diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f8649bc
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/libselinux-3.3.tar.gz
diff --git a/.libselinux.metadata b/.libselinux.metadata
new file mode 100644
index 0000000..db6fb6a
--- /dev/null
+++ b/.libselinux.metadata
@@ -0,0 +1 @@
+70128f2395fc86b09c57db979972b4823b35e614 SOURCES/libselinux-3.3.tar.gz
diff --git a/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
new file mode 100644
index 0000000..ed63a8c
--- /dev/null
+++ b/SOURCES/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -0,0 +1,1333 @@
+From ec1b147076345478636de763ce5d4e8daa69afd6 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 30 Jul 2021 14:14:37 +0200
+Subject: [PATCH] Use SHA-2 instead of SHA-1
+
+The use of SHA-1 in RHEL9 is deprecated
+---
+ libselinux/include/selinux/label.h | 6 +-
+ libselinux/include/selinux/restorecon.h | 4 +-
+ libselinux/man/man3/selabel_digest.3 | 4 +-
+ libselinux/man/man3/selabel_open.3 | 2 +-
+ libselinux/man/man3/selinux_restorecon.3 | 16 +-
+ .../man/man3/selinux_restorecon_xattr.3 | 2 +-
+ libselinux/src/Makefile | 2 +-
+ libselinux/src/label_file.c | 40 +--
+ libselinux/src/label_internal.h | 10 +-
+ libselinux/src/label_support.c | 8 +-
+ libselinux/src/selinux_restorecon.c | 24 +-
+ libselinux/src/sha1.c | 220 -------------
+ libselinux/src/sha1.h | 85 -----
+ libselinux/src/sha256.c | 294 ++++++++++++++++++
+ libselinux/src/sha256.h | 89 ++++++
+ libselinux/utils/selabel_digest.c | 26 +-
+ .../selabel_get_digests_all_partial_matches.c | 28 +-
+ 17 files changed, 469 insertions(+), 391 deletions(-)
+ delete mode 100644 libselinux/src/sha1.c
+ delete mode 100644 libselinux/src/sha1.h
+ create mode 100644 libselinux/src/sha256.c
+ create mode 100644 libselinux/src/sha256.h
+
+diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
+index e8983606d93b..a35d84d63b0a 100644
+--- a/libselinux/include/selinux/label.h
++++ b/libselinux/include/selinux/label.h
+@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ const char *key, const char **aliases, int type);
+
+ /**
+- * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
++ * selabel_digest - Retrieve the SHA256 digest and the list of specfiles used to
+ * generate the digest. The SELABEL_OPT_DIGEST option must
+ * be set in selabel_open() to initiate the digest generation.
+ * @handle: specifies backend instance to query
+- * @digest: returns a pointer to the SHA1 digest.
++ * @digest: returns a pointer to the SHA256 digest.
+ * @digest_len: returns length of digest in bytes.
+- * @specfiles: a list of specfiles used in the SHA1 digest generation.
++ * @specfiles: a list of specfiles used in the SHA256 digest generation.
+ * The list is NULL terminated and will hold @num_specfiles entries.
+ * @num_specfiles: number of specfiles in the list.
+ *
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index 466de39aac72..ca8ce768587a 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -27,8 +27,8 @@ extern int selinux_restorecon(const char *pathname,
+ * restorecon_flags options
+ */
+ /*
+- * Force the checking of labels even if the stored SHA1 digest
+- * matches the specfiles SHA1 digest (requires CAP_SYS_ADMIN).
++ * Force the checking of labels even if the stored SHA256 digest
++ * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
+ */
+ #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
+ /*
+diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
+index 56a008f00df0..5f7c42533d0e 100644
+--- a/libselinux/man/man3/selabel_digest.3
++++ b/libselinux/man/man3/selabel_digest.3
+@@ -20,11 +20,11 @@ selabel_digest \- Return digest of specfiles and list of files used
+ .BR selabel_digest ()
+ performs an operation on the handle
+ .IR hnd ,
+-returning the results of the SHA1 digest pointed to by
++returning the results of the SHA256 digest pointed to by
+ .IR digest ,
+ whose length will be
+ .IR digest_len .
+-The list of specfiles used in the SHA1 digest calculation is returned in
++The list of specfiles used in the SHA256 digest calculation is returned in
+ .I specfiles
+ with the number of entries in
+ .IR num_specfiles .
+diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
+index 971ebc1acd41..2cf2eb8a1410 100644
+--- a/libselinux/man/man3/selabel_open.3
++++ b/libselinux/man/man3/selabel_open.3
+@@ -69,7 +69,7 @@ is used; a custom validation function can be provided via
+ Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+ .TP
+ .B SELABEL_OPT_DIGEST
+-A non-null value for this option enables the generation of an SHA1 digest of
++A non-null value for this option enables the generation of an SHA256 digest of
+ the spec files loaded as described in
+ .BR selabel_digest (3)
+ .
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index ad637406a30d..c4576fe79ff6 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -28,7 +28,7 @@ If this is a directory and the
+ .B SELINUX_RESTORECON_RECURSE
+ has been set (for descending through directories), then
+ .BR selinux_restorecon ()
+-will write an SHA1 digest of specfile entries calculated by
++will write an SHA256 digest of specfile entries calculated by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute of
+ .IR security.sehash
+@@ -47,7 +47,7 @@ will take place.
+ .br
+ The
+ .IR restorecon_flags
+-that can be used to manage the usage of the SHA1 digest are:
++that can be used to manage the usage of the SHA256 digest are:
+ .RS
+ .B SELINUX_RESTORECON_SKIP_DIGEST
+ .br
+@@ -65,8 +65,8 @@ Do not check or update any extended attribute
+ entries.
+ .sp
+ .B SELINUX_RESTORECON_IGNORE_DIGEST
+-force the checking of labels even if the stored SHA1 digest matches the
+-specfile entries SHA1 digest. The specfile entries digest will be written to the
++force the checking of labels even if the stored SHA256 digest matches the
++specfile entries SHA256 digest. The specfile entries digest will be written to the
+ .IR security.sehash
+ extended attribute once relabeling has been completed successfully provided the
+ .B SELINUX_RESTORECON_NOCHANGE
+@@ -84,7 +84,7 @@ default specfile context.
+ .sp
+ .B SELINUX_RESTORECON_RECURSE
+ change file and directory labels recursively (descend directories)
+-and if successful write an SHA1 digest of the specfile entries to an
++and if successful write an SHA256 digest of the specfile entries to an
+ extended attribute as described in the
+ .B NOTES
+ section.
+@@ -158,7 +158,7 @@ to treat conflicting specifications, such as where two hardlinks for the
+ same inode have different contexts, as errors.
+ .RE
+ .sp
+-The behavior regarding the checking and updating of the SHA1 digest described
++The behavior regarding the checking and updating of the SHA256 digest described
+ above is the default behavior. It is possible to change this by first calling
+ .BR selabel_open (3)
+ and not enabling the
+@@ -200,7 +200,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+ .B SELINUX_RESTORECON_RECURSE
+ flag is set)
+ .BR selinux_restorecon ()
+-will write a calculated SHA1 digest of the specfile entries returned by
++will write a calculated SHA256 digest of the specfile entries returned by
+ .BR selabel_get_digests_all_partial_matches (3)
+ to an extended attribute named
+ .IR security.sehash
+@@ -222,7 +222,7 @@ Should any of the specfile entries have changed, then when
+ .BR selinux_restorecon ()
+ is run again with the
+ .B SELINUX_RESTORECON_RECURSE
+-flag set, new SHA1 digests will be calculated and all files automatically
++flag set, new SHA256 digests will be calculated and all files automatically
+ relabeled depending on the settings of the
+ .B SELINUX_RESTORECON_SET_SPECFILE_CTX
+ flag (provided
+diff --git a/libselinux/man/man3/selinux_restorecon_xattr.3 b/libselinux/man/man3/selinux_restorecon_xattr.3
+index c56326814b94..098c840fc59b 100644
+--- a/libselinux/man/man3/selinux_restorecon_xattr.3
++++ b/libselinux/man/man3/selinux_restorecon_xattr.3
+@@ -119,7 +119,7 @@ By default
+ .BR selinux_restorecon_xattr (3)
+ will use the default set of specfiles described in
+ .BR files_contexts (5)
+-to calculate the SHA1 digests to be used for comparison.
++to calculate the SHA256 digests to be used for comparison.
+ To change this default behavior
+ .BR selabel_open (3)
+ must be called specifying the required
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 52c40f018f51..674a5ed3a6f8 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -120,7 +120,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
+ -DBUILD_HOST
+ SRCS= callbacks.c freecon.c label.c label_file.c \
+ label_backends_android.c regex.c label_support.c \
+- matchpathcon.c setrans_client.c sha1.c booleans.c
++ matchpathcon.c setrans_client.c sha256.c booleans.c
+ else
+ LABEL_BACKEND_ANDROID=y
+ endif
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 2e28d0474d73..c1306c9979e7 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -1005,7 +1005,7 @@ static struct spec *lookup_common(struct selabel_handle *rec,
+
+ /*
+ * Returns true if the digest of all partial matched contexts is the same as
+- * the one saved by setxattr, otherwise returns false. The length of the SHA1
++ * the one saved by setxattr, otherwise returns false. The length of the SHA256
+ * digest will always be returned. The caller must free any returned digests.
+ */
+ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -1014,39 +1014,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+ uint8_t **xattr_digest,
+ size_t *digest_len)
+ {
+- uint8_t read_digest[SHA1_HASH_SIZE];
++ uint8_t read_digest[SHA256_HASH_SIZE];
+ ssize_t read_size = getxattr(pathname, RESTORECON_PARTIAL_MATCH_DIGEST,
+- read_digest, SHA1_HASH_SIZE
++ read_digest, SHA256_HASH_SIZE
+ #ifdef __APPLE__
+ , 0, 0
+ #endif /* __APPLE __ */
+ );
+- uint8_t hash_digest[SHA1_HASH_SIZE];
++ uint8_t hash_digest[SHA256_HASH_SIZE];
+ bool status = selabel_hash_all_partial_matches(rec, pathname,
+ hash_digest);
+
+ *xattr_digest = NULL;
+ *calculated_digest = NULL;
+- *digest_len = SHA1_HASH_SIZE;
++ *digest_len = SHA256_HASH_SIZE;
+
+- if (read_size == SHA1_HASH_SIZE) {
+- *xattr_digest = calloc(1, SHA1_HASH_SIZE + 1);
++ if (read_size == SHA256_HASH_SIZE) {
++ *xattr_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ if (!*xattr_digest)
+ goto oom;
+
+- memcpy(*xattr_digest, read_digest, SHA1_HASH_SIZE);
++ memcpy(*xattr_digest, read_digest, SHA256_HASH_SIZE);
+ }
+
+ if (status) {
+- *calculated_digest = calloc(1, SHA1_HASH_SIZE + 1);
++ *calculated_digest = calloc(1, SHA256_HASH_SIZE + 1);
+ if (!*calculated_digest)
+ goto oom;
+
+- memcpy(*calculated_digest, hash_digest, SHA1_HASH_SIZE);
++ memcpy(*calculated_digest, hash_digest, SHA256_HASH_SIZE);
+ }
+
+- if (status && read_size == SHA1_HASH_SIZE &&
+- memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
++ if (status && read_size == SHA256_HASH_SIZE &&
++ memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
+ return true;
+
+ return false;
+@@ -1066,22 +1066,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+ return false;
+ }
+
+- Sha1Context context;
+- Sha1Initialise(&context);
++ Sha256Context context;
++ Sha256Initialise(&context);
+ size_t i;
+ for (i = 0; i < total_matches; i++) {
+ char* regex_str = matches[i]->regex_str;
+ mode_t mode = matches[i]->mode;
+ char* ctx_raw = matches[i]->lr.ctx_raw;
+
+- Sha1Update(&context, regex_str, strlen(regex_str) + 1);
+- Sha1Update(&context, &mode, sizeof(mode_t));
+- Sha1Update(&context, ctx_raw, strlen(ctx_raw) + 1);
++ Sha256Update(&context, regex_str, strlen(regex_str) + 1);
++ Sha256Update(&context, &mode, sizeof(mode_t));
++ Sha256Update(&context, ctx_raw, strlen(ctx_raw) + 1);
+ }
+
+- SHA1_HASH sha1_hash;
+- Sha1Finalise(&context, &sha1_hash);
+- memcpy(digest, sha1_hash.bytes, SHA1_HASH_SIZE);
++ SHA256_HASH sha256_hash;
++ Sha256Finalise(&context, &sha256_hash);
++ memcpy(digest, sha256_hash.bytes, SHA256_HASH_SIZE);
+
+ free(matches);
+ return true;
+diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
+index 782c6aa8cc0c..304e8d96490a 100644
+--- a/libselinux/src/label_internal.h
++++ b/libselinux/src/label_internal.h
+@@ -13,7 +13,7 @@
+ #include <stdio.h>
+ #include <selinux/selinux.h>
+ #include <selinux/label.h>
+-#include "sha1.h"
++#include "sha256.h"
+
+ #if defined(ANDROID) || defined(__APPLE__)
+ // Android and Mac do not have fgets_unlocked()
+@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+ */
+
+ /*
+- * Calculate an SHA1 hash of all the files used to build the specs.
++ * Calculate an SHA256 hash of all the files used to build the specs.
+ * The hash value is held in rec->digest if SELABEL_OPT_DIGEST set. To
+ * calculate the hash the hashbuf will hold a concatenation of all the files
+ * used. This is released once the value has been calculated.
+ */
+-#define DIGEST_SPECFILE_SIZE SHA1_HASH_SIZE
++#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
+ #define DIGEST_FILES_MAX 8
+ struct selabel_digest {
+- unsigned char *digest; /* SHA1 digest of specfiles */
++ unsigned char *digest; /* SHA256 digest of specfiles */
+ unsigned char *hashbuf; /* buffer to hold specfiles */
+ size_t hashbuf_size; /* buffer size */
+ size_t specfile_cnt; /* how many specfiles processed */
+@@ -110,7 +110,7 @@ struct selabel_handle {
+ */
+ char *spec_file;
+
+- /* ptr to SHA1 hash information if SELABEL_OPT_DIGEST set */
++ /* ptr to SHA256 hash information if SELABEL_OPT_DIGEST set */
+ struct selabel_digest *digest;
+ };
+
+diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
+index 94ed6e4273cb..f53d73b609ab 100644
+--- a/libselinux/src/label_support.c
++++ b/libselinux/src/label_support.c
+@@ -115,15 +115,15 @@ int read_spec_entries(char *line_buf, const char **errbuf, int num_args, ...)
+ /* Once all the specfiles are in the hash_buf, generate the hash. */
+ void digest_gen_hash(struct selabel_digest *digest)
+ {
+- Sha1Context context;
++ Sha256Context context;
+
+ /* If SELABEL_OPT_DIGEST not set then just return */
+ if (!digest)
+ return;
+
+- Sha1Initialise(&context);
+- Sha1Update(&context, digest->hashbuf, digest->hashbuf_size);
+- Sha1Finalise(&context, (SHA1_HASH *)digest->digest);
++ Sha256Initialise(&context);
++ Sha256Update(&context, digest->hashbuf, digest->hashbuf_size);
++ Sha256Finalise(&context, (SHA256_HASH *)digest->digest);
+ free(digest->hashbuf);
+ digest->hashbuf = NULL;
+ return;
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 04d956504952..100c77108a27 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -37,7 +37,7 @@
+ #include "callbacks.h"
+ #include "selinux_internal.h"
+ #include "label_file.h"
+-#include "sha1.h"
++#include "sha256.h"
+
+ #define STAR_COUNT 1024
+
+@@ -293,7 +293,7 @@ static int exclude_non_seclabel_mounts(void)
+ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ bool delete_all)
+ {
+- char *sha1_buf = NULL;
++ char *sha256_buf = NULL;
+ size_t i, digest_len = 0;
+ int rc, digest_result;
+ bool match;
+@@ -316,15 +316,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ }
+
+ /* Convert entry to a hex encoded string. */
+- sha1_buf = malloc(digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = malloc(digest_len * 2 + 1);
++ if (!sha256_buf) {
+ free(xattr_digest);
+ free(calculated_digest);
+ goto oom;
+ }
+
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]), "%02x", xattr_digest[i]);
++ sprintf((&sha256_buf[i * 2]), "%02x", xattr_digest[i]);
+
+ digest_result = match ? MATCH : NOMATCH;
+
+@@ -344,7 +344,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ /* Now add entries to link list. */
+ new_entry = malloc(sizeof(struct dir_xattr));
+ if (!new_entry) {
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+ new_entry->next = NULL;
+@@ -352,15 +352,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ new_entry->directory = strdup(directory);
+ if (!new_entry->directory) {
+ free(new_entry);
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+
+- new_entry->digest = strdup(sha1_buf);
++ new_entry->digest = strdup(sha256_buf);
+ if (!new_entry->digest) {
+ free(new_entry->directory);
+ free(new_entry);
+- free(sha1_buf);
++ free(sha256_buf);
+ goto oom;
+ }
+
+@@ -374,7 +374,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ dir_xattr_last = new_entry;
+ }
+
+- free(sha1_buf);
++ free(sha256_buf);
+ return 0;
+
+ oom:
+@@ -741,7 +741,7 @@ err:
+
+ struct dir_hash_node {
+ char *path;
+- uint8_t digest[SHA1_HASH_SIZE];
++ uint8_t digest[SHA256_HASH_SIZE];
+ struct dir_hash_node *next;
+ };
+ /*
+@@ -1091,7 +1091,7 @@ int selinux_restorecon(const char *pathname_orig,
+ if (setxattr(current->path,
+ RESTORECON_PARTIAL_MATCH_DIGEST,
+ current->digest,
+- SHA1_HASH_SIZE, 0) < 0) {
++ SHA256_HASH_SIZE, 0) < 0) {
+ selinux_log(SELINUX_ERROR,
+ "setxattr failed: %s: %m\n",
+ current->path);
+diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
+deleted file mode 100644
+index a848467785f3..000000000000
+--- a/libselinux/src/sha1.c
++++ /dev/null
+@@ -1,220 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// LibSha1
+-//
+-// Implementation of SHA1 hash function.
+-// Original author: Steve Reid <sreid@sea-to-sky.net>
+-// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-// and Ralph Giles <giles@ghostscript.com>
+-// Modified by WaterJuice retaining Public Domain license.
+-//
+-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-// Modified to:
+-// - stop symbols being exported for libselinux shared library - October 2015
+-// Richard Haines <richard_c_haines@btinternet.com>
+-// - Not cast the workspace from a byte array to a CHAR64LONG16 due to alignment isses.
+-// Fixes:
+-// sha1.c:73:33: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'CHAR64LONG16 *' increases required alignment from 1 to 4 [-Werror,-Wcast-align]
+-// CHAR64LONG16* block = (CHAR64LONG16*) workspace;
+-// William Roberts <william.c.roberts@intel.com>
+-// - Silence clang's -Wextra-semi-stmt warning - July 2021, Nicolas Iooss <nicolas.iooss@m4x.org>
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include "sha1.h"
+-#include <memory.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-typedef union
+-{
+- uint8_t c [64];
+- uint32_t l [16];
+-} CHAR64LONG16;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// INTERNAL FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+-
+-// blk0() and blk() perform the initial expand.
+-#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
+- |(rol(block->l[i],8)&0x00FF00FF))
+-
+-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+- ^block->l[(i+2)&15]^block->l[i&15],1))
+-
+-// (R0+R1), R2, R3, R4 are the different operations used in SHA1
+-#define R0(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R1(v,w,x,y,z,i) do { z += ((w&(x^y))^y) + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
+-#define R2(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
+-#define R3(v,w,x,y,z,i) do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
+-#define R4(v,w,x,y,z,i) do { z += (w^x^y) + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
+-
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TransformFunction
+-//
+-// Hash a single 512-bit block. This is the core of the algorithm
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-static
+-void
+- TransformFunction
+- (
+- uint32_t state[5],
+- const uint8_t buffer[64]
+- )
+-{
+- uint32_t a;
+- uint32_t b;
+- uint32_t c;
+- uint32_t d;
+- uint32_t e;
+- CHAR64LONG16 workspace;
+- CHAR64LONG16* block = &workspace;
+-
+- memcpy(block, buffer, 64);
+-
+- // Copy context->state[] to working vars
+- a = state[0];
+- b = state[1];
+- c = state[2];
+- d = state[3];
+- e = state[4];
+-
+- // 4 rounds of 20 operations each. Loop unrolled.
+- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+-
+- // Add the working vars back into context.state[]
+- state[0] += a;
+- state[1] += b;
+- state[2] += c;
+- state[3] += d;
+- state[4] += e;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Initialise
+-//
+-// Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Initialise
+- (
+- Sha1Context* Context
+- )
+-{
+- // SHA1 initialization constants
+- Context->State[0] = 0x67452301;
+- Context->State[1] = 0xEFCDAB89;
+- Context->State[2] = 0x98BADCFE;
+- Context->State[3] = 0x10325476;
+- Context->State[4] = 0xC3D2E1F0;
+- Context->Count[0] = 0;
+- Context->Count[1] = 0;
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Update
+-//
+-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Update
+- (
+- Sha1Context* Context,
+- const void* Buffer,
+- uint32_t BufferSize
+- )
+-{
+- uint32_t i;
+- uint32_t j;
+-
+- j = (Context->Count[0] >> 3) & 63;
+- if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
+- {
+- Context->Count[1]++;
+- }
+-
+- Context->Count[1] += (BufferSize >> 29);
+- if ((j + BufferSize) > 63)
+- {
+- i = 64 - j;
+- memcpy(&Context->Buffer[j], Buffer, i);
+- TransformFunction(Context->State, Context->Buffer);
+- for (; i + 63 < BufferSize; i += 64)
+- {
+- TransformFunction(Context->State, (const uint8_t*)Buffer + i);
+- }
+- j = 0;
+- }
+- else
+- {
+- i = 0;
+- }
+-
+- memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+-}
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Finalise
+-//
+-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-// calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Finalise
+- (
+- Sha1Context* Context,
+- SHA1_HASH* Digest
+- )
+-{
+- uint32_t i;
+- uint8_t finalcount[8];
+-
+- for (i = 0; i < 8; i++)
+- {
+- finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
+- >> ((3-(i & 3)) * 8) ) & 255); // Endian independent
+- }
+- Sha1Update(Context, (const uint8_t*)"\x80", 1);
+- while ((Context->Count[0] & 504) != 448)
+- {
+- Sha1Update(Context, (const uint8_t*)"\0", 1);
+- }
+-
+- Sha1Update(Context, finalcount, 8); // Should cause a Sha1TransformFunction()
+- for (i = 0; i < SHA1_HASH_SIZE; i++)
+- {
+- Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+- }
+-}
+diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
+deleted file mode 100644
+index f83a6e7ed7ba..000000000000
+--- a/libselinux/src/sha1.h
++++ /dev/null
+@@ -1,85 +0,0 @@
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// LibSha1
+-//
+-// Implementation of SHA1 hash function.
+-// Original author: Steve Reid <sreid@sea-to-sky.net>
+-// Contributions by: James H. Brown <jbrown@burgoyne.com>, Saul Kravitz <Saul.Kravitz@celera.com>,
+-// and Ralph Giles <giles@ghostscript.com>
+-// Modified by WaterJuice retaining Public Domain license.
+-//
+-// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#ifndef _sha1_h_
+-#define _sha1_h_
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// IMPORTS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-#include <stdint.h>
+-#include <stdio.h>
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// TYPES
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
+-typedef struct
+-{
+- uint32_t State[5];
+- uint32_t Count[2];
+- uint8_t Buffer[64];
+-} Sha1Context;
+-
+-#define SHA1_HASH_SIZE ( 160 / 8 )
+-
+-typedef struct
+-{
+- uint8_t bytes [SHA1_HASH_SIZE];
+-} SHA1_HASH;
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// PUBLIC FUNCTIONS
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Initialise
+-//
+-// Initialises an SHA1 Context. Use this to initialise/reset a context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Initialise
+- (
+- Sha1Context* Context
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Update
+-//
+-// Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
+-// calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Update
+- (
+- Sha1Context* Context,
+- const void* Buffer,
+- uint32_t BufferSize
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-// Sha1Finalise
+-//
+-// Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
+-// calling this, Sha1Initialised must be used to reuse the context.
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-void
+- Sha1Finalise
+- (
+- Sha1Context* Context,
+- SHA1_HASH* Digest
+- );
+-
+-///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
+-#endif //_sha1_h_
+diff --git a/libselinux/src/sha256.c b/libselinux/src/sha256.c
+new file mode 100644
+index 000000000000..fe2aeef07f53
+--- /dev/null
++++ b/libselinux/src/sha256.c
+@@ -0,0 +1,294 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include "sha256.h"
++#include <memory.h>
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// MACROS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#define ror(value, bits) (((value) >> (bits)) | ((value) << (32 - (bits))))
++
++#define MIN(x, y) ( ((x)<(y))?(x):(y) )
++
++#define STORE32H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>24)&255); (y)[1] = (uint8_t)(((x)>>16)&255); \
++ (y)[2] = (uint8_t)(((x)>>8)&255); (y)[3] = (uint8_t)((x)&255); }
++
++#define LOAD32H(x, y) \
++ { x = ((uint32_t)((y)[0] & 255)<<24) | \
++ ((uint32_t)((y)[1] & 255)<<16) | \
++ ((uint32_t)((y)[2] & 255)<<8) | \
++ ((uint32_t)((y)[3] & 255)); }
++
++#define STORE64H(x, y) \
++ { (y)[0] = (uint8_t)(((x)>>56)&255); (y)[1] = (uint8_t)(((x)>>48)&255); \
++ (y)[2] = (uint8_t)(((x)>>40)&255); (y)[3] = (uint8_t)(((x)>>32)&255); \
++ (y)[4] = (uint8_t)(((x)>>24)&255); (y)[5] = (uint8_t)(((x)>>16)&255); \
++ (y)[6] = (uint8_t)(((x)>>8)&255); (y)[7] = (uint8_t)((x)&255); }
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// CONSTANTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// The K array
++static const uint32_t K[64] = {
++ 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL,
++ 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL,
++ 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL,
++ 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
++ 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL,
++ 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL,
++ 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL,
++ 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
++ 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL,
++ 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL,
++ 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL,
++ 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
++ 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
++};
++
++#define BLOCK_SIZE 64
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// INTERNAL FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++// Various logical functions
++#define Ch( x, y, z ) (z ^ (x & (y ^ z)))
++#define Maj( x, y, z ) (((x | y) & z) | (x & y))
++#define S( x, n ) ror((x),(n))
++#define R( x, n ) (((x)&0xFFFFFFFFUL)>>(n))
++#define Sigma0( x ) (S(x, 2) ^ S(x, 13) ^ S(x, 22))
++#define Sigma1( x ) (S(x, 6) ^ S(x, 11) ^ S(x, 25))
++#define Gamma0( x ) (S(x, 7) ^ S(x, 18) ^ R(x, 3))
++#define Gamma1( x ) (S(x, 17) ^ S(x, 19) ^ R(x, 10))
++
++#define Sha256Round( a, b, c, d, e, f, g, h, i ) \
++ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
++ t1 = Sigma0(a) + Maj(a, b, c); \
++ d += t0; \
++ h = t0 + t1;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// TransformFunction
++//
++// Compress 512-bits
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++static
++void
++ TransformFunction
++ (
++ Sha256Context* Context,
++ uint8_t const* Buffer
++ )
++{
++ uint32_t S[8];
++ uint32_t W[64];
++ uint32_t t0;
++ uint32_t t1;
++ uint32_t t;
++ int i;
++
++ // Copy state into S
++ for( i=0; i<8; i++ )
++ {
++ S[i] = Context->state[i];
++ }
++
++ // Copy the state into 512-bits into W[0..15]
++ for( i=0; i<16; i++ )
++ {
++ LOAD32H( W[i], Buffer + (4*i) );
++ }
++
++ // Fill W[16..63]
++ for( i=16; i<64; i++ )
++ {
++ W[i] = Gamma1( W[i-2]) + W[i-7] + Gamma0( W[i-15] ) + W[i-16];
++ }
++
++ // Compress
++ for( i=0; i<64; i++ )
++ {
++ Sha256Round( S[0], S[1], S[2], S[3], S[4], S[5], S[6], S[7], i );
++ t = S[7];
++ S[7] = S[6];
++ S[6] = S[5];
++ S[5] = S[4];
++ S[4] = S[3];
++ S[3] = S[2];
++ S[2] = S[1];
++ S[1] = S[0];
++ S[0] = t;
++ }
++
++ // Feedback
++ for( i=0; i<8; i++ )
++ {
++ Context->state[i] = Context->state[i] + S[i];
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ )
++{
++ Context->curlen = 0;
++ Context->length = 0;
++ Context->state[0] = 0x6A09E667UL;
++ Context->state[1] = 0xBB67AE85UL;
++ Context->state[2] = 0x3C6EF372UL;
++ Context->state[3] = 0xA54FF53AUL;
++ Context->state[4] = 0x510E527FUL;
++ Context->state[5] = 0x9B05688CUL;
++ Context->state[6] = 0x1F83D9ABUL;
++ Context->state[7] = 0x5BE0CD19UL;
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ )
++{
++ uint32_t n;
++
++ if( Context->curlen > sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ while( BufferSize > 0 )
++ {
++ if( Context->curlen == 0 && BufferSize >= BLOCK_SIZE )
++ {
++ TransformFunction( Context, (uint8_t*)Buffer );
++ Context->length += BLOCK_SIZE * 8;
++ Buffer = (uint8_t*)Buffer + BLOCK_SIZE;
++ BufferSize -= BLOCK_SIZE;
++ }
++ else
++ {
++ n = MIN( BufferSize, (BLOCK_SIZE - Context->curlen) );
++ memcpy( Context->buf + Context->curlen, Buffer, (size_t)n );
++ Context->curlen += n;
++ Buffer = (uint8_t*)Buffer + n;
++ BufferSize -= n;
++ if( Context->curlen == BLOCK_SIZE )
++ {
++ TransformFunction( Context, Context->buf );
++ Context->length += 8*BLOCK_SIZE;
++ Context->curlen = 0;
++ }
++ }
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ )
++{
++ int i;
++
++ if( Context->curlen >= sizeof(Context->buf) )
++ {
++ return;
++ }
++
++ // Increase the length of the message
++ Context->length += Context->curlen * 8;
++
++ // Append the '1' bit
++ Context->buf[Context->curlen++] = (uint8_t)0x80;
++
++ // if the length is currently above 56 bytes we append zeros
++ // then compress. Then we can fall back to padding zeros and length
++ // encoding like normal.
++ if( Context->curlen > 56 )
++ {
++ while( Context->curlen < 64 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++ TransformFunction(Context, Context->buf);
++ Context->curlen = 0;
++ }
++
++ // Pad up to 56 bytes of zeroes
++ while( Context->curlen < 56 )
++ {
++ Context->buf[Context->curlen++] = (uint8_t)0;
++ }
++
++ // Store length
++ STORE64H( Context->length, Context->buf+56 );
++ TransformFunction( Context, Context->buf );
++
++ // Copy output
++ for( i=0; i<8; i++ )
++ {
++ STORE32H( Context->state[i], Digest->bytes+(4*i) );
++ }
++}
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Calculate
++ (
++ void const* Buffer, // [in]
++ uint32_t BufferSize, // [in]
++ SHA256_HASH* Digest // [in]
++ )
++{
++ Sha256Context context;
++
++ Sha256Initialise( &context );
++ Sha256Update( &context, Buffer, BufferSize );
++ Sha256Finalise( &context, Digest );
++}
+diff --git a/libselinux/src/sha256.h b/libselinux/src/sha256.h
+new file mode 100644
+index 000000000000..406ed869cd82
+--- /dev/null
++++ b/libselinux/src/sha256.h
+@@ -0,0 +1,89 @@
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// WjCryptLib_Sha256
++//
++// Implementation of SHA256 hash function.
++// Original author: Tom St Denis, tomstdenis@gmail.com, http://libtom.org
++// Modified by WaterJuice retaining Public Domain license.
++//
++// This is free and unencumbered software released into the public domain - June 2013 waterjuice.org
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#pragma once
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// IMPORTS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++#include <stdint.h>
++#include <stdio.h>
++
++typedef struct
++{
++ uint64_t length;
++ uint32_t state[8];
++ uint32_t curlen;
++ uint8_t buf[64];
++} Sha256Context;
++
++#define SHA256_HASH_SIZE ( 256 / 8 )
++
++typedef struct
++{
++ uint8_t bytes [SHA256_HASH_SIZE];
++} SHA256_HASH;
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// PUBLIC FUNCTIONS
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Initialise
++//
++// Initialises a SHA256 Context. Use this to initialise/reset a context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Initialise
++ (
++ Sha256Context* Context // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Update
++//
++// Adds data to the SHA256 context. This will process the data and update the internal state of the context. Keep on
++// calling this function until all the data has been added. Then call Sha256Finalise to calculate the hash.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Update
++ (
++ Sha256Context* Context, // [in out]
++ void const* Buffer, // [in]
++ uint32_t BufferSize // [in]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Finalise
++//
++// Performs the final calculation of the hash and returns the digest (32 byte buffer containing 256bit hash). After
++// calling this, Sha256Initialised must be used to reuse the context.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Finalise
++ (
++ Sha256Context* Context, // [in out]
++ SHA256_HASH* Digest // [out]
++ );
++
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++// Sha256Calculate
++//
++// Combines Sha256Initialise, Sha256Update, and Sha256Finalise into one function. Calculates the SHA256 hash of the
++// buffer.
++////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
++void
++ Sha256Calculate
++ (
++ void const* Buffer, // [in]
++ uint32_t BufferSize, // [in]
++ SHA256_HASH* Digest // [in]
++ );
+diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
+index 49408a0ba8d8..67befadd23c5 100644
+--- a/libselinux/utils/selabel_digest.c
++++ b/libselinux/utils/selabel_digest.c
+@@ -15,8 +15,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ "Where:\n\t"
+ "-b The backend - \"file\", \"media\", \"x\", \"db\" or "
+ "\"prop\"\n\t"
+- "-v Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
+- " on the list of specfiles to compare the SHA1 digests.\n\t"
++ "-v Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
++ " on the list of specfiles to compare the SHA256 digests.\n\t"
+ "-B Use base specfiles only (valid for \"-b file\" only).\n\t"
+ "-i Do not request a digest.\n\t"
+ "-f Optional file containing the specs (defaults to\n\t"
+@@ -62,12 +62,12 @@ int main(int argc, char **argv)
+ int backend = 0, rc, opt, validate = 0;
+ char *baseonly = NULL, *file = NULL, *digest = (char *)1;
+ char **specfiles = NULL;
+- unsigned char *sha1_digest = NULL;
++ unsigned char *sha256_digest = NULL;
+ size_t i, num_specfiles;
+
+ char cmd_buf[4096];
+ char *cmd_ptr;
+- char *sha1_buf;
++ char *sha256_buf;
+
+ struct selabel_handle *hnd;
+ struct selinux_opt selabel_option[] = {
+@@ -137,7 +137,7 @@ int main(int argc, char **argv)
+ return -1;
+ }
+
+- rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
++ rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
+ &num_specfiles);
+
+ if (rc) {
+@@ -152,19 +152,19 @@ int main(int argc, char **argv)
+ goto err;
+ }
+
+- sha1_buf = malloc(digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = malloc(digest_len * 2 + 1);
++ if (!sha256_buf) {
+ fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
+ strerror(errno));
+ rc = -1;
+ goto err;
+ }
+
+- printf("SHA1 digest: ");
++ printf("SHA256 digest: ");
+ for (i = 0; i < digest_len; i++)
+- sprintf(&(sha1_buf[i * 2]), "%02x", sha1_digest[i]);
++ sprintf(&(sha256_buf[i * 2]), "%02x", sha256_digest[i]);
+
+- printf("%s\n", sha1_buf);
++ printf("%s\n", sha256_buf);
+ printf("calculated using the following specfile(s):\n");
+
+ if (specfiles) {
+@@ -177,13 +177,13 @@ int main(int argc, char **argv)
+ cmd_ptr += strlen(specfiles[i]) + 1;
+ printf("%s\n", specfiles[i]);
+ }
+- sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha1 -hex");
++ sprintf(cmd_ptr, "| /usr/bin/openssl dgst -sha256 -hex");
+
+ if (validate)
+- rc = run_check_digest(cmd_buf, sha1_buf);
++ rc = run_check_digest(cmd_buf, sha256_buf);
+ }
+
+- free(sha1_buf);
++ free(sha256_buf);
+ err:
+ selabel_close(hnd);
+ return rc;
+diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+index e28833d2ce97..900f018c0091 100644
+--- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
++++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
+@@ -18,8 +18,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ "-v Validate file_contxts entries against loaded policy.\n\t"
+ "-r Recursively descend directories.\n\t"
+ "-f Optional file_contexts file (defaults to current policy).\n\t"
+- "path Path to check current SHA1 digest against file_contexts entries.\n\n"
+- "This will check the directory selinux.sehash SHA1 digest for "
++ "path Path to check current SHA256 digest against file_contexts entries.\n\n"
++ "This will check the directory selinux.sehash SHA256 digest for "
+ "<path> against\na newly generated digest based on the "
+ "file_context entries for that node\n(using the regx, mode "
+ "and path entries).\n", progname);
+@@ -37,7 +37,7 @@ int main(int argc, char **argv)
+ char *paths[2] = { NULL, NULL };
+ uint8_t *xattr_digest = NULL;
+ uint8_t *calculated_digest = NULL;
+- char *sha1_buf = NULL;
++ char *sha256_buf = NULL;
+
+ struct selabel_handle *hnd;
+ struct selinux_opt selabel_option[] = {
+@@ -105,27 +105,27 @@ int main(int argc, char **argv)
+ &xattr_digest,
+ &digest_len);
+
+- sha1_buf = calloc(1, digest_len * 2 + 1);
+- if (!sha1_buf) {
++ sha256_buf = calloc(1, digest_len * 2 + 1);
++ if (!sha256_buf) {
+ fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
+ strerror(errno));
+ return -1;
+ }
+
+ if (status) { /* They match */
+- printf("xattr and file_contexts SHA1 digests match for: %s\n",
++ printf("xattr and file_contexts SHA256 digests match for: %s\n",
+ ftsent->fts_path);
+
+ if (calculated_digest) {
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]),
++ sprintf((&sha256_buf[i * 2]),
+ "%02x",
+ calculated_digest[i]);
+- printf("SHA1 digest: %s\n", sha1_buf);
++ printf("SHA256 digest: %s\n", sha256_buf);
+ }
+ } else {
+ if (!calculated_digest) {
+- printf("No SHA1 digest available for: %s\n",
++ printf("No SHA256 digest available for: %s\n",
+ ftsent->fts_path);
+ printf("as file_context entry is \"<<none>>\"\n");
+ goto cleanup;
+@@ -135,25 +135,25 @@ int main(int argc, char **argv)
+ ftsent->fts_path);
+
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]), "%02x",
++ sprintf((&sha256_buf[i * 2]), "%02x",
+ calculated_digest[i]);
+- printf("generated SHA1 digest: %s\n", sha1_buf);
++ printf("generated SHA256 digest: %s\n", sha256_buf);
+
+ if (!xattr_digest) {
+ printf("however there is no selinux.sehash xattr entry.\n");
+ } else {
+ printf("however it does NOT match the current entry of:\n");
+ for (i = 0; i < digest_len; i++)
+- sprintf((&sha1_buf[i * 2]),
++ sprintf((&sha256_buf[i * 2]),
+ "%02x",
+ xattr_digest[i]);
+- printf("%s\n", sha1_buf);
++ printf("%s\n", sha256_buf);
+ }
+ }
+ cleanup:
+ free(xattr_digest);
+ free(calculated_digest);
+- free(sha1_buf);
++ free(sha256_buf);
+ break;
+ }
+ default:
+--
+2.32.0
+
diff --git a/SOURCES/0002-label_file-fix-a-data-race.patch b/SOURCES/0002-label_file-fix-a-data-race.patch
new file mode 100644
index 0000000..0554c37
--- /dev/null
+++ b/SOURCES/0002-label_file-fix-a-data-race.patch
@@ -0,0 +1,73 @@
+From 5844f389429f26a0a62a65561fa3006feaaf6f3b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:32 +0200
+Subject: [PATCH] label_file: fix a data race
+
+The 'matches' member of 'struct spec' may be written to by different
+threads, so it needs to be accessed using the proper atomic constructs.
+Since the actual count of matches doesn't matter and is not used,
+convert this field to a bool and just atomically set/read it using GCC
+__atomic builtins (which are already being used in another place).
+
+If the compiler lacks support for __atomic builtins (which seem to have
+been introduced in GCC 4.1), just fail the compilation. I don't think
+it's worth tryin to invent a workaround to support a 15 years old
+compiler.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/label_file.c | 15 +++++++++++++--
+ libselinux/src/label_file.h | 2 +-
+ 2 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index c1306c9979e7..33d395e414f0 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -951,7 +951,12 @@ static struct spec **lookup_all(struct selabel_handle *rec,
+ rc = regex_match(spec->regex, key, partial);
+ if (rc == REGEX_MATCH || (partial && rc == REGEX_MATCH_PARTIAL)) {
+ if (rc == REGEX_MATCH) {
+- spec->matches++;
++#ifdef __ATOMIC_RELAXED
++ __atomic_store_n(&spec->any_matches,
++ true, __ATOMIC_RELAXED);
++#else
++#error "Please use a compiler that supports __atomic builtins"
++#endif
+ }
+
+ if (strcmp(spec_arr[i].lr.ctx_raw, "<<none>>") == 0) {
+@@ -1249,9 +1254,15 @@ static void stats(struct selabel_handle *rec)
+ struct saved_data *data = (struct saved_data *)rec->data;
+ unsigned int i, nspec = data->nspec;
+ struct spec *spec_arr = data->spec_arr;
++ bool any_matches;
+
+ for (i = 0; i < nspec; i++) {
+- if (spec_arr[i].matches == 0) {
++#ifdef __ATOMIC_RELAXED
++ any_matches = __atomic_load_n(&spec_arr[i].any_matches, __ATOMIC_RELAXED);
++#else
++#error "Please use a compiler that supports __atomic builtins"
++#endif
++ if (!any_matches) {
+ if (spec_arr[i].type_str) {
+ COMPAT_LOG(SELINUX_WARNING,
+ "Warning! No matches for (%s, %s, %s)\n",
+diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
+index 343ffc705e43..b453e13f8075 100644
+--- a/libselinux/src/label_file.h
++++ b/libselinux/src/label_file.h
+@@ -51,7 +51,7 @@ struct spec {
+ bool regex_compiled; /* bool to indicate if the regex is compiled */
+ pthread_mutex_t regex_lock; /* lock for lazy compilation of regex */
+ mode_t mode; /* mode format value */
+- int matches; /* number of matching pathnames */
++ bool any_matches; /* did any pathname match? */
+ int stem_id; /* indicates which stem-compression item */
+ char hasMetaChars; /* regular expression has meta-chars */
+ char from_mmap; /* this spec is from an mmap of the data */
+--
+2.33.1
+
diff --git a/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch b/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
new file mode 100644
index 0000000..01c6d25
--- /dev/null
+++ b/SOURCES/0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
@@ -0,0 +1,30 @@
+From 5dd3a11842c08a25a0f7ab798ce85710fe1e8f1f Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:33 +0200
+Subject: [PATCH] selinux_restorecon: simplify fl_head allocation by using
+ calloc()
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 100c77108a27..e29a2c390182 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -425,10 +425,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ struct stat64 sb;
+
+ if (!fl_head) {
+- fl_head = malloc(sizeof(file_spec_t) * HASH_BUCKETS);
++ fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
+ if (!fl_head)
+ goto oom;
+- memset(fl_head, 0, sizeof(file_spec_t) * HASH_BUCKETS);
+ }
+
+ h = (ino + (ino >> HASH_BITS)) & HASH_MASK;
+--
+2.33.1
+
diff --git a/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch b/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
new file mode 100644
index 0000000..1143f33
--- /dev/null
+++ b/SOURCES/0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
@@ -0,0 +1,81 @@
+From 4598a46c5ed12248a3a6e1dbe1b5a3dca52bacac Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:34 +0200
+Subject: [PATCH] selinux_restorecon: protect file_spec list with a mutex
+
+Not very useful on its own, but will allow to implement a parallel
+version of selinux_restorecon() in subsequent patches.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index e29a2c390182..43acbace309d 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -411,6 +411,7 @@ typedef struct file_spec {
+ } file_spec_t;
+
+ static file_spec_t *fl_head;
++static pthread_mutex_t fl_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+ /*
+ * Try to add an association between an inode and a context. If there is a
+@@ -424,6 +425,8 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ int h, ret;
+ struct stat64 sb;
+
++ __pthread_mutex_lock(&fl_mutex);
++
+ if (!fl_head) {
+ fl_head = calloc(HASH_BUCKETS, sizeof(file_spec_t));
+ if (!fl_head)
+@@ -444,11 +447,11 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ fl->con = strdup(con);
+ if (!fl->con)
+ goto oom;
+- return 1;
++ goto unlock_1;
+ }
+
+ if (strcmp(fl->con, con) == 0)
+- return 1;
++ goto unlock_1;
+
+ selinux_log(SELINUX_ERROR,
+ "conflicting specifications for %s and %s, using %s.\n",
+@@ -457,6 +460,9 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ fl->file = strdup(file);
+ if (!fl->file)
+ goto oom;
++
++ __pthread_mutex_unlock(&fl_mutex);
++
+ if (flags->conflicterror) {
+ selinux_log(SELINUX_ERROR,
+ "treating conflicting specifications as an error.\n");
+@@ -481,13 +487,19 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ goto oom_freefl;
+ fl->next = prevfl->next;
+ prevfl->next = fl;
++
++ __pthread_mutex_unlock(&fl_mutex);
+ return 0;
+
+ oom_freefl:
+ free(fl);
+ oom:
++ __pthread_mutex_unlock(&fl_mutex);
+ selinux_log(SELINUX_ERROR, "%s: Out of memory\n", __func__);
+ return -1;
++unlock_1:
++ __pthread_mutex_unlock(&fl_mutex);
++ return 1;
+ }
+
+ /*
+--
+2.33.1
+
diff --git a/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch b/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch
new file mode 100644
index 0000000..078d5b4
--- /dev/null
+++ b/SOURCES/0005-libselinux-make-selinux_log-thread-safe.patch
@@ -0,0 +1,88 @@
+From c2e4cf5b21e8c775c669f3933d25a0946774ec0d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:35 +0200
+Subject: [PATCH] libselinux: make selinux_log() thread-safe
+
+Ensure that selinux_log() is thread-safe by guarding the call to the
+underlying callback with a mutex.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/callbacks.c | 8 +++++---
+ libselinux/src/callbacks.h | 13 ++++++++++++-
+ 2 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
+index c18ccc54754a..469c4055f4d7 100644
+--- a/libselinux/src/callbacks.c
++++ b/libselinux/src/callbacks.c
+@@ -10,6 +10,8 @@
+ #include <selinux/selinux.h>
+ #include "callbacks.h"
+
++pthread_mutex_t log_mutex = PTHREAD_MUTEX_INITIALIZER;
++
+ /* default implementations */
+ static int __attribute__ ((format(printf, 2, 3)))
+ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
+@@ -56,7 +58,7 @@ default_selinux_policyload(int seqno __attribute__((unused)))
+
+ /* callback pointers */
+ int __attribute__ ((format(printf, 2, 3)))
+-(*selinux_log)(int, const char *, ...) =
++(*selinux_log_direct)(int, const char *, ...) =
+ default_selinux_log;
+
+ int
+@@ -81,7 +83,7 @@ selinux_set_callback(int type, union selinux_callback cb)
+ {
+ switch (type) {
+ case SELINUX_CB_LOG:
+- selinux_log = cb.func_log;
++ selinux_log_direct = cb.func_log;
+ break;
+ case SELINUX_CB_AUDIT:
+ selinux_audit = cb.func_audit;
+@@ -106,7 +108,7 @@ selinux_get_callback(int type)
+
+ switch (type) {
+ case SELINUX_CB_LOG:
+- cb.func_log = selinux_log;
++ cb.func_log = selinux_log_direct;
+ break;
+ case SELINUX_CB_AUDIT:
+ cb.func_audit = selinux_audit;
+diff --git a/libselinux/src/callbacks.h b/libselinux/src/callbacks.h
+index 03d87f0cbdfe..f4dab15789f9 100644
+--- a/libselinux/src/callbacks.h
++++ b/libselinux/src/callbacks.h
+@@ -10,9 +10,11 @@
+ #include <string.h>
+ #include <selinux/selinux.h>
+
++#include "selinux_internal.h"
++
+ /* callback pointers */
+ extern int __attribute__ ((format(printf, 2, 3)))
+-(*selinux_log) (int type, const char *, ...) ;
++(*selinux_log_direct) (int type, const char *, ...) ;
+
+ extern int
+ (*selinux_audit) (void *, security_class_t, char *, size_t) ;
+@@ -26,4 +28,13 @@ extern int
+ extern int
+ (*selinux_netlink_policyload) (int seqno) ;
+
++/* Thread-safe selinux_log() function */
++extern pthread_mutex_t log_mutex;
++
++#define selinux_log(type, ...) do { \
++ __pthread_mutex_lock(&log_mutex); \
++ selinux_log_direct(type, __VA_ARGS__); \
++ __pthread_mutex_unlock(&log_mutex); \
++} while(0)
++
+ #endif /* _SELINUX_CALLBACKS_H_ */
+--
+2.33.1
+
diff --git a/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch b/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch
new file mode 100644
index 0000000..3dc8213
--- /dev/null
+++ b/SOURCES/0006-libselinux-make-is_context_customizable-thread-safe.patch
@@ -0,0 +1,81 @@
+From 9a8db9356c07d16a9337df416a3261c0527afeb7 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:36 +0200
+Subject: [PATCH] libselinux: make is_context_customizable() thread-safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use the __selinux_once() macro to ensure that threads don't race to
+initialize the list of customizable types.
+
+Reported-by: Christian Göttsche <cgzones@googlemail.com>
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+Tested-by: Christian Göttsche <cgzones@googlemail.com>
+---
+ libselinux/src/is_customizable_type.c | 23 +++++++++++------------
+ 1 file changed, 11 insertions(+), 12 deletions(-)
+
+diff --git a/libselinux/src/is_customizable_type.c b/libselinux/src/is_customizable_type.c
+index 1b17860c3622..f83e1e83e944 100644
+--- a/libselinux/src/is_customizable_type.c
++++ b/libselinux/src/is_customizable_type.c
+@@ -9,7 +9,10 @@
+ #include "selinux_internal.h"
+ #include "context_internal.h"
+
+-static int get_customizable_type_list(char *** retlist)
++static char **customizable_list = NULL;
++static pthread_once_t customizable_once = PTHREAD_ONCE_INIT;
++
++static void customizable_init(void)
+ {
+ FILE *fp;
+ char *buf;
+@@ -18,12 +21,12 @@ static int get_customizable_type_list(char *** retlist)
+
+ fp = fopen(selinux_customizable_types_path(), "re");
+ if (!fp)
+- return -1;
++ return;
+
+ buf = malloc(selinux_page_size);
+ if (!buf) {
+ fclose(fp);
+- return -1;
++ return;
+ }
+ while (fgets_unlocked(buf, selinux_page_size, fp) && ctr < UINT_MAX) {
+ ctr++;
+@@ -54,23 +57,19 @@ static int get_customizable_type_list(char *** retlist)
+ fclose(fp);
+ free(buf);
+ if (!list)
+- return -1;
+- *retlist = list;
+- return 0;
++ return;
++ customizable_list = list;
+ }
+
+-static char **customizable_list = NULL;
+-
+ int is_context_customizable(const char * scontext)
+ {
+ int i;
+ const char *type;
+ context_t c;
+
+- if (!customizable_list) {
+- if (get_customizable_type_list(&customizable_list) != 0)
+- return -1;
+- }
++ __selinux_once(customizable_once, customizable_init);
++ if (!customizable_list)
++ return -1;
+
+ c = context_new(scontext);
+ if (!c)
+--
+2.33.1
+
diff --git a/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch b/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
new file mode 100644
index 0000000..a5affd5
--- /dev/null
+++ b/SOURCES/0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
@@ -0,0 +1,45 @@
+From 73310c9694724b3ef54bbf3a3193dbb0a68ecc3b Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:37 +0200
+Subject: [PATCH] selinux_restorecon: add a global mutex to synchronize
+ progress output
+
+Another small incremental change to pave the way for a parallel
+selinux_restorecon() function.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/src/selinux_restorecon.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 43acbace309d..169dfe3ae232 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -60,6 +60,7 @@ static int exclude_count = 0;
+ static struct edir *exclude_lst = NULL;
+ static uint64_t fc_count = 0; /* Number of files processed so far */
+ static uint64_t efile_count; /* Estimated total number of files */
++static pthread_mutex_t progress_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+ /* Store information on directories with xattr's. */
+ static struct dir_xattr *dir_xattr_list;
+@@ -647,6 +648,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ }
+
+ if (flags->progress) {
++ __pthread_mutex_lock(&progress_mutex);
+ fc_count++;
+ if (fc_count % STAR_COUNT == 0) {
+ if (flags->mass_relabel && efile_count > 0) {
+@@ -658,6 +660,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ }
+ fflush(stdout);
+ }
++ __pthread_mutex_unlock(&progress_mutex);
+ }
+
+ if (flags->add_assoc) {
+--
+2.33.1
+
diff --git a/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch b/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
new file mode 100644
index 0000000..a16023e
--- /dev/null
+++ b/SOURCES/0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
@@ -0,0 +1,800 @@
+From 847282ce385a4fc03092eb10422b1878590e9bdd Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Tue, 26 Oct 2021 13:52:38 +0200
+Subject: [PATCH] selinux_restorecon: introduce selinux_restorecon_parallel(3)
+
+Refactor selinux_restorecon(3) to allow for distributing the relabeling
+to multiple threads and add a new function
+selinux_restorecon_parallel(3), which allows specifying the number of
+threads to use. The existing selinux_restorecon(3) function maintains
+the same interface and maintains the same behavior (i.e. relabeling is
+done on a single thread).
+
+The parallel implementation takes a simple approach of performing all
+the directory tree traversal in a critical section and only letting the
+relabeling of individual objects run in parallel. Thankfully, this
+approach turns out to be efficient enough in practice, as shown by
+restorecon benchmarks (detailed in a subsequent patch that switches
+setfiles & restorecon to use selinux_restorecon_parallel(3)).
+
+Note that to be able to use the parallelism, the calling application/
+library must be explicitly linked to the libpthread library (statically
+or dynamically). This is necessary to mantain the requirement that
+libselinux shouldn't explicitly link with libpthread. (I don't know what
+exactly was the reason behind this requirement as the commit logs are
+fuzzy, but special care has been taken in the past to maintain it, so I
+didn't want to break it...)
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/include/selinux/restorecon.h | 14 +
+ libselinux/man/man3/selinux_restorecon.3 | 29 ++
+ .../man/man3/selinux_restorecon_parallel.3 | 1 +
+ libselinux/src/libselinux.map | 5 +
+ libselinux/src/selinux_internal.h | 16 +
+ libselinux/src/selinux_restorecon.c | 436 ++++++++++++------
+ libselinux/src/selinuxswig_python.i | 6 +-
+ libselinux/src/selinuxswig_python_exception.i | 8 +
+ 8 files changed, 368 insertions(+), 147 deletions(-)
+ create mode 100644 libselinux/man/man3/selinux_restorecon_parallel.3
+
+diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
+index ca8ce768587a..8f9a030cda98 100644
+--- a/libselinux/include/selinux/restorecon.h
++++ b/libselinux/include/selinux/restorecon.h
+@@ -2,6 +2,7 @@
+ #define _RESTORECON_H_
+
+ #include <sys/types.h>
++#include <stddef.h>
+ #include <stdarg.h>
+
+ #ifdef __cplusplus
+@@ -23,6 +24,19 @@ extern "C" {
+ */
+ extern int selinux_restorecon(const char *pathname,
+ unsigned int restorecon_flags);
++/**
++ * selinux_restorecon_parallel - Relabel files, optionally use more threads.
++ * @pathname: specifies file/directory to relabel.
++ * @restorecon_flags: specifies the actions to be performed when relabeling.
++ * @nthreads: specifies the number of threads to use (0 = use number of CPUs
++ * currently online)
++ *
++ * Same as selinux_restorecon(3), but allows to use multiple threads to do
++ * the work.
++ */
++extern int selinux_restorecon_parallel(const char *pathname,
++ unsigned int restorecon_flags,
++ size_t nthreads);
+ /*
+ * restorecon_flags options
+ */
+diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
+index c4576fe79ff6..500845917fb8 100644
+--- a/libselinux/man/man3/selinux_restorecon.3
++++ b/libselinux/man/man3/selinux_restorecon.3
+@@ -11,6 +11,14 @@ selinux_restorecon \- restore file(s) default SELinux security contexts
+ .br
+ .BI "unsigned int " restorecon_flags ");"
+ .in
++.sp
++.BI "int selinux_restorecon_parallel(const char *" pathname ,
++.in +\w'int selinux_restorecon_parallel('u
++.br
++.BI "unsigned int " restorecon_flags ","
++.br
++.BI "size_t " nthreads ");"
++.in
+ .
+ .SH "DESCRIPTION"
+ .BR selinux_restorecon ()
+@@ -187,6 +195,27 @@ unless the
+ .B SELINUX_RESTORECON_IGNORE_MOUNTS
+ flag has been set.
+ .RE
++.sp
++.BR selinux_restorecon_parallel()
++is similar to
++.BR selinux_restorecon (3),
++but accepts another parameter that allows to run relabeling over multiple
++threads:
++.sp
++.RS
++.IR nthreads
++specifies the number of threads to use during relabeling. When set to 1,
++the behavior is the same as calling
++.BR selinux_restorecon (3).
++When set to 0, the function will try to use as many threads as there are
++online CPU cores. When set to any other number, the function will try to use
++the given number of threads.
++.sp
++Note that to use the parallel relabeling capability, the calling process
++must be linked with the
++.B libpthread
++library (either at compile time or dynamically at run time). Otherwise the
++function will print a warning and fall back to the single threaded mode.
+ .
+ .SH "RETURN VALUE"
+ On success, zero is returned. On error, \-1 is returned and
+diff --git a/libselinux/man/man3/selinux_restorecon_parallel.3 b/libselinux/man/man3/selinux_restorecon_parallel.3
+new file mode 100644
+index 000000000000..092d8412cc93
+--- /dev/null
++++ b/libselinux/man/man3/selinux_restorecon_parallel.3
+@@ -0,0 +1 @@
++.so man3/selinux_restorecon.3
+diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
+index 2a368e93f9fd..d138e951ef0d 100644
+--- a/libselinux/src/libselinux.map
++++ b/libselinux/src/libselinux.map
+@@ -240,3 +240,8 @@ LIBSELINUX_1.0 {
+ local:
+ *;
+ };
++
++LIBSELINUX_3.3 {
++ global:
++ selinux_restorecon_parallel;
++} LIBSELINUX_1.0;
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index 27e9ac532c3f..297dcf26dee3 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -69,6 +69,22 @@ extern int selinux_page_size ;
+ pthread_mutex_unlock(LOCK); \
+ } while (0)
+
++#pragma weak pthread_create
++#pragma weak pthread_join
++#pragma weak pthread_cond_init
++#pragma weak pthread_cond_signal
++#pragma weak pthread_cond_destroy
++#pragma weak pthread_cond_wait
++
++/* check if all functions needed to do parallel operations are available */
++#define __pthread_supported ( \
++ pthread_create && \
++ pthread_join && \
++ pthread_cond_init && \
++ pthread_cond_destroy && \
++ pthread_cond_signal && \
++ pthread_cond_wait \
++)
+
+ #define SELINUXDIR "/etc/selinux/"
+ #define SELINUXCONFIG SELINUXDIR "config"
+diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
+index 169dfe3ae232..f7e84657d09d 100644
+--- a/libselinux/src/selinux_restorecon.c
++++ b/libselinux/src/selinux_restorecon.c
+@@ -610,7 +610,7 @@ out:
+ }
+
+ static int restorecon_sb(const char *pathname, const struct stat *sb,
+- struct rest_flags *flags)
++ struct rest_flags *flags, bool first)
+ {
+ char *newcon = NULL;
+ char *curcon = NULL;
+@@ -639,7 +639,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ sb->st_mode);
+
+ if (rc < 0) {
+- if (errno == ENOENT && flags->warnonnomatch)
++ if (errno == ENOENT && flags->warnonnomatch && first)
+ selinux_log(SELINUX_INFO,
+ "Warning no default label for %s\n",
+ lookup_path);
+@@ -814,66 +814,215 @@ oom:
+ goto free;
+ }
+
++struct rest_state {
++ struct rest_flags flags;
++ dev_t dev_num;
++ struct statfs sfsb;
++ bool ignore_digest;
++ bool setrestorecondigest;
++ bool parallel;
+
+-/*
+- * Public API
+- */
++ FTS *fts;
++ FTSENT *ftsent_first;
++ struct dir_hash_node *head, *current;
++ bool abort;
++ int error;
++ int saved_errno;
++ pthread_mutex_t mutex;
++};
+
+-/* selinux_restorecon(3) - Main function that is responsible for labeling */
+-int selinux_restorecon(const char *pathname_orig,
+- unsigned int restorecon_flags)
++static void *selinux_restorecon_thread(void *arg)
+ {
+- struct rest_flags flags;
++ struct rest_state *state = arg;
++ FTS *fts = state->fts;
++ FTSENT *ftsent;
++ int error;
++ char ent_path[PATH_MAX];
++ struct stat ent_st;
++ bool first = false;
++
++ if (state->parallel)
++ pthread_mutex_lock(&state->mutex);
++
++ if (state->ftsent_first) {
++ ftsent = state->ftsent_first;
++ state->ftsent_first = NULL;
++ first = true;
++ goto loop_body;
++ }
++
++ while (((void)(errno = 0), ftsent = fts_read(fts)) != NULL) {
++loop_body:
++ /* If the FTS_XDEV flag is set and the device is different */
++ if (state->flags.set_xdev &&
++ ftsent->fts_statp->st_dev != state->dev_num)
++ continue;
++
++ switch (ftsent->fts_info) {
++ case FTS_DC:
++ selinux_log(SELINUX_ERROR,
++ "Directory cycle on %s.\n",
++ ftsent->fts_path);
++ errno = ELOOP;
++ state->error = -1;
++ state->abort = true;
++ goto finish;
++ case FTS_DP:
++ continue;
++ case FTS_DNR:
++ error = errno;
++ errno = ftsent->fts_errno;
++ selinux_log(SELINUX_ERROR,
++ "Could not read %s: %m.\n",
++ ftsent->fts_path);
++ errno = error;
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ case FTS_NS:
++ error = errno;
++ errno = ftsent->fts_errno;
++ selinux_log(SELINUX_ERROR,
++ "Could not stat %s: %m.\n",
++ ftsent->fts_path);
++ errno = error;
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ case FTS_ERR:
++ error = errno;
++ errno = ftsent->fts_errno;
++ selinux_log(SELINUX_ERROR,
++ "Error on %s: %m.\n",
++ ftsent->fts_path);
++ errno = error;
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ case FTS_D:
++ if (state->sfsb.f_type == SYSFS_MAGIC &&
++ !selabel_partial_match(fc_sehandle,
++ ftsent->fts_path)) {
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ }
++
++ if (check_excluded(ftsent->fts_path)) {
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ }
+
+- flags.nochange = (restorecon_flags &
++ if (state->setrestorecondigest) {
++ struct dir_hash_node *new_node = NULL;
++
++ if (check_context_match_for_dir(ftsent->fts_path,
++ &new_node,
++ state->error) &&
++ !state->ignore_digest) {
++ selinux_log(SELINUX_INFO,
++ "Skipping restorecon on directory(%s)\n",
++ ftsent->fts_path);
++ fts_set(fts, ftsent, FTS_SKIP);
++ continue;
++ }
++
++ if (new_node && !state->error) {
++ if (!state->current) {
++ state->current = new_node;
++ state->head = state->current;
++ } else {
++ state->current->next = new_node;
++ state->current = new_node;
++ }
++ }
++ }
++ /* fall through */
++ default:
++ strcpy(ent_path, ftsent->fts_path);
++ ent_st = *ftsent->fts_statp;
++ if (state->parallel)
++ pthread_mutex_unlock(&state->mutex);
++
++ error = restorecon_sb(ent_path, &ent_st, &state->flags,
++ first);
++
++ if (state->parallel) {
++ pthread_mutex_lock(&state->mutex);
++ if (state->abort)
++ goto unlock;
++ }
++
++ state->error |= error;
++ first = false;
++ if (error && state->flags.abort_on_error) {
++ state->abort = true;
++ goto finish;
++ }
++ break;
++ }
++ }
++
++finish:
++ if (!state->saved_errno)
++ state->saved_errno = errno;
++unlock:
++ if (state->parallel)
++ pthread_mutex_unlock(&state->mutex);
++ return NULL;
++}
++
++static int selinux_restorecon_common(const char *pathname_orig,
++ unsigned int restorecon_flags,
++ size_t nthreads)
++{
++ struct rest_state state;
++
++ state.flags.nochange = (restorecon_flags &
+ SELINUX_RESTORECON_NOCHANGE) ? true : false;
+- flags.verbose = (restorecon_flags &
++ state.flags.verbose = (restorecon_flags &
+ SELINUX_RESTORECON_VERBOSE) ? true : false;
+- flags.progress = (restorecon_flags &
++ state.flags.progress = (restorecon_flags &
+ SELINUX_RESTORECON_PROGRESS) ? true : false;
+- flags.mass_relabel = (restorecon_flags &
++ state.flags.mass_relabel = (restorecon_flags &
+ SELINUX_RESTORECON_MASS_RELABEL) ? true : false;
+- flags.recurse = (restorecon_flags &
++ state.flags.recurse = (restorecon_flags &
+ SELINUX_RESTORECON_RECURSE) ? true : false;
+- flags.set_specctx = (restorecon_flags &
++ state.flags.set_specctx = (restorecon_flags &
+ SELINUX_RESTORECON_SET_SPECFILE_CTX) ? true : false;
+- flags.userealpath = (restorecon_flags &
++ state.flags.userealpath = (restorecon_flags &
+ SELINUX_RESTORECON_REALPATH) ? true : false;
+- flags.set_xdev = (restorecon_flags &
++ state.flags.set_xdev = (restorecon_flags &
+ SELINUX_RESTORECON_XDEV) ? true : false;
+- flags.add_assoc = (restorecon_flags &
++ state.flags.add_assoc = (restorecon_flags &
+ SELINUX_RESTORECON_ADD_ASSOC) ? true : false;
+- flags.abort_on_error = (restorecon_flags &
++ state.flags.abort_on_error = (restorecon_flags &
+ SELINUX_RESTORECON_ABORT_ON_ERROR) ? true : false;
+- flags.syslog_changes = (restorecon_flags &
++ state.flags.syslog_changes = (restorecon_flags &
+ SELINUX_RESTORECON_SYSLOG_CHANGES) ? true : false;
+- flags.log_matches = (restorecon_flags &
++ state.flags.log_matches = (restorecon_flags &
+ SELINUX_RESTORECON_LOG_MATCHES) ? true : false;
+- flags.ignore_noent = (restorecon_flags &
++ state.flags.ignore_noent = (restorecon_flags &
+ SELINUX_RESTORECON_IGNORE_NOENTRY) ? true : false;
+- flags.warnonnomatch = true;
+- flags.conflicterror = (restorecon_flags &
++ state.flags.warnonnomatch = true;
++ state.flags.conflicterror = (restorecon_flags &
+ SELINUX_RESTORECON_CONFLICT_ERROR) ? true : false;
+ ignore_mounts = (restorecon_flags &
+ SELINUX_RESTORECON_IGNORE_MOUNTS) ? true : false;
+- bool ignore_digest = (restorecon_flags &
++ state.ignore_digest = (restorecon_flags &
+ SELINUX_RESTORECON_IGNORE_DIGEST) ? true : false;
+- bool setrestorecondigest = true;
++ state.setrestorecondigest = true;
++
++ state.head = NULL;
++ state.current = NULL;
++ state.abort = false;
++ state.error = 0;
++ state.saved_errno = 0;
+
+ struct stat sb;
+- struct statfs sfsb;
+- FTS *fts;
+- FTSENT *ftsent;
+ char *pathname = NULL, *pathdnamer = NULL, *pathdname, *pathbname;
+ char *paths[2] = { NULL, NULL };
+ int fts_flags, error, sverrno;
+- dev_t dev_num = 0;
+ struct dir_hash_node *current = NULL;
+- struct dir_hash_node *head = NULL;
+- int errno_tmp;
+
+- if (flags.verbose && flags.progress)
+- flags.verbose = false;
++ if (state.flags.verbose && state.flags.progress)
++ state.flags.verbose = false;
+
+ __selinux_once(fc_once, restorecon_init);
+
+@@ -886,13 +1035,31 @@ int selinux_restorecon(const char *pathname_orig,
+ */
+ if (selabel_no_digest ||
+ (restorecon_flags & SELINUX_RESTORECON_SKIP_DIGEST))
+- setrestorecondigest = false;
++ state.setrestorecondigest = false;
++
++ if (!__pthread_supported) {
++ if (nthreads != 1) {
++ nthreads = 1;
++ selinux_log(SELINUX_WARNING,
++ "Threading functionality not available, falling back to 1 thread.");
++ }
++ } else if (nthreads == 0) {
++ long nproc = sysconf(_SC_NPROCESSORS_ONLN);
++
++ if (nproc > 0) {
++ nthreads = nproc;
++ } else {
++ nthreads = 1;
++ selinux_log(SELINUX_WARNING,
++ "Unable to detect CPU count, falling back to 1 thread.");
++ }
++ }
+
+ /*
+ * Convert passed-in pathname to canonical pathname by resolving
+ * realpath of containing dir, then appending last component name.
+ */
+- if (flags.userealpath) {
++ if (state.flags.userealpath) {
+ char *basename_cpy = strdup(pathname_orig);
+ if (!basename_cpy)
+ goto realpatherr;
+@@ -937,7 +1104,7 @@ int selinux_restorecon(const char *pathname_orig,
+ paths[0] = pathname;
+
+ if (lstat(pathname, &sb) < 0) {
+- if (flags.ignore_noent && errno == ENOENT) {
++ if (state.flags.ignore_noent && errno == ENOENT) {
+ free(pathdnamer);
+ free(pathname);
+ return 0;
+@@ -952,21 +1119,21 @@ int selinux_restorecon(const char *pathname_orig,
+
+ /* Skip digest if not a directory */
+ if (!S_ISDIR(sb.st_mode))
+- setrestorecondigest = false;
++ state.setrestorecondigest = false;
+
+- if (!flags.recurse) {
++ if (!state.flags.recurse) {
+ if (check_excluded(pathname)) {
+ error = 0;
+ goto cleanup;
+ }
+
+- error = restorecon_sb(pathname, &sb, &flags);
++ error = restorecon_sb(pathname, &sb, &state.flags, true);
+ goto cleanup;
+ }
+
+ /* Obtain fs type */
+- memset(&sfsb, 0, sizeof sfsb);
+- if (!S_ISLNK(sb.st_mode) && statfs(pathname, &sfsb) < 0) {
++ memset(&state.sfsb, 0, sizeof(state.sfsb));
++ if (!S_ISLNK(sb.st_mode) && statfs(pathname, &state.sfsb) < 0) {
+ selinux_log(SELINUX_ERROR,
+ "statfs(%s) failed: %m\n",
+ pathname);
+@@ -975,21 +1142,21 @@ int selinux_restorecon(const char *pathname_orig,
+ }
+
+ /* Skip digest on in-memory filesystems and /sys */
+- if (sfsb.f_type == RAMFS_MAGIC || sfsb.f_type == TMPFS_MAGIC ||
+- sfsb.f_type == SYSFS_MAGIC)
+- setrestorecondigest = false;
++ if (state.sfsb.f_type == RAMFS_MAGIC || state.sfsb.f_type == TMPFS_MAGIC ||
++ state.sfsb.f_type == SYSFS_MAGIC)
++ state.setrestorecondigest = false;
+
+- if (flags.set_xdev)
++ if (state.flags.set_xdev)
+ fts_flags = FTS_PHYSICAL | FTS_NOCHDIR | FTS_XDEV;
+ else
+ fts_flags = FTS_PHYSICAL | FTS_NOCHDIR;
+
+- fts = fts_open(paths, fts_flags, NULL);
+- if (!fts)
++ state.fts = fts_open(paths, fts_flags, NULL);
++ if (!state.fts)
+ goto fts_err;
+
+- ftsent = fts_read(fts);
+- if (!ftsent)
++ state.ftsent_first = fts_read(state.fts);
++ if (!state.ftsent_first)
+ goto fts_err;
+
+ /*
+@@ -1001,106 +1168,66 @@ int selinux_restorecon(const char *pathname_orig,
+ * directories with a different device number when the FTS_XDEV flag
+ * is set (from http://marc.info/?l=selinux&m=124688830500777&w=2).
+ */
+- dev_num = ftsent->fts_statp->st_dev;
++ state.dev_num = state.ftsent_first->fts_statp->st_dev;
+
+- error = 0;
+- do {
+- /* If the FTS_XDEV flag is set and the device is different */
+- if (flags.set_xdev && ftsent->fts_statp->st_dev != dev_num)
+- continue;
++ if (nthreads == 1) {
++ state.parallel = false;
++ selinux_restorecon_thread(&state);
++ } else {
++ size_t i;
++ pthread_t self = pthread_self();
++ pthread_t *threads = NULL;
+
+- switch (ftsent->fts_info) {
+- case FTS_DC:
+- selinux_log(SELINUX_ERROR,
+- "Directory cycle on %s.\n",
+- ftsent->fts_path);
+- errno = ELOOP;
+- error = -1;
+- goto out;
+- case FTS_DP:
+- continue;
+- case FTS_DNR:
+- errno_tmp = errno;
+- errno = ftsent->fts_errno;
+- selinux_log(SELINUX_ERROR,
+- "Could not read %s: %m.\n",
+- ftsent->fts_path);
+- errno = errno_tmp;
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
+- case FTS_NS:
+- errno_tmp = errno;
+- errno = ftsent->fts_errno;
+- selinux_log(SELINUX_ERROR,
+- "Could not stat %s: %m.\n",
+- ftsent->fts_path);
+- errno = errno_tmp;
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
+- case FTS_ERR:
+- errno_tmp = errno;
+- errno = ftsent->fts_errno;
+- selinux_log(SELINUX_ERROR,
+- "Error on %s: %m.\n",
+- ftsent->fts_path);
+- errno = errno_tmp;
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
+- case FTS_D:
+- if (sfsb.f_type == SYSFS_MAGIC &&
+- !selabel_partial_match(fc_sehandle,
+- ftsent->fts_path)) {
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
+- }
++ pthread_mutex_init(&state.mutex, NULL);
+
+- if (check_excluded(ftsent->fts_path)) {
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
++ threads = calloc(nthreads - 1, sizeof(*threads));
++ if (!threads)
++ goto oom;
++
++ state.parallel = true;
++ /*
++ * Start (nthreads - 1) threads - the main thread is going to
++ * take part, too.
++ */
++ for (i = 0; i < nthreads - 1; i++) {
++ if (pthread_create(&threads[i], NULL,
++ selinux_restorecon_thread, &state)) {
++ /*
++ * If any thread fails to be created, just mark
++ * it as such and let the successfully created
++ * threads do the job. In the worst case the
++ * main thread will do everything, but that's
++ * still better than to give up.
++ */
++ threads[i] = self;
+ }
++ }
+
+- if (setrestorecondigest) {
+- struct dir_hash_node *new_node = NULL;
++ /* Let's join in on the fun! */
++ selinux_restorecon_thread(&state);
+
+- if (check_context_match_for_dir(ftsent->fts_path,
+- &new_node,
+- error) &&
+- !ignore_digest) {
+- selinux_log(SELINUX_INFO,
+- "Skipping restorecon on directory(%s)\n",
+- ftsent->fts_path);
+- fts_set(fts, ftsent, FTS_SKIP);
+- continue;
+- }
+-
+- if (new_node && !error) {
+- if (!current) {
+- current = new_node;
+- head = current;
+- } else {
+- current->next = new_node;
+- current = current->next;
+- }
+- }
+- }
+- /* fall through */
+- default:
+- error |= restorecon_sb(ftsent->fts_path,
+- ftsent->fts_statp, &flags);
+- if (flags.warnonnomatch)
+- flags.warnonnomatch = false;
+- if (error && flags.abort_on_error)
+- goto out;
+- break;
++ /* Now wait for all threads to finish. */
++ for (i = 0; i < nthreads - 1; i++) {
++ /* Skip threads that failed to be created. */
++ if (pthread_equal(threads[i], self))
++ continue;
++ pthread_join(threads[i], NULL);
+ }
+- } while ((ftsent = fts_read(fts)) != NULL);
++ free(threads);
++
++ pthread_mutex_destroy(&state.mutex);
++ }
++
++ error = state.error;
++ if (state.saved_errno)
++ goto out;
+
+ /*
+ * Labeling successful. Write partial match digests for subdirectories.
+ * TODO: Write digest upon FTS_DP if no error occurs in its descents.
+ */
+- if (setrestorecondigest && !flags.nochange && !error) {
+- current = head;
++ if (state.setrestorecondigest && !state.flags.nochange && !error) {
++ current = state.head;
+ while (current != NULL) {
+ if (setxattr(current->path,
+ RESTORECON_PARTIAL_MATCH_DIGEST,
+@@ -1115,22 +1242,21 @@ int selinux_restorecon(const char *pathname_orig,
+ }
+
+ out:
+- if (flags.progress && flags.mass_relabel)
++ if (state.flags.progress && state.flags.mass_relabel)
+ fprintf(stdout, "\r%s 100.0%%\n", pathname);
+
+- sverrno = errno;
+- (void) fts_close(fts);
+- errno = sverrno;
++ (void) fts_close(state.fts);
++ errno = state.saved_errno;
+ cleanup:
+- if (flags.add_assoc) {
+- if (flags.verbose)
++ if (state.flags.add_assoc) {
++ if (state.flags.verbose)
+ filespec_eval();
+ filespec_destroy();
+ }
+ free(pathdnamer);
+ free(pathname);
+
+- current = head;
++ current = state.head;
+ while (current != NULL) {
+ struct dir_hash_node *next = current->next;
+
+@@ -1164,6 +1290,26 @@ fts_err:
+ goto cleanup;
+ }
+
++
++/*
++ * Public API
++ */
++
++/* selinux_restorecon(3) - Main function that is responsible for labeling */
++int selinux_restorecon(const char *pathname_orig,
++ unsigned int restorecon_flags)
++{
++ return selinux_restorecon_common(pathname_orig, restorecon_flags, 1);
++}
++
++/* selinux_restorecon_parallel(3) - Parallel version of selinux_restorecon(3) */
++int selinux_restorecon_parallel(const char *pathname_orig,
++ unsigned int restorecon_flags,
++ size_t nthreads)
++{
++ return selinux_restorecon_common(pathname_orig, restorecon_flags, nthreads);
++}
++
+ /* selinux_restorecon_set_sehandle(3) is called to set the global fc handle */
+ void selinux_restorecon_set_sehandle(struct selabel_handle *hndl)
+ {
+diff --git a/libselinux/src/selinuxswig_python.i b/libselinux/src/selinuxswig_python.i
+index 4c73bf92df96..17e03b9e36a5 100644
+--- a/libselinux/src/selinuxswig_python.i
++++ b/libselinux/src/selinuxswig_python.i
+@@ -20,7 +20,7 @@ DISABLED = -1
+ PERMISSIVE = 0
+ ENFORCING = 1
+
+-def restorecon(path, recursive=False, verbose=False, force=False):
++def restorecon(path, recursive=False, verbose=False, force=False, nthreads=1):
+ """ Restore SELinux context on a given path
+
+ Arguments:
+@@ -32,6 +32,8 @@ def restorecon(path, recursive=False, verbose=False, force=False):
+ force -- Force reset of context to match file_context for customizable files,
+ and the default file context, changing the user, role, range portion as well
+ as the type (default False)
++ nthreads -- The number of threads to use during relabeling, or 0 to use as many
++ threads as there are online CPU cores (default 1)
+ """
+
+ restorecon_flags = SELINUX_RESTORECON_IGNORE_DIGEST | SELINUX_RESTORECON_REALPATH
+@@ -41,7 +43,7 @@ def restorecon(path, recursive=False, verbose=False, force=False):
+ restorecon_flags |= SELINUX_RESTORECON_VERBOSE
+ if force:
+ restorecon_flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX
+- selinux_restorecon(os.path.expanduser(path), restorecon_flags)
++ selinux_restorecon_parallel(os.path.expanduser(path), restorecon_flags, nthreads)
+
+ def chcon(path, context, recursive=False):
+ """ Set the SELinux context on a given path """
+diff --git a/libselinux/src/selinuxswig_python_exception.i b/libselinux/src/selinuxswig_python_exception.i
+index 237ea69ad5f5..a02f4923a1e7 100644
+--- a/libselinux/src/selinuxswig_python_exception.i
++++ b/libselinux/src/selinuxswig_python_exception.i
+@@ -1183,6 +1183,14 @@
+ }
+ }
+
++%exception selinux_restorecon_parallel {
++ $action
++ if (result < 0) {
++ PyErr_SetFromErrno(PyExc_OSError);
++ SWIG_fail;
++ }
++}
++
+ %exception selinux_restorecon_set_alt_rootpath {
+ $action
+ if (result < 0) {
+--
+2.33.1
+
diff --git a/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch b/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
new file mode 100644
index 0000000..a8ce120
--- /dev/null
+++ b/SOURCES/0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
@@ -0,0 +1,29 @@
+From 9456297275987dedefe2e8ad508360be9d9f9e7f Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Tue, 23 Nov 2021 11:31:08 +0100
+Subject: [PATCH] libselinux: Fix selinux_restorecon_parallel symbol version
+
+selinux_restorecon_parallel was originally proposed before 3.3, but it
+was merged after release so it will be introduced in version 3.4.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/libselinux.map | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/libselinux.map b/libselinux/src/libselinux.map
+index d138e951ef0d..4acf1caacb55 100644
+--- a/libselinux/src/libselinux.map
++++ b/libselinux/src/libselinux.map
+@@ -241,7 +241,7 @@ LIBSELINUX_1.0 {
+ *;
+ };
+
+-LIBSELINUX_3.3 {
++LIBSELINUX_3.4 {
+ global:
+ selinux_restorecon_parallel;
+ } LIBSELINUX_1.0;
+--
+2.33.1
+
diff --git a/SOURCES/selinuxconlist.8 b/SOURCES/selinuxconlist.8
new file mode 100644
index 0000000..c698daa
--- /dev/null
+++ b/SOURCES/selinuxconlist.8
@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)
diff --git a/SOURCES/selinuxdefcon.8 b/SOURCES/selinuxdefcon.8
new file mode 100644
index 0000000..3cbeff2
--- /dev/null
+++ b/SOURCES/selinuxdefcon.8
@@ -0,0 +1,24 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- report default SELinux context for user
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user fromcon
+
+.SH "DESCRIPTION"
+.B selinuxdefcon
+reports the default context for the specified user from the specified context
+
+.B \-l level
+mcs/mls level
+
+.SH EXAMPLE
+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+.SH AUTHOR
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)
diff --git a/SPECS/libselinux.spec b/SPECS/libselinux.spec
new file mode 100644
index 0000000..0b26d37
--- /dev/null
+++ b/SPECS/libselinux.spec
@@ -0,0 +1,2818 @@
+%define ruby_inc %(pkg-config --cflags ruby)
+%define libsepolver 3.3-1
+
+Summary: SELinux library and simple utilities
+Name: libselinux
+Version: 3.3
+Release: 2%{?dist}
+License: Public Domain
+# https://github.com/SELinuxProject/selinux/wiki/Releases
+Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
+Source1: selinuxconlist.8
+Source2: selinuxdefcon.8
+Url: https://github.com/SELinuxProject/selinux/wiki
+# $ git clone https://github.com/fedora-selinux/selinux.git
+# $ cd selinux
+# $ git format-patch -N 3.3 -- libselinux
+# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# Patch list start
+Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
+Patch0002: 0002-label_file-fix-a-data-race.patch
+Patch0003: 0003-selinux_restorecon-simplify-fl_head-allocation-by-us.patch
+Patch0004: 0004-selinux_restorecon-protect-file_spec-list-with-a-mut.patch
+Patch0005: 0005-libselinux-make-selinux_log-thread-safe.patch
+Patch0006: 0006-libselinux-make-is_context_customizable-thread-safe.patch
+Patch0007: 0007-selinux_restorecon-add-a-global-mutex-to-synchronize.patch
+Patch0008: 0008-selinux_restorecon-introduce-selinux_restorecon_para.patch
+Patch0009: 0009-libselinux-Fix-selinux_restorecon_parallel-symbol-ve.patch
+# Patch list end
+BuildRequires: gcc make
+BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
+BuildRequires: python3 python3-devel
+BuildRequires: systemd
+Requires: libsepol%{?_isa} >= %{libsepolver} pcre2
+Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
+
+%description
+Security-enhanced Linux is a feature of the Linux® kernel and a number
+of utilities with enhanced security functionality designed to add
+mandatory access controls to Linux. The Security-enhanced Linux
+kernel contains new architectural components originally developed to
+improve the security of the Flask operating system. These
+architectural components provide general support for the enforcement
+of many kinds of mandatory access control policies, including those
+based on the concepts of Type Enforcement®, Role-based Access
+Control, and Multi-level Security.
+
+libselinux provides an API for SELinux applications to get and set
+process and file security contexts and to obtain security policy
+decisions. Required for any applications that use the SELinux API.
+
+%package utils
+Summary: SELinux libselinux utilities
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description utils
+The libselinux-utils package contains the utilities
+
+%package -n python3-libselinux
+Summary: SELinux python 3 bindings for libselinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+%{?python_provide:%python_provide python3-libselinux}
+# Remove before F30
+Provides: %{name}-python3 = %{version}-%{release}
+Provides: %{name}-python3%{?_isa} = %{version}-%{release}
+Obsoletes: %{name}-python3 < %{version}-%{release}
+
+%description -n python3-libselinux
+The libselinux-python3 package contains python 3 bindings for developing
+SELinux applications.
+
+%package ruby
+Summary: SELinux ruby bindings for libselinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Provides: ruby(selinux)
+
+%description ruby
+The libselinux-ruby package contains the ruby bindings for developing
+SELinux applications.
+
+%package devel
+Summary: Header files and libraries used to build SELinux
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: libsepol-devel%{?_isa} >= %{libsepolver}
+
+%description devel
+The libselinux-devel package contains the libraries and header files
+needed for developing SELinux applications.
+
+%package static
+Summary: Static libraries used to build SELinux
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
+
+%description static
+The libselinux-static package contains the static libraries
+needed for developing SELinux applications.
+
+%prep
+%autosetup -p 2 -n libselinux-%{version}
+
+%build
+export DISABLE_RPM="y"
+export USE_PCRE2="y"
+
+%set_build_flags
+CFLAGS="$CFLAGS -fno-semantic-interposition"
+
+# To support building the Python wrapper against multiple Python runtimes
+# Define a function, for how to perform a "build" of the python wrapper against
+# a specific runtime:
+BuildPythonWrapper() {
+ BinaryName=$1
+
+ # Perform the build from the upstream Makefile:
+ %make_build \
+ PYTHON=$BinaryName \
+ LIBDIR="%{_libdir}" \
+ pywrap
+}
+
+%make_build LIBDIR="%{_libdir}" swigify
+%make_build LIBDIR="%{_libdir}" all
+
+BuildPythonWrapper %{__python3}
+
+%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
+
+%install
+InstallPythonWrapper() {
+ BinaryName=$1
+
+ make \
+ PYTHON=$BinaryName \
+ DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
+ SHLIBDIR="%{_lib}" BINDIR="%{_bindir}" \
+ SBINDIR="%{_sbindir}" \
+ LIBSEPOLA="%{_libdir}/libsepol.a" \
+ install-pywrap
+}
+
+rm -rf %{buildroot}
+mkdir -p %{buildroot}%{_tmpfilesdir}
+mkdir -p %{buildroot}%{_libdir}
+mkdir -p %{buildroot}%{_includedir}
+mkdir -p %{buildroot}%{_sbindir}
+install -d -m 0755 %{buildroot}%{_rundir}/setrans
+echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libselinux.conf
+
+InstallPythonWrapper %{__python3}
+
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
+make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
+
+# Nuke the files we don't want to distribute
+rm -f %{buildroot}%{_sbindir}/compute_*
+rm -f %{buildroot}%{_sbindir}/deftype
+rm -f %{buildroot}%{_sbindir}/execcon
+rm -f %{buildroot}%{_sbindir}/getenforcemode
+rm -f %{buildroot}%{_sbindir}/getfilecon
+rm -f %{buildroot}%{_sbindir}/getpidcon
+rm -f %{buildroot}%{_sbindir}/mkdircon
+rm -f %{buildroot}%{_sbindir}/policyvers
+rm -f %{buildroot}%{_sbindir}/setfilecon
+rm -f %{buildroot}%{_sbindir}/selinuxconfig
+rm -f %{buildroot}%{_sbindir}/selinuxdisable
+rm -f %{buildroot}%{_sbindir}/getseuser
+rm -f %{buildroot}%{_sbindir}/togglesebool
+rm -f %{buildroot}%{_sbindir}/selinux_check_securetty_context
+mv %{buildroot}%{_sbindir}/getdefaultcon %{buildroot}%{_sbindir}/selinuxdefcon
+mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
+install -d %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE1} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
+rm -f %{buildroot}%{_mandir}/man8/togglesebool*
+
+%ldconfig_scriptlets
+
+%files
+%license LICENSE
+%{_libdir}/libselinux.so.*
+%dir %{_rundir}/setrans/
+%{_tmpfilesdir}/libselinux.conf
+
+%files utils
+%{_sbindir}/avcstat
+%{_sbindir}/getenforce
+%{_sbindir}/getsebool
+%{_sbindir}/matchpathcon
+%{_sbindir}/sefcontext_compile
+%{_sbindir}/selinuxconlist
+%{_sbindir}/selinuxdefcon
+%{_sbindir}/selinuxexeccon
+%{_sbindir}/selinuxenabled
+%{_sbindir}/setenforce
+%{_sbindir}/selabel_digest
+%{_sbindir}/selabel_lookup
+%{_sbindir}/selabel_lookup_best_match
+%{_sbindir}/selabel_partial_match
+%{_sbindir}/selinux_check_access
+%{_sbindir}/selabel_get_digests_all_partial_matches
+%{_sbindir}/validatetrans
+%{_mandir}/man5/*
+%{_mandir}/man8/*
+%{_mandir}/ru/man5/*
+%{_mandir}/ru/man8/*
+
+%files devel
+%{_libdir}/libselinux.so
+%{_libdir}/pkgconfig/libselinux.pc
+%{_includedir}/selinux/
+%{_mandir}/man3/*
+
+%files static
+%{_libdir}/libselinux.a
+
+%files -n python3-libselinux
+%{python3_sitearch}/selinux/
+%{python3_sitearch}/selinux-%{version}*
+%{python3_sitearch}/_selinux*
+
+%files ruby
+%{ruby_vendorarchdir}/selinux.so
+
+%changelog
+* Mon Nov 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-2
+- Introduce selinux_restorecon_parallel(3)
+
+* Fri Oct 22 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-1
+- SELinux userspace 3.3 release
+
+* Fri Oct 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc3.1
+- SELinux userspace 3.3-rc3 release
+
+* Wed Sep 29 2021 Petr Lautrbach <plautrba@redhat.com> - 3.3-0.rc2.1
+- SELinux userspace 3.3-rc2 release
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-6
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Wed Jul 28 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-5
+- Rebase on upstream commit 32611aea6543
+
+* Fri Jun 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-4
+- Use SHA-2 instead of SHA-1 (#1934964)
+
+* Tue May 25 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-3
+- selinux_check_passwd_access_internal(): respect deny_unknown
+- Silence -Wstringop-overflow warning from gcc 10.3.1
+- Fixed misc compiler and static analyzer findings
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.2-2
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
+- SELinux userspace 3.2 release
+
+* Fri Feb 5 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc2.1
+- SELinux userspace 3.2-rc2 release
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.2-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-0.rc1.1
+- SELinux userspace 3.2-rc1 release
+
+* Thu Jan 07 2021 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.1-6
+- F-34: rebuild against ruby 3.0
+
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- selinux(8): explain that runtime disable is deprecated
+
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
+- Use libsepol.so.2
+- Convert matchpathcon to selabel_lookup()
+- Change userspace AVC setenforce and policy load messages to audit
+ format
+- Remove trailing slash on selabel_file lookups
+- Use kernel status page by default
+
+* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
+- Re-enable LTO
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+- Use -fno-semantic-interposition and more make macros
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Wed Jul 1 2020 Jeff Law <law@redhat.com> - 3.0-6
+- Disable LTO
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
+- Rebuilt for Python 3.9
+
+* Thu Mar 5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
+- Eliminate use of security_compute_user()
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
+- F-32: rebuild against ruby27
+
+* Fri Dec 6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
+- SELinux userspace 3.0 release
+
+* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.r1.1
+- SELinux userspace 3.0-rc1 release candidate
+
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-7
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Fri Aug 16 2019 Miro Hrončok <mhroncok@redhat.com> - 2.9-6
+- Rebuilt for Python 3.8
+
+* Mon Aug 12 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-5
+- Drop python2-libselinux (#1739646)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri Jun 28 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-3
+- Use standard build flags for Python bindings
+
+* Fri May 24 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-2
+- Use Python distutils to install SELinux python bindings
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
+* Wed Mar 6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
+- SELinux userspace 2.9-rc2 release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
+- SELinux userspace 2.9-rc1 release
+
+* Tue Jan 22 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-8
+- F-30: again rebuild against ruby26
+
+* Mon Jan 21 2019 Petr Lautrbach <plautrba@redhat.com> - 2.8-7
+- selinux_restorecon: Skip customized files also without -v
+- Do not dereference symlink with statfs in selinux_restorecon
+
+* Mon Jan 21 2019 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.8-6
+- F-30: rebuild against ruby26
+
+* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-5
+- Fix RESOURCE_LEAK coverity scan defects
+
+* Tue Sep 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-4
+- Fix the whatis line for the selinux_boolean_sub.3 manpage
+- Fix line wrapping in selabel_file.5
+- Fix spelling errors in manpages
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Jun 15 2018 Miro Hrončok <mhroncok@redhat.com> - 2.8-2
+- Rebuilt for Python 3.7
+
+* Fri May 25 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-1
+- SELinux userspace 2.8 release
+
+* Mon May 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
+- SELinux userspace 2.8-rc3 release candidate
+
+* Fri May 4 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc2.1
+- SELinux userspace 2.8-rc2 release candidate
+
+* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc1.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-13
+- build: Replace PYSITEDIR with PYTHONLIBDIR
+
+* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-12
+- Correct manpages regarding removable_context
+- build: follow standard semantics for DESTDIR and PREFIX
+
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-11
+- Escape macros in %%changelog
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Feb 03 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.7-9
+- Switch to %%ldconfig_scriptlets
+
+* Tue Jan 09 2018 Iryna Shcherbina <ishcherb@redhat.com> - 2.7-8
+- Update Python 2 dependency declarations to new packaging standards
+ (See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
+
+* Fri Jan 05 2018 Mamoru TASAKA <mtasaka@fedoraproject.org> - 2.7-7
+- F-28: rebuild for ruby25
+
+* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-6
+- Rebuild with libsepol-2.7-3
+
+* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
+- Drop golang bindings
+- Add support for pcre2 to pkgconfig definition
+
+* Wed Sep 27 2017 Petr Šabata <contyk@redhat.com> - 2.7-4
+- Enable the python3 subpackages on EL
+
+* Sat Aug 19 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-3
+- Also add Provides for the old name without %%_isa
+
+* Thu Aug 10 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.7-2
+- Python 2 binary package renamed to python2-libselinux
+ See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3
+- Python 3 binary package renamed to python3-libselinux
+
+* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
+- Update to upstream release 2017-08-04
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sat Jul 29 2017 Florian Weimer <fweimer@redhat.com> - 2.6-9
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Fri Jul 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-8
+- Always unmount selinuxfs for SELINUX=disabled
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Apr 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-6
+- Don't finalize mount state in selinux_set_policy_root()
+- Follow upstream and rename _selinux.so to _selinux.cpython-36m-x86_64-linux-gnu.so
+
+* Thu Apr 06 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-5
+- Fix setfiles progress indicator
+
+* Wed Mar 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-4
+- Fix segfault in selinux_restorecon_sb() (#1433577)
+- Change matchpathcon usage to match with matchpathcon manpage
+- Fix a corner case getsebool return value
+
+* Tue Mar 14 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
+- Fix 'semanage boolean -m' to modify active value
+
+* Thu Mar 02 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-2
+- Fix FTBFS - fatal error (#1427902)
+
+* Sun Feb 12 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
+- Update to upstream release 2016-10-14
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Feb 01 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.5-17
+- Add missing %%license macro
+
+* Fri Jan 13 2017 Vít Ondruch <vondruch@redhat.com> - 2.5-16
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.4
+
+* Wed Jan 11 2017 Petr Lautrbach <plautrba@redhat.com> - 2.5-15
+- Rewrite restorecon() python method
+
+* Fri Dec 09 2016 Charalampos Stratakis <cstratak@redhat.com> - 2.5-14
+- Rebuild for Python 3.6
+
+* Tue Nov 22 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-13
+- Fix pointer handling in realpath_not_final (#1376598)
+
+* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-12
+- Fix -Wsign-compare warnings
+- Drop unused stdio_ext.h header file
+- Kill logging check for selinux_enabled()
+- Drop usage of _D_ALLOC_NAMLEN
+- Add openrc_contexts functions
+- Fix redefinition of XATTR_NAME_SELINUX
+- Correct error path to always try text
+- Clean up process_file()
+- Handle NULL pcre study data
+- Fix in tree compilation of utils that depend on libsepol
+
+* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-11
+- Rebuilt with libsepol-2.5-9
+
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.5-10
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Mon Jun 27 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-9
+- Clarify is_selinux_mls_enabled() description
+- Explain how to free policy type from selinux_getpolicytype()
+- Compare absolute pathname in matchpathcon -V
+- Add selinux_snapperd_contexts_path()
+
+* Fri Jun 24 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8
+- Move _selinux.so to /usr/lib64/python*/site-packages
+
+* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
+- Modify audit2why analyze function to use loaded policy
+- Sort object files for deterministic linking order
+- Respect CC and PKG_CONFIG environment variable
+- Avoid mounting /proc outside of selinux_init_load_policy()
+
+* Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
+- Fix multiple spelling errors
+
+* Mon May 02 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
+- Rebuilt with libsepol-2.5-5
+
+* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
+- Fix typo in sefcontext_compile.8
+
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix location of selinuxfs mount point
+- Only mount /proc if necessary
+- procattr: return einval for <= 0 pid args
+- procattr: return error on invalid pid_t input
+
+* Sat Feb 27 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
+- Use fully versioned arch-specific requires
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
+* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
+- Update to upstream rc1 release 2016-01-07
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jan 12 2016 Vít Ondruch <vondruch@redhat.com> - 2.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.3
+
+* Thu Dec 10 2015 Petr Lautrbach <plautrba@redhat.com> - 2.4-6
+- Build libselinux without rpm_execcon() (#1284019)
+
+* Thu Oct 15 2015 Robert Kuska <rkuska@redhat.com> - 2.4-5
+- Rebuilt for Python3.5 rebuild
+
+* Wed Sep 30 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-4
+- Flush the class/perm string mapping cache on policy reload (#1264051)
+- Fix restorecon when path has no context
+
+* Wed Sep 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-3
+- Simplify procattr cache (#1257157,#1232371)
+
+* Fri Aug 14 2015 Adam Jackson <ajax@redhat.com> 2.4-2
+- Export ldflags into the build so hardening works
+
+* Tue Jul 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-1.1
+- Update to 2.4 release
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue May 12 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-10
+- is_selinux_enabled: Add /etc/selinux/config test (#1219045)
+- matchpathcon/selabel_file: Fix man pages (#1219718)
+
+* Thu Apr 23 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-9
+- revert support for policy compressed with xv (#1185266)
+
+* Tue Apr 21 2015 Petr Lautrbach <plautrba@redhat.com> 2.3-8
+- selinux.py - use os.walk() instead of os.path.walk() (#1195004)
+- is_selinux_enabled(): drop no-policy-loaded test (#1195074)
+- fix -Wformat errors and remove deprecated mudflap option
+
+* Mon Mar 16 2015 Than Ngo <than@redhat.com> - 2.3-7
+- bump release and rebuild so that koji-shadow can rebuild it
+ against new gcc on secondary arch
+
+* Mon Jan 19 2015 Vít Ondruch <vondruch@redhat.com> - 2.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.2
+
+* Thu Aug 21 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-5
+- Compiled file context files and the original should have the same permissions from dwalsh@redhat.com
+- Add selinux_openssh_contexts_path() to get a path to /contexts/openssh_contexts
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Kalev Lember <kalevlember@gmail.com> - 2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Python_3.4
+
+* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
+- Update to upstream
+ * Get rid of security_context_t and fix const declarations.
+ * Refactor rpm_execcon() into a new setexecfilecon() from Guillem Jover.
+
+* Tue May 6 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.2-8
+- Add selinux_openssh_contexts_path()
+
+* Thu Apr 24 2014 Vít Ondruch <vondruch@redhat.com> - 2.2.2-7
+- Rebuilt for https://fedoraproject.org/wiki/Changes/Ruby_2.1
+
+* Mon Feb 24 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-6
+- Fix spelling mistake in man page
+
+* Thu Feb 20 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-5
+- More go bindings
+- restorecon, getpidcon, setexeccon
+
+* Fri Feb 14 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-4
+- Add additional go bindings for get*con calls
+- Add go bindings test command
+- Modify man pages of set*con calls to mention that they are thread specific
+
+* Fri Jan 24 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-3
+- Move selinux.go to /usr/lib64/golang/src/pkg/github.com/selinux/selinux.go
+- Add Int_to_mcs function to generate MCS labels from integers.
+
+* Tue Jan 14 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-2
+- Add ghost flag for /var/run/setrans
+
+* Mon Jan 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.2-1
+- Update to upstream
+ * Fix userspace AVC handling of per-domain permissive mode.
+- Verify context is not null when passed into *setfilecon_raw
+
+* Fri Dec 27 2013 Adam Williamson <awilliam@redhat.com> - 2.2.1-6
+- revert unexplained change to rhat.patch which broke SELinux disablement
+
+* Mon Dec 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-5
+- Verify context is not null when passed into lsetfilecon_raw
+
+* Wed Dec 18 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-4
+- Mv selinux.go to /usr/share/gocode/src/selinux
+
+* Tue Dec 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-3
+- Add golang support to selinux.
+
+* Thu Dec 5 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-2
+- Remove togglesebool man page
+
+* Mon Nov 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.2.1-1
+- Update to upstream
+ * Remove -lpthread from pkg-config file; it is not required.
+- Add support for policy compressed with xv
+
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
+- Update to upstream
+ * Fix avc_has_perm() returns -1 even when SELinux is in permissive mode.
+ * Support overriding Makefile RANLIB from Sven Vermeulen.
+ * Update pkgconfig definition from Sven Vermeulen.
+ * Mount sysfs before trying to mount selinuxfs from Sven Vermeulen.
+ * Fix man pages from Laurent Bigonville.
+ * Support overriding PATH and LIBBASE in Makefiles from Laurent Bigonville.
+ * Fix LDFLAGS usage from Laurent Bigonville
+ * Avoid shadowing stat in load_mmap from Joe MacDonald.
+ * Support building on older PCRE libraries from Joe MacDonald.
+ * Fix handling of temporary file in sefcontext_compile from Dan Walsh.
+ * Fix procattr cache from Dan Walsh.
+ * Define python constants for getenforce result from Dan Walsh.
+ * Fix label substitution handling of / from Dan Walsh.
+ * Add selinux_current_policy_path from Dan Walsh.
+ * Change get_context_list to only return good matches from Dan Walsh.
+ * Support udev-197 and higher from Sven Vermeulen and Dan Walsh.
+ * Add support for local substitutions from Dan Walsh.
+ * Change setfilecon to not return ENOSUP if context is already correct from Dan Walsh.
+ * Python wrapper leak fixes from Dan Walsh.
+ * Export SELINUX_TRANS_DIR definition in selinux.h from Dan Walsh.
+ * Add selinux_systemd_contexts_path from Dan Walsh.
+ * Add selinux_set_policy_root from Dan Walsh.
+ * Add man page for sefcontext_compile from Dan Walsh.
+
+* Fri Oct 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-21
+- Add systemd_contexts support
+- Do substitutions on a local sub followed by a dist sub
+
+* Thu Oct 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-20
+- Eliminate requirement on pthread library, by applying patch for Jakub Jelinek
+Resolves #1013801
+
+* Mon Sep 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-19
+- Fix handling of libselinux getconlist with only one entry
+
+* Tue Sep 3 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-17
+- Add Python constants for SELinux enforcing modes
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.13-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Fri Jun 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-16
+- Add sefcontext_compile.8 man page
+- Add Russell Coker patch to fix man pages
+- Add patches from Laurent Bigonville to fix Makefiles for debian.
+- modify spec file to use %%{_prefix}/lib
+
+* Mon May 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-15
+- Fix patch that Handles substitutions for /
+
+* Wed Apr 17 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-14
+- Handle substitutions for /
+- semanage fcontext -a -e / /opt/rh/devtoolset-2/root
+
+* Tue Apr 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-13
+- Add Eric Paris patch to fix procattr calls after a fork.
+
+* Tue Mar 26 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-12
+- Move secolor.conf.5 into mcstrans package and out of libselinux
+
+* Wed Mar 20 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-11
+- Fix python bindings for selinux_check_access
+
+* Tue Mar 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-10
+- Fix reseting the policy root in matchpathcon
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-9
+- Cleanup setfcontext_compile atomic patch
+- Add matchpathcon -P /etc/selinux/mls support by allowing users to set alternate root
+- Make sure we set exit codes from selinux_label calls to ENOENT or SUCCESS
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-8
+- Make setfcontext_compile atomic
+
+* Wed Mar 6 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-7
+- Fix memory leak in set*con calls.
+
+* Thu Feb 28 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-6
+- Move matchpathcon to -utils package
+- Remove togglesebool
+
+* Thu Feb 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-5
+- Fix selinux man page to reflect what current selinux policy is.
+
+* Fri Feb 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-4
+- Add new constant SETRANS_DIR which points to the directory where mstransd can find the socket and libvirt can write its translations files.
+
+* Fri Feb 15 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-3
+- Bring back selinux_current_policy_path
+
+* Thu Feb 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-2
+- Revert some changes which are causing the wrong policy version file to be created
+
+* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.13-1
+- Update to upstream
+ * audit2why: make sure path is nul terminated
+ * utils: new file context regex compiler
+ * label_file: use precompiled filecontext when possible
+ * do not leak mmapfd
+ * sefcontontext_compile: Add error handling to help debug problems in libsemanage.
+ * man: make selinux.8 mention service man pages
+ * audit2why: Fix segfault if finish() called twice
+ * audit2why: do not leak on multiple init() calls
+ * mode_to_security_class: interface to translate a mode_t in to a security class
+ * audit2why: Cleanup audit2why analysys function
+ * man: Fix program synopsis and function prototypes in man pages
+ * man: Fix man pages formatting
+ * man: Fix typo in man page
+ * man: Add references and man page links to _raw function variants
+ * Use ENOTSUP instead of EOPNOTSUPP for getfilecon functions
+ * man: context_new(3): fix the return value description
+ * selinux_status_open: handle error from sysconf
+ * selinux_status_open: do not leak statusfd on exec
+ * Fix errors found by coverity
+ * Change boooleans.subs to booleans.subs_dist.
+ * optimize set*con functions
+ * pkg-config do not specifc ruby version
+ * unmap file contexts on selabel_close()
+ * do not leak file contexts with mmap'd backend
+ * sefcontext_compile: do not leak fd on error
+ * matchmediacon: do not leak fd
+ * src/label_android_property: do not leak fd on error
+
+* Sun Jan 27 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
+- Update to latest patches from eparis/Upstream
+
+* Fri Jan 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-19
+- Update to latest patches from eparis/Upstream
+
+* Wed Jan 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-18
+- Try procatt speedup patch again
+
+* Wed Jan 23 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-17
+- Roll back procattr speedups since it seems to be screwing up systemd labeling.
+
+* Tue Jan 22 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-16
+- Fix tid handling for setfscreatecon, old patch still broken in libvirt
+
+* Wed Jan 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-15
+- Fix tid handling for setfscreatecon, old patch still broken in libvirt
+
+* Mon Jan 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-14
+- setfscreatecon after fork was broken by the Set*con patch.
+- We needed to reset the thread variables after a fork.
+
+* Thu Jan 10 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-13
+- Fix setfscreatecon call to handle failure mode, which was breaking udev
+
+* Wed Jan 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-12
+- Ondrej Oprala patch to optimize set*con functions
+- Set*con now caches the security context and only re-sets it if it changes.
+
+* Tue Jan 8 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-11
+- Rebuild against latest libsepol
+
+* Fri Jan 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.12-10
+- Update to latest patches from eparis/Upstream
+- Fix errors found by coverity
+- set the sepol_compute_av_reason_buffer flag to 0. This means calculate denials only?
+- audit2why: remove a useless policy vers variable
+- audit2why: use the new constraint information
+
+* Mon Nov 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-9
+- Rebuild with latest libsepol
+
+* Fri Nov 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-8
+- Return EPERM if login program can not reach default label for user
+- Attempt to return container info from audit2why
+
+* Thu Nov 1 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-7
+- Apply patch from eparis to fix leaked file descriptor in new labeling code
+
+* Fri Oct 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-6
+- Add new function mode_to_security_class which takes mode instead of a string.
+- Possibly will be used with coreutils.
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-5
+- Add back selinuxconlist and selinuxdefcon man pages
+
+* Mon Oct 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-4
+- Fix segfault from calling audit2why.finish() multiple times
+
+* Fri Oct 12 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-3
+- Fix up selinux man page to reference service man pages
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-2
+- Rebuild with fixed libsepol
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-1
+- Update to upstream
+ * Add support for lxc_contexts_path
+ * utils: add service to getdefaultcon
+ * libsemanage: do not set soname needlessly
+ * libsemanage: remove PYTHONLIBDIR and ruby equivalent
+ * boolean name equivalency
+ * getsebool: support boolean name substitution
+ * Add man page for new selinux_boolean_sub function.
+ * expose selinux_boolean_sub
+ * matchpathcon: add -m option to force file type check
+ * utils: avcstat: clear sa_mask set
+ * seusers: Check for strchr failure
+ * booleans: initialize pointer to silence coveriety
+ * stop messages when SELinux disabled
+ * label_file: use PCRE instead of glibc regex functions
+ * label_file: remove all typedefs
+ * label_file: move definitions to include file
+ * label_file: do string to mode_t conversion in a helper function
+ * label_file: move error reporting back into caller
+ * label_file: move stem/spec handling to header
+ * label_file: drop useless ncomp field from label_file data
+ * label_file: move spec_hasMetaChars to header
+ * label_file: fix potential read past buffer in spec_hasMetaChars
+ * label_file: move regex sorting to the header
+ * label_file: add accessors for the pcre extra data
+ * label_file: only run regex files one time
+ * label_file: new process_file function
+ * label_file: break up find_stem_from_spec
+ * label_file: struct reorg
+ * label_file: only run array once when sorting
+ * Ensure that we only close the selinux netlink socket once.
+ * improve the file_contexts.5 manual page
+
+* Fri Aug 03 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.11-6
+- rebuild for https://fedoraproject.org/wiki/Features/Python_3.3
+
+* Wed Aug 1 2012 David Malcolm <dmalcolm@redhat.com> - 2.1.11-5
+- make with_python3 be conditional on fedora
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-3
+- Move the tmpfiles.d content from /etc/tmpfiles.d to /usr/lib/tmpfiles.d
+
+* Fri Jul 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-2
+- Revert Eric Paris Patch for selinux_binary_policy_path
+
+* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.11-1
+- Update to upstream
+ * Fortify source now requires all code to be compiled with -O flag
+ * asprintf return code must be checked
+ * avc_netlink_recieve handle EINTR
+ * audit2why: silence -Wmissing-prototypes warning
+ * libsemanage: remove build warning when build swig c files
+ * matchpathcon: bad handling of symlinks in /
+ * seusers: remove unused lineno
+ * seusers: getseuser: gracefully handle NULL service
+ * New Android property labeling backend
+ * label_android_property whitespace cleanups
+ * additional makefile support for rubywrap
+
+* Mon Jun 11 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-5
+- Fix booleans.subs name, change function name to selinux_boolean_sub,
+ add man page, minor fixes to the function
+
+* Fri May 25 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-4
+- Fix to compile with Fortify source
+ * Add -O compiler flag
+ * Check return code from asprintf
+- Fix handling of symbolic links in / by realpath_not_final
+
+* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
+- Add support for lxc contexts file
+
+* Fri Mar 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-2
+- Add support fot boolean subs file
+
+* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
+- Update to upstream
+ * Fix dead links to www.nsa.gov/selinux
+ * Remove jump over variable declaration
+ * Fix old style function definitions
+ * Fix const-correctness
+ * Remove unused flush_class_cache method
+ * Add prototype decl for destructor
+ * Add more printf format annotations
+ * Add printf format attribute annotation to die() method
+ * Fix const-ness of parameters & make usage() methods static
+ * Enable many more gcc warnings for libselinux/src/ builds
+ * utils: Enable many more gcc warnings for libselinux/utils builds
+ * Change annotation on include/selinux/avc.h to avoid upsetting SWIG
+ * Ensure there is a prototype for 'matchpathcon_lib_destructor'
+ * Update Makefiles to handle /usrmove
+ * utils: Stop separating out matchpathcon as something special
+ * pkg-config to figure out where ruby include files are located
+ * build with either ruby 1.9 or ruby 1.8
+ * assert if avc_init() not called
+ * take security_deny_unknown into account
+ * security_compute_create_name(3)
+ * Do not link against python library, this is considered
+ * bad practice in debian
+ * Hide unnecessarily-exported library destructors
+
+* Thu Feb 16 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-9
+- Add selinux_current_policy_path to return /sys/fs/selinux/policy if it exists
+- Otherwise search for policy on disk
+
+* Wed Feb 15 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-8
+- Change selinux_binary_policy_path to return /sys/fs/selinux/policy
+- Add selinux_installed_policy_path to return what selinux_binary_policy_path used to return
+- avc_has_perm will now return yes if the machine is in permissive mode
+- Make work with ruby-1.9
+
+* Fri Feb 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-7
+- avc_netlink_recieve should continue to poll if it receinves an EINTR rather
+
+* Sun Jan 29 2012 Kay Sievers <kay@redhat.com> - 2.1.9-6
+- use /sbin/ldconfig, glibc does not provide
+ /usr/sbin/ldconfig in the RPM database for now
+
+* Fri Jan 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-5
+- Rebuild with cleaned up upstream to work in /usr
+
+* Wed Jan 25 2012 Harald Hoyer <harald@redhat.com> 2.1.9-4
+- install everything in /usr
+ https://fedoraproject.org/wiki/Features/UsrMove
+
+* Mon Jan 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-3
+- Add Dan Berrange code cleanup patches.
+
+* Wed Jan 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.9-2
+- Fix selabal_open man page to refer to proper selinux_opt structure
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+-Update to upstream
+ * Fix setenforce man page to refer to selinux man page
+ * Cleanup Man pages
+ * merge freecon with getcon man page
+
+* Mon Dec 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
+- Add patch from Richard Haines
+ When selabel_lookup found an invalid context with validation enabled, it
+ always stated it was 'file_contexts' whether media, x, db or file.
+ The fix is to store the spec file name in the selabel_lookup_rec on
+ selabel_open and use this as output for logs. Also a minor fix if key is
+ NULL to stop seg faults.
+- Fix setenforce manage page.
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
+- Rebuild with new libsepol
+
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-2
+- Fix setenforce man page, from Miroslav Grepl
+
+* Tue Dec 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+- Upgrade to upstream
+ * selinuxswig_python.i: don't make syscall if it won't change anything
+ * Remove assert in security_get_boolean_names(3)
+ * Mapped compute functions now obey deny_unknown flag
+ * get_default_type now sets EINVAL if no entry.
+ * return EINVAL if invalid role selected
+ * Updated selabel_file(5) man page
+ * Updated selabel_db(5) man page
+ * Updated selabel_media(5) man page
+ * Updated selabel_x(5) man page
+ * Add man/man5 man pages
+ * Add man/man5 man pages
+ * Add man/man5 man pages
+ * use -W and -Werror in utils
+
+* Tue Nov 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-2
+- Change python binding for restorecon to check if the context matches.
+- If it does do not reset
+
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
+- Upgrade to upstream
+ * Makefiles: syntax, convert all ${VAR} to $(VAR)
+ * load_policy: handle selinux=0 and /sys/fs/selinux not exist
+ * regenerate .pc on VERSION change
+ * label: cosmetic cleanups
+ * simple interface for access checks
+ * Don't reinitialize avc_init if it has been called previously
+ * seusers: fix to handle large sets of groups
+ * audit2why: close fd on enomem
+ * rename and export symlink_realpath
+ * label_file: style changes to make Eric happy.
+
+* Mon Oct 24 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-4
+- Apply libselinux patch to handle large groups in seusers.
+
+* Wed Oct 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-3
+- Add selinux_check_access function. Needed for passwd, chfn, chsh
+
+* Thu Sep 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-2
+- Handle situation where selinux=0 passed to the kernel and both /selinux and
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.6-1
+-Update to upstream
+ * utils: matchpathcon: remove duplicate declaration
+ * src: matchpathcon: use myprintf not fprintf
+ * src: matchpathcon: make sure resolved path starts
+ * put libselinux.so.1 in /lib not /usr/lib
+ * tree: default make target to all not
+
+* Wed Sep 14 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-5
+- Switch to use ":" as prefix separator rather then ";"
+
+* Thu Sep 8 2011 Ville Skyttä <ville.skytta@iki.fi> - 2.1.5-4
+- Avoid unnecessary shell invocation in %%post.
+
+* Tue Sep 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-3
+- Fix handling of subset labeling that is causing segfault in restorecon
+
+* Fri Sep 2 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
+- Change matchpathcon_init_prefix and selabel_open to allow multiple initial
+prefixes. Now you can specify a ";" separated list of prefixes and the
+labeling system will only load regular expressions that match these prefixes.
+
+* Tue Aug 30 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
+- Change matchpatcon to use proper myprintf
+- Fix symlink_realpath to always include "/"
+- Update to upstream
+ * selinux_file_context_verify function returns wrong value.
+ * move realpath helper to matchpathcon library
+ * python wrapper makefile changes
+
+* Mon Aug 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
+- Move to new Makefile that can build with or without PYTHON being set
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-1
+-Update to upstream
+2.1.4 2011-0817
+ * mapping fix for invalid class/perms after selinux_set_mapping
+ * audit2why: work around python bug not defining
+ * resolv symlinks and dot directories before matching
+
+2.1.2 2011-0803
+ * audit2allow: do not print statistics
+ * make python bindings for restorecon work on relative path
+ * fix python audit2why binding error
+ * support new python3 functions
+ * do not check fcontext duplicates on use
+ * Patch for python3 for libselinux
+
+2.1.1 2011-08-02
+ * move .gitignore into utils
+ * new setexecon utility
+ * selabel_open fix processing of substitution files
+ * mountpoint changing patch.
+ * simplify SRCS in Makefile
+
+2.1.1 2011-08-01
+ * Remove generated files, introduce more .gitignore
+
+
+
+* Thu Jul 28 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.0-1
+-Update to upstream
+ * Release, minor version bump
+ * Give correct names to mount points in load_policy by Dan Walsh.
+ * Make sure selinux state is reported correctly if selinux is disabled or
+ fails to load by Dan Walsh.
+ * Fix crash if selinux_key_create was never called by Dan Walsh.
+ * Add new file_context.subs_dist for distro specific filecon substitutions
+ by Dan Walsh.
+ * Update man pages for selinux_color_* functions by Richard Haines.
+
+* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-6
+- Only call dups check within selabel/matchpathcon if you are validating the
+context
+- This seems to speed the loading of labels by 4 times.
+
+* Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-5
+- Move /selinux to /sys/fs/selinux
+- Add selinuxexeccon
+- Add realpath to matchpathcon to handle matchpathcon * type queries.
+
+* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-4
+- Update for latest libsepol
+
+* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-3
+- Update for latest libsepol
+
+* Wed Apr 13 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-2
+- Fix restorecon python binding to accept relative paths
+
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-1
+-Update to upstream
+ * Give correct names to mount points in load_policy by Dan Walsh.
+ * Make sure selinux state is reported correctly if selinux is disabled or
+ fails to load by Dan Walsh.
+ * Fix crash if selinux_key_create was never called by Dan Walsh.
+ * Add new file_context.subs_dist for distro specific filecon substitutions
+ by Dan Walsh.
+ * Update man pages for selinux_color_* functions by Richard Haines.
+
+* Wed Apr 6 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.101-1
+- Clean up patch to make handling of constructor cleanup more portable
+ * db_language object class support for selabel_lookup from KaiGai Kohei.
+ * Library destructors for thread local storage keys from Eamon Walsh.
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-5
+- Add distribution subs path
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-4
+Add patch from dbhole@redhat.com to initialize thread keys to -1
+Errors were being seen in libpthread/libdl that were related
+to corrupt thread specific keys. Global destructors that are called on dl
+unload. During destruction delete a thread specific key without checking
+if it has been initialized. Since the constructor is not called each time
+(i.e. key is not initialized with pthread_key_create each time), and the
+default is 0, there is a possibility that key 0 for an active thread gets
+deleted. This is exactly what is happening in case of OpenJDK.
+
+Workaround patch that initializes the key to -1. Thus if the constructor is not
+called, the destructor tries to delete key -1 which is deemed invalid by
+pthread_key_delete, and is ignored.
+
+* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-3
+- Call fini_selinuxmnt if selinux is disabled, to cause is_selinux_disabled() to report correct data
+
+* Fri Apr 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-2
+- Change mount source options to use "proc" and "selinuxfs"
+
+* Tue Mar 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.99-1
+- Update to upstream
+ * Turn off default user handling when computing user contexts by Dan Walsh
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org>
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.98-3
+- Fixup selinux man page
+
+* Tue Jan 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.98-2
+- Fix Makefile to use pkg-config --cflags python3 to discover include paths
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.98-1
+- Update to upstream
+ - Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list
+
+* Mon Dec 6 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.97-1
+- Update to upstream
+ * Thread local storage fixes from Eamon Walsh.
+
+* Sat Dec 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-9
+- Add /etc/tmpfiles.d support for /var/run/setrans
+
+* Wed Nov 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-8
+- Ghost /var/run/setrans
+
+* Wed Sep 29 2010 jkeating - 2.0.96-7
+- Rebuilt for gcc bug 634757
+
+* Thu Sep 16 2010 Adam Tkac <atkac redhat com> - 2.0.96-6
+- rebuild via updated swig (#624674)
+
+* Sun Aug 22 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-5
+- Update for python 3.2a1
+
+* Tue Jul 27 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-4
+- Turn off fallback in to SELINUX_DEFAULTUSER in get_context_list
+
+* Wed Jul 21 2010 David Malcolm <dmalcolm@redhat.com> - 2.0.96-3
+- Rebuilt for https://fedoraproject.org/wiki/Features/Python_2.7/MassRebuild
+
+* Fri Jun 25 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-2
+- Turn off messages in audit2why
+
+* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.96-1
+- Update to upstream
+ * Add const qualifiers to public API where appropriate by KaiGai Kohei.
+
+2.0.95 2010-06-10
+ * Remove duplicate slashes in paths in selabel_lookup from Chad Sellers
+ * Adds a chcon method to the libselinux python bindings from Steve Lawrence
+- add python3 subpackage from David Malcolm
+
+* Wed Mar 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.94-1
+* Set errno=EINVAL for invalid contexts from Dan Walsh.
+
+* Tue Mar 16 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.93-1
+- Update to upstream
+ * Show strerror for security_getenforce() by Colin Waters.
+ * Merged selabel database support by KaiGai Kohei.
+ * Modify netlink socket blocking code by KaiGai Kohei.
+
+* Sun Mar 7 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.92-1
+- Update to upstream
+ * Fix from Eric Paris to fix leak on non-selinux systems.
+ * regenerate swig wrappers
+ * pkgconfig fix to respect LIBDIR from Dan Walsh.
+
+* Wed Feb 24 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.91-1
+- Update to upstream
+ * Change the AVC to only audit the permissions specified by the
+ policy, excluding any permissions specified via dontaudit or not
+ specified via auditallow.
+ * Fix compilation of label_file.c with latest glibc headers.
+
+* Mon Feb 22 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-5
+- Fix potential doublefree on init
+
+* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-4
+- Fix libselinux.pc
+
+* Mon Jan 18 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-3
+- Fix man page for selinuxdefcon
+
+* Mon Jan 4 2010 Dan Walsh <dwalsh@redhat.com> - 2.0.90-2
+- Free memory on disabled selinux boxes
+
+* Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.90-1
+- Update to upstream
+ * add/reformat man pages by Guido Trentalancia <guido@trentalancia.com>.
+ * Change exception.sh to be called with bash by Manoj Srivastava <srivasta@debian.org>
+
+* Mon Nov 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.89-2
+- Fix selinuxdefcon man page
+
+* Mon Nov 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.89-1
+- Update to upstream
+ * Add pkgconfig file from Eamon Walsh.
+
+* Thu Oct 29 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.88-1
+- Update to upstream
+ * Rename and export selinux_reset_config()
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.87-1
+- Update to upstream
+ * Add exception handling in libselinux from Dan Walsh. This uses a
+ shell script called exception.sh to generate a swig interface file.
+ * make swigify
+ * Make matchpathcon print <<none>> if path not found in fcontext file.
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.86-2
+- Eliminate -pthread switch in Makefile
+
+* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.86-1
+- Update to upstream
+ * Removal of reference counting on userspace AVC SID's.
+
+* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Tue Jul 7 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.85-1
+- Update to upstream
+ * Reverted Tomas Mraz's fix for freeing thread local storage to avoid
+ pthread dependency.
+ * Removed fini_context_translations() altogether.
+ * Merged lazy init patch from Stephen Smalley based on original patch
+ by Steve Grubb.
+
+* Tue Jul 7 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.84-1
+- Update to upstream
+ * Add per-service seuser support from Dan Walsh.
+ * Let load_policy gracefully handle selinuxfs being mounted from Stephen Smalley.
+ * Check /proc/filesystems before /proc/mounts for selinuxfs from Eric
+ Paris.
+
+* Wed Jun 24 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.82-2
+- Add provices ruby(selinux)
+
+* Tue Jun 23 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.82-1
+- Update to upstream
+ * Fix improper use of thread local storage from Tomas Mraz <tmraz@redhat.com>.
+ * Label substitution support from Dan Walsh.
+ * Support for labeling virtual machine images from Dan Walsh.
+
+* Mon May 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.81-1
+- Update to upstream
+ * Trim / from the end of input paths to matchpathcon from Dan Walsh.
+ * Fix leak in process_line in label_file.c from Hiroshi Shinji.
+ * Move matchpathcon to /sbin, add matchpathcon to clean target from Dan Walsh.
+ * getdefaultcon to print just the correct match and add verbose option from Dan Walsh.
+
+* Wed Apr 8 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.80-1
+- Update to upstream
+ * deny_unknown wrapper function from KaiGai Kohei.
+ * security_compute_av_flags API from KaiGai Kohei.
+ * Netlink socket management and callbacks from KaiGai Kohei.
+
+* Fri Apr 3 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-6
+- Fix Memory Leak
+
+* Thu Apr 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-5
+- Fix crash in python
+
+* Sun Mar 29 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-4
+- Add back in additional interfaces
+
+* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-3
+- Add back in av_decision to python swig
+
+* Thu Mar 12 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.79-1
+- Update to upstream
+ * Netlink socket handoff patch from Adam Jackson.
+ * AVC caching of compute_create results by Eric Paris.
+
+* Tue Mar 10 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-5
+- Add patch from ajax to accellerate X SELinux
+- Update eparis patch
+
+* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-4
+- Add eparis patch to accellerate Xwindows performance
+
+* Mon Mar 9 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-3
+- Fix URL
+
+* Fri Mar 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-2
+- Add substitute pattern
+- matchpathcon output <<none>> on ENOENT
+
+* Mon Mar 2 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.78-1
+- Update to upstream
+ * Fix incorrect conversion in discover_class code.
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.77-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Wed Feb 18 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-5
+- Add
+ - selinux_virtual_domain_context_path
+ - selinux_virtual_image_context_path
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-3
+- Throw exeptions in python swig bindings on failures
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-2
+- Fix restorecon python code
+
+* Tue Jan 6 2009 Dan Walsh <dwalsh@redhat.com> - 2.0.77-1
+- Update to upstream
+
+* Tue Dec 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-6
+- Strip trailing / for matchpathcon
+
+* Tue Dec 16 2008 Dan Walsh <dwalsh@redhat.com>l - 2.0.76-5
+- Fix segfault if seusers file does not work
+
+* Fri Dec 12 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-4
+- Add new function getseuser which will take username and service and return
+- seuser and level. ipa will populate file in future.
+- Change selinuxdefcon to return just the context by default
+
+* Sat Nov 29 2008 Ignacio Vazquez-Abrams <ivazqueznet+rpm@gmail.com> - 2.0.76-2
+- Rebuild for Python 2.6
+
+* Mon Nov 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.76-1
+- Update to Upstream
+ * Allow shell-style wildcards in x_contexts file.
+
+* Mon Nov 17 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.75-2
+- Eamon Walsh Patch - libselinux: allow shell-style wildcarding in X names
+- Add Restorecon/Install python functions from Luke Macken
+
+* Fri Nov 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.75-1
+- Update to Upstream
+ * Correct message types in AVC log messages.
+ * Make matchpathcon -V pass mode from Dan Walsh.
+ * Add man page for selinux_file_context_cmp from Dan Walsh.
+
+* Tue Sep 30 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.73-1
+- Update to Upstream
+ * New man pages from Dan Walsh.
+ * Update flask headers from refpolicy trunk from Dan Walsh.
+
+* Fri Sep 26 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-6
+- Fix matchpathcon -V call
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-5
+- Add flask definitions for open, X and nlmsg_tty_audit
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-4
+- Add missing get/setkeycreatecon man pages
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-3
+- Split out utilities
+
+* Tue Sep 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-2
+- Add missing man page links for [lf]getfilecon
+
+* Tue Aug 5 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.71-1
+- Update to Upstream
+ * Add group support to seusers using %%groupname syntax from Dan Walsh.
+ * Mark setrans socket close-on-exec from Stephen Smalley.
+ * Only apply nodups checking to base file contexts from Stephen Smalley.
+
+* Fri Aug 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.70-1
+- Update to Upstream
+ * Merge ruby bindings from Dan Walsh.
+- Add support for Linux groups to getseuserbyname
+
+* Fri Aug 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.69-2
+- Allow group handling in getseuser call
+
+* Tue Jul 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.69-1
+- Update to Upstream
+ * Handle duplicate file context regexes as a fatal error from Stephen Smalley.
+ This prevents adding them via semanage.
+ * Fix audit2why shadowed variables from Stephen Smalley.
+ * Note that freecon NULL is legal in man page from Karel Zak.
+
+* Wed Jul 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-4
+- Add ruby support for puppet
+
+* Tue Jul 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-3
+- Rebuild for new libsepol
+
+* Sun Jun 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-2
+- Add Karel Zak patch for freecon man page
+
+* Sun Jun 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.67-1
+- Update to Upstream
+ * New and revised AVC, label, and mapping man pages from Eamon Walsh.
+ * Add swig python bindings for avc interfaces from Dan Walsh.
+
+* Sun Jun 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.65-1
+- Update to Upstream
+ * Fix selinux_file_context_verify() and selinux_lsetfilecon_default() to call matchpathcon_init_prefix if not already initialized.
+ * Add -q qualifier for -V option of matchpathcon and change it to indicate whether verification succeeded or failed via exit status.
+
+* Fri May 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-3
+- libselinux no longer neets to telnet -u in post install
+
+* Wed May 7 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-2
+- Add sedefaultcon and setconlist commands to dump login context
+
+* Tue Apr 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.64-1
+- Update to Upstream
+ * Fixed selinux_set_callback man page.
+ * Try loading the max of the kernel-supported version and the libsepol-supported version when no manipulation of the binary policy is needed from Stephen Smalley.
+ * Fix memory leaks in matchpathcon from Eamon Walsh.
+
+* Wed Apr 16 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-4
+- Add Xavior Toth patch for security_id_t in swig
+
+* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-3
+- Add avc.h to swig code
+
+* Wed Apr 9 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-2
+- Grab the latest policy for the kernel
+
+* Tue Apr 1 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.61-1
+- Update to Upstream
+ * Man page typo fix from Jim Meyering.
+
+* Sun Mar 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.60-1
+- Update to Upstream
+ * Changed selinux_init_load_policy() to not warn about a failed mount of selinuxfs if selinux was disabled in the kernel.
+
+* Thu Mar 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.59-2
+- Fix matchpathcon memory leak
+
+* Fri Feb 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.59-1
+- Update to Upstream
+ * Merged new X label "poly_selection" namespace from Eamon Walsh.
+
+* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.58-1
+- Update to Upstream
+ * Merged reset_selinux_config() for load policy from Dan Walsh.
+
+* Thu Feb 28 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.57-2
+- Reload library on loading of policy to handle chroot
+
+* Mon Feb 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.57-1
+- Update to Upstream
+ * Merged avc_has_perm() errno fix from Eamon Walsh.
+
+* Fri Feb 22 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.56-1
+- Update to Upstream
+ * Regenerated Flask headers from refpolicy flask definitions.
+
+* Wed Feb 13 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.55-1
+- Update to Upstream
+ * Merged compute_member AVC function and manpages from Eamon Walsh.
+ * Provide more error reporting on load policy failures from Stephen Smalley.
+
+* Fri Feb 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.53-1
+- Update to Upstream
+ * Merged new X label "poly_prop" namespace from Eamon Walsh.
+
+* Wed Feb 6 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.52-1
+- Update to Upstream
+ * Disable setlocaldefs if no local boolean or users files are present from Stephen Smalley.
+ * Skip userspace preservebools processing for Linux >= 2.6.22 from Stephen Smalley.
+
+* Tue Jan 29 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.50-1
+- Update to Upstream
+ * Merged fix for audit2why from Dan Walsh.
+
+* Fri Jan 25 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.49-2
+- Fix audit2why to grab latest policy versus the one selected by the kernel
+
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.49-1
+* Merged audit2why python binding from Dan Walsh.
+
+* Wed Jan 23 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.48-1
+* Merged updated swig bindings from Dan Walsh, including typemap for pid_t.
+
+* Mon Jan 21 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-4
+- Update to use libsepol-static library
+
+* Wed Jan 16 2008 Adel Gadllah <adel.gadllah@gmail.com> - 2.0.47-3
+- Move libselinux.a to -static package
+- Spec cleanups
+
+* Tue Jan 15 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-2
+- Put back libselinux.a
+
+* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.47-1
+- Fix memory references in audit2why and change to use tuples
+- Update to Upstream
+ * Fix for the avc: granted null message bug from Stephen Smalley.
+
+* Fri Jan 11 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-6
+- Fix __init__.py specification
+
+* Tue Jan 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-5
+- Add audit2why python bindings
+
+* Tue Jan 8 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-4
+- Add pid_t typemap for swig bindings
+
+* Thu Jan 3 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-3
+- smp_mflag
+
+* Thu Jan 3 2008 Dan Walsh <dwalsh@redhat.com> - 2.0.46-2
+- Fix spec file caused by spec review
+
+* Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.46-1
+- Upgrade to upstream
+ * matchpathcon(8) man page update from Dan Walsh.
+
+* Fri Nov 30 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.45-1
+- Upgrade to upstream
+ * dlopen libsepol.so.1 rather than libsepol.so from Stephen Smalley.
+ * Based on a suggestion from Ulrich Drepper, defer regex compilation until we have a stem match, by Stephen Smalley.
+ * A further optimization would be to defer regex compilation until we have a complete match of the constant prefix of the regex - TBD.
+
+* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.43-1
+- Upgrade to upstream
+ * Regenerated Flask headers from policy.
+
+* Thu Nov 15 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.42-1
+- Upgrade to upstream
+ * AVC enforcing mode override patch from Eamon Walsh.
+ * Aligned attributes in AVC netlink code from Eamon Walsh.
+- Move libselinux.so back into devel package, procps has been fixed
+
+* Tue Nov 6 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.40-1
+- Upgrade to upstream
+ * Merged refactored AVC netlink code from Eamon Walsh.
+ * Merged new X label namespaces from Eamon Walsh.
+ * Bux fix and minor refactoring in string representation code.
+
+* Fri Oct 5 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.37-1
+- Upgrade to upstream
+ * Merged selinux_get_callback, avc_open, empty string mapping from Eamon Walsh.
+
+* Fri Sep 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.36-1
+- Upgrade to upstream
+ * Fix segfault resulting from missing file_contexts file.
+
+* Thu Sep 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.35-2
+- Fix segfault on missing file_context file
+
+* Wed Sep 26 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.35-1
+- Upgrade to upstream
+ * Make netlink socket close-on-exec to avoid descriptor leakage from Dan Walsh.
+ * Pass CFLAGS when using gcc for linking from Dennis Gilmore.
+
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-3
+- Add sparc patch to from Dennis Gilmore to build on Sparc platform
+
+* Mon Sep 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-2
+- Remove leaked file descriptor
+
+* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.34-1
+- Upgrade to latest from NSA
+ * Fix selabel option flag setting for 64-bit from Stephen Smalley.
+
+* Tue Sep 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.33-2
+- Change matchpatcon to use syslog instead of syserror
+
+* Thu Sep 13 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.33-1
+- Upgrade to latest from NSA
+ * Re-map a getxattr return value of 0 to a getfilecon return value of -1 with errno EOPNOTSUPP from Stephen Smalley.
+ * Fall back to the compat code for security_class_to_string and security_av_perm_to_string from Stephen Smalley.
+ * Fix swig binding for rpm_execcon from James Athey.
+
+* Thu Sep 6 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-4
+- Apply James Athway patch to fix rpm_execcon python binding
+
+* Tue Aug 28 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-3
+- Move libselinux.so back into main package, breaks procps
+
+* Thu Aug 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.31-2
+- Upgrade to upstream
+ * Fix file_contexts.homedirs path from Todd Miller.
+
+* Tue Aug 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.30-2
+- Remove requirement on setransd, Moved to selinux-policy-mls
+
+* Fri Aug 10 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.30-1
+- Move libselinux.so into devel package
+- Upgrade to upstream
+ * Fix segfault resulting from uninitialized print-callback pointer.
+ * Added x_contexts path function patch from Eamon Walsh.
+ * Fix build for EMBEDDED=y from Yuichi Nakamura.
+ * Fix markup problems in selinux man pages from Dan Walsh.
+
+* Fri Aug 3 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.29-1
+- Upgrade to upstream
+ * Updated version for stable branch.
+ * Added x_contexts path function patch from Eamon Walsh.
+ * Fix build for EMBEDDED=y from Yuichi Nakamura.
+ * Fix markup problems in selinux man pages from Dan Walsh.
+ * Updated av_permissions.h and flask.h to include new nscd permissions from Dan Walsh.
+ * Added swigify to top-level Makefile from Dan Walsh.
+ * Fix for string_to_security_class segfault on x86_64 from Stephen
+ Smalley.
+
+* Mon Jul 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-3
+- Apply Steven Smalley patch to fix segfault in string_to_security_class
+
+* Wed Jul 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-2
+- Fix matchpathcon to set default myprintf
+
+* Mon Jul 16 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.24-1
+- Upgrade to upstream
+ * Fix for getfilecon() for zero-length contexts from Stephen Smalley.
+
+* Wed Jul 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-3
+- Update to match flask/access_vectors in policy
+
+* Tue Jul 10 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-2
+- Fix man page markup lanquage for translations
+
+* Tue Jun 26 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.23-1
+- Fix semanage segfault on x86 platform
+
+* Thu Jun 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.22-1
+- Upgrade to upstream
+ * Labeling and callback interface patches from Eamon Walsh.
+
+* Tue Jun 19 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.21-2
+- Refactored swig
+
+* Mon Jun 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.21-1
+- Upgrade to upstream
+ * Class and permission mapping support patches from Eamon Walsh.
+ * Object class discovery support patches from Chris PeBenito.
+ * Refactoring and errno support in string representation code.
+
+* Fri Jun 1 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.18-1
+- Upgrade to upstream
+- Merged patch to reduce size of libselinux and remove need for libsepol for embedded systems from Yuichi Nakamura.
+ This patch also turns the link-time dependency on libsepol into a runtime (dlopen) dependency even in the non-embedded case.
+
+2.0.17 2007-05-31
+ * Updated Lindent script and reindented two header files.
+
+* Fri May 4 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.16-1
+- Upgrade to upstream
+ * Merged additional swig python bindings from Dan Walsh.
+ * Merged helpful message when selinuxfs mount fails patch from Dax Kelson.
+
+* Tue Apr 24 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.14-1
+- Upgrade to upstream
+ * Merged build fix for avc_internal.c from Joshua Brindle.
+
+* Mon Apr 23 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.13-2
+- Add get_context_list funcitions to swig file
+
+* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.13-1
+- Upgrade to upstream
+ * Merged rpm_execcon python binding fix, matchpathcon man page fix, and getsebool -a handling for EACCES from Dan Walsh.
+
+* Thu Apr 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.12-2
+- Add missing interface
+
+* Wed Apr 11 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.12-1
+- Upgrade to upstream
+ * Merged support for getting initial contexts from James Carter.
+
+* Mon Apr 9 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.11-1
+- Upgrade to upstream
+ * Merged userspace AVC patch to follow kernel's behavior for permissive mode in caching previous denials from Eamon Walsh.
+ * Merged sidput(NULL) patch from Eamon Walsh.
+
+* Thu Apr 5 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.9-2
+- Make rpm_exec swig work
+
+* Tue Mar 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.9-1
+- Upgrade to upstream
+ * Merged class/av string conversion and avc_compute_create patch from Eamon Walsh.
+
+* Tue Mar 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.8-1
+- Upgrade to upstream
+ * Merged fix for avc.h #include's from Eamon Walsh.
+
+* Thu Mar 22 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.7-2
+- Add stdint.h to avc.h
+
+* Mon Mar 12 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.7-1
+- Merged patch to drop support for CACHETRANS=0 config option from Steve Grubb.
+- Merged patch to drop support for old /etc/sysconfig/selinux and
+- /etc/security policy file layout from Steve Grubb.
+
+* Thu Mar 8 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-2
+- Do not fail on permission denied in getsebool
+
+* Tue Feb 27 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.5-1
+- Upgrade to upstream
+ * Merged init_selinuxmnt() and is_selinux_enabled() improvements from Steve Grubb.
+
+* Wed Feb 21 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.4-1
+- Upgrade to upstream
+ * Removed sending of setrans init message.
+ * Merged matchpathcon memory leak fix from Steve Grubb.
+
+* Tue Feb 20 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.2-1
+- Upgrade to upstream
+ * Merged more swig initializers from Dan Walsh.
+
+* Sun Feb 18 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.1-1
+- Upgrade to upstream
+ * Merged patch from Todd Miller to convert int types over to C99 style.
+
+* Wed Feb 7 2007 Dan Walsh <dwalsh@redhat.com> - 2.0.0-1
+- Merged patch from Todd Miller to remove sscanf in matchpathcon.c because
+ of the use of the non-standard format (original patch changed
+ for style).
+- Merged patch from Todd Miller to fix memory leak in matchpathcon.c.
+
+* Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-2
+- Add context function to python to split context into 4 parts
+
+* Fri Jan 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.34.0-1
+- Upgrade to upstream
+ * Updated version for stable branch.
+
+* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.6-1
+- Upgrade to upstream
+ * Merged man page updates to make "apropos selinux" work from Dan Walsh.
+
+* Wed Jan 17 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.5-1
+- Upgrade to upstream
+ * Merged getdefaultcon utility from Dan Walsh.
+
+* Mon Jan 15 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-3
+- Add Ulrich NSCD__GETSERV and NSCD__SHMEMGRP for Uli
+
+* Fri Jan 12 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-2
+- Add reference to selinux man page in all man pages to make apropos work
+Resolves: # 217881
+
+* Thu Jan 11 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.4-1
+- Upstream wanted some minor changes, upgrading to keep api the same
+- Upgrade to upstream
+ * Merged selinux_check_securetty_context() and support from Dan Walsh.
+Resolves: #200110
+
+* Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-3
+- Cleanup patch
+
+* Fri Jan 5 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-2
+- Add securetty handling
+Resolves: #200110
+
+* Thu Jan 4 2007 Dan Walsh <dwalsh@redhat.com> - 1.33.3-1
+- Upgrade to upstream
+ * Merged patch for matchpathcon utility to use file mode information
+ when available from Dan Walsh.
+
+* Thu Dec 7 2006 Jeremy Katz <katzj@redhat.com> - 1.33.2-4
+- rebuild against python 2.5
+
+* Wed Dec 6 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-3
+- Fix matchpathcon to lstat files
+
+* Thu Nov 30 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-2
+- Update man page
+
+* Tue Nov 14 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.2-1
+- Upgrade to upstream
+
+* Fri Nov 3 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-2
+- Add James Antill patch for login verification of MLS Levels
+- MLS ragnes need to be checked, Eg. login/cron. This patch adds infrastructure.
+
+* Tue Oct 24 2006 Dan Walsh <dwalsh@redhat.com> - 1.33.1-1
+- Upgrade to latest from NSA
+ * Merged updated flask definitions from Darrel Goeddel.
+ This adds the context security class, and also adds
+ the string definitions for setsockcreate and polmatch.
+
+* Tue Oct 17 2006 Dan Walsh <dwalsh@redhat.com> - 1.32-1
+- Upgrade to latest from NSA
+ * Updated version for release.
+
+* Sun Oct 01 2006 Jesse Keating <jkeating@redhat.com> - 1.30.29-2
+- rebuilt for unwind info generation, broken in gcc-4.1.1-21
+
+* Fri Sep 29 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.29-1
+- Upgrade to latest from NSA
+ * Merged av_permissions.h update from Steve Grubb,
+ adding setsockcreate and polmatch definitions.
+
+* Wed Sep 27 2006 Jeremy Katz <katzj@redhat.com> - 1.30.28-3
+- really make -devel depend on libsepol-devel
+
+* Wed Sep 27 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-2
+- Add sgrubb patch for polmatch
+
+* Wed Sep 13 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.28-1
+- Upgrade to latest from NSA
+ * Merged patch from Steve Smalley to fix SIGPIPE in setrans_client
+
+* Tue Sep 5 2006 Jeremy Katz <katzj@redhat.com> - 1.30.27-2
+- have -devel require libsepol-devel
+
+* Thu Aug 24 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.27-1
+- Upgrade to latest from NSA
+ * Merged patch to not log avc stats upon a reset from Steve Grubb.
+ * Applied patch to revert compat_net setting upon policy load.
+ * Merged file context homedir and local path functions from
+ Chris PeBenito.
+
+* Fri Aug 18 2006 Jesse Keating <jkeating@redhat.com> - 1.20.26-2
+- rebuilt with latest binutils to pick up 64K -z commonpagesize on ppc*
+ (#203001)
+
+* Sat Aug 12 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.25-1
+- Upgrade to latest from NSA
+ * Merged file context homedir and local path functions from
+ Chris PeBenito.
+ * Rework functions that access /proc/pid/attr to access the
+ per-thread nodes, and unify the code to simplify maintenance.
+
+* Fri Aug 11 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.24-1
+- Upgrade to latest from NSA
+ * Merged return value fix for *getfilecon() from Dan Walsh.
+ * Merged sockcreate interfaces from Eric Paris.
+
+* Wed Aug 9 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.22-2
+- Fix translation return codes to return size of buffer
+
+* Tue Aug 1 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.22-1
+- Upgrade to latest from NSA
+ * Merged no-tls-direct-seg-refs patch from Jeremy Katz.
+ * Merged netfilter_contexts support patch from Chris PeBenito.
+
+* Tue Aug 1 2006 Dan Walsh <dwalsh@redhat.com> - 1.30.20-1
+- Upgrade to latest from NSA
+ * Merged context_*_set errno patch from Jim Meyering.
+
+* Tue Aug 1 2006 Jeremy Katz <katzj@redhat.com> - 1.30.19-5
+- only build non-fpic objects with -mno-tls-direct-seg-refs
+
+* Tue Aug 1 2006 Jeremy Katz <katzj@redhat.com> - 1.30.19-4
+- build with -mno-tls-direct-seg-refs on x86 to avoid triggering
+ segfaults with xen (#200783)
+
+* Mon Jul 17 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-3
+- Rebuild for new gcc
+
+* Tue Jul 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-2
+- Fix libselinux to not telinit during installs
+
+* Tue Jul 4 2006 Dan Walsh <dwalsh@redhat.com> 1.30.19-1
+- Upgrade to latest from NSA
+ * Lindent.
+ * Merged {get,set}procattrcon patch set from Eric Paris.
+ * Merged re-base of keycreate patch originally by Michael LeMay from Eric Paris.
+ * Regenerated Flask headers from refpolicy.
+ * Merged patch from Dan Walsh with:
+ - Added selinux_file_context_{cmp,verify}.
+ - Added selinux_lsetfilecon_default.
+ - Delay translation of contexts in matchpathcon.
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-5
+- Yet another change to matchpathcon
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-4
+- Turn off error printing in library. Need to compile with DEBUG to get it back
+
+* Wed Jun 21 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-3
+- Fix error reporting of matchpathcon
+
+* Mon Jun 19 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-2
+- Add function to compare file context on disk versus contexts in file_contexts file.
+
+* Fri Jun 16 2006 Dan Walsh <dwalsh@redhat.com> 1.30.15-1
+- Upgrade to latest from NSA
+ * Merged patch from Dan Walsh with:
+ * Added selinux_getpolicytype() function.
+ * Modified setrans code to skip processing if !mls_enabled.
+ * Set errno in the !selinux_mnt case.
+ * Allocate large buffers from the heap, not on stack.
+ Affects is_context_customizable, selinux_init_load_policy,
+ and selinux_getenforcemode.
+
+* Thu Jun 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.12-2
+- Add selinux_getpolicytype()
+
+* Thu Jun 1 2006 Dan Walsh <dwalsh@redhat.com> 1.30.12-1
+- Upgrade to latest from NSA
+ * Merged !selinux_mnt checks from Ian Kent.
+
+* Thu Jun 1 2006 Dan Walsh <dwalsh@redhat.com> 1.30.11-2
+- Check for selinux_mnt == NULL
+
+* Tue May 30 2006 Dan Walsh <dwalsh@redhat.com> 1.30.11-1
+- Merged matchmediacon and trans_to_raw_context fixes from
+ Serge Hallyn.
+
+* Fri May 26 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-4
+- Remove getseuser
+
+* Thu May 25 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-3
+- Bump requires to grab latest libsepol
+
+* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-2
+- Add BuildRequires for swig
+
+* Tue May 23 2006 Dan Walsh <dwalsh@redhat.com> 1.30.10-1
+- Upgrade to latest from NSA
+ * Merged simple setrans client cache from Dan Walsh.
+ Merged avcstat patch from Russell Coker.
+ * Modified selinux_mkload_policy() to also set /selinux/compat_net
+ appropriately for the loaded policy.
+
+* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 1.30.8-1
+- More fixes for translation cache
+- Upgrade to latest from NSA
+ * Added matchpathcon_fini() function to free memory allocated by
+ matchpathcon_init().
+
+* Wed May 17 2006 Dan Walsh <dwalsh@redhat.com> 1.30.7-2
+- Add simple cache to improve translation speed
+
+* Tue May 16 2006 Dan Walsh <dwalsh@redhat.com> 1.30.7-1
+- Upgrade to latest from NSA
+ * Merged setrans client cleanup patch from Steve Grubb.
+
+* Tue May 9 2006 Dan Walsh <dwalsh@redhat.com> 1.30.6-2
+- Add Russell's AVC patch to handle large numbers
+
+* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.6-1
+- Upgrade to latest from NSA
+ * Merged getfscreatecon man page fix from Dan Walsh.
+ * Updated booleans(8) man page to drop references to the old
+ booleans file and to note that setsebool can be used to set
+ the boot-time defaults via -P.
+
+* Mon May 8 2006 Dan Walsh <dwalsh@redhat.com> 1.30.5-1
+- Upgrade to latest from NSA
+ * Merged fix warnings patch from Karl MacMillan.
+ * Merged setrans client support from Dan Walsh.
+ This removes use of libsetrans.
+ * Merged patch to eliminate use of PAGE_SIZE constant from Dan Walsh.
+ * Merged swig typemap fixes from Glauber de Oliveira Costa.
+
+* Wed May 3 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-3
+- Change the way translations work, Use setransd/remove libsetrans
+
+* Tue May 2 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-2
+- Add selinuxswig fixes
+- Stop using PAGE_SIZE and start using sysconf(_SC_PAGE_SIZE)
+
+* Fri Apr 14 2006 Dan Walsh <dwalsh@redhat.com> 1.30.3-1
+- Upgrade to latest from NSA
+ * Added distclean target to Makefile.
+ * Regenerated swig files.
+ * Changed matchpathcon_init to verify that the spec file is
+ a regular file.
+ * Merged python binding t_output_helper removal patch from Dan Walsh.
+
+* Tue Apr 11 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-2
+- Fix python bindings for matchpathcon
+- Fix booleans man page
+
+* Mon Mar 27 2006 Dan Walsh <dwalsh@redhat.com> 1.30.1-1
+- Merged Makefile PYLIBVER definition patch from Dan Walsh.
+
+* Fri Mar 10 2006 Dan Walsh <dwalsh@redhat.com> 1.30-1
+- Make some fixes so it will build on RHEL4
+- Upgrade to latest from NSA
+ * Updated version for release.
+ * Altered rpm_execcon fallback logic for permissive mode to also
+ handle case where /selinux/enforce is not available.
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.29.7-1.2
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.29.7-1.1
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Jan 20 2006 Dan Walsh <dwalsh@redhat.com> 1.29.7-1
+- Upgrade to latest from NSA
+ * Merged install-pywrap Makefile patch from Joshua Brindle.
+
+* Wed Jan 18 2006 Dan Walsh <dwalsh@redhat.com> 1.29.6-1
+- Upgrade to latest from NSA
+ * Merged pywrap Makefile patch from Dan Walsh.
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.29.5-2
+- Split out pywrap in Makefile
+
+* Fri Jan 13 2006 Dan Walsh <dwalsh@redhat.com> 1.29.5-1
+- Upgrade to latest from NSA
+ * Added getseuser test program.
+
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.29.4-1
+- Upgrade to latest from NSA
+ * Added format attribute to myprintf in matchpathcon.c and
+ removed obsoleted rootlen variable in init_selinux_config().
+
+* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.29.3-2
+- Build with new libsepol
+
+* Wed Jan 4 2006 Dan Walsh <dwalsh@redhat.com> 1.29.3-1
+- Upgrade to latest from NSA
+ * Merged several fixes and improvements from Ulrich Drepper
+ (Red Hat), including:
+ - corrected use of getline
+ - further calls to __fsetlocking for local files
+ - use of strdupa and asprintf
+ - proper handling of dirent in booleans code
+ - use of -z relro
+ - several other optimizations
+ * Merged getpidcon python wrapper from Dan Walsh (Red Hat).
+
+* Sat Dec 24 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-4
+- Add build requires line for libsepol-devel
+
+* Tue Dec 20 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-3
+- Fix swig call for getpidcon
+
+* Mon Dec 19 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-2
+- Move libselinux.so to base package
+
+* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-1
+- Upgrade to latest from NSA
+ * Merged call to finish_context_translations from Dan Walsh.
+ This eliminates a memory leak from failing to release memory
+ allocated by libsetrans.
+
+* Sun Dec 11 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-3
+- update to latest libsetrans
+- Fix potential memory leak
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Thu Dec 8 2005 Dan Walsh <dwalsh@redhat.com> 1.29.1-1
+- Update to never version
+ * Merged patch for swig interfaces from Dan Walsh.
+
+* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 1.28-1
+- Update to never version
+
+* Wed Dec 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.28-2
+- Fix some of the python swig objects
+
+* Thu Dec 1 2005 Dan Walsh <dwalsh@redhat.com> 1.27.28-1
+- Update to latest from NSA
+ * Added MATCHPATHCON_VALIDATE flag for set_matchpathcon_flags() and
+ modified matchpathcon implementation to make context validation/
+ canonicalization optional at matchpathcon_init time, deferring it
+ to a successful matchpathcon by default unless the new flag is set
+ by the caller.
+ * Added matchpathcon_init_prefix() interface, and
+ reworked matchpathcon implementation to support selective
+ loading of file contexts entries based on prefix matching
+ between the pathname regex stems and the specified path
+ prefix (stem must be a prefix of the specified path prefix).
+
+* Wed Nov 30 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1
+- Update to latest from NSA
+ * Change getsebool to return on/off instead of active/inactive
+
+* Tue Nov 29 2005 Dan Walsh <dwalsh@redhat.com> 1.27.25-1
+- Update to latest from NSA
+ * Added -f file_contexts option to matchpathcon util.
+ Fixed warning message in matchpathcon_init().
+ * Merged Makefile python definitions patch from Dan Walsh.
+
+* Mon Nov 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.23-1
+- Update to latest from NSA
+ * Merged swigify patch from Dan Walsh.
+
+* Mon Nov 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-4
+- Separate out libselinux-python bindings into separate rpm
+
+* Thu Nov 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-3
+- Read libsetrans requirement
+
+* Thu Nov 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-2
+- Add python bindings
+
+* Wed Nov 16 2005 Dan Walsh <dwalsh@redhat.com> 1.27.22-1
+- Update to latest from NSA
+ * Merged make failure in rpm_execcon non-fatal in permissive mode
+ patch from Ivan Gyurdiev.
+
+* Tue Nov 15 2005 Dan Walsh <dwalsh@redhat.com> 1.27.21-2
+- Remove requirement for libsetrans
+
+* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.21-1
+- Update to latest from NSA
+ * Added MATCHPATHCON_NOTRANS flag for set_matchpathcon_flags()
+ and modified matchpathcon_init() to skip context translation
+ if it is set by the caller.
+
+* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.20-1
+- Update to latest from NSA
+ * Added security_canonicalize_context() interface and
+ set_matchpathcon_canoncon() interface for obtaining
+ canonical contexts. Changed matchpathcon internals
+ to obtain canonical contexts by default. Provided
+ fallback for kernels that lack extended selinuxfs context
+ interface.
+- Patch to not translate mls when calling setfiles
+
+* Mon Nov 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.19-1
+- Update to latest from NSA
+ * Merged seusers parser changes from Ivan Gyurdiev.
+ * Merged setsebool to libsemanage patch from Ivan Gyurdiev.
+ * Changed seusers parser to reject empty fields.
+
+* Fri Nov 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.18-1
+- Update to latest from NSA
+ * Merged seusers empty level handling patch from Jonathan Kim (TCS).
+
+* Thu Nov 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-4
+- Rebuild for latest libsepol
+
+* Mon Oct 31 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-2
+- Rebuild for latest libsepol
+
+* Wed Oct 26 2005 Dan Walsh <dwalsh@redhat.com> 1.27.17-1
+- Change default to __default__
+
+* Wed Oct 26 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-3
+- Change default to __default__
+
+* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-2
+- Add selinux_translations_path
+
+* Tue Oct 25 2005 Dan Walsh <dwalsh@redhat.com> 1.27.14-1
+- Update to latest from NSA
+ * Merged selinux_path() and selinux_homedir_context_path()
+ functions from Joshua Brindle.
+
+* Fri Oct 21 2005 Dan Walsh <dwalsh@redhat.com> 1.27.13-2
+- Need to check for /sbin/telinit
+
+* Thu Oct 20 2005 Dan Walsh <dwalsh@redhat.com> 1.27.13-1
+- Update to latest from NSA
+ * Merged fixes for make DESTDIR= builds from Joshua Brindle.
+
+* Mon Oct 17 2005 Dan Walsh <dwalsh@redhat.com> 1.27.12-1
+- Update to latest from NSA
+ * Merged get_default_context_with_rolelevel and man pages from
+ Dan Walsh (Red Hat).
+ * Updated call to sepol_policydb_to_image for sepol changes.
+ * Changed getseuserbyname to ignore empty lines and to handle
+ no matching entry in the same manner as no seusers file.
+
+* Fri Oct 14 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-2
+- Tell init to reexec itself in post script
+
+* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.9-1
+- Update to latest from NSA
+ * Changed selinux_mkload_policy to try downgrading the
+ latest policy version available to the kernel-supported version.
+ * Changed selinux_mkload_policy to fall back to the maximum
+ policy version supported by libsepol if the kernel policy version
+ falls outside of the supported range.
+
+* Fri Oct 7 2005 Dan Walsh <dwalsh@redhat.com> 1.27.7-1
+- Update to latest from NSA
+ * Changed getseuserbyname to fall back to the Linux username and
+ NULL level if seusers config file doesn't exist unless
+ REQUIRESEUSERS=1 is set in /etc/selinux/config.
+ * Moved seusers.conf under $SELINUXTYPE and renamed to seusers.
+
+* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.6-1
+- Update to latest from NSA
+ * Added selinux_init_load_policy() function as an even higher level
+ interface for the initial policy load by /sbin/init. This obsoletes
+ the load_policy() function in the sysvinit-selinux.patch.
+ * Added selinux_mkload_policy() function as a higher level interface
+ for loading policy than the security_load_policy() interface.
+
+* Thu Oct 6 2005 Dan Walsh <dwalsh@redhat.com> 1.27.4-1
+- Update to latest from NSA
+ * Merged fix for matchpathcon (regcomp error checking) from Johan
+ Fischer. Also added use of regerror to obtain the error string
+ for inclusion in the error message.
+
+* Tue Oct 4 2005 Dan Walsh <dwalsh@redhat.com> 1.27.3-1
+- Update to latest from NSA
+ * Changed getseuserbyname to not require (and ignore if present)
+ the MLS level in seusers.conf if MLS is disabled, setting *level
+ to NULL in this case.
+
+* Mon Oct 3 2005 Dan Walsh <dwalsh@redhat.com> 1.27.2-1
+- Update to latest from NSA
+ * Merged getseuserbyname patch from Dan Walsh.
+
+* Thu Sep 29 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-3
+- Fix patch to satisfy upstream
+
+* Wed Sep 28 2005 Dan Walsh <dwalsh@redhat.com> 1.27.1-2
+- Update to latest from NSA
+- Add getseuserbyname
+
+* Fri Sep 16 2005 Dan Walsh <dwalsh@redhat.com> 1.26-6
+- Fix patch call
+
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-5
+- Fix strip_con call
+
+* Tue Sep 13 2005 Dan Walsh <dwalsh@redhat.com> 1.26-3
+- Go back to original libsetrans code
+
+* Mon Sep 12 2005 Dan Walsh <dwalsh@redhat.com> 1.26-2
+- Eliminate forth param from mls context when mls is not enabled.
+
+* Tue Sep 6 2005 Dan Walsh <dwalsh@redhat.com> 1.25.7-1
+- Update from NSA
+ * Merged modified form of patch to avoid dlopen/dlclose by
+ the static libselinux from Dan Walsh. Users of the static libselinux
+ will not have any context translation by default.
+
+* Thu Sep 1 2005 Dan Walsh <dwalsh@redhat.com> 1.25.6-1
+- Update from NSA
+ * Added public functions to export context translation to
+ users of libselinux (selinux_trans_to_raw_context,
+ selinux_raw_to_trans_context).
+
+* Mon Aug 29 2005 Dan Walsh <dwalsh@redhat.com> 1.25.5-1
+- Update from NSA
+ * Remove special definition for context_range_set; use
+ common code.
+
+* Thu Aug 25 2005 Dan Walsh <dwalsh@redhat.com> 1.25.4-1
+- Update from NSA
+ * Hid translation-related symbols entirely and ensured that
+ raw functions have hidden definitions for internal use.
+ * Allowed setting NULL via context_set* functions.
+ * Allowed whitespace in MLS component of context.
+ * Changed rpm_execcon to use translated functions to workaround
+ lack of MLS level on upgraded systems.
+
+* Wed Aug 24 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-2
+- Allow set_comp on unset ranges
+
+* Wed Aug 24 2005 Dan Walsh <dwalsh@redhat.com> 1.25.3-1
+- Merged context translation patch, originally by TCS,
+ with modifications by Dan Walsh (Red Hat).
+
+* Wed Aug 17 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-2
+- Apply translation patch
+
+* Thu Aug 11 2005 Dan Walsh <dwalsh@redhat.com> 1.25.2-1
+- Update from NSA
+ * Merged several fixes for error handling paths in the
+ AVC sidtab, matchpathcon, booleans, context, and get_context_list
+ code from Serge Hallyn (IBM). Bugs found by Coverity.
+ * Removed setupns; migrated to pam.
+ * Merged patches to rename checkPasswdAccess() from Joshua Brindle.
+ Original symbol is temporarily retained for compatibility until
+ all callers are updated.
+
+* Mon Jul 18 2005 Dan Walsh <dwalsh@redhat.com> 1.24.2-1
+- Update makefiles
+
+* Wed Jun 29 2005 Dan Walsh <dwalsh@redhat.com> 1.24.1-1
+- Update from NSA
+ * Merged security_setupns() from Chad Sellers.
+- fix selinuxenabled man page
+
+* Fri May 20 2005 Dan Walsh <dwalsh@redhat.com> 1.23.11-1
+- Update from NSA
+ * Merged avcstat and selinux man page from Dan Walsh.
+ * Changed security_load_booleans to process booleans.local
+ even if booleans file doesn't exist.
+
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-3
+- Fix avcstat to clear totals
+
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-2
+- Add info to man page
+
+* Fri Apr 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.10-1
+- Update from NSA
+ * Merged set_selinuxmnt patch from Bill Nottingham (Red Hat).
+ * Rewrote get_ordered_context_list and helpers, including
+ changing logic to allow variable MLS fields.
+
+* Tue Apr 26 2005 Dan Walsh <dwalsh@redhat.com> 1.23.8-1
+- Update from NSA
+
+* Thu Apr 21 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-3
+- Add backin matchpathcon
+
+* Wed Apr 13 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-2
+- Fix selinux_policy_root man page
+
+* Wed Apr 13 2005 Dan Walsh <dwalsh@redhat.com> 1.23.7-1
+- Change assert(selinux_mnt) to if (!selinux_mnt) return -1;
+
+* Mon Apr 11 2005 Dan Walsh <dwalsh@redhat.com> 1.23.6-1
+- Update from NSA
+ * Fixed bug in matchpathcon_filespec_destroy.
+
+* Wed Apr 6 2005 Dan Walsh <dwalsh@redhat.com> 1.23.5-1
+- Update from NSA
+ * Fixed bug in rpm_execcon error handling path.
+
+* Mon Apr 4 2005 Dan Walsh <dwalsh@redhat.com> 1.23.4-1
+- Update from NSA
+ * Merged fix for set_matchpathcon* functions from Andreas Steinmetz.
+ * Merged fix for getconlist utility from Andreas Steinmetz.
+
+* Tue Mar 29 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-3
+- Update from NSA
+
+* Wed Mar 23 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-2
+- Better handling of booleans
+
+* Thu Mar 17 2005 Dan Walsh <dwalsh@redhat.com> 1.23.2-1
+- Update from NSA
+ * Merged destructors patch from Tomas Mraz.
+
+* Thu Mar 17 2005 Dan Walsh <dwalsh@redhat.com> 1.23.1-1
+- Update from NSA
+ * Added set_matchpathcon_flags() function for setting flags
+ controlling operation of matchpathcon. MATCHPATHCON_BASEONLY
+ means only process the base file_contexts file, not
+ file_contexts.homedirs or file_contexts.local, and is for use by
+ setfiles -c.
+ * Updated matchpathcon.3 man page.
+
+* Thu Mar 10 2005 Dan Walsh <dwalsh@redhat.com> 1.22-1
+- Update from NSA
+
+* Tue Mar 8 2005 Dan Walsh <dwalsh@redhat.com> 1.21.13-1
+- Update from NSA
+ * Fixed bug in matchpathcon_filespec_add() - failure to clear fl_head.
+
+* Tue Mar 1 2005 Dan Walsh <dwalsh@redhat.com> 1.21.12-1
+- Update from NSA
+ * Changed matchpathcon_common to ignore any non-format bits in the mode.
+
+* Mon Feb 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.11-2
+- Default matchpathcon to regular files if the user specifies a mode
+
+* Tue Feb 22 2005 Dan Walsh <dwalsh@redhat.com> 1.21.11-1
+- Update from NSA
+ * Merged several fixes from Ulrich Drepper.
+
+* Mon Feb 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.10-3
+- Fix matchpathcon on eof.
+
+* Thu Feb 17 2005 Dan Walsh <dwalsh@redhat.com> 1.21.10-1
+- Update from NSA
+ * Merged matchpathcon patch for file_contexts.homedir from Dan Walsh.
+ * Added selinux_users_path() for path to directory containing
+ system.users and local.users.
+
+* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.9-2
+- Process file_context.homedir
+
+* Thu Feb 10 2005 Dan Walsh <dwalsh@redhat.com> 1.21.9-1
+- Update from NSA
+ * Changed relabel Makefile target to use restorecon.
+
+* Tue Feb 8 2005 Dan Walsh <dwalsh@redhat.com> 1.21.8-1
+- Update from NSA
+ * Regenerated av_permissions.h.
+
+* Wed Feb 2 2005 Dan Walsh <dwalsh@redhat.com> 1.21.7-1
+- Update from NSA
+ * Modified avc_dump_av to explicitly check for any permissions that
+ cannot be mapped to string names and display them as a hex value.
+ * Regenerated av_permissions.h.
+
+* Mon Jan 31 2005 Dan Walsh <dwalsh@redhat.com> 1.21.5-1
+- Update from NSA
+ * Generalized matchpathcon internals, exported more interfaces,
+ and moved additional code from setfiles into libselinux so that
+ setfiles can directly use matchpathcon.
+
+* Fri Jan 28 2005 Dan Walsh <dwalsh@redhat.com> 1.21.4-1
+- Update from NSA
+ * Prevent overflow of spec array in matchpathcon.
+ * Fixed several uses of internal functions to avoid relocations.
+ * Changed rpm_execcon to check is_selinux_enabled() and fallback to
+ a regular execve if not enabled (or unable to determine due to a lack
+ of /proc, e.g. chroot'd environment).
+
+* Wed Jan 26 2005 Dan Walsh <dwalsh@redhat.com> 1.21.2-1
+- Update from NSA
+ * Merged minor fix for avcstat from Dan Walsh.
+
+* Mon Jan 24 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-3
+- rpmexeccon should not fail in permissive mode.
+
+* Fri Jan 21 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-2
+- fix printf in avcstat
+
+* Thu Jan 20 2005 Dan Walsh <dwalsh@redhat.com> 1.21.1-1
+- Update from NSA
+
+* Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-3
+- Modify matchpathcon to also process file_contexts.local if it exists
+
+* Wed Jan 12 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-2
+- Add is_customizable_types function call
+
+* Fri Jan 7 2005 Dan Walsh <dwalsh@redhat.com> 1.20.1-1
+- Update to latest from upstream
+ * Just changing version number to match upstream
+
+* Wed Dec 29 2004 Dan Walsh <dwalsh@redhat.com> 1.19.4-1
+- Update to latest from upstream
+ * Changed matchpathcon to return -1 with errno ENOENT for
+ <<none>> entries, and also for an empty file_contexts configuration.
+
+* Tue Dec 28 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-3
+- Fix link devel libraries
+
+* Mon Dec 27 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-2
+- Fix unitialized variable in avcstat.c
+
+* Tue Nov 30 2004 Dan Walsh <dwalsh@redhat.com> 1.19.3-1
+- Upgrade to upstream
+ * Removed some trivial utils that were not useful or redundant.
+ * Changed BINDIR default to /usr/sbin to match change in Fedora.
+ * Added security_compute_member.
+ * Added man page for setcon.
+
+* Tue Nov 30 2004 Dan Walsh <dwalsh@redhat.com> 1.19.2-1
+- Upgrade to upstream
+
+* Thu Nov 18 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-6
+- Add avcstat program
+
+* Mon Nov 15 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-4
+- Add lots of missing man pages
+
+* Fri Nov 12 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-2
+- Fix output of getsebool.
+
+* Tue Nov 9 2004 Dan Walsh <dwalsh@redhat.com> 1.19.1-1
+- Update from upstream, fix setsebool -P segfault
+
+* Fri Nov 5 2004 Steve Grubb <sgrubb@redhat.com> 1.18.1-5
+- Add a patch from upstream. Fixes signed/unsigned issues, and
+ incomplete structure copy.
+
+* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-4
+- More fixes from sgrubb, better syslog
+
+* Thu Nov 4 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-3
+- Have setsebool and togglesebool log changes to syslog
+
+* Wed Nov 3 2004 Steve Grubb <sgrubb@redhat.com> 1.18.1-2
+- Add patch to make setsebool update bool on disk
+- Make togglesebool have a rollback capability in case it blows up inflight
+
+* Tue Nov 2 2004 Dan Walsh <dwalsh@redhat.com> 1.18.1-1
+- Upgrade to latest from NSA
+
+* Thu Oct 28 2004 Steve Grubb <sgrubb@redhat.com> 1.17.15-2
+- Changed the location of the utilities to /usr/sbin since
+ normal users can't use them anyways.
+
+* Wed Oct 27 2004 Steve Grubb <sgrubb@redhat.com> 1.17.15-2
+- Updated various utilities, removed utilities that are for testing,
+ added man pages.
+
+* Fri Oct 15 2004 Dan Walsh <dwalsh@redhat.com> 1.17.15-1
+- Add -g flag to make
+- Upgrade to latest from NSA
+ * Added rpm_execcon.
+
+* Fri Oct 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.14-1
+- Upgrade to latest from NSA
+ * Merged setenforce and removable context patch from Dan Walsh.
+ * Merged build fix for alpha from Ulrich Drepper.
+ * Removed copyright/license from selinux_netlink.h - definitions only.
+
+* Fri Oct 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-3
+- Change setenforce to accept Enforcing and Permissive
+
+* Wed Sep 22 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-2
+- Add alpha patch
+
+* Mon Sep 20 2004 Dan Walsh <dwalsh@redhat.com> 1.17.13-1
+- Upgrade to latest from NSA
+
+* Thu Sep 16 2004 Dan Walsh <dwalsh@redhat.com> 1.17.12-2
+- Add selinux_removable_context_path
+
+* Tue Sep 14 2004 Dan Walsh <dwalsh@redhat.com> 1.17.12-1
+- Update from NSA
+ * Add matchmediacon
+
+* Tue Sep 14 2004 Dan Walsh <dwalsh@redhat.com> 1.17.11-1
+- Update from NSA
+ * Merged in matchmediacon changes.
+
+* Fri Sep 10 2004 Dan Walsh <dwalsh@redhat.com> 1.17.10-1
+- Update from NSA
+ * Regenerated headers for new nscd permissions.
+
+* Wed Sep 8 2004 Dan Walsh <dwalsh@redhat.com> 1.17.9-2
+- Add matchmediacon
+
+* Wed Sep 8 2004 Dan Walsh <dwalsh@redhat.com> 1.17.9-1
+- Update from NSA
+ * Added get_default_context_with_role.
+
+* Thu Sep 2 2004 Dan Walsh <dwalsh@redhat.com> 1.17.8-2
+- Clean up spec file
+ * Patch from Matthias Saou
+
+* Thu Sep 2 2004 Dan Walsh <dwalsh@redhat.com> 1.17.8-1
+- Update from NSA
+ * Added set_matchpathcon_printf.
+
+* Wed Sep 1 2004 Dan Walsh <dwalsh@redhat.com> 1.17.7-1
+- Update from NSA
+ * Reworked av_inherit.h to allow easier re-use by kernel.
+
+* Tue Aug 31 2004 Dan Walsh <dwalsh@redhat.com> 1.17.6-1
+- Add strcasecmp in selinux_config
+- Update from NSA
+ * Changed avc_has_perm_noaudit to not fail on netlink errors.
+ * Changed avc netlink code to check pid based on patch by Steve Grubb.
+ * Merged second optimization patch from Ulrich Drepper.
+ * Changed matchpathcon to skip invalid file_contexts entries.
+ * Made string tables private to libselinux.
+ * Merged strcat->stpcpy patch from Ulrich Drepper.
+ * Merged matchpathcon man page from Dan Walsh.
+ * Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+ * Autobind netlink socket.
+ * Dropped compatibility code from security_compute_user.
+ * Merged fix for context_range_set from Chad Hanson.
+ * Merged allocation failure checking patch from Chad Hanson.
+ * Merged avc netlink error message patch from Colin Walters.
+
+
+* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.5-1
+- Update from NSA
+ * Merged second optimization patch from Ulrich Drepper.
+ * Changed matchpathcon to skip invalid file_contexts entries.
+ * Made string tables private to libselinux.
+ * Merged strcat->stpcpy patch from Ulrich Drepper.
+ * Merged matchpathcon man page from Dan Walsh.
+ * Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+ * Autobind netlink socket.
+ * Dropped compatibility code from security_compute_user.
+ * Merged fix for context_range_set from Chad Hanson.
+ * Merged allocation failure checking patch from Chad Hanson.
+ * Merged avc netlink error message patch from Colin Walters.
+
+* Mon Aug 30 2004 Dan Walsh <dwalsh@redhat.com> 1.17.4-1
+- Update from NSA
+- Add optflags
+
+* Fri Aug 27 2004 Dan Walsh <dwalsh@redhat.com> 1.17.3-1
+- Update from NSA
+
+* Thu Aug 26 2004 Dan Walsh <dwalsh@redhat.com> 1.17.2-1
+- Add matchpathcon man page
+- Latest from NSA
+ * Merged patch to eliminate PLTs for local syms from Ulrich Drepper.
+ * Autobind netlink socket.
+ * Dropped compatibility code from security_compute_user.
+ * Merged fix for context_range_set from Chad Hanson.
+ * Merged allocation failure checking patch from Chad Hanson.
+ * Merged avc netlink error message patch from Colin Walters.
+
+* Tue Aug 24 2004 Dan Walsh <dwalsh@redhat.com> 1.17.1-1
+- Latest from NSA
+ * Autobind netlink socket.
+ * Dropped compatibility code from security_compute_user.
+ * Merged fix for context_range_set from Chad Hanson.
+ * Merged allocation failure checking patch from Chad Hanson.
+ * Merged avc netlink error message patch from Colin Walters.
+
+* Sun Aug 22 2004 Dan Walsh <dwalsh@redhat.com> 1.16.1-1
+- Latest from NSA
+
+* Thu Aug 19 2004 Colin Walters <walters@redhat.com> 1.16-1
+- New upstream version
+
+* Tue Aug 17 2004 Dan Walsh <dwalsh@redhat.com> 1.15.7-1
+- Latest from Upstream
+
+* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.6-1
+- Fix man pages
+
+* Mon Aug 16 2004 Dan Walsh <dwalsh@redhat.com> 1.15.5-1
+- Latest from Upstream
+
+* Fri Aug 13 2004 Dan Walsh <dwalsh@redhat.com> 1.15.4-1
+- Latest from Upstream
+
+* Thu Aug 12 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-2
+- Add man page for boolean functions and SELinux
+
+* Sun Aug 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.3-1
+- Latest from NSA
+
+* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.2-1
+- Latest from NSA
+
+* Mon Jul 19 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-3
+- uppercase getenforce returns, to make them match system-config-securitylevel
+
+* Thu Jul 15 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-2
+- Remove old path patch
+
+* Thu Jul 8 2004 Dan Walsh <dwalsh@redhat.com> 1.15.1-1
+- Update to latest from NSA
+- Add fix to only get old path if file_context file exists in old location
+
+* Wed Jun 30 2004 Dan Walsh <dwalsh@redhat.com> 1.14.1-1
+- Update to latest from NSA
+
+* Wed Jun 16 2004 Dan Walsh <dwalsh@redhat.com> 1.13.4-1
+- add nlclass patch
+- Update to latest from NSA
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sun Jun 13 2004 Dan Walsh <dwalsh@redhat.com> 1.13.3-2
+- Fix selinux_config to break once it finds SELINUXTYPE.
+
+* Fri May 28 2004 Dan Walsh <dwalsh@redhat.com> 1.13.2-1
+-Update with latest from NSA
+
+* Thu May 27 2004 Dan Walsh <dwalsh@redhat.com> 1.13.1-1
+- Change to use new policy mechanism
+
+* Mon May 17 2004 Dan Walsh <dwalsh@redhat.com> 1.12-2
+- add man patch
+
+* Fri May 14 2004 Dan Walsh <dwalsh@redhat.com> 1.12-1
+- Update with latest from NSA
+
+* Wed May 5 2004 Dan Walsh <dwalsh@redhat.com> 1.11.4-1
+- Update with latest from NSA
+
+* Thu Apr 22 2004 Dan Walsh <dwalsh@redhat.com> 1.11.3-1
+- Add changes for relaxed policy
+- Update to match NSA
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11.2-1
+- Add relaxed policy changes
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11-4
+- Sync with NSA
+
+* Thu Apr 15 2004 Dan Walsh <dwalsh@redhat.com> 1.11-3
+- Remove requires glibc>2.3.4
+
+* Wed Apr 14 2004 Dan Walsh <dwalsh@redhat.com> 1.11-2
+- Fix selinuxenabled man page.
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.11-1
+- Upgrade to 1.11
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.10-2
+- Add memleaks patch
+
+* Wed Apr 7 2004 Dan Walsh <dwalsh@redhat.com> 1.10-1
+- Upgrade to latest from NSA and add more man pages
+
+* Thu Apr 1 2004 Dan Walsh <dwalsh@redhat.com> 1.9-1
+- Update to match NSA
+- Cleanup some man pages
+
+* Tue Mar 30 2004 Dan Walsh <dwalsh@redhat.com> 1.8-1
+- Upgrade to latest from NSA
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-6
+- Add Russell's Man pages
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-5
+- Change getenforce to also check is_selinux_enabled
+
+* Thu Mar 25 2004 Dan Walsh <dwalsh@redhat.com> 1.6-4
+- Add ownership to /usr/include/selinux
+
+* Wed Mar 10 2004 Dan Walsh <dwalsh@redhat.com> 1.6-3
+- fix location of file_contexts file.
+
+* Wed Mar 10 2004 Dan Walsh <dwalsh@redhat.com> 1.6-2
+- Fix matchpathcon to use BUFSIZ
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Mon Feb 23 2004 Dan Walsh <dwalsh@redhat.com> 1.4-11
+- add matchpathcon
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Fri Jan 23 2004 Dan Walsh <dwalsh@redhat.com> 1.4-9
+- Add rootok patch
+
+* Wed Jan 14 2004 Dan Walsh <dwalsh@redhat.com> 1.4-8
+- Updated getpeernam patch
+
+* Tue Jan 13 2004 Dan Walsh <dwalsh@redhat.com> 1.4-7
+- Add getpeernam patch
+
+* Thu Dec 18 2003 Dan Walsh <dwalsh@redhat.com> 1.4-6
+- Add getpeercon patch
+
+* Thu Dec 18 2003 Dan Walsh <dwalsh@redhat.com> 1.4-5
+- Put mntpoint patch, because found fix for SysVinit
+
+* Wed Dec 17 2003 Dan Walsh <dwalsh@redhat.com> 1.4-4
+- Add remove mntpoint patch, because it breaks SysVinit
+
+* Wed Dec 17 2003 Dan Walsh <dwalsh@redhat.com> 1.4-3
+- Add mntpoint patch for SysVinit
+
+* Fri Dec 12 2003 Dan Walsh <dwalsh@redhat.com> 1.4-2
+- Add -r -u -t to getcon
+
+* Sat Dec 6 2003 Dan Walsh <dwalsh@redhat.com> 1.4-1
+- Upgrade to latest from NSA
+
+* Mon Oct 27 2003 Dan Walsh <dwalsh@redhat.com> 1.3-2
+- Fix x86_64 build
+
+* Wed Oct 22 2003 Dan Walsh <dwalsh@redhat.com> 1.3-1
+- Latest tarball from NSA.
+
+* Tue Oct 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-9
+- Update with latest changes from NSA
+
+* Mon Oct 20 2003 Dan Walsh <dwalsh@redhat.com> 1.2-8
+- Change location of .so file
+
+* Wed Oct 8 2003 Dan Walsh <dwalsh@redhat.com> 1.2-7
+- Break out into development library
+
+* Wed Oct 8 2003 Dan Walsh <dwalsh@redhat.com> 1.2-6
+- Move location of libselinux.so to /lib
+
+* Fri Oct 3 2003 Dan Walsh <dwalsh@redhat.com> 1.2-5
+- Add selinuxenabled patch
+
+* Wed Oct 1 2003 Dan Walsh <dwalsh@redhat.com> 1.2-4
+- Update with final NSA 1.2 sources.
+
+* Fri Sep 12 2003 Dan Walsh <dwalsh@redhat.com> 1.2-3
+- Update with latest from NSA.
+
+* Thu Aug 28 2003 Dan Walsh <dwalsh@redhat.com> 1.2-2
+- Fix to build on x86_64
+
+* Thu Aug 21 2003 Dan Walsh <dwalsh@redhat.com> 1.2-1
+- update for version 1.2
+
+* Tue May 27 2003 Dan Walsh <dwalsh@redhat.com> 1.0-1
+- Initial version