if (!new_entry) {
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 	new_entry->next = NULL;
+@@ -352,15 +352,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	new_entry->directory = strdup(directory);
+ 	if (!new_entry->directory) {
+ 		free(new_entry);
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 
+-	new_entry->digest = strdup(sha1_buf);
++	new_entry->digest = strdup(sha256_buf);
+ 	if (!new_entry->digest) {
+ 		free(new_entry->directory);
+ 		free(new_entry);
+-		free(sha1_buf);
++		free(sha256_buf);
+ 		goto oom;
+ 	}
+ 
+@@ -374,7 +374,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 		dir_xattr_last = new_entry;
+ 	}
+ 
+-	free(sha1_buf);
++	free(sha256_buf);
+ 	return 0;
+ 
+ oom:
+@@ -741,7 +741,7 @@ err:
+ 
+ struct dir_hash_node {
+ 	char *path;
+-	uint8_t digest[SHA1_HASH_SIZE];
++	uint8_t digest[SHA256_HASH_SIZE];
+ 	struct dir_hash_node *next;
+ };
+ /*
+@@ -1091,7 +1091,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 			if (setxattr(current->path,
+ 			    RESTORECON_PARTIAL_MATCH_DIGEST,
+ 			    current->digest,
+-			    SHA1_HASH_SIZE, 0) < 0) {
++			    SHA256_HASH_SIZE, 0) < 0) {
+ 				selinux_log(SELINUX_ERROR,
+ 					    "setxattr failed: %s: %m\n",
+ 					    current->path);
+diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
+deleted file mode 100644
+index a848467785f3..000000000000
+--- a/libselinux/src/sha1.c
++++ /dev/null
+@@ -1,220 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  LibSha1
+-//
+-//  Implementation of SHA1 hash function.
+-//  Original author:  Steve Reid <sreid@sea-to-sky.net>
+-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-//  and Ralph Giles <giles@ghostscript.com>
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-//  Modified to:
+-//    - stop symbols being exported for libselinux shared library - October 2015
+-//								       Richard Haines <richard_c_haines@btinternet.com>
+-//    - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+-//      Fixes:
+-//        sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
+-//             CHAR64LONG16*       block = (CHAR64LONG16*) workspace;
+-//                                                                     William Roberts <william.c.roberts@intel.com>
+-//    - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include "sha1.h"
+-#include <memory.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-typedef union
+-{
+-    uint8_t     c [64];
+-    uint32_t    l [16];
+-} CHAR64LONG16;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  INTERNAL FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+-
+-// blk0() and blk() perform the initial expand.
+-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+-    |(rol(block->l[i],8)&0x00FF00FF))
+-
+-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+-    ^block->l[(i+2)&15]^block->l[i&15],1))
+-
+-// (R0+R1), R2, R3, R4 are the different operations used in SHA1
+-#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
+-#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
+-#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
+-
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TransformFunction
+-//
+-//  Hash a single 512-bit block. This is the core of the algorithm
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-static
+-void
+-    TransformFunction
+-    (
+-        uint32_t            state[5],
+-        const uint8_t       buffer[64]
+-    )
+-{
+-    uint32_t            a;
+-    uint32_t            b;
+-    uint32_t            c;
+-    uint32_t            d;
+-    uint32_t            e;
+-    CHAR64LONG16        workspace;
+-    CHAR64LONG16*       block = &workspace;
+-
+-    memcpy(block, buffer, 64);
+-
+-    // Copy context->state[] to working vars
+-    a = state[0];
+-    b = state[1];
+-    c = state[2];
+-    d = state[3];
+-    e = state[4];
+-
+-    // 4 rounds of 20 operations each. Loop unrolled.
+-    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+-    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+-    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+-    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+-    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+-    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+-    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+-    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+-    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+-    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+-    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+-    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+-    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+-    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+-    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+-    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+-    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+-    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+-    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+-    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+-
+-    // Add the working vars back into context.state[]
+-    state[0] += a;
+-    state[1] += b;
+-    state[2] += c;
+-    state[3] += d;
+-    state[4] += e;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Initialise
+-//
+-//  Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Initialise
+-    (
+-        Sha1Context*                Context
+-    )
+-{
+-    // SHA1 initialization constants
+-    Context->State[0] = 0x67452301;
+-    Context->State[1] = 0xEFCDAB89;
+-    Context->State[2] = 0x98BADCFE;
+-    Context->State[3] = 0x10325476;
+-    Context->State[4] = 0xC3D2E1F0;
+-    Context->Count[0] = 0;
+-    Context->Count[1] = 0;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Update
+-//
+-//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Update
+-    (
+-        Sha1Context*        Context,
+-        const void*         Buffer,
+-        uint32_t            BufferSize
+-    )
+-{
+-    uint32_t    i;
+-    uint32_t    j;
+-
+-    j = (Context->Count[0] >> 3) & 63;
+-    if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
+-    {
+-        Context->Count[1]++;
+-    }
+-
+-    Context->Count[1] += (BufferSize >> 29);
+-    if ((j + BufferSize) > 63)
+-    {
+-        i = 64 - j;
+-        memcpy(&Context->Buffer[j], Buffer, i);
+-        TransformFunction(Context->State, Context->Buffer);
+-        for (; i + 63 < BufferSize; i += 64)
+-        {
+-            TransformFunction(Context->State, (const uint8_t*)Buffer + i);
+-        }
+-        j = 0;
+-    }
+-    else
+-    {
+-        i = 0;
+-    }
+-
+-    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-//  calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void 
+-    Sha1Finalise
+-    (
+-        Sha1Context*                Context,
+-        SHA1_HASH*                  Digest
+-    )
+-{
+-    uint32_t    i;
+-    uint8_t     finalcount[8];
+-
+-    for (i = 0; i < 8; i++)
+-    {
+-        finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
+-         >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent
+-    }
+-    Sha1Update(Context, (const uint8_t*)"\x80", 1);
+-    while ((Context->Count[0] & 504) != 448)
+-    {
+-        Sha1Update(Context, (const uint8_t*)"\0", 1);
+-    }
+-
+-    Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()
+-    for (i = 0; i < SHA1_HASH_SIZE; i++)
+-    {
+-        Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+-    }
+-}
+diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
+deleted file mode 100644
+index f83a6e7ed7ba..000000000000
+--- a/libselinux/src/sha1.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  LibSha1
+-//
+-//  Implementation of SHA1 hash function.
+-//  Original author:  Steve Reid <sreid@sea-to-sky.net>
+-//  Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-//  and Ralph Giles <giles@ghostscript.com>
+-//  Modified by WaterJuice retaining Public Domain license.
+-//
+-//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#ifndef _sha1_h_
+-#define _sha1_h_
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include <stdint.h>
+-#include <stdio.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
+-typedef struct
+-{
+-    uint32_t        State[5];
+-    uint32_t        Count[2];
+-    uint8_t         Buffer[64];
+-} Sha1Context;
+-
+-#define SHA1_HASH_SIZE           ( 160 / 8 )
+-
+-typedef struct
+-{
+-    uint8_t      bytes [SHA1_HASH_SIZE];
+-} SHA1_HASH;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Initialise
+-//
+-//  Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Initialise
+-    (
+-        Sha1Context*                Context
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Update
+-//
+-//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Update
+-    (
+-        Sha1Context*        Context,
+-        const void*         Buffer,
+-        uint32_t            BufferSize
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-//  Sha1Finalise
+-//
+-//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-//  calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+-    Sha1Finalise
+-    (
+-        Sha1Context*                Context,
+-        SHA1_HASH*                  Digest
+-    );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-#endif //_sha1_h_
+diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/libselinux/src/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include <memory.h>
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y)                                                                     \
++     { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255);   \
++       (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y)                            \
++     { x = ((uint32_t)((y)[0] & 255)<<24) | \
++           ((uint32_t)((y)[1] & 255)<<16) | \
++           ((uint32_t)((y)[2] & 255)<<8)  | \
++           ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y)                                                                     \
++   { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255);     \
++     (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255);     \
++     (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255);     \
++     (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++    0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++    0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++    0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++    0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++    0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++    0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++    0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++    0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++    0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++    0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++    0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++    0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++    0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE          64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z )     (z ^ (x & (y ^ z)))
++#define Maj( x, y, z )    (((x | y) & z) | (x & y))
++#define S( x, n )         ror((x),(n))
++#define R( x, n )         (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x )       (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x )       (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x )       (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x )       (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i )       \
++     t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i];   \
++     t1 = Sigma0(a) + Maj(a, b, c);                    \
++     d += t0;                                          \
++     h  = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  TransformFunction
++//
++//  Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++    TransformFunction
++    (
++        Sha256Context*      Context,
++        uint8_t const*      Buffer
++    )
++{
++    uint32_t    S[8];
++    uint32_t    W[64];
++    uint32_t    t0;
++    uint32_t    t1;
++    uint32_t    t;
++    int         i;
++
++    // Copy state into S
++    for( i=0; i<8; i++ )
++    {
++        S[i] = Context->state[i];
++    }
++
++    // Copy the state into 512-bits into W[0..15]
++    for( i=0; i<16; i++ )
++    {
++        LOAD32H( W[i], Buffer + (4*i) );
++    }
++
++    // Fill W[16..63]
++    for( i=16; i<64; i++ )
++    {
++        W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++    }
++
++    // Compress
++    for( i=0; i<64; i++ )
++    {
++        Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++        t = S[7];
++        S[7] = S[6];
++        S[6] = S[5];
++        S[5] = S[4];
++        S[4] = S[3];
++        S[3] = S[2];
++        S[2] = S[1];
++        S[1] = S[0];
++        S[0] = t;
++    }
++
++    // Feedback
++    for( i=0; i<8; i++ )
++    {
++        Context->state[i] = Context->state[i] + S[i];
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    )
++{
++    Context->curlen = 0;
++    Context->length = 0;
++    Context->state[0] = 0x6A09E667UL;
++    Context->state[1] = 0xBB67AE85UL;
++    Context->state[2] = 0x3C6EF372UL;
++    Context->state[3] = 0xA54FF53AUL;
++    Context->state[4] = 0x510E527FUL;
++    Context->state[5] = 0x9B05688CUL;
++    Context->state[6] = 0x1F83D9ABUL;
++    Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    )
++{
++    uint32_t n;
++
++    if( Context->curlen > sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    while( BufferSize > 0 )
++    {
++        if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++        {
++           TransformFunction( Context, (uint8_t*)Buffer );
++           Context->length += BLOCK_SIZE * 8;
++           Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++           BufferSize -= BLOCK_SIZE;
++        }
++        else
++        {
++           n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++           memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++           Context->curlen += n;
++           Buffer = (uint8_t*)Buffer + n;
++           BufferSize -= n;
++           if( Context->curlen == BLOCK_SIZE )
++           {
++              TransformFunction( Context, Context->buf );
++              Context->length += 8*BLOCK_SIZE;
++              Context->curlen = 0;
++           }
++       }
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    )
++{
++    int i;
++
++    if( Context->curlen >= sizeof(Context->buf) )
++    {
++       return;
++    }
++
++    // Increase the length of the message
++    Context->length += Context->curlen * 8;
++
++    // Append the '1' bit
++    Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++    // if the length is currently above 56 bytes we append zeros
++    // then compress.  Then we can fall back to padding zeros and length
++    // encoding like normal.
++    if( Context->curlen > 56 )
++    {
++        while( Context->curlen < 64 )
++        {
++            Context->buf[Context->curlen++] = (uint8_t)0;
++        }
++        TransformFunction(Context, Context->buf);
++        Context->curlen = 0;
++    }
++
++    // Pad up to 56 bytes of zeroes
++    while( Context->curlen < 56 )
++    {
++        Context->buf[Context->curlen++] = (uint8_t)0;
++    }
++
++    // Store length
++    STORE64H( Context->length, Context->buf+56 );
++    TransformFunction( Context, Context->buf );
++
++    // Copy output
++    for( i=0; i<8; i++ )
++    {
++        STORE32H( Context->state[i], Digest->bytes+(4*i) );
++    }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    )
++{
++    Sha256Context context;
++
++    Sha256Initialise( &context );
++    Sha256Update( &context, Buffer, BufferSize );
++    Sha256Finalise( &context, Digest );
++}
+diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/libselinux/src/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  WjCryptLib_Sha256
++//
++//  Implementation of SHA256 hash function.
++//  Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++//  Modified by WaterJuice retaining Public Domain license.
++//
++//  This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include <stdint.h>
++#include <stdio.h>
++
++typedef struct
++{
++    uint64_t    length;
++    uint32_t    state[8];
++    uint32_t    curlen;
++    uint8_t     buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE           ( 256 / 8 )
++
++typedef struct
++{
++    uint8_t      bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Initialise
++//
++//  Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Initialise
++    (
++        Sha256Context*      Context         // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Update
++//
++//  Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++//  calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Update
++    (
++        Sha256Context*      Context,        // [in out]
++        void const*         Buffer,         // [in]
++        uint32_t            BufferSize      // [in]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Finalise
++//
++//  Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++//  calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Finalise
++    (
++        Sha256Context*      Context,        // [in out]
++        SHA256_HASH*        Digest          // [out]
++    );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++//  Sha256Calculate
++//
++//  Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++//  buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++    Sha256Calculate
++    (
++        void  const*        Buffer,         // [in]
++        uint32_t            BufferSize,     // [in]
++        SHA256_HASH*        Digest          // [in]
++    );
+diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
+index 49408a0ba8d8..67befadd23c5 100644
+--- a/libselinux/utils/selabel_digest.c
++++ b/libselinux/utils/selabel_digest.c
+@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 		"Where:\n\t"
+ 		"-b  The backend - \"file\", \"media\", \"x\", \"db\" or "
+ 			"\"prop\"\n\t"
+-		"-v  Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
+-		"    on the list of specfiles to compare the SHA1 digests.\n\t"
++		"-v  Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
++		"    on the list of specfiles to compare the SHA256 digests.\n\t"
+ 		"-B  Use base specfiles only (valid for \"-b file\" only).\n\t"
+ 		"-i  Do not request a digest.\n\t"
+ 		"-f  Optional file containing the specs (defaults to\n\t"
+@@ -62,12 +62,12 @@ int main(int argc, char **argv)
+ 	int backend = 0, rc, opt, validate = 0;
+ 	char *baseonly = NULL, *file = NULL, *digest = (char *)1;
+ 	char **specfiles = NULL;
+-	unsigned char *sha1_digest = NULL;
++	unsigned char *sha256_digest = NULL;
+ 	size_t i, num_specfiles;
+ 
+ 	char cmd_buf[4096];
+ 	char *cmd_ptr;
+-	char *sha1_buf;
++	char *sha256_buf;
+ 
+ 	struct selabel_handle *hnd;
+ 	struct selinux_opt selabel_option[] = {
+@@ -137,7 +137,7 @@ int main(int argc, char **argv)
+ 		return -1;
+ 	}
+ 
+-	rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
++	rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
+ 							    &num_specfiles);
+ 
+ 	if (rc) {
+@@ -152,19 +152,19 @@ int main(int argc, char **argv)
+ 		goto err;
+ 	}
+ 
+-	sha1_buf = malloc(digest_len * 2 + 1);
+-	if (!sha1_buf) {
++	sha256_buf = malloc(digest_len * 2 + 1);
++	if (!sha256_buf) {
+ 		fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
+ 						    strerror(errno));
+ 		rc = -1;
+ 		goto err;
+ 	}
+ 
+-	printf("SHA1 digest: ");
++	printf("SHA256 digest: ");
+ 	for (i = 0; i < digest_len; i++)
+-		sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
++		sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
+ 
+-	printf("%s\n", sha1_buf);
++	printf("%s\n", sha256_buf);
+ 	printf("calculated using the following specfile(s):\n");
+ 
+ 	if (specfiles) {
+@@ -177,13 +177,13 @@ int main(int argc, char **argv)
+ 			cmd_ptr += strlen(specfiles[i]) + 1;
+ 			printf("%s\n", specfiles[i]);
+ 		}
+-		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
++		sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
+ 
+ 		if (validate)
+-			rc = run_check_digest(cmd_buf, sha1_buf);
++			rc = run_check_digest(cmd_buf, sha256_buf);
+ 	}
+ 
+-	free(sha1_buf);
++	free(sha256_buf);
+ err:
+ 	selabel_close(hnd);
+ 	return rc;
+diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+index e28833d2ce97..900f018c0091 100644
+--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 		"-v  Validate file_contxts entries against loaded policy.\n\t"
+ 		"-r  Recursively descend directories.\n\t"
+ 		"-f  Optional file_contexts file (defaults to current policy).\n\t"
+-		"path  Path to check current SHA1 digest against file_contexts entries.\n\n"
+-		"This will check the directory selinux.sehash SHA1 digest for "
++		"path  Path to check current SHA256 digest against file_contexts entries.\n\n"
++		"This will check the directory selinux.sehash SHA256 digest for "
+ 		"<path> against\na newly generated digest based on the "
+ 		"file_context entries for that node\n(using the regx, mode "
+ 		"and path entries).\n", progname);
+@@ -37,7 +37,7 @@ int main(int argc, char **argv)
+ 	char *paths[2] = { NULL, NULL };
+ 	uint8_t *xattr_digest = NULL;
+ 	uint8_t *calculated_digest = NULL;
+-	char *sha1_buf = NULL;
++	char *sha256_buf = NULL;
+ 
+ 	struct selabel_handle *hnd;
+ 	struct selinux_opt selabel_option[] = {
+@@ -105,27 +105,27 @@ int main(int argc, char **argv)
+ 							 &xattr_digest,
+ 							 &digest_len);
+ 
+-			sha1_buf = calloc(1, digest_len * 2 + 1);
+-			if (!sha1_buf) {
++			sha256_buf = calloc(1, digest_len * 2 + 1);
++			if (!sha256_buf) {
+ 				fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
+ 					    strerror(errno));
+ 				return -1;
+ 			}
+ 
+ 			if (status) { /* They match */
+-				printf("xattr and file_contexts SHA1 digests match for: %s\n",
++				printf("xattr and file_contexts SHA256 digests match for: %s\n",
+ 				       ftsent->fts_path);
+ 
+ 				if (calculated_digest) {
+ 					for (i = 0; i < digest_len; i++)
+-						sprintf((&sha1_buf[i * 2]),
++						sprintf((&sha256_buf[i * 2]),
+ 							"%02x",
+ 							calculated_digest[i]);
+-					printf("SHA1 digest: %s\n", sha1_buf);
++					printf("SHA256 digest: %s\n", sha256_buf);
+ 				}
+ 			} else {
+ 				if (!calculated_digest) {
+-					printf("No SHA1 digest available for: %s\n",
++					printf("No SHA256 digest available for: %s\n",
+ 					       ftsent->fts_path);
+ 					printf("as file_context entry is \"<<none>>\"\n");
+ 					goto cleanup;
+@@ -135,25 +135,25 @@ int main(int argc, char **argv)
+ 				       ftsent->fts_path);
+ 
+ 				for (i = 0; i < digest_len; i++)
+-					sprintf((&sha1_buf[i * 2]), "%02x",
++					sprintf((&sha256_buf[i * 2]), "%02x",
+ 						calculated_digest[i]);
+-				printf("generated SHA1 digest: %s\n", sha1_buf);
++				printf("generated SHA256 digest: %s\n", sha256_buf);
+ 
+ 				if (!xattr_digest) {
+ 					printf("however there is no selinux.sehash xattr entry.\n");
+ 				} else {
+ 					printf("however it does NOT match the current entry of:\n");
+ 					for (i = 0; i < digest_len; i++)
+-						sprintf((&sha1_buf[i * 2]),
++						sprintf((&sha256_buf[i * 2]),
+ 							"%02x",
+ 							xattr_digest[i]);
+-					printf("%s\n", sha1_buf);
++					printf("%s\n", sha256_buf);
+ 				}
+ 			}
+ 			cleanup:
+ 			free(xattr_digest);
+ 			free(calculated_digest);
+-			free(sha1_buf);
++			free(sha256_buf);
+ 			break;
+ 		}
+ 		default:
+-- 
+2.32.0
+
diff --git a/SOURCES/0002-label_file-fix-a-data-race.patch b/SOURCES/0002-label_file-fix-a-data-race.patch
new file mode 100644
index 0000000..0554c37
--- /dev/null
+++ b/SOURCES/0002-label_file-fix-a-data-race.patch
@@ -0,0 +1,73 @@
+From 5844f389429f26a0a62a65561fa3006feaaf6f3b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:32 +0200
+Subject: [PATCH] label_file: fix a data race
+
+The 'matches' member of 'struct spec' may be written to by different
+threads, so it needs to be accessed using the proper atomic constructs.
+Since the actual count of matches doesn't matter and is not used,
+convert this field to a bool and just atomically set/read it using GCC
+__atomic builtins (which are already being used in another place).
+
+If the compiler lacks support for __atomic builtins (which seem to have
+been introduced in GCC 4.1), just fail the compilation. I don't think
+it's worth tryin to invent a workaround to support a 15 years old
+compiler.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/label_file.c | 15 +++++++++++++--
+ libselinux/src/label_file.h |  2 +-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index c1306c9979e7..33d395e414f0 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -951,7 +951,12 @@ static struct spec **lookup_all(struct selabel_handle *rec,
+ 			rc = regex_match(spec->regex, key, partial);
+ 			if (rc == REGEX_MATCH || (partial && rc == REGEX_MATCH_PARTIAL)) {
+ 				if (rc == REGEX_MATCH) {
+-					spec->matches++;
++#ifdef __ATOMIC_RELAXED
++					__atomic_store_n(&spec->any_matches,
++							 true, __ATOMIC_RELAXED);
++#else
++#error "Please use a compiler that supports __atomic builtins"
++#endif
+ 				}
+ 
+ 				if (strcmp(spec_arr[i].lr.ctx_raw, "<<none>>") == 0) {
+@@ -1249,9 +1254,15 @@ static void stats(struct selabel_handle *rec)
+ 	struct saved_data *data = (struct saved_data *)rec->data;
+ 	unsigned int i, nspec = data->nspec;
+ 	struct spec *spec_arr = data->spec_arr;
++	bool any_matches;
+ 
+ 	for (i = 0; i < nspec; i++) {
+-		if (spec_arr[i].matches == 0) {
++#ifdef __ATOMIC_RELAXED
++		any_matches = __atomic_load_n(&spec_arr[i].any_matches, __ATOMIC_RELAXED);
++#else
++#error "Please use a compiler that supports __atomic builtins"
++#endif
++		if (!any_matches) {
+ 			if (spec_arr[i].type_str) {
+ 				COMPAT_LOG(SELINUX_WARNING,
+ 				    "Warning!  No matches for (%s, %s, %s)\n",
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index 343ffc705e43..b453e13f8075 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -51,7 +51,7 @@ struct spec {
+ 	bool regex_compiled; /* bool to indicate if the regex is compiled */
+ 	pthread_mutex_t regex_lock; /* lock for lazy compilation of regex */
+ 	mode_t mode;		/* mode format value */
+-	int matches;		/* number of matching pathnames */
++	bool any_matches;	/* did any pathname match? */
+ 	int stem_id;		/* indicates which stem-compression item */
+ 	char hasMetaChars;	/* regular expression has meta-chars */
+ 	char from_mmap;		/* this spec is from an mmap of the data */
+-- 
+2.33.1
+
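Review bot: The `#ifdef __ATOMIC_RELAXED` / `#error` guard is written out twice in label_file.c, once around the store in `lookup_all()` and once around the load in `stats()`, so a later change to the memory order or the fallback has to be made in both places. A single compile-time check near the top of the file, or two small `static inline` helpers next to `struct spec` in label_file.h, would keep the access rule in one spot. The field comment could also state that rule, for example `bool any_matches; /* did any pathname match? access only via __atomic builtins */`, so nobody later adds a plain `spec->any_matches = true`. Both functions continue outside the hunks shown, so any other readers or writers of the old `matches` field cannot be checked from here.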
diff --git a/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch b/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
new file mode 100644
index 0000000..01c6d25
--- /dev/null
+++ b/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
@@ -0,0 +1,30 @@
+From 5dd3a11842c08a25a0f7ab798ce85710fe1e8f1f Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:33 +0200
+Subject: [PATCH] selinux_restorecon: simplify fl_head allocation by using
+ calloc()
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 100c77108a27..e29a2c390182 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -425,10 +425,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	struct stat64 sb;
+ 
+ 	if (!fl_head) {
+-		fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
++		fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
+ 		if (!fl_head)
+ 			goto oom;
+-		memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS);
+ 	}
+ 
+ 	h = (ino + (ino >> HASH_BITS)) & HASH_MASK;
+-- 
+2.33.1
+
diff --git a/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch b/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
new file mode 100644
index 0000000..1143f33
--- /dev/null
+++ b/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
@@ -0,0 +1,81 @@
+From 4598a46c5ed12248a3a6e1dbe1b5a3dca52bacac Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:34 +0200
+Subject: [PATCH] selinux_restorecon: protect file_spec list with a mutex
+
+Not very useful on its own, but will allow to implement a parallel
+version of selinux_restorecon() in subsequent patches.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index e29a2c390182..43acbace309d 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -411,6 +411,7 @@ typedef struct file_spec {
+ } file_spec_t;
+ 
+ static file_spec_t *fl_head;
++static pthread_mutex_t fl_mutex = PTHREAD_MUTEX_INITIALIZER;
+ 
+ /*
+  * Try to add an association between an inode and a context. If there is a
+@@ -424,6 +425,8 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 	int h, ret;
+ 	struct stat64 sb;
+ 
++	__pthread_mutex_lock(&fl_mutex);
++
+ 	if (!fl_head) {
+ 		fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
+ 		if (!fl_head)
+@@ -444,11 +447,11 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 				fl->con = strdup(con);
+ 				if (!fl->con)
+ 					goto oom;
+-				return 1;
++				goto unlock_1;
+ 			}
+ 
+ 			if (strcmp(fl->con, con) == 0)
+-				return 1;
++				goto unlock_1;
+ 
+ 			selinux_log(SELINUX_ERROR,
+ 				"conflicting specifications for %s and %s, using %s.\n",
+@@ -457,6 +460,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 			fl->file = strdup(file);
+ 			if (!fl->file)
+ 				goto oom;
++
++			__pthread_mutex_unlock(&fl_mutex);
++
+ 			if (flags->conflicterror) {
+ 				selinux_log(SELINUX_ERROR,
+ 				"treating conflicting specifications as an error.\n");
+@@ -481,13 +487,19 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ 		goto oom_freefl;
+ 	fl->next = prevfl->next;
+ 	prevfl->next = fl;
++
++	__pthread_mutex_unlock(&fl_mutex);
+ 	return 0;
+ 
+ oom_freefl:
+ 	free(fl);
+ oom:
++	__pthread_mutex_unlock(&fl_mutex);
+ 	selinux_log(SELINUX_ERROR, "%s:  Out of memory\n", __func__);
+ 	return -1;
++unlock_1:
++	__pthread_mutex_unlock(&fl_mutex);
++	return 1;
+ }
+ 
+ /*
+-- 
+2.33.1
+
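Review bot: In `filespec_add()` the "conflicting specifications" `selinux_log()` call and the `strdup(file)` after it still run with `fl_mutex` held, whereas the `oom` path releases the mutex before it logs. The log call goes to a callback installed by the library user, so a slow callback stalls every other thread entering `filespec_add()`, and one that re-enters the restorecon code would presumably block on `fl_mutex`. The message arguments are outside the hunk; if they read `fl->file` and `fl->con`, the call has to stay under the lock, and a comment such as `/* fl_mutex held here: the log callback must not re-enter selinux_restorecon */` would record that. Separately, the unlocks at `oom`, at `unlock_1`, before `return 0` and mid-function ahead of the `flags->conflicterror` check could collapse into a single `unlock:` label reached with `ret = 1; goto unlock;`, since `ret` is already declared. The function body extends beyond the hunks shown.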
diff --git a/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch b/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch
new file mode 100644
index 0000000..078d5b4
--- /dev/null
+++ b/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch
@@ -0,0 +1,88 @@
+From c2e4cf5b21e8c775c669f3933d25a0946774ec0d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:35 +0200
+Subject: [PATCH] libselinux: make selinux_log() thread-safe
+
+Ensure that selinux_log() is thread-safe by guarding the call to the
+underlying callback with a mutex.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/callbacks.c |  8 +++++---
+ libselinux/src/callbacks.h | 13 ++++++++++++-
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
+index c18ccc54754a..469c4055f4d7 100644
+--- a/libselinux/src/callbacks.c
++++ b/libselinux/src/callbacks.c
+@@ -10,6 +10,8 @@
+ #include <selinux/selinux.h>
+ #include "callbacks.h"
+ 
++pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
++
+ /* default implementations */
+ static int __attribute__ ((format(printf, 2, 3)))
+ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
+@@ -56,7 +58,7 @@ default_selinux_policyload(int seqno __attribute__((unused)))
+ 
+ /* callback pointers */
+ int __attribute__ ((format(printf, 2, 3)))
+-(*selinux_log)(int, const char *, ...) =
++(*selinux_log_direct)(int, const char *, ...) =
+ 	default_selinux_log;
+ 
+ int
+@@ -81,7 +83,7 @@ selinux_set_callback(int type, union selinux_callback cb)
+ {
+ 	switch (type) {
+ 	case SELINUX_CB_LOG:
+-		selinux_log = cb.func_log;
++		selinux_log_direct = cb.func_log;
+ 		break;
+ 	case SELINUX_CB_AUDIT:
+ 		selinux_audit = cb.func_audit;
+@@ -106,7 +108,7 @@ selinux_get_callback(int type)
+ 
+ 	switch (type) {
+ 	case SELINUX_CB_LOG:
+-		cb.func_log = selinux_log;
++		cb.func_log = selinux_log_direct;
+ 		break;
+ 	case SELINUX_CB_AUDIT:
+ 		cb.func_audit = selinux_audit;
+diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
+index 03d87f0cbdfe..f4dab15789f9 100644
+--- a/libselinux/src/callbacks.h
++++ b/libselinux/src/callbacks.h
+@@ -10,9 +10,11 @@
+ #include <string.h>
+ #include <selinux/selinux.h>
+ 
++#include "selinux_internal.h"
++
+ /* callback pointers */
+ extern int __attribute__ ((format(printf, 2, 3)))
+-(*selinux_log) (int type, const char *, ...) ;
++(*selinux_log_direct) (int type, const char *, ...) ;
+ 
+ extern int
+ (*selinux_audit) (void *, security_class_t, char *, size_t) ;
+@@ -26,4 +28,13 @@ extern int
+ extern int
+ (*selinux_netlink_policyload) (int seqno) ;
+ 
++/* Thread-safe selinux_log() function */
++extern pthread_mutex_t log_mutex;
++
++#define selinux_log(type, ...) do { \
++	__pthread_mutex_lock(&log_mutex); \
++	selinux_log_direct(type, __VA_ARGS__); \
++	__pthread_mutex_unlock(&log_mutex); \
++} while(0)
++
+ #endif				/* _SELINUX_CALLBACKS_H_ */
+-- 
+2.33.1
+
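Review bot: `selinux_set_callback()` still assigns `selinux_log_direct = cb.func_log;` without taking `log_mutex`, while the new `selinux_log()` macro reads and calls that pointer under the mutex, so swapping the log callback while another thread is logging remains an unsynchronised write. Taking the same lock in the `SELINUX_CB_LOG` case closes this: `__pthread_mutex_lock(&log_mutex); selinux_log_direct = cb.func_log; __pthread_mutex_unlock(&log_mutex);`, with the matching treatment for the read in `selinux_get_callback()`. The callback now runs with `log_mutex` held, and the mutex is a default one from `PTHREAD_MUTEX_INITIALIZER`, so a callback that ends up logging through libselinux would likely deadlock on itself. A comment above the macro should say so, e.g. `/* the log callback runs under log_mutex and must not call back into selinux_log() */`. Both functions start outside the hunks shown.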
diff --git a/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch b/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch
new file mode 100644
index 0000000..3dc8213
--- /dev/null
+++ b/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch
@@ -0,0 +1,81 @@
+From 9a8db9356c07d16a9337df416a3261c0527afeb7 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:36 +0200
+Subject: [PATCH] libselinux: make is_context_customizable() thread-safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the __selinux_once() macro to ensure that threads don't race to
+initialize the list of customizable types.
+
+Reported-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Tested-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libselinux/src/is_customizable_type.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
+index 1b17860c3622..f83e1e83e944 100644
+--- a/libselinux/src/is_customizable_type.c
++++ b/libselinux/src/is_customizable_type.c
+@@ -9,7 +9,10 @@
+ #include "selinux_internal.h"
+ #include "context_internal.h"
+ 
+-static int get_customizable_type_list(char *** retlist)
++static char **customizable_list = NULL;
++static pthread_once_t customizable_once = PTHREAD_ONCE_INIT;
++
++static void customizable_init(void)
+ {
+ 	FILE *fp;
+ 	char *buf;
+@@ -18,12 +21,12 @@ static int get_customizable_type_list(char *** retlist)
+ 
+ 	fp = fopen(selinux_customizable_types_path(), "re");
+ 	if (!fp)
+-		return -1;
++		return;
+ 
+ 	buf = malloc(selinux_page_size);
+ 	if (!buf) {
+ 		fclose(fp);
+-		return -1;
++		return;
+ 	}
+ 	while (fgets_unlocked(buf, selinux_page_size, fp) && ctr < UINT_MAX) {
+ 		ctr++;
+@@ -54,23 +57,19 @@ static int get_customizable_type_list(char *** retlist)
+ 	fclose(fp);
+ 	free(buf);
+ 	if (!list)
+-		return -1;
+-	*retlist = list;
+-	return 0;
++		return;
++	customizable_list = list;
+ }
+ 
+-static char **customizable_list = NULL;
+-
+ int is_context_customizable(const char * scontext)
+ {
+ 	int i;
+ 	const char *type;
+ 	context_t c;
+ 
+-	if (!customizable_list) {
+-		if (get_customizable_type_list(&customizable_list) != 0)
+-			return -1;
+-	}
++	__selinux_once(customizable_once, customizable_init);
++	if (!customizable_list)
++		return -1;
+ 
+ 	c = context_new(scontext);
+ 	if (!c)
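Review bot: A failed initialisation is now permanent for the life of the process. `customizable_init()` returns early when `fopen()` or `malloc()` fails, and because it runs under `__selinux_once()` it is never retried, whereas the removed code called `get_customizable_type_list()` again on every call while `customizable_list` was still NULL. Every later `is_context_customizable()` call then returns -1 at `if (!customizable_list)`, with whatever errno happens to be current and not the errno of the original failure. If that is intended, a comment above the `__selinux_once()` call such as `/* init is attempted once; a failure is sticky and every call returns -1 */` would document it. The body of is_context_customizable() continues past this hunk.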
+-- 
+2.33.1
+
diff --git a/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch b/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
new file mode 100644
index 0000000..a5affd5
--- /dev/null
+++ b/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
@@ -0,0 +1,45 @@
+From 73310c9694724b3ef54bbf3a3193dbb0a68ecc3b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:37 +0200
+Subject: [PATCH] selinux_restorecon: add a global mutex to synchronize
+ progress output
+
+Another small incremental change to pave the way for a parallel
+selinux_restorecon() function.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 43acbace309d..169dfe3ae232 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -60,6 +60,7 @@ static int exclude_count = 0;
+ static struct edir *exclude_lst = NULL;
+ static uint64_t fc_count = 0;	/* Number of files processed so far */
+ static uint64_t efile_count;	/* Estimated total number of files */
++static pthread_mutex_t progress_mutex = PTHREAD_MUTEX_INITIALIZER;
+ 
+ /* Store information on directories with xattr's. */
+ static struct dir_xattr *dir_xattr_list;
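Review bot: The new `progress_mutex` has no comment saying what it protects, while the counters declared next to it each carry one. The later hunks of this patch take it around `fc_count++` and the progress output up to `fflush(stdout)` in restorecon_sb(), so a comment such as `/* Serializes fc_count updates and the progress output on stdout */` would fit. Because the lock is held across the write to stdout, a slow consumer of that output would presumably stall every thread that reaches this section, which may be worth a word in the same comment.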
+@@ -647,6 +648,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ 	}
+ 
+ 	if (flags->progress) {
++		__pthread_mutex_lock(&progress_mutex);
+ 		fc_count++;
+ 		if (fc_count % STAR_COUNT == 0) {
+ 			if (flags->mass_relabel && efile_count > 0) {
+@@ -658,6 +660,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ 			}
+ 			fflush(stdout);
+ 		}
++		__pthread_mutex_unlock(&progress_mutex);
+ 	}
+ 
+ 	if (flags->add_assoc) {
+-- 
+2.33.1
+
diff --git a/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch b/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
new file mode 100644
index 0000000..a16023e
--- /dev/null
+++ b/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
@@ -0,0 +1,800 @@
+From 847282ce385a4fc03092eb10422b1878590e9bdd Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:38 +0200
+Subject: [PATCH] selinux_restorecon: introduce selinux_restorecon_parallel(3)
+
+Refactor selinux_restorecon(3) to allow for distributing the relabeling
+to multiple threads and add a new function
+selinux_restorecon_parallel(3), which allows specifying the number of
+threads to use. The existing selinux_restorecon(3) function maintains
+the same interface and maintains the same behavior (i.e. relabeling is
+done on a single thread).
+
+The parallel implementation takes a simple approach of performing all
+the directory tree traversal in a critical section and only letting the
+relabeling of individual objects run in parallel. Thankfully, this
+approach turns out to be efficient enough in practice, as shown by
+restorecon benchmarks (detailed in a subsequent patch that switches
+setfiles & restorecon to use selinux_restorecon_parallel(3)).
+
+Note that to be able to use the parallelism, the calling application/
+library must be explicitly linked to the libpthread library (statically
+or dynamically). This is necessary to mantain the requirement that
+libselinux shouldn't explicitly link with libpthread. (I don't know what
+exactly was the reason behind this requirement as the commit logs are
+fuzzy, but special care has been taken in the past to maintain it, so I
+didn't want to break it...)
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/include/selinux/restorecon.h       |  14 +
+ libselinux/man/man3/selinux_restorecon.3      |  29 ++
+ .../man/man3/selinux_restorecon_parallel.3    |   1 +
+ libselinux/src/libselinux.map                 |   5 +
+ libselinux/src/selinux_internal.h             |  16 +
+ libselinux/src/selinux_restorecon.c           | 436 ++++++++++++------
+ libselinux/src/selinuxswig_python.i           |   6 +-
+ libselinux/src/selinuxswig_python_exception.i |   8 +
+ 8 files changed, 368 insertions(+), 147 deletions(-)
+ create mode 100644 libselinux/man/man3/selinux_restorecon_parallel.3
+
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index ca8ce768587a..8f9a030cda98 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -2,6 +2,7 @@
+ #define _RESTORECON_H_
+ 
+ #include <sys/types.h>
++#include <stddef.h>
+ #include <stdarg.h>
+ 
+ #ifdef __cplusplus
+@@ -23,6 +24,19 @@ extern "C" {
+  */
+ extern int selinux_restorecon(const char *pathname,
+ 				    unsigned int restorecon_flags);
++/**
++ * selinux_restorecon_parallel - Relabel files, optionally use more threads.
++ * @pathname: specifies file/directory to relabel.
++ * @restorecon_flags: specifies the actions to be performed when relabeling.
++ * @nthreads: specifies the number of threads to use (0 = use number of CPUs
++ *            currently online)
++ *
++ * Same as selinux_restorecon(3), but allows to use multiple threads to do
++ * the work.
++ */
++extern int selinux_restorecon_parallel(const char *pathname,
++				       unsigned int restorecon_flags,
++				       size_t nthreads);
+ /*
+  * restorecon_flags options
+  */
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index c4576fe79ff6..500845917fb8 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -11,6 +11,14 @@ selinux_restorecon \- restore file(s) default SELinux security contexts
+ .br
+ .BI "unsigned int " restorecon_flags ");"
+ .in
++.sp
++.BI "int selinux_restorecon_parallel(const char *" pathname ,
++.in +\w'int selinux_restorecon_parallel('u
++.br
++.BI "unsigned int " restorecon_flags ","
++.br
++.BI "size_t " nthreads ");"
++.in
+ .
+ .SH "DESCRIPTION"
+ .BR selinux_restorecon ()
+@@ -187,6 +195,27 @@ unless the
+ .B SELINUX_RESTORECON_IGNORE_MOUNTS
+ flag has been set.
+ .RE
++.sp
++.BR selinux_restorecon_parallel()
++is similar to
++.BR selinux_restorecon (3),
++but accepts another parameter that allows to run relabeling over multiple
++threads:
++.sp
++.RS
++.IR nthreads
++specifies the number of threads to use during relabeling. When set to 1,
++the behavior is the same as calling
++.BR selinux_restorecon (3).
++When set to 0, the function will try to use as many threads as there are
++online CPU cores. When set to any other number, the function will try to use
++the given number of threads.
++.sp
++Note that to use the parallel relabeling capability, the calling process
++must be linked with the
++.B libpthread
++library (either at compile time or dynamically at run time). Otherwise the
++function will print a warning and fall back to the single threaded mode.
+ .
+ .SH "RETURN VALUE"
+ On success, zero is returned.  On error, \-1 is returned and
+diff --git a/libselinux/man/man3/selinux_restorecon_parallel.3 b/libselinux/man/man3/selinux_restorecon_parallel.3
+new file mode 100644
+index 000000000000..092d8412cc93
+--- /dev/null
++++ b/libselinux/man/man3/selinux_restorecon_parallel.3
+@@ -0,0 +1 @@
++.so man3/selinux_restorecon.3
+diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
+index 2a368e93f9fd..d138e951ef0d 100644
+--- a/libselinux/src/libselinux.map
++++ b/libselinux/src/libselinux.map
+@@ -240,3 +240,8 @@ LIBSELINUX_1.0 {
+   local:
+     *;
+ };
++
++LIBSELINUX_3.3 {
++  global:
++    selinux_restorecon_parallel;
++} LIBSELINUX_1.0;
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index 27e9ac532c3f..297dcf26dee3 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -69,6 +69,22 @@ extern int selinux_page_size ;
+ 			pthread_mutex_unlock(LOCK);		\
+ 	} while (0)
+ 
++#pragma weak pthread_create
++#pragma weak pthread_join
++#pragma weak pthread_cond_init
++#pragma weak pthread_cond_signal
++#pragma weak pthread_cond_destroy
++#pragma weak pthread_cond_wait
++
++/* check if all functions needed to do parallel operations are available */
++#define __pthread_supported (					\
++	pthread_create &&					\
++	pthread_join &&						\
++	pthread_cond_init &&					\
++	pthread_cond_destroy &&					\
++	pthread_cond_signal &&					\
++	pthread_cond_wait					\
++)
+ 
+ #define SELINUXDIR "/etc/selinux/"
+ #define SELINUXCONFIG SELINUXDIR "config"
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 169dfe3ae232..f7e84657d09d 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -610,7 +610,7 @@ out:
+ }
+ 
+ static int restorecon_sb(const char *pathname, const struct stat *sb,
+-			    struct rest_flags *flags)
++			    struct rest_flags *flags, bool first)
+ {
+ 	char *newcon = NULL;
+ 	char *curcon = NULL;
+@@ -639,7 +639,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ 						    sb->st_mode);
+ 
+ 	if (rc < 0) {
+-		if (errno == ENOENT && flags->warnonnomatch)
++		if (errno == ENOENT && flags->warnonnomatch && first)
+ 			selinux_log(SELINUX_INFO,
+ 				    "Warning no default label for %s\n",
+ 				    lookup_path);
+@@ -814,66 +814,215 @@ oom:
+ 	goto free;
+ }
+ 
++struct rest_state {
++	struct rest_flags flags;
++	dev_t dev_num;
++	struct statfs sfsb;
++	bool ignore_digest;
++	bool setrestorecondigest;
++	bool parallel;
+ 
+-/*
+- * Public API
+- */
++	FTS *fts;
++	FTSENT *ftsent_first;
++	struct dir_hash_node *head, *current;
++	bool abort;
++	int error;
++	int saved_errno;
++	pthread_mutex_t mutex;
++};
+ 
+-/* selinux_restorecon(3) - Main function that is responsible for labeling */
+-int selinux_restorecon(const char *pathname_orig,
+-		       unsigned int restorecon_flags)
++static void *selinux_restorecon_thread(void *arg)
+ {
+-	struct rest_flags flags;
++	struct rest_state *state = arg;
++	FTS *fts = state->fts;
++	FTSENT *ftsent;
++	int error;
++	char ent_path[PATH_MAX];
++	struct stat ent_st;
++	bool first = false;
++
++	if (state->parallel)
++		pthread_mutex_lock(&state->mutex);
++
++	if (state->ftsent_first) {
++		ftsent = state->ftsent_first;
++		state->ftsent_first = NULL;
++		first = true;
++		goto loop_body;
++	}
++
++	while (((void)(errno = 0), ftsent = fts_read(fts)) != NULL) {
++loop_body:
++		/* If the FTS_XDEV flag is set and the device is different */
++		if (state->flags.set_xdev &&
++		    ftsent->fts_statp->st_dev != state->dev_num)
++			continue;
++
++		switch (ftsent->fts_info) {
++		case FTS_DC:
++			selinux_log(SELINUX_ERROR,
++				    "Directory cycle on %s.\n",
++				    ftsent->fts_path);
++			errno = ELOOP;
++			state->error = -1;
++			state->abort = true;
++			goto finish;
++		case FTS_DP:
++			continue;
++		case FTS_DNR:
++			error = errno;
++			errno = ftsent->fts_errno;
++			selinux_log(SELINUX_ERROR,
++				    "Could not read %s: %m.\n",
++				    ftsent->fts_path);
++			errno = error;
++			fts_set(fts, ftsent, FTS_SKIP);
++			continue;
++		case FTS_NS:
++			error = errno;
++			errno = ftsent->fts_errno;
++			selinux_log(SELINUX_ERROR,
++				    "Could not stat %s: %m.\n",
++				    ftsent->fts_path);
++			errno = error;
++			fts_set(fts, ftsent, FTS_SKIP);
++			continue;
++		case FTS_ERR:
++			error = errno;
++			errno = ftsent->fts_errno;
++			selinux_log(SELINUX_ERROR,
++				    "Error on %s: %m.\n",
++				    ftsent->fts_path);
++			errno = error;
++			fts_set(fts, ftsent, FTS_SKIP);
++			continue;
++		case FTS_D:
++			if (state->sfsb.f_type == SYSFS_MAGIC &&
++			    !selabel_partial_match(fc_sehandle,
++			    ftsent->fts_path)) {
++				fts_set(fts, ftsent, FTS_SKIP);
++				continue;
++			}
++
++			if (check_excluded(ftsent->fts_path)) {
++				fts_set(fts, ftsent, FTS_SKIP);
++				continue;
++			}
+ 
+-	flags.nochange = (restorecon_flags &
++			if (state->setrestorecondigest) {
++				struct dir_hash_node *new_node = NULL;
++
++				if (check_context_match_for_dir(ftsent->fts_path,
++								&new_node,
++								state->error) &&
++								!state->ignore_digest) {
++					selinux_log(SELINUX_INFO,
++						"Skipping restorecon on directory(%s)\n",
++						    ftsent->fts_path);
++					fts_set(fts, ftsent, FTS_SKIP);
++					continue;
++				}
++
++				if (new_node && !state->error) {
++					if (!state->current) {
++						state->current = new_node;
++						state->head = state->current;
++					} else {
++						state->current->next = new_node;
++						state->current = new_node;
++					}
++				}
++			}
++			/* fall through */
++		default:
++			strcpy(ent_path, ftsent->fts_path);
++			ent_st = *ftsent->fts_statp;
++			if (state->parallel)
++				pthread_mutex_unlock(&state->mutex);
++
++			error = restorecon_sb(ent_path, &ent_st, &state->flags,
++					      first);
++
++			if (state->parallel) {
++				pthread_mutex_lock(&state->mutex);
++				if (state->abort)
++					goto unlock;
++			}
++
++			state->error |= error;
++			first = false;
++			if (error && state->flags.abort_on_error) {
++				state->abort = true;
++				goto finish;
++			}
++			break;
++		}
++	}
++
++finish:
++	if (!state->saved_errno)
++		state->saved_errno = errno;
++unlock:
++	if (state->parallel)
++		pthread_mutex_unlock(&state->mutex);
++	return NULL;
++}
++
++static int selinux_restorecon_common(const char *pathname_orig,
++				     unsigned int restorecon_flags,
++				     size_t nthreads)
++{
++	struct rest_state state;
++
++	state.flags.nochange = (restorecon_flags &
+ 		    SELINUX_RESTORECON_NOCHANGE) ? true : false;
+-	flags.verbose = (restorecon_flags &
++	state.flags.verbose = (restorecon_flags &
+ 		    SELINUX_RESTORECON_VERBOSE) ? true : false;
+-	flags.progress = (restorecon_flags &
++	state.flags.progress = (restorecon_flags &
+ 		    SELINUX_RESTORECON_PROGRESS) ? true : false;
+-	flags.mass_relabel = (restorecon_flags &
++	state.flags.mass_relabel = (restorecon_flags &
+ 		    SELINUX_RESTORECON_MASS_RELABEL) ? true : false;
+-	flags.recurse = (restorecon_flags &
++	state.flags.recurse = (restorecon_flags &
+ 		    SELINUX_RESTORECON_RECURSE) ? true : false;
+-	flags.set_specctx = (restorecon_flags &
++	state.flags.set_specctx = (restorecon_flags &
+ 		    SELINUX_RESTORECON_SET_SPECFILE_CTX) ? true : false;
+-	flags.userealpath = (restorecon_flags &
++	state.flags.userealpath = (restorecon_flags &
+ 		   SELINUX_RESTORECON_REALPATH) ? true : false;
+-	flags.set_xdev = (restorecon_flags &
++	state.flags.set_xdev = (restorecon_flags &
+ 		   SELINUX_RESTORECON_XDEV) ? true : false;
+-	flags.add_assoc = (restorecon_flags &
++	state.flags.add_assoc = (restorecon_flags &
+ 		   SELINUX_RESTORECON_ADD_ASSOC) ? true : false;
+-	flags.abort_on_error = (restorecon_flags &
++	state.flags.abort_on_error = (restorecon_flags &
+ 		   SELINUX_RESTORECON_ABORT_ON_ERROR) ? true : false;
+-	flags.syslog_changes = (restorecon_flags &
++	state.flags.syslog_changes = (restorecon_flags &
+ 		   SELINUX_RESTORECON_SYSLOG_CHANGES) ? true : false;
+-	flags.log_matches = (restorecon_flags &
++	state.flags.log_matches = (restorecon_flags &
+ 		   SELINUX_RESTORECON_LOG_MATCHES) ? true : false;
+-	flags.ignore_noent = (restorecon_flags &
++	state.flags.ignore_noent = (restorecon_flags &
+ 		   SELINUX_RESTORECON_IGNORE_NOENTRY) ? true : false;
+-	flags.warnonnomatch = true;
+-	flags.conflicterror = (restorecon_flags &
++	state.flags.warnonnomatch = true;
++	state.flags.conflicterror = (restorecon_flags &
+ 		   SELINUX_RESTORECON_CONFLICT_ERROR) ? true : false;
+ 	ignore_mounts = (restorecon_flags &
+ 		   SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
+-	bool ignore_digest = (restorecon_flags &
++	state.ignore_digest = (restorecon_flags &
+ 		    SELINUX_RESTORECON_IGNORE_DIGEST) ? true : false;
+-	bool setrestorecondigest = true;
++	state.setrestorecondigest = true;
++
++	state.head = NULL;
++	state.current = NULL;
++	state.abort = false;
++	state.error = 0;
++	state.saved_errno = 0;
+ 
+ 	struct stat sb;
+-	struct statfs sfsb;
+-	FTS *fts;
+-	FTSENT *ftsent;
+ 	char *pathname = NULL, *pathdnamer = NULL, *pathdname, *pathbname;
+ 	char *paths[2] = { NULL, NULL };
+ 	int fts_flags, error, sverrno;
+-	dev_t dev_num = 0;
+ 	struct dir_hash_node *current = NULL;
+-	struct dir_hash_node *head = NULL;
+-	int errno_tmp;
+ 
+-	if (flags.verbose && flags.progress)
+-		flags.verbose = false;
++	if (state.flags.verbose && state.flags.progress)
++		state.flags.verbose = false;
+ 
+ 	__selinux_once(fc_once, restorecon_init);
+ 
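Review bot: In the `default:` case of selinux_restorecon_thread(), `strcpy(ent_path, ftsent->fts_path)` copies into the fixed `char ent_path[PATH_MAX]` without checking the length. fts(3) does not promise that `fts_path` fits in PATH_MAX, so on a sufficiently deep tree the copy could write past the stack buffer; whether such a path can reach this case depends on the fts implementation. Relabeling usually walks trees whose depth the caller does not control, so I would check the length first and abort the walk with ENAMETOOLONG, the same way the FTS_DC case reports ELOOP. The check has to come before the `pthread_mutex_unlock()` that follows the copy, since it updates `state`.

```c
		default:
			/* fts(3) paths are not bounded by PATH_MAX: refuse rather than overrun ent_path */
			if (strlen(ftsent->fts_path) >= sizeof(ent_path)) {
				selinux_log(SELINUX_ERROR,
					    "Path name too long on %s.\n",
					    ftsent->fts_path);
				errno = ENAMETOOLONG;
				state->error = -1;
				state->abort = true;
				goto finish;
			}
			strcpy(ent_path, ftsent->fts_path);
			/* … unchanged: copy of fts_statp, unlock, restorecon_sb() call, error bookkeeping … */
```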
+@@ -886,13 +1035,31 @@ int selinux_restorecon(const char *pathname_orig,
+ 	 */
+ 	if (selabel_no_digest ||
+ 	    (restorecon_flags & SELINUX_RESTORECON_SKIP_DIGEST))
+-		setrestorecondigest = false;
++		state.setrestorecondigest = false;
++
++	if (!__pthread_supported) {
++		if (nthreads != 1) {
++			nthreads = 1;
++			selinux_log(SELINUX_WARNING,
++				"Threading functionality not available, falling back to 1 thread.");
++		}
++	} else if (nthreads == 0) {
++		long nproc = sysconf(_SC_NPROCESSORS_ONLN);
++
++		if (nproc > 0) {
++			nthreads = nproc;
++		} else {
++			nthreads = 1;
++			selinux_log(SELINUX_WARNING,
++				"Unable to detect CPU count, falling back to 1 thread.");
++		}
++	}
+ 
+ 	/*
+ 	 * Convert passed-in pathname to canonical pathname by resolving
+ 	 * realpath of containing dir, then appending last component name.
+ 	 */
+-	if (flags.userealpath) {
++	if (state.flags.userealpath) {
+ 		char *basename_cpy = strdup(pathname_orig);
+ 		if (!basename_cpy)
+ 			goto realpatherr;
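Review bot: The two new warning strings, `"Threading functionality not available, falling back to 1 thread."` and `"Unable to detect CPU count, falling back to 1 thread."`, have no trailing `\n`, unlike the other `selinux_log()` messages in this file (for example `"statfs(%s) failed: %m\n"`). A log callback that writes the format as given would run the next message onto the same line; ending both strings with `.\n` fixes that. selinux_restorecon_common() starts and ends outside this hunk.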
+@@ -937,7 +1104,7 @@ int selinux_restorecon(const char *pathname_orig,
+ 	paths[0] = pathname;
+ 
+ 	if (lstat(pathname, &sb) < 0) {
+-		if (flags.ignore_noent && errno == ENOENT) {
++		if (state.flags.ignore_noent && errno == ENOENT) {
+ 			free(pathdnamer);
+ 			free(pathname);
+ 			return 0;
+@@ -952,21 +1119,21 @@ int selinux_restorecon(const char *pathname_orig,
+ 
+ 	/* Skip digest if not a directory */
+ 	if (!S_ISDIR(sb.st_mode))
+-		setrestorecondigest = false;
++		state.setrestorecondigest = false;
+ 
+-	if (!flags.recurse) {
++	if (!state.flags.recurse) {
+ 		if (check_excluded(pathname)) {
+ 			error = 0;
+ 			goto cleanup;
+ 		}
+ 
+-		error = restorecon_sb(pathname, &sb, &flags);
++		error = restorecon_sb(pathname, &sb, &state.flags, true);
+ 		goto cleanup;
+ 	}
+ 
+ 	/* Obtain fs type */
+-	memset(&sfsb, 0, sizeof sfsb);
+-	if (!S_ISLNK(sb.st_mode) && statfs(pathname, &sfsb) < 0) {
++	memset(&state.sfsb, 0, sizeof(state.sfsb));
++	if (!S_ISLNK(sb.st_mode) && statfs(pathname, &state.sfsb) < 0) {
+ 		selinux_log(SELINUX_ERROR,
+ 			    "statfs(%s) failed: %m\n",
+ 			    pathname);
+@@ -975,21 +1142,21 @@ int selinux_restorecon(const char *pathname_orig,
+ 	}
+ 
+ 	/* Skip digest on in-memory filesystems and /sys */
+-	if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC ||
+-	    sfsb.f_type == SYSFS_MAGIC)
+-		setrestorecondigest = false;
++	if (state.sfsb.f_type == RAMFS_MAGIC || state.sfsb.f_type == TMPFS_MAGIC ||
++	    state.sfsb.f_type == SYSFS_MAGIC)
++		state.setrestorecondigest = false;
+ 
+-	if (flags.set_xdev)
++	if (state.flags.set_xdev)
+ 		fts_flags = FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV;
+ 	else
+ 		fts_flags = FTS_PHYSICAL | FTS_NOCHDIR;
+ 
+-	fts = fts_open(paths, fts_flags, NULL);
+-	if (!fts)
++	state.fts = fts_open(paths, fts_flags, NULL);
++	if (!state.fts)
+ 		goto fts_err;
+ 
+-	ftsent = fts_read(fts);
+-	if (!ftsent)
++	state.ftsent_first = fts_read(state.fts);
++	if (!state.ftsent_first)
+ 		goto fts_err;
+ 
+ 	/*
+@@ -1001,106 +1168,66 @@ int selinux_restorecon(const char *pathname_orig,
+ 	 * directories with a different device number when the FTS_XDEV flag
+ 	 * is set (from http://marc.info/?l=selinux&m=124688830500777&w=2).
+ 	 */
+-	dev_num = ftsent->fts_statp->st_dev;
++	state.dev_num = state.ftsent_first->fts_statp->st_dev;
+ 
+-	error = 0;
+-	do {
+-		/* If the FTS_XDEV flag is set and the device is different */
+-		if (flags.set_xdev && ftsent->fts_statp->st_dev != dev_num)
+-			continue;
++	if (nthreads == 1) {
++		state.parallel = false;
++		selinux_restorecon_thread(&state);
++	} else {
++		size_t i;
++		pthread_t self = pthread_self();
++		pthread_t *threads = NULL;
+ 
+-		switch (ftsent->fts_info) {
+-		case FTS_DC:
+-			selinux_log(SELINUX_ERROR,
+-				    "Directory cycle on %s.\n",
+-				    ftsent->fts_path);
+-			errno = ELOOP;
+-			error = -1;
+-			goto out;
+-		case FTS_DP:
+-			continue;
+-		case FTS_DNR:
+-			errno_tmp = errno;
+-			errno = ftsent->fts_errno;
+-			selinux_log(SELINUX_ERROR,
+-				    "Could not read %s: %m.\n",
+-				    ftsent->fts_path);
+-			errno = errno_tmp;
+-			fts_set(fts, ftsent, FTS_SKIP);
+-			continue;
+-		case FTS_NS:
+-			errno_tmp = errno;
+-			errno = ftsent->fts_errno;
+-			selinux_log(SELINUX_ERROR,
+-				    "Could not stat %s: %m.\n",
+-				    ftsent->fts_path);
+-			errno = errno_tmp;
+-			fts_set(fts, ftsent, FTS_SKIP);
+-			continue;
+-		case FTS_ERR:
+-			errno_tmp = errno;
+-			errno = ftsent->fts_errno;
+-			selinux_log(SELINUX_ERROR,
+-				    "Error on %s: %m.\n",
+-				    ftsent->fts_path);
+-			errno = errno_tmp;
+-			fts_set(fts, ftsent, FTS_SKIP);
+-			continue;
+-		case FTS_D:
+-			if (sfsb.f_type == SYSFS_MAGIC &&
+-			    !selabel_partial_match(fc_sehandle,
+-			    ftsent->fts_path)) {
+-				fts_set(fts, ftsent, FTS_SKIP);
+-				continue;
+-			}
++		pthread_mutex_init(&state.mutex, NULL);
+ 
+-			if (check_excluded(ftsent->fts_path)) {
+-				fts_set(fts, ftsent, FTS_SKIP);
+-				continue;
++		threads = calloc(nthreads - 1, sizeof(*threads));
++		if (!threads)
++			goto oom;
++
++		state.parallel = true;
++		/*
++		 * Start (nthreads - 1) threads - the main thread is going to
++		 * take part, too.
++		 */
++		for (i = 0; i < nthreads - 1; i++) {
++			if (pthread_create(&threads[i], NULL,
++					   selinux_restorecon_thread, &state)) {
++				/*
++				 * If any thread fails to be created, just mark
++				 * it as such and let the successfully created
++				 * threads do the job. In the worst case the
++				 * main thread will do everything, but that's
++				 * still better than to give up.
++				 */
++				threads[i] = self;
+ 			}
++		}
+ 
+-			if (setrestorecondigest) {
+-				struct dir_hash_node *new_node = NULL;
++		/* Let's join in on the fun! */
++		selinux_restorecon_thread(&state);
+ 
+-				if (check_context_match_for_dir(ftsent->fts_path,
+-								&new_node,
+-								error) &&
+-								!ignore_digest) {
+-					selinux_log(SELINUX_INFO,
+-						    "Skipping restorecon on directory(%s)\n",
+-						    ftsent->fts_path);
+-					fts_set(fts, ftsent, FTS_SKIP);
+-					continue;
+-				}
+-
+-				if (new_node && !error) {
+-					if (!current) {
+-						current = new_node;
+-						head = current;
+-					} else {
+-						current->next = new_node;
+-						current = current->next;
+-					}
+-				}
+-			}
+-			/* fall through */
+-		default:
+-			error |= restorecon_sb(ftsent->fts_path,
+-					       ftsent->fts_statp, &flags);
+-			if (flags.warnonnomatch)
+-				flags.warnonnomatch = false;
+-			if (error && flags.abort_on_error)
+-				goto out;
+-			break;
++		/* Now wait for all threads to finish. */
++		for (i = 0; i < nthreads - 1; i++) {
++			/* Skip threads that failed to be created. */
++			if (pthread_equal(threads[i], self))
++				continue;
++			pthread_join(threads[i], NULL);
+ 		}
+-	} while ((ftsent = fts_read(fts)) != NULL);
++		free(threads);
++
++		pthread_mutex_destroy(&state.mutex);
++	}
++
++	error = state.error;
++	if (state.saved_errno)
++		goto out;
+ 
+ 	/*
+ 	 * Labeling successful. Write partial match digests for subdirectories.
+ 	 * TODO: Write digest upon FTS_DP if no error occurs in its descents.
+ 	 */
+-	if (setrestorecondigest && !flags.nochange && !error) {
+-		current = head;
++	if (state.setrestorecondigest && !state.flags.nochange && !error) {
++		current = state.head;
+ 		while (current != NULL) {
+ 			if (setxattr(current->path,
+ 			    RESTORECON_PARTIAL_MATCH_DIGEST,
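Review bot: `pthread_mutex_init(&state.mutex, NULL)` runs before the `calloc()` of the thread array, and the `goto oom` taken when that allocation fails leaves this hunk without a matching `pthread_mutex_destroy()`; the init's return value is also ignored. Allocating first avoids the unbalanced init: move `pthread_mutex_init(&state.mutex, NULL);` below the `if (!threads) goto oom;` check. The `oom` label is outside this hunk, so whether that path also closes `state.fts` cannot be checked from here. Separately, `nthreads` is used exactly as the caller passed it for the `calloc(nthreads - 1, sizeof(*threads))` size and the creation loop, so an upper bound may be worth considering.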
+@@ -1115,22 +1242,21 @@ int selinux_restorecon(const char *pathname_orig,
+ 	}
+ 
+ out:
+-	if (flags.progress && flags.mass_relabel)
++	if (state.flags.progress && state.flags.mass_relabel)
+ 		fprintf(stdout, "\r%s 100.0%%\n", pathname);
+ 
+-	sverrno = errno;
+-	(void) fts_close(fts);
+-	errno = sverrno;
++	(void) fts_close(state.fts);
++	errno = state.saved_errno;
+ cleanup:
+-	if (flags.add_assoc) {
+-		if (flags.verbose)
++	if (state.flags.add_assoc) {
++		if (state.flags.verbose)
+ 			filespec_eval();
+ 		filespec_destroy();
+ 	}
+ 	free(pathdnamer);
+ 	free(pathname);
+ 
+-	current = head;
++	current = state.head;
+ 	while (current != NULL) {
+ 		struct dir_hash_node *next = current->next;
+ 
+@@ -1164,6 +1290,26 @@ fts_err:
+ 	goto cleanup;
+ }
+ 
++
++/*
++ * Public API
++ */
++
++/* selinux_restorecon(3) - Main function that is responsible for labeling */
++int selinux_restorecon(const char *pathname_orig,
++		       unsigned int restorecon_flags)
++{
++	return selinux_restorecon_common(pathname_orig, restorecon_flags, 1);
++}
++
++/* selinux_restorecon_parallel(3) - Parallel version of selinux_restorecon(3) */
++int selinux_restorecon_parallel(const char *pathname_orig,
++				unsigned int restorecon_flags,
++				size_t nthreads)
++{
++	return selinux_restorecon_common(pathname_orig, restorecon_flags, nthreads);
++}
++
+ /* selinux_restorecon_set_sehandle(3) is called to set the global fc handle */
+ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
+ {
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 4c73bf92df96..17e03b9e36a5 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -20,7 +20,7 @@ DISABLED = -1
+ PERMISSIVE = 0
+ ENFORCING = 1
+ 
+-def restorecon(path, recursive=False, verbose=False, force=False):
++def restorecon(path, recursive=False, verbose=False, force=False, nthreads=1):
+     """ Restore SELinux context on a given path
+ 
+     Arguments:
+@@ -32,6 +32,8 @@ def restorecon(path, recursive=False, verbose=False, force=False):
+     force -- Force reset of context to match file_context for customizable files,
+     and the default file context, changing the user, role, range portion  as well
+     as the type (default False)
++    nthreads -- The number of threads to use during relabeling, or 0 to use as many
++    threads as there are online CPU cores (default 1)
+     """
+ 
+     restorecon_flags = SELINUX_RESTORECON_IGNORE_DIGEST | SELINUX_RESTORECON_REALPATH
+@@ -41,7 +43,7 @@ def restorecon(path, recursive=False, verbose=False, force=False):
+         restorecon_flags |= SELINUX_RESTORECON_VERBOSE
+     if force:
+         restorecon_flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX
+-    selinux_restorecon(os.path.expanduser(path), restorecon_flags)
++    selinux_restorecon_parallel(os.path.expanduser(path), restorecon_flags, nthreads)
+ 
+ def chcon(path, context, recursive=False):
+     """ Set the SELinux context on a given path """
+diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
+index 237ea69ad5f5..a02f4923a1e7 100644
+--- a/libselinux/src/selinuxswig_python_exception.i
++++ b/libselinux/src/selinuxswig_python_exception.i
+@@ -1183,6 +1183,14 @@
+   }
+ }
+ 
++%exception selinux_restorecon_parallel {
++  $action
++  if (result < 0) {
++     PyErr_SetFromErrno(PyExc_OSError);
++     SWIG_fail;
++  }
++}
++
+ %exception selinux_restorecon_set_alt_rootpath {
+   $action
+   if (result < 0) {
+-- 
+2.33.1
+
diff --git a/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch b/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
new file mode 100644
index 0000000..a8ce120
--- /dev/null
+++ b/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
@@ -0,0 +1,29 @@
+From 9456297275987dedefe2e8ad508360be9d9f9e7f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 23 Nov 2021 11:31:08 +0100
+Subject: [PATCH] libselinux: Fix selinux_restorecon_parallel symbol version
+
+selinux_restorecon_parallel was originally proposed before 3.3, but it
+was merged after release so it will be introduced in version 3.4.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/libselinux.map | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
+index d138e951ef0d..4acf1caacb55 100644
+--- a/libselinux/src/libselinux.map
++++ b/libselinux/src/libselinux.map
+@@ -241,7 +241,7 @@ LIBSELINUX_1.0 {
+     *;
+ };
+ 
+-LIBSELINUX_3.3 {
++LIBSELINUX_3.4 {
+   global:
+     selinux_restorecon_parallel;
+ } LIBSELINUX_1.0;
+-- 
+2.33.1
+
diff --git a/SOURCES/selinuxconlist.8 b/SOURCES/selinuxconlist.8
new file mode 100644
index 0000000..c698daa
--- /dev/null
+++ b/SOURCES/selinuxconlist.8
@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)
diff --git a/SOURCES/selinuxdefcon.8 b/SOURCES/selinuxdefcon.8
new file mode 100644
index 0000000..3cbeff2
--- /dev/null
+++ b/SOURCES/selinuxdefcon.8
@@ -0,0 +1,24 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- report default SELinux context for user 
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user fromcon
+
+.SH "DESCRIPTION"
+.B selinuxdefcon
+reports the default context for the specified user from the specified context
+
+.B \-l level
+mcs/mls level
+
+.SH EXAMPLE
+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
new file mode 100644
index 0000000..0b26d37
--- /dev/null
+++ b/SPECS/libselinux.spec
@@ -0,0 +1,2818 @@
+%define ruby_inc %(pkg-config --cflags ruby)
+%define libsepolver 3.3-1
+
+Summary: SELinux library and simple utilities
+Name: libselinux
+Version: 3.3
+Release: 2%{?dist}
+License: Public Domain
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
+Url: https://github.com/SELinuxProject/selinux/wiki
+# $ git clone https://github.com/fedora-selinux/selinux.git
+# $ cd selinux
+# $ git format-patch -N 3.3 -- libselinux
+# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# Patch list start
+Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
+Patch0002: 0002-label_file-fix-a-data-race.patch
+Patch0003: 0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
+Patch0004: 0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
+Patch0005: 0005-libselinux-make-selinux_log-thread-safe.patch
+Patch0006: 0006-libselinux-make-is_context_customizable-thread-safe.patch
+Patch0007: 0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
+Patch0008: 0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
+Patch0009: 0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
+# Patch list end
+BuildRequires: gcc make
+BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
+BuildRequires: python3 python3-devel
+BuildRequires: systemd
+Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
+Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
+
+%description
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux.  The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement®, Role-based Access
+Control, and Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions.  Required for any applications that use the SELinux API.
+
+%package utils
+Summary: SELinux libselinux utilities
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description utils
+The libselinux-utils package contains the utilities
+
+%package -n python3-libselinux
+Summary: SELinux python 3 bindings for libselinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%{?python_provide:%python_provide python3-libselinux}
+# Remove before F30
+Provides: %{name}-python3 = %{version}-%{release}
+Provides: %{name}-python3%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python3 < %{version}-%{release}
+
+%description -n python3-libselinux
+The libselinux-python3 package contains python 3 bindings for developing
+SELinux applications. 
+
+%package ruby
+Summary: SELinux ruby bindings for libselinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Provides: ruby(selinux)
+
+%description ruby
+The libselinux-ruby package contains the ruby bindings for developing 
+SELinux applications. 
+
+%package devel
+Summary: Header files and libraries used to build SELinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libsepol-devel%{?_isa} >= %{libsepolver}
+
+%description devel
+The libselinux-devel package contains the libraries and header files
+needed for developing SELinux applications. 
+
+%package static
+Summary: Static libraries used to build SELinux
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The libselinux-static package contains the static libraries
+needed for developing SELinux applications. 
+
+%prep
+%autosetup -p 2 -n libselinux-%{version}
+
+%build
+export DISABLE_RPM="y"
+export USE_PCRE2="y"
+
+%set_build_flags
+CFLAGS="$CFLAGS -fno-semantic-interposition"
+
+# To support building the Python wrapper against multiple Python runtimes
+# Define a function, for how to perform a "build" of the python wrapper against
+# a specific runtime:
+BuildPythonWrapper() {
+  BinaryName=$1
+
+  # Perform the build from the upstream Makefile:
+  %make_build \
+    PYTHON=$BinaryName \
+    LIBDIR="%{_libdir}" \
+    pywrap
+}
+
+%make_build LIBDIR="%{_libdir}" swigify
+%make_build LIBDIR="%{_libdir}" all
+
+BuildPythonWrapper %{__python3}
+
+%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
+
+%install
+InstallPythonWrapper() {
+  BinaryName=$1
+
+  make \
+    PYTHON=$BinaryName \
+    DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
+    SHLIBDIR="%{_lib}" BINDIR="%{_bindir}" \
+    SBINDIR="%{_sbindir}" \
+    LIBSEPOLA="%{_libdir}/libsepol.a" \
+    install-pywrap
+}
+
+rm -rf %{buildroot}
+mkdir -p %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_includedir}
+mkdir -p %{buildroot}%{_sbindir}
+install -d -m 0755 %{buildroot}%{_rundir}/setrans
+echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
+
+InstallPythonWrapper %{__python3}
+
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
+make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
+
+# Nuke the files we don't want to distribute
+rm -f %{buildroot}%{_sbindir}/compute_*
+rm -f %{buildroot}%{_sbindir}/deftype
+rm -f %{buildroot}%{_sbindir}/execcon
+rm -f %{buildroot}%{_sbindir}/getenforcemode
+rm -f %{buildroot}%{_sbindir}/getfilecon
+rm -f %{buildroot}%{_sbindir}/getpidcon
+rm -f %{buildroot}%{_sbindir}/mkdircon
+rm -f %{buildroot}%{_sbindir}/policyvers
+rm -f %{buildroot}%{_sbindir}/setfilecon
+rm -f %{buildroot}%{_sbindir}/selinuxconfig
+rm -f %{buildroot}%{_sbindir}/selinuxdisable
+rm -f %{buildroot}%{_sbindir}/getseuser
+rm -f %{buildroot}%{_sbindir}/togglesebool
+rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
+mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
+mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
+rm -f %{buildroot}%{_mandir}/man8/togglesebool*
+
+%ldconfig_scriptlets
+
+%files
+%license LICENSE
+%{_libdir}/libselinux.so.*
+%dir %{_rundir}/setrans/
+%{_tmpfilesdir}/libselinux.conf
+
+%files utils
+%{_sbindir}/avcstat
+%{_sbindir}/getenforce
+%{_sbindir}/getsebool
+%{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
+%{_sbindir}/selinuxconlist
+%{_sbindir}/selinuxdefcon
+%{_sbindir}/selinuxexeccon
+%{_sbindir}/selinuxenabled
+%{_sbindir}/setenforce
+%{_sbindir}/selabel_digest
+%{_sbindir}/selabel_lookup
+%{_sbindir}/selabel_lookup_best_match
+%{_sbindir}/selabel_partial_match
+%{_sbindir}/selinux_check_access
+%{_sbindir}/selabel_get_digests_all_partial_matches
+%{_sbindir}/validatetrans
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+%{_mandir}/ru/man5/*
+%{_mandir}/ru/man8/*
+
+%files devel
+%{_libdir}/libselinux.so
+%{_libdir}/pkgconfig/libselinux.pc
+%{_includedir}/selinux/
+%{_mandir}/man3/*
+
+%files static
+%{_libdir}/libselinux.a
+
+%files -n python3-libselinux
+%{python3_sitearch}/selinux/
+%{python3_sitearch}/selinux-%{version}*
+%{python3_sitearch}/_selinux*
+
+%files ruby
+%{ruby_vendorarchdir}/selinux.so
+
+%changelog
+* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
+- Introduce selinux_restorecon_parallel(3)
+
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Fri Oct  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
+- Rebase on upstream commit 32611aea6543
+
+* Fri Jun 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
+- Use SHA-2 instead of SHA-1 (#1934964)
+
+* Tue May 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
+- selinux_check_passwd_access_internal(): respect deny_unknown
+- Silence -Wstringop-overflow warning from gcc 10.3.1
+- Fixed misc compiler and static analyzer findings
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar  8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Fri Feb  5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
+* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
+- F-34: rebuild against ruby 3.0
+
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- selinux(8): explain that runtime disable is deprecated
+
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
+- Use libsepol.so.2
+- Convert matchpathcon to selabel_lookup()
+- Change userspace AVC setenforce and policy load messages to audit
+  format
+- Remove trailing slash on selabel_file lookups
+- Use kernel status page by default
+
+* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
+- Re-enable LTO
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+- Use -fno-semantic-interposition and more make macros
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Wed Jul  1 2020 Jeff Law <law@redhat.com> - 3.0-6
+- Disable LTO
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
+- Rebuilt for Python 3.9
+
+* Thu Mar  5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
+- Eliminate use of security_compute_user()
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
+- F-32: rebuild against ruby27
+
+* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
+- SELinux userspace 3.0 release
+
+* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.r1.1
+- SELinux userspace 3.0-rc1 release candidate
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-7
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-6
+- Rebuilt for Python 3.8
+
+* Mon Aug 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
+- Drop python2-libselinux (#1739646)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
+- Use standard build flags for Python bindings
+
+* Fri May 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
+- Use Python distutils to install SELinux python bindings
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
+* Wed Mar  6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
+- SELinux userspace 2.9-rc2 release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
+- SELinux userspace 2.9-rc1 release
+
+* Tue Jan 22 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-8
+- F-30: again rebuild against ruby26
+
+* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
+- selinux_restorecon: Skip customized files also without -v
+- Do not dereference symlink with statfs in selinux_restorecon
+
+* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-6
+- F-30: rebuild against ruby26
+
+* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
+- Fix RESOURCE_LEAK coverity scan defects
+
+* Tue Sep  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
+- Fix the whatis line for the selinux_boolean_sub.3 manpage
+- Fix line wrapping in selabel_file.5
+- Fix spelling errors in manpages
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
+- Rebuilt for Python 3.7
+
+* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
+- SELinux userspace 2.8 release
+
+* Mon May 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
+- SELinux userspace 2.8-rc3 release candidate
+
+* Fri May  4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
+- SELinux userspace 2.8-rc2 release candidate
+
+* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-13
+- build: Replace PYSITEDIR with PYTHONLIBDIR
+
+* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-12
+- Correct manpages regarding removable_context
+- build: follow standard semantics for DESTDIR and PREFIX
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-11
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-9
+- Switch to %%ldconfig_scriptlets
+
+* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.7-8
+- Update Python 2 dependency declarations to new packaging standards
+  (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Jan 05 2018 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7-7
+- F-28: rebuild for ruby25
+
+* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-6
+- Rebuild with libsepol-2.7-3
+
+* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
+- Drop golang bindings
+- Add support for pcre2 to pkgconfig definition
+
+* Wed Sep 27 2017 Petr Šabata <contyk@redhat.com> - 2.7-4
+- Enable the python3 subpackages on EL
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-3
+- Also add Provides for the old name without %%_isa
+
+* Thu Aug 10 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-2
+- Python 2 binary package renamed to python2-libselinux
+  See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+- Python 3 binary package renamed to python3-libselinux
+
+* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
+- Update to upstream release 2017-08-04
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sat Jul 29 2017 Florian Weimer <fweimer@redhat.com> - 2.6-9
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Fri Jul 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-8
+- Always unmount selinuxfs for SELINUX=disabled
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Apr 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-6
+- Don't finalize mount state in selinux_set_policy_root()
+- Follow upstream and rename _selinux.so to _selinux.cpython-36m-x86_64-linux-gnu.so
+
+* Thu Apr 06 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-5
+- Fix setfiles progress indicator
+
+* Wed Mar 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-4
+- Fix segfault in selinux_restorecon_sb() (#1433577)
+- Change matchpathcon usage to match with matchpathcon manpage
+- Fix a corner case getsebool return value
+
+* Tue Mar 14 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
+- Fix 'semanage boolean -m' to modify active value
+
+* Thu Mar 02 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
+- Fix FTBFS - fatal error (#1427902)
+
+* Sun Feb 12 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
+- Update to upstream release 2016-10-14
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Feb 01 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.5-17
+- Add missing %%license macro
+
+* Fri Jan 13 2017 Vít Ondruch <vondruch@redhat.com> - 2.5-16
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.4
+
+* Wed Jan 11 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-15
+- Rewrite restorecon() python method
+
+* Fri Dec 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.5-14
+- Rebuild for Python 3.6
+
+* Tue Nov 22 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-13
+- Fix pointer handling in realpath_not_final (#1376598)
+
+* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-12
+- Fix -Wsign-compare warnings
+- Drop unused stdio_ext.h header file
+- Kill logging check for selinux_enabled()
+- Drop usage of _D_ALLOC_NAMLEN
+- Add openrc_contexts functions
+- Fix redefinition of XATTR_NAME_SELINUX
+- Correct error path to always try text
+- Clean up process_file()
+- Handle NULL pcre study data
+- Fix in tree compilation of utils that depend on libsepol
+
+* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-11
+- Rebuilt with libsepol-2.5-9
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-10
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-9
+- Clarify is_selinux_mls_enabled() description
+- Explain how to free policy type from selinux_getpolicytype()
+- Compare absolute pathname in matchpathcon -V
+- Add selinux_snapperd_contexts_path()
+
+* Fri Jun 24 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8
+- Move _selinux.so to /usr/lib64/python*/site-packages
+
+* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
+- Modify audit2why analyze function to use loaded policy
+- Sort object files for deterministic linking order
+- Respect CC and PKG_CONFIG environment variable
+- Avoid mounting /proc outside of selinux_init_load_policy()
+
+* Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
+- Fix multiple spelling errors
+
+* Mon May 02 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
+- Rebuilt with libsepol-2.5-5
+
+* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
+- Fix typo in sefcontext_compile.8
+
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix location of selinuxfs mount point
+- Only mount /proc if necessary
+- procattr: return einval for <= 0 pid args
+- procattr: return error on invalid pid_t input
+
+* Sat Feb 27 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
+- Use fully versioned arch-specific requires
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
+* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
+- Update to upstream rc1 release 2016-01-07
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jan 12 2016 Vít Ondruch <vondruch@redhat.com> - 2.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.3
+
+* Thu Dec 10 2015 Petr Lautrbach <plautrba@redhat.com> - 2.4-6
+- Build libselinux without rpm_execcon() (#1284019)
+
+* Thu Oct 15 2015 Robert Kuska <rkuska@redhat.com> - 2.4-5
+- Rebuilt for Python3.5 rebuild
+
+* Wed Sep 30 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-4
+- Flush the class/perm string mapping cache on policy reload (#1264051)
+- Fix restorecon when path has no context
+
+* Wed Sep 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-3
+- Simplify procattr cache (#1257157,#1232371)
+
+* Fri Aug 14 2015 Adam Jackson <ajax@redhat.com> 2.4-2
+- Export ldflags into the build so hardening works
+
+* Tue Jul 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-1.1
+- Update to 2.4 release
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 12 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-10
+- is_selinux_enabled: Add /etc/selinux/config test (#1219045)
+- matchpathcon/selabel_file: Fix man pages (#1219718)
+
+* Thu Apr 23 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-9
+- revert support for policy compressed with xv (#1185266)
+
+* Tue Apr 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-8
+- selinux.py - use os.walk() instead of os.path.walk() (#1195004)
+- is_selinux_enabled(): drop no-policy-loaded test (#1195074)
+- fix -Wformat errors and remove deprecated mudflap option
+
+* Mon Mar 16 2015 Than Ngo <than@redhat.com> - 2.3-7
+- bump release and rebuild so that koji-shadow can rebuild it
+  against new gcc on secondary arch
+
+* Mon Jan 19 2015 Vít Ondruch <vondruch@redhat.com> - 2.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.2
+
+* Thu Aug 21 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-5
+- Compiled file context files and the original should have the same permissions from dwalsh@redhat.com
+- Add selinux_openssh_contexts_path() to get a path to /contexts/openssh_contexts
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember <kalevlember@gmail.com> - 2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
+- Update to upstream 
+	* Get rid of security_context_t and fix const declarations.
+	* Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
+
+* Tue May 6 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.2-8
+- Add selinux_openssh_contexts_path()
+
+* Thu Apr 24 2014 Vít Ondruch <vondruch@redhat.com> - 2.2.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.1
+
+* Mon Feb 24 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-6
+- Fix spelling mistake in man page
+
+* Thu Feb 20 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-5
+- More go bindings
+-   restorecon, getpidcon, setexeccon
+
+* Fri Feb 14 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-4
+- Add additional go bindings for get*con calls
+- Add go bindings test command
+- Modify man pages of set*con calls to mention that they are thread specific
+
+* Fri Jan 24 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-3
+- Move selinux.go to /usr/lib64/golang/src/pkg/github.com/selinux/selinux.go
+- Add Int_to_mcs function to generate MCS labels from integers.
+
+* Tue Jan 14 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-2
+- Add ghost flag for /var/run/setrans
+
+* Mon Jan 6 2014 Dan Walsh <dwalsh@redhat.com>  - 2.2.2-1
+- Update to upstream 
+      * Fix userspace AVC handling of per-domain permissive mode.
+- Verify context is not null when passed into *setfilecon_raw
+
+* Fri Dec 27 2013 Adam Williamson <awilliam@redhat.com> - 2.2.1-6
+- revert unexplained change to rhat.patch which broke SELinux disablement
+
+* Mon Dec 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-5
+- Verify context is not null when passed into lsetfilecon_raw
+
+* Wed Dec 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-4
+- Mv selinux.go to /usr/share/gocode/src/selinux
+
+* Tue Dec 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-3
+- Add golang support to selinux.
+
+* Thu Dec 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-2
+- Remove togglesebool man page
+
+* Mon Nov 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-1
+- Update to upstream 
+	* Remove -lpthread from pkg-config file; it is not required.
+- Add support for policy compressed with xv
+
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
+- Update to upstream 
+	* Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
+	* Support overriding Makefile RANLIB from Sven Vermeulen.
+	* Update pkgconfig definition from Sven Vermeulen.
+	* Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
+	* Fix man pages from Laurent Bigonville.
+	* Support overriding PATH  and LIBBASE in Makefiles from Laurent Bigonville.
+	* Fix LDFLAGS usage from Laurent Bigonville
+	* Avoid shadowing stat in load_mmap from Joe MacDonald.
+	* Support building on older PCRE libraries from Joe MacDonald.
+	* Fix handling of temporary file in sefcontext_compile from Dan Walsh.
+	* Fix procattr cache from Dan Walsh.
+	* Define python constants for getenforce result from Dan Walsh.
+	* Fix label substitution handling of / from Dan Walsh.
+	* Add selinux_current_policy_path from Dan Walsh.
+	* Change get_context_list to only return good matches from Dan Walsh.
+	* Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
+	* Add support for local substitutions from Dan Walsh.
+	* Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
+	* Python wrapper leak fixes from Dan Walsh.
+	* Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
+	* Add selinux_systemd_contexts_path from Dan Walsh.
+	* Add selinux_set_policy_root from Dan Walsh.
+	* Add man page for sefcontext_compile from Dan Walsh.
+
+* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-21
+- Add systemd_contexts support
+- Do substitutions on a local sub followed by a dist sub
+
+* Thu Oct 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-20
+- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek 
+Resolves #1013801
+
+* Mon Sep 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-19
+- Fix handling of libselinux getconlist with only one entry
+
+* Tue Sep 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-17
+- Add Python constants for SELinux enforcing modes
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.13-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-16
+- Add sefcontext_compile.8  man page
+- Add Russell Coker  patch to fix man pages
+- Add patches from Laurent Bigonville to fix Makefiles for debian.
+- modify spec file to use %%{_prefix}/lib
+
+* Mon May 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-15
+- Fix patch that Handles substitutions for /
+
+* Wed Apr 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-14
+- Handle substitutions for /
+- semanage fcontext -a -e  / /opt/rh/devtoolset-2/root
+
+* Tue Apr 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-13
+- Add Eric Paris patch to fix procattr calls after a fork.
+
+* Tue Mar 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-12
+- Move secolor.conf.5 into mcstrans package and out of libselinux 
+
+* Wed Mar 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-11
+- Fix python bindings for selinux_check_access
+
+* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-10
+- Fix reseting the policy root in matchpathcon
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-9
+- Cleanup setfcontext_compile atomic patch
+- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
+- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-8
+- Make setfcontext_compile atomic
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-7
+- Fix memory leak in set*con calls.
+
+* Thu Feb 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-6
+- Move matchpathcon to -utils package
+- Remove togglesebool
+
+* Thu Feb 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-5
+- Fix selinux man page to reflect what current selinux policy is.
+
+* Fri Feb 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-4
+- Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files.
+
+* Fri Feb 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-3
+- Bring back selinux_current_policy_path
+
+* Thu Feb 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-2
+- Revert some changes which are causing the wrong policy version file to be created
+
+* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-1
+- Update to upstream 
+        * audit2why: make sure path is nul terminated
+        * utils: new file context regex compiler
+        * label_file: use precompiled filecontext when possible
+        * do not leak mmapfd
+        * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
+        * man: make selinux.8 mention service man pages
+        * audit2why: Fix segfault if finish() called twice
+        * audit2why: do not leak on multiple init() calls
+        * mode_to_security_class: interface to translate a mode_t in to a security class
+        * audit2why: Cleanup audit2why analysys function
+        * man: Fix program synopsis and function prototypes in man pages
+        * man: Fix man pages formatting
+        * man: Fix typo in man page
+        * man: Add references and man page links to _raw function variants
+        * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
+        * man: context_new(3): fix the return value description
+        * selinux_status_open: handle error from sysconf
+        * selinux_status_open: do not leak statusfd on exec
+        * Fix errors found by coverity
+        * Change boooleans.subs to booleans.subs_dist.
+        * optimize set*con functions
+        * pkg-config do not specifc ruby version
+        * unmap file contexts on selabel_close()
+        * do not leak file contexts with mmap'd backend
+        * sefcontext_compile: do not leak fd on error
+        * matchmediacon: do not leak fd 
+        * src/label_android_property: do not leak fd on error
+
+* Sun Jan 27 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
+- Update to latest patches from eparis/Upstream
+
+* Fri Jan 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-19
+- Update to latest patches from eparis/Upstream
+
+* Wed Jan 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-18
+- Try procatt speedup patch again
+
+* Wed Jan 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-17
+- Roll back procattr speedups since it seems to be screwing up systemd labeling.
+
+* Tue Jan 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-16
+- Fix tid handling for setfscreatecon, old patch still broken in libvirt
+
+* Wed Jan 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-15
+- Fix tid handling for setfscreatecon, old patch still broken in libvirt
+
+* Mon Jan 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-14
+- setfscreatecon after fork was broken by the Set*con patch.
+- We needed to reset the thread variables after a fork.
+
+* Thu Jan 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-13
+- Fix setfscreatecon call to handle failure mode, which was breaking udev
+
+* Wed Jan 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-12
+- Ondrej Oprala patch to optimize set*con functions
+-    Set*con now caches the security context and only re-sets it if it changes.
+
+* Tue Jan 8 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-11
+- Rebuild against latest libsepol
+
+* Fri Jan 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-10
+- Update to latest patches from eparis/Upstream
+-    Fix errors found by coverity
+-    set the sepol_compute_av_reason_buffer flag to 0.  This means calculate denials only?
+-    audit2why: remove a useless policy vers variable
+-    audit2why: use the new constraint information
+
+* Mon Nov 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-9
+- Rebuild with latest libsepol
+
+* Fri Nov 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-8
+- Return EPERM if login program can not reach default label for user
+- Attempt to return container info from audit2why
+
+* Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7
+- Apply patch from eparis to fix leaked file descriptor in new labeling code
+
+* Fri Oct 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
+- Rebuild with fixed libsepol
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
+- Update to upstream 
+	* Add support for lxc_contexts_path
+	* utils: add service to getdefaultcon
+	* libsemanage: do not set soname needlessly
+	* libsemanage: remove PYTHONLIBDIR and ruby equivalent
+	* boolean name equivalency
+	* getsebool: support boolean name substitution
+	* Add man page for new selinux_boolean_sub function.
+	* expose selinux_boolean_sub
+	* matchpathcon: add -m option to force file type check
+	* utils: avcstat: clear sa_mask set
+	* seusers: Check for strchr failure
+	* booleans: initialize pointer to silence coveriety
+	* stop messages when SELinux disabled
+	* label_file: use PCRE instead of glibc regex functions
+	* label_file: remove all typedefs
+	* label_file: move definitions to include file
+	* label_file: do string to mode_t conversion in a helper function
+	* label_file: move error reporting back into caller
+	* label_file: move stem/spec handling to header
+	* label_file: drop useless ncomp field from label_file data
+	* label_file: move spec_hasMetaChars to header
+	* label_file: fix potential read past buffer in spec_hasMetaChars
+	* label_file: move regex sorting to the header
+	* label_file: add accessors for the pcre extra data
+	* label_file: only run regex files one time
+	* label_file: new process_file function
+	* label_file: break up find_stem_from_spec
+	* label_file: struct reorg
+	* label_file: only run array once when sorting
+	* Ensure that we only close the selinux netlink socket once.
+	* improve the file_contexts.5 manual page
+
+* Fri Aug 03 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.11-6
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Wed Aug  1 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.11-5
+- make with_python3 be conditional on fedora
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
+- Move the tmpfiles.d content from /etc/tmpfiles.d to /usr/lib/tmpfiles.d
+
+* Fri Jul 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
+- Revert Eric Paris Patch for selinux_binary_policy_path
+
+* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
+- Update to upstream 
+	* Fortify source now requires all code to be compiled with -O flag
+	* asprintf return code must be checked
+	* avc_netlink_recieve handle EINTR
+	* audit2why: silence -Wmissing-prototypes warning
+	* libsemanage: remove build warning when build swig c files
+	* matchpathcon: bad handling of symlinks in /
+	* seusers: remove unused lineno
+	* seusers: getseuser: gracefully handle NULL service
+	* New Android property labeling backend
+	* label_android_property whitespace cleanups
+	* additional makefile support for rubywrap
+
+* Mon Jun 11 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-5
+- Fix booleans.subs name, change function name to selinux_boolean_sub, 
+  add man page, minor fixes to the function
+
+* Fri May 25 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
+- Fix to compile with Fortify source
+      * Add -O compiler flag
+      * Check return code from asprintf
+- Fix handling of symbolic links in / by realpath_not_final
+
+* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
+- Add support for lxc contexts file
+
+* Fri Mar 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-2
+- Add support fot boolean subs file
+
+* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
+- Update to upstream 
+	* Fix dead links to www.nsa.gov/selinux
+	* Remove jump over variable declaration
+	* Fix old style function definitions
+	* Fix const-correctness
+	* Remove unused flush_class_cache method
+	* Add prototype decl for destructor
+	* Add more printf format annotations
+	* Add printf format attribute annotation to die() method
+	* Fix const-ness of parameters & make usage() methods static
+	* Enable many more gcc warnings for libselinux/src/ builds
+	* utils: Enable many more gcc warnings for libselinux/utils builds
+	* Change annotation on include/selinux/avc.h to avoid upsetting SWIG
+	* Ensure there is a prototype for 'matchpathcon_lib_destructor'
+	* Update Makefiles to handle /usrmove
+	* utils: Stop separating out matchpathcon as something special
+	* pkg-config to figure out where ruby include files are located
+	* build with either ruby 1.9 or ruby 1.8
+	* assert if avc_init() not called
+	* take security_deny_unknown into account
+	* security_compute_create_name(3)
+	* Do not link against python library, this is considered
+	* bad practice in debian
+	* Hide unnecessarily-exported library destructors
+
+* Thu Feb 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-9
+- Add selinux_current_policy_path to return /sys/fs/selinux/policy if it exists
+- Otherwise search for policy on disk
+
+* Wed Feb 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-8
+- Change selinux_binary_policy_path to return /sys/fs/selinux/policy
+- Add selinux_installed_policy_path to return what selinux_binary_policy_path used to return
+- avc_has_perm will now return yes if the machine is in permissive mode
+- Make work with ruby-1.9
+
+* Fri Feb 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-7
+- avc_netlink_recieve should continue to poll if it receinves an EINTR rather 
+
+* Sun Jan 29 2012 Kay Sievers <kay@redhat.com> - 2.1.9-6
+- use /sbin/ldconfig, glibc does not provide
+  /usr/sbin/ldconfig in the RPM database for now
+
+* Fri Jan 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-5
+- Rebuild with cleaned up upstream to work in /usr
+
+* Wed Jan 25 2012 Harald Hoyer <harald@redhat.com> 2.1.9-4
+- install everything in /usr
+  https://fedoraproject.org/wiki/Features/UsrMove
+
+* Mon Jan 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
+- Add Dan Berrange code cleanup patches.
+
+* Wed Jan 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
+- Fix selabal_open man page to refer to proper selinux_opt structure
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+-Update to upstream
+	* Fix setenforce man page to refer to selinux man page
+	* Cleanup Man pages
+	* merge freecon with getcon man page
+
+* Mon Dec 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
+- Add patch from Richard Haines
+      When selabel_lookup found an invalid context with validation enabled, it
+      always stated it was 'file_contexts' whether media, x, db or file.
+      The fix is to store the spec file name in the selabel_lookup_rec on
+      selabel_open and use this as output for logs. Also a minor fix if key is
+      NULL to stop seg faults.
+- Fix setenforce manage page.
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
+- Rebuild with new libsepol
+
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-2
+- Fix setenforce man page, from Miroslav Grepl
+
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+- Upgrade to upstream
+	* selinuxswig_python.i: don't make syscall if it won't change anything
+	* Remove assert in security_get_boolean_names(3)
+	* Mapped compute functions now obey deny_unknown flag
+	* get_default_type now sets EINVAL if no entry.
+	* return EINVAL if invalid role selected
+	* Updated selabel_file(5) man page
+	* Updated selabel_db(5) man page
+	* Updated selabel_media(5) man page
+	* Updated selabel_x(5) man page
+	* Add man/man5 man pages
+	* Add man/man5 man pages
+	* Add man/man5 man pages
+	* use -W and -Werror in utils
+
+* Tue Nov 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
+- Change python binding for restorecon to check if the context matches.
+- If it does do not reset
+
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
+- Upgrade to upstream
+	* Makefiles: syntax, convert all ${VAR} to $(VAR)
+	* load_policy: handle selinux=0 and /sys/fs/selinux not exist
+	* regenerate .pc on VERSION change
+	* label: cosmetic cleanups
+	* simple interface for access checks
+	* Don't reinitialize avc_init if it has been called previously
+	* seusers: fix to handle large sets of groups
+	* audit2why: close fd on enomem
+	* rename and export symlink_realpath
+	* label_file: style changes to make Eric happy.
+
+* Mon Oct 24 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-4
+- Apply libselinux patch to handle large groups in seusers.
+
+* Wed Oct 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-3
+- Add selinux_check_access function. Needed for passwd, chfn, chsh
+
+* Thu Sep 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
+- Handle situation where selinux=0 passed to the kernel and both /selinux and 
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
+-Update to upstream
+	* utils: matchpathcon: remove duplicate declaration
+	* src: matchpathcon: use myprintf not fprintf
+	* src: matchpathcon: make sure resolved path starts
+	* put libselinux.so.1 in /lib not /usr/lib
+	* tree: default make target to all not
+
+* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-5
+- Switch to use ":" as prefix separator rather then ";"
+
+* Thu Sep  8 2011 Ville Skyttä <ville.skytta@iki.fi> - 2.1.5-4
+- Avoid unnecessary shell invocation in %%post.
+
+* Tue Sep 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-3
+- Fix handling of subset labeling that is causing segfault in restorecon
+
+* Fri Sep 2 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
+- Change matchpathcon_init_prefix and selabel_open to allow multiple initial 
+prefixes.  Now you can specify a ";" separated list of prefixes and the 
+labeling system will only load regular expressions that match these prefixes.
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
+- Change matchpatcon to use proper myprintf
+- Fix symlink_realpath to always include "/"
+- Update to upstream
+	* selinux_file_context_verify function returns wrong value.
+	* move realpath helper to matchpathcon library
+	* python wrapper makefile changes
+
+* Mon Aug 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
+- Move to new Makefile that can build with or without PYTHON being set
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-1
+-Update to upstream
+2.1.4 2011-0817
+	* mapping fix for invalid class/perms after selinux_set_mapping
+	* audit2why: work around python bug not defining
+	* resolv symlinks and dot directories before matching
+
+2.1.2 2011-0803
+	* audit2allow: do not print statistics
+	* make python bindings for restorecon work on relative path
+	* fix python audit2why binding error
+	* support new python3 functions
+	* do not check fcontext duplicates on use
+	* Patch for python3 for libselinux
+
+2.1.1 2011-08-02
+	* move .gitignore into utils
+	* new setexecon utility
+	* selabel_open fix processing of substitution files
+	* mountpoint changing patch.
+	* simplify SRCS in Makefile
+
+2.1.1 2011-08-01
+	* Remove generated files, introduce more .gitignore
+
+
+
+* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
+-Update to upstream
+	* Release, minor version bump
+	* Give correct names to mount points in load_policy by Dan Walsh.
+	* Make sure selinux state is reported correctly if selinux is disabled or
+	fails to load by Dan Walsh.
+	* Fix crash if selinux_key_create was never called by Dan Walsh.
+	* Add new file_context.subs_dist for distro specific filecon substitutions
+	by Dan Walsh.
+	* Update man pages for selinux_color_* functions by Richard Haines.
+
+* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-6
+- Only call dups check within selabel/matchpathcon if you are validating the 
+context
+- This seems to speed the loading of labels by 4 times.
+
+* Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-5
+- Move /selinux to /sys/fs/selinux
+- Add selinuxexeccon
+- Add realpath to matchpathcon to handle matchpathcon * type queries.
+
+* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-4
+- Update for latest libsepol
+
+* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-3
+- Update for latest libsepol
+
+* Wed Apr 13 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-2
+- Fix restorecon python binding to accept relative paths
+
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-1
+-Update to upstream
+	* Give correct names to mount points in load_policy by Dan Walsh.
+	* Make sure selinux state is reported correctly if selinux is disabled or
+	fails to load by Dan Walsh.
+	* Fix crash if selinux_key_create was never called by Dan Walsh.
+	* Add new file_context.subs_dist for distro specific filecon substitutions
+	by Dan Walsh.
+	* Update man pages for selinux_color_* functions by Richard Haines.
+
+* Wed Apr 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
+- Clean up patch to make handling of constructor  cleanup more portable
+  * db_language object class support for selabel_lookup from KaiGai Kohei.
+  * Library destructors for thread local storage keys from Eamon Walsh.
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-5
+- Add distribution subs path
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-4
+Add patch from dbhole@redhat.com to initialize thread keys to -1
+Errors were being seen in libpthread/libdl that were related
+to corrupt thread specific keys. Global destructors that are called on dl 
+unload. During destruction delete a thread specific key without checking 
+if it has been initialized. Since the constructor is not called each time 
+(i.e. key is not initialized with pthread_key_create each time), and the 
+default is 0, there is a possibility that key 0 for an active thread gets 
+deleted. This is exactly what is happening in case of OpenJDK.
+
+Workaround patch that initializes the key to -1. Thus if the constructor is not
+called, the destructor tries to delete key -1 which is deemed invalid by 
+pthread_key_delete, and is ignored.
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-3
+- Call fini_selinuxmnt if selinux is disabled, to cause is_selinux_disabled() to report correct data
+
+* Fri Apr 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-2
+- Change mount source options to use "proc" and "selinuxfs"
+
+* Tue Mar 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-1
+- Update to upstream
+  * Turn off default user handling when computing user contexts by Dan Walsh
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.98-3
+- Fixup selinux man page
+
+* Tue Jan 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.98-2
+- Fix Makefile to use pkg-config --cflags python3 to discover include paths
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.98-1
+- Update to upstream 
+  - Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list
+
+* Mon Dec 6 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.97-1
+- Update to upstream 
+	* Thread local storage fixes from Eamon Walsh.
+
+* Sat Dec 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
+- Add /etc/tmpfiles.d support for /var/run/setrans
+
+* Wed Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
+- Ghost /var/run/setrans
+
+* Wed Sep 29 2010 jkeating - 2.0.96-7
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 16 2010 Adam Tkac <atkac redhat com> - 2.0.96-6
+- rebuild via updated swig (#624674)
+
+* Sun Aug 22 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-5
+- Update for python 3.2a1
+
+* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-4
+- Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list
+
+* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.96-3
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Fri Jun 25 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-2
+- Turn off messages in audit2why
+
+* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-1
+- Update to upstream 
+	* Add const qualifiers to public API where appropriate by KaiGai Kohei.
+
+2.0.95 2010-06-10
+	* Remove duplicate slashes in paths in selabel_lookup from Chad Sellers
+	* Adds a chcon method to the libselinux python bindings from Steve Lawrence
+- add python3 subpackage from David Malcolm 
+
+* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1
+* Set errno=EINVAL for invalid contexts from Dan Walsh.
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
+- Update to upstream 
+	* Show strerror for security_getenforce() by Colin Waters.
+	* Merged selabel database support by KaiGai Kohei.
+	* Modify netlink socket blocking code by KaiGai Kohei.
+
+* Sun Mar 7 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.92-1
+- Update to upstream 
+	* Fix from Eric Paris to fix leak on non-selinux systems.
+	* regenerate swig wrappers
+	* pkgconfig fix to respect LIBDIR from Dan Walsh.
+
+* Wed Feb 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.91-1
+- Update to upstream 
+	* Change the AVC to only audit the permissions specified by the
+	policy, excluding any permissions specified via dontaudit or not
+	specified via auditallow.
+	* Fix compilation of label_file.c with latest glibc headers.
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-5
+- Fix potential doublefree on init
+
+* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-4
+- Fix libselinux.pc
+
+* Mon Jan 18 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-3
+- Fix man page for selinuxdefcon
+
+* Mon Jan 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-2
+- Free memory on disabled selinux boxes
+
+* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.90-1
+- Update to upstream 
+	* add/reformat man pages by Guido Trentalancia <guido@trentalancia.com>.
+	* Change exception.sh to be called with bash by Manoj Srivastava <srivasta@debian.org>
+
+* Mon Nov 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.89-2
+- Fix selinuxdefcon man page
+
+* Mon Nov 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.89-1
+- Update to upstream 
+	* Add pkgconfig file from Eamon Walsh.
+
+* Thu Oct 29 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.88-1
+- Update to upstream 
+	* Rename and export selinux_reset_config()
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.87-1
+- Update to upstream 
+	* Add exception handling in libselinux from Dan Walsh. This uses a
+	  shell script called exception.sh to generate a swig interface file.
+	* make swigify
+	* Make matchpathcon print <<none>> if path not found in fcontext file.
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.86-2
+- Eliminate -pthread switch in Makefile
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.86-1
+- Update to upstream 
+	* Removal of reference counting on userspace AVC SID's.
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jul 7 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.85-1
+- Update to upstream 
+	* Reverted Tomas Mraz's fix for freeing thread local storage to avoid
+	pthread dependency.
+	* Removed fini_context_translations() altogether.
+	* Merged lazy init patch from Stephen Smalley based on original patch
+	by Steve Grubb.
+
+* Tue Jul 7 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.84-1
+- Update to upstream 
+	* Add per-service seuser support from Dan Walsh.
+	* Let load_policy gracefully handle selinuxfs being mounted from Stephen Smalley.
+	* Check /proc/filesystems before /proc/mounts for selinuxfs from Eric
+	Paris.
+
+* Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.82-2
+- Add provices ruby(selinux)
+
+* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.82-1
+- Update to upstream 
+	* Fix improper use of thread local storage from Tomas Mraz <tmraz@redhat.com>.
+	* Label substitution support from Dan Walsh.
+	* Support for labeling virtual machine images from Dan Walsh.
+
+* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.81-1
+- Update to upstream 
+	* Trim / from the end of input paths to matchpathcon from Dan Walsh.
+	* Fix leak in process_line in label_file.c from Hiroshi Shinji.
+	* Move matchpathcon to /sbin, add matchpathcon to clean target from Dan Walsh.
+	* getdefaultcon to print just the correct match and add verbose option from Dan Walsh.
+
+* Wed Apr 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.80-1
+- Update to upstream 
+	* deny_unknown wrapper function from KaiGai Kohei.
+	* security_compute_av_flags API from KaiGai Kohei.
+	* Netlink socket management and callbacks from KaiGai Kohei.
+
+* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-6
+- Fix Memory Leak
+
+* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-5
+- Fix crash in python
+
+* Sun Mar 29 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-4
+- Add back in additional interfaces
+
+* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-3
+- Add back in av_decision to python swig
+
+* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-1
+- Update to upstream 
+	* Netlink socket handoff patch from Adam Jackson.
+	* AVC caching of compute_create results by Eric Paris.
+
+* Tue Mar 10 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-5
+- Add patch from ajax to accellerate X SELinux 
+- Update eparis patch
+
+* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-4
+- Add eparis patch to accellerate Xwindows performance
+
+* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-3
+- Fix URL 
+
+* Fri Mar 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-2
+- Add substitute pattern 
+- matchpathcon output <<none>> on ENOENT
+
+* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-1
+- Update to upstream
+	* Fix incorrect conversion in discover_class code.
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.77-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-5
+- Add 
+  - selinux_virtual_domain_context_path
+  - selinux_virtual_image_context_path
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-3
+- Throw exeptions in python swig bindings on failures
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-2
+- Fix restorecon python code
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-1
+- Update to upstream
+
+* Tue Dec 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-6
+- Strip trailing / for matchpathcon
+
+* Tue Dec 16 2008 Dan Walsh <dwalsh@redhat.com>l - 2.0.76-5
+- Fix segfault if seusers file does not work
+
+* Fri Dec 12 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-4
+- Add new function getseuser which will take username and service and return
+- seuser and level.  ipa will populate file in future.
+- Change selinuxdefcon to return just the context by default
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.0.76-2
+- Rebuild for Python 2.6
+
+* Mon Nov 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-1
+- Update to Upstream
+	* Allow shell-style wildcards in x_contexts file.
+
+* Mon Nov 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.75-2
+- Eamon Walsh Patch - libselinux: allow shell-style wildcarding in X names
+- Add Restorecon/Install python functions from Luke Macken
+
+* Fri Nov 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.75-1
+- Update to Upstream
+	* Correct message types in AVC log messages.
+	* Make matchpathcon -V pass mode from Dan Walsh.
+	* Add man page for selinux_file_context_cmp from Dan Walsh.
+
+* Tue Sep 30 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.73-1
+- Update to Upstream
+	* New man pages from Dan Walsh.
+	* Update flask headers from refpolicy trunk from Dan Walsh.
+
+* Fri Sep 26 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-6
+- Fix matchpathcon -V call 
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-5
+- Add flask definitions for open, X and nlmsg_tty_audit
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-4
+- Add missing get/setkeycreatecon man pages
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-3
+- Split out utilities
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-2
+- Add missing man page links for [lf]getfilecon
+
+* Tue Aug 5 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-1
+- Update to Upstream
+	* Add group support to seusers using %%groupname syntax from Dan Walsh.
+	* Mark setrans socket close-on-exec from Stephen Smalley.
+	* Only apply nodups checking to base file contexts from Stephen Smalley.
+
+* Fri Aug 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.70-1
+- Update to Upstream
+	* Merge ruby bindings from Dan Walsh.
+- Add support for Linux groups to getseuserbyname
+
+* Fri Aug 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.69-2
+- Allow group handling in getseuser call
+
+* Tue Jul 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.69-1
+- Update to Upstream
+	* Handle duplicate file context regexes as a fatal error from Stephen Smalley.
+	  This prevents adding them via semanage.
+	* Fix audit2why shadowed variables from Stephen Smalley.
+	* Note that freecon NULL is legal in man page from Karel Zak.
+
+* Wed Jul 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-4
+- Add ruby support for puppet
+
+* Tue Jul 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-3
+- Rebuild for new libsepol
+
+* Sun Jun 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-2
+- Add Karel Zak patch for freecon man page
+
+* Sun Jun 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-1
+- Update to Upstream
+	* New and revised AVC, label, and mapping man pages from Eamon Walsh.
+	* Add swig python bindings for avc interfaces from Dan Walsh.
+
+* Sun Jun 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.65-1
+- Update to Upstream
+	* Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call matchpathcon_init_prefix if not already initialized.
+	* Add -q qualifier for -V option of matchpathcon and change it to indicate whether verification succeeded or failed via exit status.
+
+* Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-3
+- libselinux no longer neets to telnet -u in post install
+
+* Wed May 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-2
+- Add sedefaultcon and setconlist commands to dump login context
+
+* Tue Apr 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-1
+- Update to Upstream
+	* Fixed selinux_set_callback man page.
+	* Try loading the max of the kernel-supported version and the libsepol-supported version when no manipulation of the binary policy is needed from Stephen Smalley.
+	* Fix memory leaks in matchpathcon from Eamon Walsh.
+
+* Wed Apr 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-4
+- Add Xavior Toth patch for security_id_t in swig
+
+* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-3
+- Add avc.h to swig code
+
+* Wed Apr 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-2
+- Grab the latest policy for the kernel
+
+* Tue Apr 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-1
+- Update to Upstream
+	* Man page typo fix from Jim Meyering.
+
+* Sun Mar 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.60-1
+- Update to Upstream
+	* Changed selinux_init_load_policy() to not warn about a failed mount of selinuxfs if selinux was disabled in the kernel.
+
+* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.59-2
+- Fix matchpathcon memory leak
+
+* Fri Feb 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.59-1
+- Update to Upstream
+	* Merged new X label "poly_selection" namespace from Eamon Walsh.
+
+* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.58-1
+- Update to Upstream
+	* Merged reset_selinux_config() for load policy from Dan Walsh.
+
+* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.57-2
+- Reload library on loading of policy to handle chroot
+
+* Mon Feb 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.57-1
+- Update to Upstream
+	* Merged avc_has_perm() errno fix from Eamon Walsh.
+
+* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.56-1
+- Update to Upstream
+	* Regenerated Flask headers from refpolicy flask definitions.
+
+* Wed Feb 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.55-1
+- Update to Upstream
+	* Merged compute_member AVC function and manpages from Eamon Walsh.
+	* Provide more error reporting on load policy failures from Stephen Smalley.
+
+* Fri Feb 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.53-1
+- Update to Upstream
+	* Merged new X label "poly_prop" namespace from Eamon Walsh.
+
+* Wed Feb 6 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.52-1
+- Update to Upstream
+	* Disable setlocaldefs if no local boolean or users files are present from Stephen Smalley.
+	* Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen Smalley.
+
+* Tue Jan 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.50-1
+- Update to Upstream
+	* Merged fix for audit2why from Dan Walsh.
+
+* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.49-2
+- Fix audit2why to grab latest policy versus the one selected by the kernel
+
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.49-1
+* Merged audit2why python binding from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.48-1
+* Merged updated swig bindings from Dan Walsh, including typemap for pid_t.
+
+* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-4
+- Update to use libsepol-static library
+
+* Wed Jan 16 2008 Adel Gadllah <adel.gadllah@gmail.com> - 2.0.47-3
+- Move libselinux.a to -static package
+- Spec cleanups
+
+* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-2
+- Put back libselinux.a
+
+* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-1
+- Fix memory references in audit2why and change to use tuples
+- Update to Upstream
+	* Fix for the avc:  granted null message bug from Stephen Smalley.
+
+* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-6
+- Fix __init__.py specification
+
+* Tue Jan 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-5
+- Add audit2why python bindings
+
+* Tue Jan 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-4
+- Add pid_t typemap for swig bindings
+
+* Thu Jan 3 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-3
+- smp_mflag
+
+* Thu Jan 3 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-2
+- Fix spec file caused by spec review 
+
+* Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.46-1
+- Upgrade to upstream
+	* matchpathcon(8) man page update from Dan Walsh.
+
+* Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.45-1
+- Upgrade to upstream
+	* dlopen libsepol.so.1 rather than libsepol.so from Stephen Smalley.
+	* Based on a suggestion from Ulrich Drepper, defer regex compilation until we have a stem match, by Stephen Smalley.
+	*  A further optimization would be to defer regex compilation until we have a complete match of the constant prefix of the regex - TBD.
+
+* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.43-1
+- Upgrade to upstream
+	* Regenerated Flask headers from policy.
+
+* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.42-1
+- Upgrade to upstream
+	* AVC enforcing mode override patch from Eamon Walsh.
+	* Aligned attributes in AVC netlink code from Eamon Walsh.
+- Move libselinux.so back into devel package, procps has been fixed
+
+* Tue Nov 6 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.40-1
+- Upgrade to upstream
+	* Merged refactored AVC netlink code from Eamon Walsh.
+	* Merged new X label namespaces from Eamon Walsh.
+	* Bux fix and minor refactoring in string representation code.
+
+* Fri Oct 5 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.37-1
+- Upgrade to upstream
+	* Merged selinux_get_callback, avc_open, empty string mapping from Eamon Walsh.
+
+* Fri Sep 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.36-1
+- Upgrade to upstream
+	* Fix segfault resulting from missing file_contexts file.
+
+* Thu Sep 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.35-2
+- Fix segfault on missing file_context file
+
+* Wed Sep 26 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.35-1
+- Upgrade to upstream
+	* Make netlink socket close-on-exec to avoid descriptor leakage from Dan Walsh.
+	* Pass CFLAGS when using gcc for linking from Dennis Gilmore. 
+
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-3
+- Add sparc patch to from Dennis Gilmore to build on Sparc platform
+
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-2
+- Remove leaked file descriptor
+
+* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-1
+- Upgrade to latest from NSA
+	* Fix selabel option flag setting for 64-bit from Stephen Smalley.
+
+* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.33-2
+- Change matchpatcon to use syslog instead of syserror
+
+* Thu Sep 13 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.33-1
+- Upgrade to latest from NSA
+	* Re-map a getxattr return value of 0 to a getfilecon return value of -1 with errno EOPNOTSUPP from Stephen Smalley.
+	* Fall back to the compat code for security_class_to_string and security_av_perm_to_string from Stephen Smalley.
+	* Fix swig binding for rpm_execcon from James Athey.
+
+* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-4
+- Apply James Athway patch to fix rpm_execcon python binding
+
+* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-3
+- Move libselinux.so back into main package, breaks procps
+
+* Thu Aug 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-2
+- Upgrade to upstream
+	* Fix file_contexts.homedirs path from Todd Miller.
+
+* Tue Aug 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.30-2
+- Remove requirement on setransd,  Moved to selinux-policy-mls 
+
+* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.30-1
+- Move libselinux.so into devel package
+- Upgrade to upstream
+	* Fix segfault resulting from uninitialized print-callback pointer.
+	* Added x_contexts path function patch from Eamon Walsh.
+	* Fix build for EMBEDDED=y from Yuichi Nakamura.
+	* Fix markup problems in selinux man pages from Dan Walsh.
+
+* Fri Aug 3 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.29-1
+- Upgrade to upstream
+	* Updated version for stable branch.	
+	* Added x_contexts path function patch from Eamon Walsh.
+	* Fix build for EMBEDDED=y from Yuichi Nakamura.
+	* Fix markup problems in selinux man pages from Dan Walsh.
+	* Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh.
+	* Added swigify to top-level Makefile from Dan Walsh.
+	* Fix for string_to_security_class segfault on x86_64 from Stephen
+	  Smalley.
+
+* Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-3
+- Apply Steven Smalley patch to fix segfault in string_to_security_class
+
+* Wed Jul 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
+- Fix matchpathcon to set default myprintf
+
+* Mon Jul 16 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
+- Upgrade to upstream
+	* Fix for getfilecon() for zero-length contexts from Stephen Smalley.
+
+* Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-3
+- Update to match flask/access_vectors in policy
+
+* Tue Jul 10 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
+- Fix man page markup lanquage for translations
+
+* Tue Jun 26 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
+- Fix semanage segfault on x86 platform
+
+* Thu Jun 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
+- Upgrade to upstream
+	* Labeling and callback interface patches from Eamon Walsh.
+
+* Tue Jun 19 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
+- Refactored swig
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
+- Upgrade to upstream
+	* Class and permission mapping support patches from Eamon Walsh.
+	* Object class discovery support patches from Chris PeBenito.
+	* Refactoring and errno support in string representation code.
+
+* Fri Jun 1 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
+- Upgrade to upstream
+- Merged patch to reduce size of libselinux and remove need for libsepol for embedded systems from Yuichi Nakamura.
+ This patch also turns the link-time dependency on libsepol into a runtime (dlopen) dependency even in the non-embedded case.
+
+2.0.17 2007-05-31
+	* Updated Lindent script and reindented two header files.
+
+* Fri May 4 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
+- Upgrade to upstream
+	* Merged additional swig python bindings from Dan Walsh.
+	* Merged helpful message when selinuxfs mount fails patch from Dax Kelson.
+
+* Tue Apr 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
+- Upgrade to upstream
+	* Merged build fix for avc_internal.c from Joshua Brindle.
+
+* Mon Apr 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.13-2
+- Add get_context_list funcitions to swig file
+
+* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
+- Upgrade to upstream
+	* Merged rpm_execcon python binding fix, matchpathcon man page fix, and getsebool -a handling for EACCES from Dan Walsh.
+
+* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.12-2
+- Add missing interface
+
+* Wed Apr 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.12-1
+- Upgrade to upstream
+	* Merged support for getting initial contexts from James Carter.
+
+* Mon Apr 9 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.11-1
+- Upgrade to upstream
+	* Merged userspace AVC patch to follow kernel's behavior for permissive mode in caching previous denials from Eamon Walsh.
+	* Merged sidput(NULL) patch from Eamon Walsh.
+
+* Thu Apr 5 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
+- Make rpm_exec swig work
+
+* Tue Mar 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
+- Upgrade to upstream
+	* Merged class/av string conversion and avc_compute_create patch from Eamon Walsh.
+
+* Tue Mar 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
+- Upgrade to upstream
+	* Merged fix for avc.h #include's from Eamon Walsh.
+
+* Thu Mar 22 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
+- Add stdint.h to avc.h
+
+* Mon Mar 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
+- Merged patch to drop support for CACHETRANS=0 config option from Steve Grubb.
+- Merged patch to drop support for old /etc/sysconfig/selinux and
+- /etc/security policy file layout from Steve Grubb.
+
+* Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
+- Do not fail on permission denied in getsebool
+
+* Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1
+- Upgrade to upstream
+	* Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
+
+* Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
+- Upgrade to upstream
+	* Removed sending of setrans init message.
+	* Merged matchpathcon memory leak fix from Steve Grubb.
+
+* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
+- Upgrade to upstream
+	* Merged more swig initializers from Dan Walsh.
+
+* Sun Feb 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
+- Upgrade to upstream
+  * Merged patch from Todd Miller to convert int types over to C99 style.
+
+* Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
+- Merged patch from Todd Miller to remove sscanf in matchpathcon.c because
+  of the use of the non-standard format (original patch changed
+  for style).
+- Merged patch from Todd Miller to fix memory leak in matchpathcon.c.
+	
+* Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-2
+- Add context function to python to split context into 4 parts
+
+* Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-1
+- Upgrade to upstream
+	* Updated version for stable branch.	
+
+* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1
+- Upgrade to upstream
+	* Merged man page updates to make "apropos selinux" work from Dan Walsh.
+
+* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
+- Upgrade to upstream
+	* Merged getdefaultcon utility from Dan Walsh.
+
+* Mon Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-3
+- Add Ulrich NSCD__GETSERV and NSCD__SHMEMGRP for Uli
+
+* Fri Jan 12 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-2
+- Add reference to selinux man page in all man pages to make apropos work
+Resolves: # 217881
+
+* Thu Jan 11 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-1
+- Upstream wanted some minor changes, upgrading to keep api the same
+- Upgrade to upstream
+	* Merged selinux_check_securetty_context() and support from Dan Walsh.
+Resolves: #200110
+
+* Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-3
+- Cleanup patch
+
+* Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-2
+- Add securetty handling
+Resolves: #200110
+
+* Thu Jan 4 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-1
+- Upgrade to upstream
+	* Merged patch for matchpathcon utility to use file mode information
+	  when available from Dan Walsh.
+
+* Thu Dec  7 2006 Jeremy Katz <katzj@redhat.com> - 1.33.2-4
+- rebuild against python 2.5
+
+* Wed Dec 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-3
+- Fix matchpathcon to lstat files
+
+* Thu Nov 30 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-2
+- Update man page
+
+* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-1
+- Upgrade to upstream
+
+* Fri Nov 3 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
+- Add James Antill patch for login verification of MLS Levels
+-  MLS ragnes need to be checked, Eg. login/cron. This patch adds infrastructure.
+
+* Tue Oct 24 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
+- Upgrade to latest from NSA
+	* Merged updated flask definitions from Darrel Goeddel.
+ 	  This adds the context security class, and also adds
+	  the string definitions for setsockcreate and polmatch.
+
+* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
+- Upgrade to latest from NSA
+	* Updated version for release.
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.30.29-2
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Fri Sep  29 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.29-1
+- Upgrade to latest from NSA
+	* Merged av_permissions.h update from Steve Grubb,
+	  adding setsockcreate and polmatch definitions.
+
+* Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3
+- really make -devel depend on libsepol-devel
+
+* Wed Sep  27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
+- Add sgrubb patch for polmatch
+
+* Wed Sep  13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1
+- Upgrade to latest from NSA
+	* Merged patch from Steve Smalley to fix SIGPIPE in setrans_client
+
+* Tue Sep  5 2006 Jeremy Katz <katzj@redhat.com> - 1.30.27-2
+- have -devel require libsepol-devel
+
+* Thu Aug 24 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.27-1
+- Upgrade to latest from NSA
+	* Merged patch to not log avc stats upon a reset from Steve Grubb.
+	* Applied patch to revert compat_net setting upon policy load.
+	* Merged file context homedir and local path functions from
+	  Chris PeBenito.
+
+* Fri Aug 18 2006 Jesse Keating <jkeating@redhat.com> - 1.20.26-2
+- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
+  (#203001)
+
+* Sat Aug  12 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.25-1
+- Upgrade to latest from NSA
+	* Merged file context homedir and local path functions from
+	  Chris PeBenito.
+	* Rework functions that access /proc/pid/attr to access the
+	  per-thread nodes, and unify the code to simplify maintenance.
+
+* Fri Aug  11 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.24-1
+- Upgrade to latest from NSA
+	* Merged return value fix for *getfilecon() from Dan Walsh.
+	* Merged sockcreate interfaces from Eric Paris.
+
+* Wed Aug  9 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.22-2
+- Fix translation return codes to return size of buffer
+
+* Tue Aug  1 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.22-1
+- Upgrade to latest from NSA
+	* Merged no-tls-direct-seg-refs patch from Jeremy Katz.
+	* Merged netfilter_contexts support patch from Chris PeBenito.
+
+* Tue Aug  1 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.20-1
+- Upgrade to latest from NSA
+	* Merged context_*_set errno patch from Jim Meyering.
+
+* Tue Aug  1 2006 Jeremy Katz <katzj@redhat.com> - 1.30.19-5
+- only build non-fpic objects with -mno-tls-direct-seg-refs
+
+* Tue Aug  1 2006 Jeremy Katz <katzj@redhat.com> - 1.30.19-4
+- build with -mno-tls-direct-seg-refs on x86 to avoid triggering 
+  segfaults with xen (#200783)  
+
+* Mon Jul 17 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-3
+- Rebuild for new gcc
+
+* Tue Jul 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-2
+- Fix libselinux to not telinit during installs
+
+* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-1
+- Upgrade to latest from NSA
+	* Lindent.
+	* Merged {get,set}procattrcon patch set from Eric Paris.
+	* Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris.
+	* Regenerated Flask headers from refpolicy.
+	* Merged patch from Dan Walsh with:
+	  - Added selinux_file_context_{cmp,verify}.
+	  - Added selinux_lsetfilecon_default.
+	  - Delay translation of contexts in matchpathcon.
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-5
+- Yet another change to matchpathcon
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-4
+- Turn off error printing in library.  Need to compile with DEBUG to get it back
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-3
+- Fix error reporting of matchpathcon
+
+* Mon Jun 19 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-2
+- Add function to compare file context on disk versus contexts in file_contexts file.
+
+* Fri Jun 16 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-1
+- Upgrade to latest from NSA
+	* Merged patch from Dan Walsh with:
+	* Added selinux_getpolicytype() function.
+	* Modified setrans code to skip processing if !mls_enabled.
+	* Set errno in the !selinux_mnt case.
+	* Allocate large buffers from the heap, not on stack.
+	  Affects is_context_customizable, selinux_init_load_policy,
+	  and selinux_getenforcemode.
+
+* Thu Jun 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.12-2
+- Add selinux_getpolicytype()
+
+* Thu Jun 1 2006 Dan Walsh <dwalsh@redhat.com> 1.30.12-1
+- Upgrade to latest from NSA
+	* Merged !selinux_mnt checks from Ian Kent.
+
+* Thu Jun 1 2006 Dan Walsh <dwalsh@redhat.com> 1.30.11-2
+- Check for selinux_mnt == NULL
+
+* Tue May 30 2006 Dan Walsh <dwalsh@redhat.com> 1.30.11-1
+- Merged matchmediacon and trans_to_raw_context fixes from 
+  Serge Hallyn.
+
+* Fri May 26 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-4
+- Remove getseuser
+
+* Thu May 25 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-3
+- Bump requires to grab latest libsepol
+
+* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-2
+- Add BuildRequires for swig
+
+* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-1
+- Upgrade to latest from NSA
+	* Merged simple setrans client cache from Dan Walsh.
+	  Merged avcstat patch from Russell Coker.
+	* Modified selinux_mkload_policy() to also set /selinux/compat_net
+	  appropriately for the loaded policy.
+
+* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 1.30.8-1
+- More fixes for translation cache
+- Upgrade to latest from NSA
+	* Added matchpathcon_fini() function to free memory allocated by
+	  matchpathcon_init().
+
+* Wed May 17 2006 Dan Walsh <dwalsh@redhat.com> 1.30.7-2
+- Add simple cache to improve translation speed
+
+* Tue May 16 2006 Dan Walsh <dwalsh@redhat.com> 1.30.7-1
+- Upgrade to latest from NSA
+	* Merged setrans client cleanup patch from Steve Grubb.
+
+* Tue May 9 2006 Dan Walsh <dwalsh@redhat.com> 1.30.6-2
+- Add Russell's AVC patch to handle large numbers
+
+* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.6-1
+- Upgrade to latest from NSA
+	* Merged getfscreatecon man page fix from Dan Walsh.
+	* Updated booleans(8) man page to drop references to the old
+	  booleans file and to note that setsebool can be used to set
+	  the boot-time defaults via -P.
+
+* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.5-1
+- Upgrade to latest from NSA
+	* Merged fix warnings patch from Karl MacMillan.	
+	* Merged setrans client support from Dan Walsh.
+	  This removes use of libsetrans.
+	* Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh.
+	* Merged swig typemap fixes from Glauber de Oliveira Costa.
+
+* Wed May 3 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-3
+- Change the way translations work,  Use setransd/remove libsetrans
+
+* Tue May 2 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-2
+- Add selinuxswig fixes
+- Stop using PAGE_SIZE and start using sysconf(_SC_PAGE_SIZE)
+
+* Fri Apr 14 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-1
+- Upgrade to latest from NSA
+	* Added distclean target to Makefile.
+	* Regenerated swig files.
+	* Changed matchpathcon_init to verify that the spec file is
+	  a regular file.
+	* Merged python binding t_output_helper removal patch from Dan Walsh.
+
+* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
+- Fix python bindings for matchpathcon
+- Fix booleans man page
+
+* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-1
+- Merged Makefile PYLIBVER definition patch from Dan Walsh.
+
+* Fri Mar 10 2006 Dan Walsh <dwalsh@redhat.com> 1.30-1
+- Make some fixes so it will build on RHEL4
+- Upgrade to latest from NSA
+	* Updated version for release.
+	* Altered rpm_execcon fallback logic for permissive mode to also
+	  handle case where /selinux/enforce is not available.
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.7-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.29.7-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Jan 20 2006 Dan Walsh <dwalsh@redhat.com> 1.29.7-1
+- Upgrade to latest from NSA
+	* Merged install-pywrap Makefile patch from Joshua Brindle.
+
+* Wed Jan 18 2006 Dan Walsh <dwalsh@redhat.com> 1.29.6-1
+- Upgrade to latest from NSA
+	* Merged pywrap Makefile patch from Dan Walsh.
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.29.5-2
+- Split out pywrap in Makefile
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.29.5-1
+- Upgrade to latest from NSA
+	* Added getseuser test program.
+
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
+- Upgrade to latest from NSA
+	* Added format attribute to myprintf in matchpathcon.c and
+	  removed obsoleted rootlen variable in init_selinux_config().
+
+* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.29.3-2
+- Build with new libsepol
+
+* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.29.3-1
+- Upgrade to latest from NSA
+	* Merged several fixes and improvements from Ulrich Drepper
+	  (Red Hat), including:
+	  - corrected use of getline
+	  - further calls to __fsetlocking for local files
+	  - use of strdupa and asprintf
+	  - proper handling of dirent in booleans code
+	  - use of -z relro
+	  - several other optimizations
+	* Merged getpidcon python wrapper from Dan Walsh (Red Hat).
+
+* Sat Dec 24 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-4
+- Add build requires line for libsepol-devel
+
+* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-3
+- Fix swig call for getpidcon
+
+* Mon Dec 19 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-2
+- Move libselinux.so to base package
+
+* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-1
+- Upgrade to latest from NSA
+	* Merged call to finish_context_translations from Dan Walsh.
+	  This eliminates a memory leak from failing to release memory
+	  allocated by libsetrans.
+
+* Sun Dec 11 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-3
+- update to latest libsetrans  
+- Fix potential memory leak
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
+- Update to never version
+	* Merged patch for swig interfaces from Dan Walsh.
+
+* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
+- Update to never version
+
+* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.28-2
+- Fix some of the python swig objects
+
+* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.28-1
+- Update to latest from NSA
+	* Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and
+	  modified matchpathcon implementation to make context validation/
+	  canonicalization optional at matchpathcon_init time, deferring it
+	  to a successful matchpathcon by default unless the new flag is set
+	  by the caller.
+	* Added matchpathcon_init_prefix() interface, and
+	  reworked matchpathcon implementation to support selective
+	  loading of file contexts entries based on prefix matching
+	  between the pathname regex stems and the specified path
+	  prefix (stem must be a prefix of the specified path prefix).
+
+* Wed Nov 30 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1
+- Update to latest from NSA
+	* Change getsebool to return on/off instead of active/inactive
+
+* Tue Nov 29 2005 Dan Walsh <dwalsh@redhat.com> 1.27.25-1
+- Update to latest from NSA
+	* Added -f file_contexts option to matchpathcon util.
+	  Fixed warning message in matchpathcon_init().
+	* Merged Makefile python definitions patch from Dan Walsh.
+
+* Mon Nov 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.23-1
+- Update to latest from NSA
+	* Merged swigify patch from Dan Walsh.
+
+* Mon Nov 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-4
+- Separate out libselinux-python bindings into separate rpm
+
+* Thu Nov 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-3
+- Read libsetrans requirement
+
+* Thu Nov 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-2
+- Add python bindings
+
+* Wed Nov 16 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-1
+- Update to latest from NSA
+	* Merged make failure in rpm_execcon non-fatal in permissive mode
+	  patch from Ivan Gyurdiev.
+
+* Tue Nov 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.21-2
+- Remove requirement for libsetrans
+
+* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.21-1
+- Update to latest from NSA
+	* Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags()
+	  and modified matchpathcon_init() to skip context translation
+	  if it is set by the caller.
+
+* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
+- Update to latest from NSA
+	* Added security_canonicalize_context() interface and
+	  set_matchpathcon_canoncon() interface for obtaining
+	  canonical contexts.  Changed matchpathcon internals
+	  to obtain canonical contexts by default.  Provided
+	  fallback for kernels that lack extended selinuxfs context
+	  interface.
+- Patch to not translate mls when calling setfiles
+
+* Mon Nov 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
+- Update to latest from NSA
+	* Merged seusers parser changes from Ivan Gyurdiev.
+	* Merged setsebool to libsemanage patch from Ivan Gyurdiev.
+	* Changed seusers parser to reject empty fields.
+
+* Fri Nov 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.18-1
+- Update to latest from NSA
+	* Merged seusers empty level handling patch from Jonathan Kim (TCS).
+
+* Thu Nov 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-4
+- Rebuild for latest libsepol
+
+* Mon Oct 31 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-2
+- Rebuild for latest libsepol
+
+* Wed Oct 26 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
+- Change default to __default__
+
+* Wed Oct 26 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-3
+- Change default to __default__
+
+* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-2
+- Add selinux_translations_path
+
+* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-1
+- Update to latest from NSA
+	* Merged selinux_path() and selinux_homedir_context_path()
+	  functions from Joshua Brindle.
+
+* Fri Oct 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.13-2
+- Need to check for /sbin/telinit
+
+* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.13-1
+- Update to latest from NSA
+	* Merged fixes for make DESTDIR= builds from Joshua Brindle.
+
+* Mon Oct 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.12-1
+- Update to latest from NSA
+	* Merged get_default_context_with_rolelevel and man pages from
+	  Dan Walsh (Red Hat).
+	* Updated call to sepol_policydb_to_image for sepol changes.
+	* Changed getseuserbyname to ignore empty lines and to handle
+	no matching entry in the same manner as no seusers file.
+
+* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
+- Tell init to reexec itself in post script
+
+* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
+- Update to latest from NSA
+	* Changed selinux_mkload_policy to try downgrading the
+	latest policy version available to the kernel-supported version.
+	* Changed selinux_mkload_policy to fall back to the maximum
+	policy version supported by libsepol if the kernel policy version
+	falls outside of the supported range.
+
+* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
+- Update to latest from NSA
+	* Changed getseuserbyname to fall back to the Linux username and
+	NULL level if seusers config file doesn't exist unless 
+	REQUIRESEUSERS=1 is set in /etc/selinux/config.
+	* Moved seusers.conf under $SELINUXTYPE and renamed to seusers.
+
+* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
+- Update to latest from NSA
+	* Added selinux_init_load_policy() function as an even higher level
+	interface for the initial policy load by /sbin/init.  This obsoletes
+	the load_policy() function in the sysvinit-selinux.patch. 
+	* Added selinux_mkload_policy() function as a higher level interface
+	for loading policy than the security_load_policy() interface.
+
+* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
+- Update to latest from NSA
+	* Merged fix for matchpathcon (regcomp error checking) from Johan
+	Fischer.  Also added use of regerror to obtain the error string
+	for inclusion in the error message.
+
+* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
+- Update to latest from NSA
+	* Changed getseuserbyname to not require (and ignore if present)
+	the MLS level in seusers.conf if MLS is disabled, setting *level
+	to NULL in this case.
+
+* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
+- Update to latest from NSA
+	* Merged getseuserbyname patch from Dan Walsh.
+
+* Thu Sep 29 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-3
+- Fix patch to satisfy upstream
+
+* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
+- Update to latest from NSA
+- Add getseuserbyname
+
+* Fri Sep 16 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
+- Fix patch call
+
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
+- Fix strip_con call
+
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
+- Go back to original libsetrans code
+
+* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
+- Eliminate forth param from mls context when mls is not enabled.
+
+* Tue Sep 6 2005 Dan Walsh <dwalsh@redhat.com> 1.25.7-1
+- Update from NSA
+	* Merged modified form of patch to avoid dlopen/dlclose by
+	the static libselinux from Dan Walsh.  Users of the static libselinux
+	will not have any context translation by default.
+
+* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.6-1
+- Update from NSA
+	* Added public functions to export context translation to
+	users of libselinux (selinux_trans_to_raw_context,
+	selinux_raw_to_trans_context).
+
+* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
+- Update from NSA
+	* Remove special definition for context_range_set; use
+	common code.
+
+* Thu Aug 25 2005 Dan Walsh <dwalsh@redhat.com> 1.25.4-1
+- Update from NSA
+	* Hid translation-related symbols entirely and ensured that 
+	raw functions have hidden definitions for internal use.
+	* Allowed setting NULL via context_set* functions.
+	* Allowed whitespace in MLS component of context.
+	* Changed rpm_execcon to use translated functions to workaround
+	lack of MLS level on upgraded systems.
+
+* Wed Aug 24 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-2
+- Allow set_comp on unset ranges
+
+* Wed Aug 24 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
+- Merged context translation patch, originally by TCS,
+  with modifications by Dan Walsh (Red Hat).
+
+* Wed Aug 17 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-2
+- Apply translation patch
+
+* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
+- Update from NSA
+	* Merged several fixes for error handling paths in the
+	  AVC sidtab, matchpathcon, booleans, context, and get_context_list
+	  code from Serge Hallyn (IBM). Bugs found by Coverity.
+	* Removed setupns; migrated to pam.
+	* Merged patches to rename checkPasswdAccess() from Joshua Brindle.
+	  Original symbol is temporarily retained for compatibility until 
+	  all callers are updated.
+
+* Mon Jul 18 2005 Dan Walsh <dwalsh@redhat.com> 1.24.2-1
+- Update makefiles
+
+* Wed Jun 29 2005 Dan Walsh <dwalsh@redhat.com> 1.24.1-1
+- Update from NSA
+	* Merged security_setupns() from Chad Sellers.
+- fix selinuxenabled man page
+
+* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23.11-1
+- Update from NSA
+	* Merged avcstat and selinux man page from Dan Walsh.
+	* Changed security_load_booleans to process booleans.local 
+	  even if booleans file doesn't exist.
+	
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
+- Fix avcstat to clear totals
+
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
+- Add info to man page
+
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
+- Update from NSA
+	* Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
+	* Rewrote get_ordered_context_list and helpers, including
+	  changing logic to allow variable MLS fields.
+
+* Tue Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.8-1
+- Update from NSA
+
+* Thu Apr 21 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-3
+- Add backin matchpathcon
+
+* Wed Apr 13 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-2
+- Fix selinux_policy_root man page
+
+* Wed Apr 13 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-1
+- Change assert(selinux_mnt) to if (!selinux_mnt) return -1;
+
+* Mon Apr 11 2005 Dan Walsh <dwalsh@redhat.com> 1.23.6-1
+- Update from NSA
+	* Fixed bug in matchpathcon_filespec_destroy.
+
+* Wed Apr 6 2005 Dan Walsh <dwalsh@redhat.com> 1.23.5-1
+- Update from NSA
+	* Fixed bug in rpm_execcon error handling path.
+
+* Mon Apr 4 2005 Dan Walsh <dwalsh@redhat.com> 1.23.4-1
+- Update from NSA
+	* Merged fix for set_matchpathcon* functions from Andreas Steinmetz.
+	* Merged fix for getconlist utility from Andreas Steinmetz.
+
+* Tue Mar 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-3
+- Update from NSA
+
+* Wed Mar 23 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-2
+- Better handling of booleans
+
+* Thu Mar 17 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-1
+- Update from NSA
+	* Merged destructors patch from Tomas Mraz.
+
+* Thu Mar 17 2005 Dan Walsh <dwalsh@redhat.com> 1.23.1-1
+- Update from NSA
+	* Added set_matchpathcon_flags() function for setting flags
+	  controlling operation of matchpathcon.  MATCHPATHCON_BASEONLY
+	  means only process the base file_contexts file, not 
+	  file_contexts.homedirs or file_contexts.local, and is for use by
+	  setfiles -c.
+	* Updated matchpathcon.3 man page.
+
+* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
+- Update from NSA
+
+* Tue Mar 8 2005 Dan Walsh <dwalsh@redhat.com> 1.21.13-1
+- Update from NSA
+	* Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head.
+
+* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.12-1
+- Update from NSA
+  * Changed matchpathcon_common to ignore any non-format bits in the mode.
+
+* Mon Feb 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.11-2
+- Default matchpathcon to regular files if the user specifies a mode
+
+* Tue Feb 22 2005 Dan Walsh <dwalsh@redhat.com> 1.21.11-1
+- Update from NSA
+	* Merged several fixes from Ulrich Drepper.
+
+* Mon Feb 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.10-3
+- Fix matchpathcon on eof.
+
+* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.10-1
+- Update from NSA
+	* Merged matchpathcon patch for file_contexts.homedir from Dan Walsh.
+	* Added selinux_users_path() for path to directory containing
+	  system.users and local.users.
+
+* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.9-2
+- Process file_context.homedir
+
+* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.9-1
+- Update from NSA
+  *	 Changed relabel Makefile target to use restorecon.
+
+* Tue Feb 8 2005 Dan Walsh <dwalsh@redhat.com> 1.21.8-1
+- Update from NSA
+	* Regenerated av_permissions.h.
+
+* Wed Feb 2 2005 Dan Walsh <dwalsh@redhat.com> 1.21.7-1
+- Update from NSA
+	* Modified avc_dump_av to explicitly check for any permissions that
+	  cannot be mapped to string names and display them as a hex value.
+	* Regenerated av_permissions.h.
+
+* Mon Jan 31 2005 Dan Walsh <dwalsh@redhat.com> 1.21.5-1
+- Update from NSA
+	* Generalized matchpathcon internals, exported more interfaces,
+	  and moved additional code from setfiles into libselinux so that
+	  setfiles can directly use matchpathcon.
+
+* Fri Jan 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
+- Update from NSA
+	* Prevent overflow of spec array in matchpathcon.
+	* Fixed several uses of internal functions to avoid relocations.
+	* Changed rpm_execcon to check is_selinux_enabled() and fallback to
+	  a regular execve if not enabled (or unable to determine due to a lack
+	  of /proc, e.g. chroot'd environment).
+
+* Wed Jan 26 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
+- Update from NSA
+	* Merged minor fix for avcstat from Dan Walsh.
+
+* Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3
+- rpmexeccon should not fail in permissive mode.
+
+* Fri Jan 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
+- fix printf in avcstat
+
+* Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
+- Update from NSA
+
+* Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-3
+- Modify matchpathcon to also process file_contexts.local if it exists
+
+* Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-2
+- Add is_customizable_types function call
+
+* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
+- Update to latest from upstream
+	* Just changing version number to match upstream
+
+* Wed Dec 29 2004 Dan Walsh <dwalsh@redhat.com> 1.19.4-1
+- Update to latest from upstream
+	* Changed matchpathcon to return -1 with errno ENOENT for 
+	  <<none>> entries, and also for an empty file_contexts configuration.
+
+* Tue Dec 28 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-3
+- Fix link devel libraries
+
+* Mon Dec 27 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-2
+- Fix unitialized variable in avcstat.c
+
+* Tue Nov 30 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-1
+- Upgrade to upstream
+	* Removed some trivial utils that were not useful or redundant.
+	* Changed BINDIR default to /usr/sbin to match change in Fedora.
+	* Added security_compute_member.
+	* Added man page for setcon.
+
+* Tue Nov 30 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
+- Upgrade to upstream
+
+* Thu Nov 18 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-6
+- Add avcstat program
+
+* Mon Nov 15 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-4
+- Add lots of missing man pages
+
+* Fri Nov 12 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-2
+- Fix output of getsebool.
+
+* Tue Nov 9 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
+- Update from upstream, fix setsebool -P segfault
+
+* Fri Nov 5 2004 Steve Grubb <sgrubb@redhat.com> 1.18.1-5
+- Add a patch from upstream. Fixes signed/unsigned issues, and 
+  incomplete structure copy.
+
+* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-4
+- More fixes from sgrubb, better syslog
+
+* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-3
+- Have setsebool and togglesebool log changes to syslog
+
+* Wed Nov 3 2004 Steve Grubb <sgrubb@redhat.com> 1.18.1-2
+- Add patch to make setsebool update bool on disk
+- Make togglesebool have a rollback capability in case it blows up inflight
+
+* Tue Nov 2 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
+- Upgrade to latest from NSA
+
+* Thu Oct 28 2004 Steve Grubb <sgrubb@redhat.com> 1.17.15-2
+- Changed the location of the utilities to /usr/sbin since
+  normal users can't use them anyways.
+
+* Wed Oct 27 2004 Steve Grubb <sgrubb@redhat.com> 1.17.15-2
+- Updated various utilities, removed utilities that are for testing,
+  added man pages.
+
+* Fri Oct 15 2004 Dan Walsh <dwalsh@redhat.com> 1.17.15-1
+- Add -g flag to make
+- Upgrade to latest  from NSA
+	* Added rpm_execcon.
+
+* Fri Oct 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.14-1
+- Upgrade to latest  from NSA
+	* Merged setenforce and removable context patch from Dan Walsh.
+	* Merged build fix for alpha from Ulrich Drepper.
+	* Removed copyright/license from selinux_netlink.h - definitions only.
+
+* Fri Oct 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-3
+- Change setenforce to accept Enforcing and Permissive
+
+* Wed Sep 22 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-2
+- Add alpha patch
+
+* Mon Sep 20 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-1
+- Upgrade to latest  from NSA
+
+* Thu Sep 16 2004 Dan Walsh <dwalsh@redhat.com> 1.17.12-2
+- Add selinux_removable_context_path
+
+* Tue Sep 14 2004 Dan Walsh <dwalsh@redhat.com> 1.17.12-1
+- Update from NSA
+	* Add matchmediacon
+
+* Tue Sep 14 2004 Dan Walsh <dwalsh@redhat.com> 1.17.11-1
+- Update from NSA
+	* Merged in matchmediacon changes.
+
+* Fri Sep 10 2004 Dan Walsh <dwalsh@redhat.com> 1.17.10-1
+- Update from NSA
+	* Regenerated headers for new nscd permissions.
+
+* Wed Sep 8 2004 Dan Walsh <dwalsh@redhat.com> 1.17.9-2
+- Add matchmediacon
+
+* Wed Sep 8 2004 Dan Walsh <dwalsh@redhat.com> 1.17.9-1
+- Update from NSA
+	* Added get_default_context_with_role.
+
+* Thu Sep 2 2004 Dan Walsh <dwalsh@redhat.com> 1.17.8-2
+- Clean up spec file
+	* Patch from Matthias Saou
+
+* Thu Sep 2 2004 Dan Walsh <dwalsh@redhat.com> 1.17.8-1
+- Update from NSA
+	* Added set_matchpathcon_printf.	
+
+* Wed Sep 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.7-1
+- Update from NSA
+	* Reworked av_inherit.h to allow easier re-use by kernel. 
+
+* Tue Aug 31 2004 Dan Walsh <dwalsh@redhat.com> 1.17.6-1
+- Add strcasecmp in selinux_config
+- Update from NSA
+	* Changed avc_has_perm_noaudit to not fail on netlink errors.
+	* Changed avc netlink code to check pid based on patch by Steve Grubb.
+	* Merged second optimization patch from Ulrich Drepper.
+	* Changed matchpathcon to skip invalid file_contexts entries.
+	* Made string tables private to libselinux.
+	* Merged strcat->stpcpy patch from Ulrich Drepper.
+	* Merged matchpathcon man page from Dan Walsh.
+	* Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+	* Autobind netlink socket.
+	* Dropped compatibility code from security_compute_user.
+	* Merged fix for context_range_set from Chad Hanson.
+	* Merged allocation failure checking patch from Chad Hanson.
+	* Merged avc netlink error message patch from Colin Walters.
+
+
+* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
+- Update from NSA
+	* Merged second optimization patch from Ulrich Drepper.
+	* Changed matchpathcon to skip invalid file_contexts entries.
+	* Made string tables private to libselinux.
+	* Merged strcat->stpcpy patch from Ulrich Drepper.
+	* Merged matchpathcon man page from Dan Walsh.
+	* Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+	* Autobind netlink socket.
+	* Dropped compatibility code from security_compute_user.
+	* Merged fix for context_range_set from Chad Hanson.
+	* Merged allocation failure checking patch from Chad Hanson.
+	* Merged avc netlink error message patch from Colin Walters.
+
+* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
+- Update from NSA
+- Add optflags
+
+* Fri Aug 27 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
+- Update from NSA
+
+* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
+- Add matchpathcon man page
+- Latest from NSA
+	* Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+	* Autobind netlink socket.
+	* Dropped compatibility code from security_compute_user.
+	* Merged fix for context_range_set from Chad Hanson.
+	* Merged allocation failure checking patch from Chad Hanson.
+	* Merged avc netlink error message patch from Colin Walters.
+
+* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.17.1-1
+- Latest from NSA
+	* Autobind netlink socket.
+	* Dropped compatibility code from security_compute_user.
+	* Merged fix for context_range_set from Chad Hanson.
+	* Merged allocation failure checking patch from Chad Hanson.
+	* Merged avc netlink error message patch from Colin Walters.
+
+* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
+- Latest from NSA
+
+* Thu Aug 19 2004 Colin Walters <walters@redhat.com> 1.16-1
+- New upstream version
+
+* Tue Aug 17 2004 Dan Walsh <dwalsh@redhat.com> 1.15.7-1
+- Latest from Upstream
+
+* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
+- Fix man pages
+
+* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
+- Latest from Upstream
+
+* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
+- Latest from Upstream
+
+* Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2
+- Add man page for boolean functions and SELinux
+
+* Sun Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
+- Latest from NSA
+
+* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
+- Latest from NSA
+
+* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-3
+- uppercase getenforce returns, to make them match system-config-securitylevel
+
+* Thu Jul 15 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-2
+- Remove old path patch
+
+* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
+- Update to latest from NSA
+- Add fix to only get old path if file_context file exists in old location
+
+* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
+- Update to latest from NSA
+
+* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.13.4-1
+- add nlclass patch
+- Update to latest from NSA
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sun Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
+- Fix selinux_config to break once it finds SELINUXTYPE.
+
+* Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1
+-Update with latest from NSA
+
+* Thu May 27 2004 Dan Walsh <dwalsh@redhat.com> 1.13.1-1
+- Change to use new policy mechanism
+
+* Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2
+- add man patch
+
+* Fri May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
+- Update with latest from NSA
+
+* Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1
+- Update with latest from NSA
+
+* Thu Apr 22 2004 Dan Walsh <dwalsh@redhat.com> 1.11.3-1
+- Add changes for relaxed policy 
+- Update to match NSA 
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11.2-1
+- Add relaxed policy changes 
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11-4
+- Sync with NSA
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11-3
+- Remove requires glibc>2.3.4
+
+* Wed Apr 14 2004 Dan Walsh <dwalsh@redhat.com> 1.11-2
+- Fix selinuxenabled man page.
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.11-1
+- Upgrade to 1.11
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
+- Add memleaks patch
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
+- Upgrade to latest from NSA and add more man pages
+
+* Thu Apr 1 2004 Dan Walsh <dwalsh@redhat.com> 1.9-1
+- Update to match NSA
+- Cleanup some man pages
+
+* Tue Mar 30 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
+- Upgrade to latest from NSA
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-6
+- Add Russell's Man pages
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-5
+- Change getenforce to also check is_selinux_enabled
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-4
+- Add ownership to /usr/include/selinux
+
+* Wed Mar 10 2004 Dan Walsh <dwalsh@redhat.com> 1.6-3
+- fix location of file_contexts file.
+
+* Wed Mar 10 2004 Dan Walsh <dwalsh@redhat.com> 1.6-2
+- Fix matchpathcon to use BUFSIZ
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Feb 23 2004 Dan Walsh <dwalsh@redhat.com> 1.4-11
+- add matchpathcon
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Jan 23 2004 Dan Walsh <dwalsh@redhat.com> 1.4-9
+- Add rootok patch
+
+* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-8
+- Updated getpeernam patch
+
+* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.4-7
+- Add getpeernam patch
+
+* Thu Dec 18 2003 Dan Walsh <dwalsh@redhat.com> 1.4-6
+- Add getpeercon patch
+
+* Thu Dec 18 2003 Dan Walsh <dwalsh@redhat.com> 1.4-5
+- Put mntpoint patch, because found fix for SysVinit
+
+* Wed Dec 17 2003 Dan Walsh <dwalsh@redhat.com> 1.4-4
+- Add remove mntpoint patch, because it breaks SysVinit
+
+* Wed Dec 17 2003 Dan Walsh <dwalsh@redhat.com> 1.4-3
+- Add mntpoint patch for SysVinit
+
+* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.4-2
+- Add -r -u -t to getcon 
+
+* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
+- Upgrade to latest from NSA
+
+* Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2
+- Fix x86_64 build
+
+* Wed Oct 22 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
+- Latest tarball from NSA.
+
+* Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9
+- Update with latest changes from NSA
+
+* Mon Oct 20 2003 Dan Walsh <dwalsh@redhat.com> 1.2-8
+- Change location of .so file
+
+* Wed Oct 8 2003 Dan Walsh <dwalsh@redhat.com> 1.2-7
+- Break out into development library
+
+* Wed Oct  8 2003 Dan Walsh <dwalsh@redhat.com> 1.2-6
+- Move location of libselinux.so to /lib
+
+* Fri Oct  3 2003 Dan Walsh <dwalsh@redhat.com> 1.2-5
+- Add selinuxenabled patch
+
+* Wed Oct  1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-4
+- Update with final NSA 1.2 sources.
+
+* Fri Sep  12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3
+- Update with latest from NSA.
+
+* Thu Aug  28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
+- Fix to build on x86_64
+
+* Thu Aug  21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
+- update for version 1.2
+
+* Tue May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
+- Initial version