diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h

index c27275e..0165eed 100644

--- a/libsepol/include/sepol/policydb/policydb.h

+++ b/libsepol/include/sepol/policydb/policydb.h

@@ -683,10 +683,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);

 #define POLICYDB_VERSION_ROLETRANS	26

 #define POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	27

 #define POLICYDB_VERSION_DEFAULT_TYPE	28

+#define POLICYDB_VERSION_CONSTRAINT_NAMES	29

 /* Range of policy versions we understand*/

 #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE

-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_DEFAULT_TYPE

+#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_CONSTRAINT_NAMES

 /* Module versions and specific changes*/

 #define MOD_POLICYDB_VERSION_BASE		4

@@ -704,9 +705,10 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);

 #define MOD_POLICYDB_VERSION_TUNABLE_SEP	14

 #define MOD_POLICYDB_VERSION_NEW_OBJECT_DEFAULTS	15

 #define MOD_POLICYDB_VERSION_DEFAULT_TYPE	16

+#define MOD_POLICYDB_VERSION_CONSTRAINT_NAMES	17

 #define MOD_POLICYDB_VERSION_MIN MOD_POLICYDB_VERSION_BASE

-#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_DEFAULT_TYPE

+#define MOD_POLICYDB_VERSION_MAX MOD_POLICYDB_VERSION_CONSTRAINT_NAMES

 #define POLICYDB_CONFIG_MLS    1

diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h

index aef0c7b..1969a10 100644

--- a/libsepol/include/sepol/policydb/services.h

+++ b/libsepol/include/sepol/policydb/services.h

@@ -58,6 +58,38 @@ extern int sepol_compute_av_reason(sepol_security_id_t ssid,

 				   struct sepol_av_decision *avd,

 				   unsigned int *reason);

+/* 

+ * Same as above, but also returns the constraint expression calculations

+ * whether allowed or denied in a buffer. This buffer is allocated by

+ * this call and must be free'd by the caller using free(3). The contraint

+ * buffer will contain any constraints in infix notation.

+ * If the SHOW_GRANTED flag is set it will show granted and denied

+ * constraints. The default is to show only denied constraints.

+ */

+#define SHOW_GRANTED      1

+extern int sepol_compute_av_reason_buffer(sepol_security_id_t ssid,

+				   sepol_security_id_t tsid,

+				   sepol_security_class_t tclass,

+				   sepol_access_vector_t requested,

+				   struct sepol_av_decision *avd,

+				   unsigned int *reason,

+				   char **reason_buf,

+				   unsigned int flags);

+/*

+ * Return a class ID associated with the class string representation

+ * specified by `class_name'.

+ */

+extern int sepol_class_name_to_id(const char *class_name,

+					sepol_security_class_t  *tclass);

+

+/*

+ * Return a permission av bit associated with tclass and the string

+ * representation of the `perm_name'.

+ */

+extern int sepol_perm_name_to_av(sepol_security_class_t tclass,

+					const char *perm_name,

+					sepol_access_vector_t *av);

+

 /*

  * Compute a SID to use for labeling a new object in the 

  * class `tclass' based on a SID pair.  

diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c

index f0555bb..6fd992f 100644

--- a/libsepol/src/expand.c

+++ b/libsepol/src/expand.c

@@ -384,6 +384,17 @@ static int constraint_node_clone(constraint_node_t ** dst,

 			new_expr->op = expr->op;

 			if (new_expr->expr_type == CEXPR_NAMES) {

 				if (new_expr->attr & CEXPR_TYPE) {

+					/*

+					 * Copy over constraint policy source types and/or

+					 * attributes for sepol_compute_av_reason_buffer(3) so that

+					 * utilities can analyse constraint errors.

+					 */

+					if (map_ebitmap(&expr->type_names->types,

+							&new_expr->type_names->types,

+							state->typemap)) {

+						ERR(NULL, "Failed to map type_names->types");

+						goto out_of_mem;

+					}

 					/* Type sets require expansion and conversion. */

 					if (expand_convert_type_set(state->out,

 								    state->

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c

index 1f49261..8c7efbc 100644

--- a/libsepol/src/policydb.c

+++ b/libsepol/src/policydb.c

@@ -165,6 +165,13 @@ static struct policydb_compat_info policydb_compat[] = {

 	 .target_platform = SEPOL_TARGET_SELINUX,

 	},

 	{

+	 .type = POLICY_KERN,

+	 .version = POLICYDB_VERSION_CONSTRAINT_NAMES,

+	 .sym_num = SYM_NUM,

+	 .ocon_num = OCON_NODE6 + 1,

+	 .target_platform = SEPOL_TARGET_SELINUX,

+	},

+	{

 	 .type = POLICY_BASE,

 	 .version = MOD_POLICYDB_VERSION_BASE,

 	 .sym_num = SYM_NUM,

@@ -256,6 +263,13 @@ static struct policydb_compat_info policydb_compat[] = {

 	 .target_platform = SEPOL_TARGET_SELINUX,

 	},

 	{

+	 .type = POLICY_BASE,

+	 .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES,

+	 .sym_num = SYM_NUM,

+	 .ocon_num = OCON_NODE6 + 1,

+	 .target_platform = SEPOL_TARGET_SELINUX,

+	},

+	{

 	 .type = POLICY_MOD,

 	 .version = MOD_POLICYDB_VERSION_BASE,

 	 .sym_num = SYM_NUM,

@@ -346,6 +360,13 @@ static struct policydb_compat_info policydb_compat[] = {

 	 .ocon_num = 0,

 	 .target_platform = SEPOL_TARGET_SELINUX,

 	},

+	{

+	 .type = POLICY_MOD,

+	 .version = MOD_POLICYDB_VERSION_CONSTRAINT_NAMES,

+	 .sym_num = SYM_NUM,

+	 .ocon_num = 0,

+	 .target_platform = SEPOL_TARGET_SELINUX,

+	},

 };

 #if 0

@@ -2019,6 +2040,10 @@ static int read_cons_helper(policydb_t * p, constraint_node_t ** nodep,

 				if (p->policy_type != POLICY_KERN &&

 				    type_set_read(e->type_names, fp))

 					return -1;

+				else if (p->policy_type == POLICY_KERN &&

+					 p->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES &&

+					 type_set_read(e->type_names, fp))

+					return -1;

 				break;

 			default:

 				return -1;

diff --git a/libsepol/src/services.c b/libsepol/src/services.c

index 7fac4a0..43ec07e 100644

--- a/libsepol/src/services.c

+++ b/libsepol/src/services.c

@@ -43,6 +43,11 @@

  * Implementation of the security services.

  */

+/* The initial sizes malloc'd for sepol_compute_av_reason_buffer() support */

+#define REASON_BUF_SIZE 2048

+#define EXPR_BUF_SIZE 1024

+#define STACK_LEN 32

+

 #include <stdlib.h>

 #include <sys/types.h>

 #include <sys/socket.h>

@@ -54,6 +59,7 @@

 #include <sepol/policydb/services.h>

 #include <sepol/policydb/conditional.h>

 #include <sepol/policydb/flask.h>

+#include <sepol/policydb/util.h>

 #include "debug.h"

 #include "private.h"

@@ -70,6 +76,50 @@ static int selinux_enforcing = 1;

 static sidtab_t mysidtab, *sidtab = &mysidtab;

 static policydb_t mypolicydb, *policydb = &mypolicydb;

+/* Used by sepol_compute_av_reason_buffer() to keep track of entries */

+static int reason_buf_used;

+static int reason_buf_len;

+

+/* Stack services for RPN to infix conversion. */

+static char **stack;

+static int stack_len;

+static int next_stack_entry;

+

+static void push(char * expr_ptr)

+{

+	if (next_stack_entry >= stack_len) {

+		char **new_stack = stack;

+		int new_stack_len;

+

+		if (stack_len == 0)

+			new_stack_len = STACK_LEN;

+		else

+			new_stack_len = stack_len * 2;

+

+		new_stack = realloc(stack, new_stack_len * sizeof(*stack));

+		if (!new_stack) {

+			ERR(NULL, "unable to allocate stack space");

+			return;

+		}

+		stack_len = new_stack_len;

+		stack = new_stack;

+	}

+	stack[next_stack_entry] = expr_ptr;

+	next_stack_entry++;

+}

+

+static char *pop(void)

+{

+	next_stack_entry--;

+	if (next_stack_entry < 0) {

+		next_stack_entry = 0;

+		ERR(NULL, "pop called with no stack entries");

+		return NULL;

+	}

+	return stack[next_stack_entry];

+}

+/* End Stack services */

+

 int hidden sepol_set_sidtab(sidtab_t * s)

 {

 	sidtab = s;

@@ -113,20 +163,195 @@ int sepol_set_policydb_from_file(FILE * fp)

 static uint32_t latest_granting = 0;

 /*

- * Return the boolean value of a constraint expression 

- * when it is applied to the specified source and target 

+ * cat_expr_buf adds a string to an expression buffer and handles realloc's if

+ * buffer is too small. The array of expression text buffer pointers and its

+ * counter are globally defined here as constraint_expr_eval_reason() sets

+ * them up and cat_expr_buf updates the e_buf pointer if the buffer is realloc'ed.

+ */

+static int expr_counter;

+static char **expr_list;

+static int expr_buf_used;

+static int expr_buf_len;

+

+static void cat_expr_buf(char *e_buf, char *string)

+{

+	int len, new_buf_len;

+	char *p, *new_buf = e_buf;

+

+	while (1) {

+		p = e_buf + expr_buf_used;

+		len = snprintf(p, expr_buf_len - expr_buf_used, "%s", string);

+		if (len < 0 || len >= expr_buf_len - expr_buf_used) {

+			new_buf_len = expr_buf_len + EXPR_BUF_SIZE;

+			new_buf = realloc(e_buf, new_buf_len);

+			if (!new_buf) {

+				ERR(NULL, "failed to realloc expr buffer");

+				return;

+			}

+			/* Update the new ptr in the expr list and locally + new len */

+			expr_list[expr_counter] = new_buf;

+			e_buf = new_buf;

+			expr_buf_len = new_buf_len;

+		} else {

+			expr_buf_used += len;

+			return;

+		}

+	}

+}

+

+/*

+ * If the POLICY_KERN version is < POLICYDB_VERSION_CONSTRAINT_NAMES,

+ * then just return.

+ *

+ * If the POLICY_KERN version is >= POLICYDB_VERSION_CONSTRAINT_NAMES,

+ * then for 'types' only, read the types_names->types list as it will

+ * contain a list of types and attributes that were defined in the

+ * policy source.

+ */

+static void get_names_list(constraint_expr_t *e, int type)

+{

+	ebitmap_t *types;

+	types = &e->type_names->types;

+	int rc = 0;

+	unsigned int i;

+	char tmp_buf[128];

+	/* if -type_names->types is 0, then output string <empty_set> */

+	int empty_set = 0;

+

+	if (policydb->policy_type == POLICY_KERN &&

+			policydb->policyvers >= POLICYDB_VERSION_CONSTRAINT_NAMES &&

+			type == CEXPR_TYPE) {

+		/*

+		 * Process >= POLICYDB_VERSION_CONSTRAINT_NAMES with CEXPR_TYPE, then

+		 * obtain the list of names defined in the policy source.

+		 */

+		cat_expr_buf(expr_list[expr_counter], "{ POLICY_SOURCE: ");

+		for (i = ebitmap_startbit(types); i < ebitmap_length(types); i++) {

+			if ((rc = ebitmap_get_bit(types, i)) == 0)

+				continue;

+			/* Collect entries */

+			snprintf(tmp_buf, sizeof(tmp_buf), "%s ", policydb->p_type_val_to_name[i]);

+			cat_expr_buf(expr_list[expr_counter], tmp_buf);

+			empty_set++;

+		}

+		if (empty_set == 0)

+			cat_expr_buf(expr_list[expr_counter], "<empty_set> ");

+		cat_expr_buf(expr_list[expr_counter], "} ");

+	}

+	return;

+}

+

+static void msgcat(char *src, char *tgt, char *rel, int failed)

+{

+	char tmp_buf[1024];

+	if (failed)

+		snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Fail-) ",

+				src, rel, tgt);

+	else

+		snprintf(tmp_buf, sizeof(tmp_buf), "(%s %s %s -Pass-) ",

+				src, rel, tgt);

+	cat_expr_buf(expr_list[expr_counter], tmp_buf);

+}

+

+/* Returns a buffer with class, statement type and permissions */

+static char *get_class_info(sepol_security_class_t tclass,

+							constraint_node_t *constraint,

+							context_struct_t * xcontext)

+{

+	constraint_expr_t *e;

+	int mls, state_num;

+

+	/* Find if MLS statement or not */

+	mls = 0;

+	for (e = constraint->expr; e; e = e->next) {

+		if (e->attr >= CEXPR_L1L2) {

+			mls = 1;

+			break;

+		}

+	}

+

+	/* Determine statement type */

+	char *statements[] = {

+        "constrain ",			/* 0 */

+		"mlsconstrain ",		/* 1 */

+        "validatetrans ",		/* 2 */

+		"mlsvalidatetrans ",	/* 3 */

+        0 };

+

+	if (xcontext == NULL)

+		state_num = mls + 0;

+	else

+		state_num = mls + 2;

+

+	int class_buf_len = 0;

+	int new_class_buf_len;

+	int len, buf_used;

+	char *class_buf = NULL, *p;

+	char *new_class_buf = NULL;

+

+	while (1) {

+		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;

+		new_class_buf = realloc(class_buf, new_class_buf_len);

+			if (!new_class_buf)

+				return NULL;

+		class_buf_len = new_class_buf_len;

+		class_buf = new_class_buf;

+		buf_used = 0;

+		p = class_buf;

+

+		/* Add statement type */

+		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);

+		if (len < 0 || len >= class_buf_len - buf_used)

+			continue;

+

+		/* Add class entry */

+		p += len;

+		buf_used += len;

+		len = snprintf(p, class_buf_len - buf_used, "%s ",

+				policydb->p_class_val_to_name[tclass - 1]);

+		if (len < 0 || len >= class_buf_len - buf_used)

+			continue;

+

+		/* Add permission entries */

+		p += len;

+		buf_used += len;

+		len = snprintf(p, class_buf_len - buf_used, "{%s } (",

+				sepol_av_to_string(policydb, tclass, constraint->permissions));

+		if (len < 0 || len >= class_buf_len - buf_used)

+			continue;

+		break;

+	}

+	return class_buf;

+}

+

+/*

+ * Modified version of constraint_expr_eval that will process each

+ * constraint as before but adds the information to text buffers that

+ * will hold various components. The expression will be in RPN format,

+ * therefore there is a stack based RPN to infix converter to produce

+ * the final readable constraint.

+ *

+ * Return the boolean value of a constraint expression

+ * when it is applied to the specified source and target

  * security contexts.

  *

  * xcontext is a special beast...  It is used by the validatetrans rules

  * only.  For these rules, scontext is the context before the transition,

  * tcontext is the context after the transition, and xcontext is the context

  * of the process performing the transition.  All other callers of

- * constraint_expr_eval should pass in NULL for xcontext.

+ * constraint_expr_eval_reason should pass in NULL for xcontext.

+ * 

+ * This function will also build a buffer as the constraint is processed

+ * for analysis. If this option is not required, then:

+ *      'tclass' should be '0' and r_buf MUST be NULL.

  */

-static int constraint_expr_eval(context_struct_t * scontext,

+static int constraint_expr_eval_reason(context_struct_t * scontext,

 				context_struct_t * tcontext,

 				context_struct_t * xcontext,

-				constraint_expr_t * cexpr)

+				sepol_security_class_t tclass,

+				constraint_node_t *constraint,

+				char **r_buf,

+				unsigned int flags)

 {

 	uint32_t val1, val2;

 	context_struct_t *c;

@@ -136,56 +361,137 @@ static int constraint_expr_eval(context_struct_t * scontext,

 	int s[CEXPR_MAXDEPTH];

 	int sp = -1;

-	for (e = cexpr; e; e = e->next) {

+	char tmp_buf[128];

+

+/*

+ * Define the s_t_x_num values that make up r1, t2 etc. in text strings

+ * Set 1 = source, 2 = target, 3 = xcontext for validatetrans

+ */

+#define SOURCE  1

+#define TARGET  2

+#define XTARGET 3

+

+	int s_t_x_num = SOURCE;

+

+	/* Set 0 = fail, u = CEXPR_USER, r = CEXPR_ROLE, t = CEXPR_TYPE */

+	int u_r_t = 0;

+

+	char *name1, *name2;

+	char *src = NULL;

+	char *tgt = NULL;

+

+	int rc = 0, x;

+

+	char *class_buf = NULL;

+

+	class_buf = get_class_info(tclass, constraint, xcontext);

+	if (!class_buf) {

+		ERR(NULL, "failed to allocate class buffer");

+		return -ENOMEM;

+	}

+

+	/* Original function but with buffer support */

+	int expr_list_len = 0;

+	expr_counter = 0;

+	expr_list = NULL;

+	for (e = constraint->expr; e; e = e->next) {

+		/* Allocate a stack to hold expression buffer entries */

+		if (expr_counter >= expr_list_len) {

+			char **new_expr_list = expr_list;

+			int new_expr_list_len;

+

+			if (expr_list_len == 0)

+				new_expr_list_len = STACK_LEN;

+			else

+				new_expr_list_len = expr_list_len * 2;

+

+			new_expr_list = realloc(expr_list, new_expr_list_len * sizeof(*expr_list));

+			if (!new_expr_list) {

+				ERR(NULL, "failed to allocate expr buffer stack");

+				rc = -ENOMEM;

+				goto out;

+			}

+			expr_list_len = new_expr_list_len;

+			expr_list = new_expr_list;

+		}

+

+		/*

+		 * malloc a buffer to store each expression text component. If the

+		 * buffer is too small cat_expr_buf() will realloc extra space.

+		 */

+		expr_buf_len = EXPR_BUF_SIZE;

+		expr_list[expr_counter] = malloc(expr_buf_len);

+		if (!expr_list[expr_counter]) {

+			ERR(NULL, "failed to allocate expr buffer");

+			rc = -ENOMEM;

+			goto out;

+		}

+		expr_buf_used = 0;

+

+		/* Now process each expression of the constraint */

 		switch (e->expr_type) {

 		case CEXPR_NOT:

 			BUG_ON(sp < 0);

 			s[sp] = !s[sp];

+			cat_expr_buf(expr_list[expr_counter], "not");

 			break;

 		case CEXPR_AND:

 			BUG_ON(sp < 1);

 			sp--;

 			s[sp] &= s[sp + 1];

+			cat_expr_buf(expr_list[expr_counter], "and");

 			break;

 		case CEXPR_OR:

 			BUG_ON(sp < 1);

 			sp--;

 			s[sp] |= s[sp + 1];

+			cat_expr_buf(expr_list[expr_counter], "or");

 			break;

 		case CEXPR_ATTR:

 			if (sp == (CEXPR_MAXDEPTH - 1))

-				return 0;

+				goto out;

+

 			switch (e->attr) {

 			case CEXPR_USER:

 				val1 = scontext->user;

 				val2 = tcontext->user;

+				free(src); src = strdup("u1");

+				free(tgt); tgt = strdup("u2");

 				break;

 			case CEXPR_TYPE:

 				val1 = scontext->type;

 				val2 = tcontext->type;

+				free(src); src = strdup("t1");

+				free(tgt); tgt = strdup("t2");

 				break;

 			case CEXPR_ROLE:

 				val1 = scontext->role;

 				val2 = tcontext->role;

 				r1 = policydb->role_val_to_struct[val1 - 1];

 				r2 = policydb->role_val_to_struct[val2 - 1];

+				name1 = policydb->p_role_val_to_name[r1->s.value - 1];

+				name2 = policydb->p_role_val_to_name[r2->s.value - 1];

+				snprintf(tmp_buf, sizeof(tmp_buf), "r1=%s", name1);

+				free(src); src = strdup(tmp_buf);

+				snprintf(tmp_buf, sizeof(tmp_buf), "r2=%s ", name2);

+				free(tgt); tgt = strdup(tmp_buf);

+

 				switch (e->op) {

 				case CEXPR_DOM:

-					s[++sp] =

-					    ebitmap_get_bit(&r1->dominates,

-							    val2 - 1);

+					s[++sp] = ebitmap_get_bit(&r1->dominates, val2 - 1);

+					msgcat(src, tgt, "dom", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_DOMBY:

-					s[++sp] =

-					    ebitmap_get_bit(&r2->dominates,

-							    val1 - 1);

+					s[++sp] = ebitmap_get_bit(&r2->dominates, val1 - 1);

+					msgcat(src, tgt, "domby", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_INCOMP:

-					s[++sp] =

-					    (!ebitmap_get_bit

-					     (&r1->dominates, val2 - 1)

-					     && !ebitmap_get_bit(&r2->dominates,

-								 val1 - 1));

+					s[++sp] = (!ebitmap_get_bit(&r1->dominates, val2 - 1)

+						 && !ebitmap_get_bit(&r2->dominates, val1 - 1));

+					msgcat(src, tgt, "incomp", s[sp] == 0);

+					expr_counter++;

 					continue;

 				default:

 					break;

@@ -194,110 +500,327 @@ static int constraint_expr_eval(context_struct_t * scontext,

 			case CEXPR_L1L2:

 				l1 = &(scontext->range.level[0]);

 				l2 = &(tcontext->range.level[0]);

+				free(src); src = strdup("l1");

+				free(tgt); tgt = strdup("l2");

 				goto mls_ops;

 			case CEXPR_L1H2:

 				l1 = &(scontext->range.level[0]);

 				l2 = &(tcontext->range.level[1]);

+				free(src); src = strdup("l1");

+				free(tgt); tgt = strdup("h2");

 				goto mls_ops;

 			case CEXPR_H1L2:

 				l1 = &(scontext->range.level[1]);

 				l2 = &(tcontext->range.level[0]);

+				free(src); src = strdup("h1");

+				free(tgt); tgt = strdup("L2");

 				goto mls_ops;

 			case CEXPR_H1H2:

 				l1 = &(scontext->range.level[1]);

 				l2 = &(tcontext->range.level[1]);

+				free(src); src = strdup("h1");

+				free(tgt); tgt = strdup("h2");

 				goto mls_ops;

 			case CEXPR_L1H1:

 				l1 = &(scontext->range.level[0]);

 				l2 = &(scontext->range.level[1]);

+				free(src); src = strdup("l1");

+				free(tgt); tgt = strdup("h1");

 				goto mls_ops;

 			case CEXPR_L2H2:

 				l1 = &(tcontext->range.level[0]);

 				l2 = &(tcontext->range.level[1]);

-				goto mls_ops;

-			      mls_ops:

+				free(src); src = strdup("l2");

+				free(tgt); tgt = strdup("h2");

+			mls_ops:

 				switch (e->op) {

 				case CEXPR_EQ:

 					s[++sp] = mls_level_eq(l1, l2);

+					msgcat(src, tgt, "eq", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_NEQ:

 					s[++sp] = !mls_level_eq(l1, l2);

+					msgcat(src, tgt, "neq", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_DOM:

 					s[++sp] = mls_level_dom(l1, l2);

+					msgcat(src, tgt, "dom", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_DOMBY:

 					s[++sp] = mls_level_dom(l2, l1);

+					msgcat(src, tgt, "domby", s[sp] == 0);

+					expr_counter++;

 					continue;

 				case CEXPR_INCOMP:

 					s[++sp] = mls_level_incomp(l2, l1);

+					msgcat(src, tgt, "incomp", s[sp] == 0);

+					expr_counter++;

 					continue;

 				default:

 					BUG();

-					return 0;

+					goto out;

 				}

 				break;

 			default:

 				BUG();

-				return 0;

+				goto out;

 			}

 			switch (e->op) {

 			case CEXPR_EQ:

 				s[++sp] = (val1 == val2);

+				msgcat(src, tgt, "eq", s[sp] == 0);

 				break;

 			case CEXPR_NEQ:

 				s[++sp] = (val1 != val2);

+				msgcat(src, tgt, "neq", s[sp] == 0);

 				break;

 			default:

 				BUG();

-				return 0;

+				goto out;

 			}

 			break;

 		case CEXPR_NAMES:

 			if (sp == (CEXPR_MAXDEPTH - 1))

-				return 0;

+				goto out;

+			s_t_x_num = SOURCE;

 			c = scontext;

-			if (e->attr & CEXPR_TARGET)

+			if (e->attr & CEXPR_TARGET) {

+				s_t_x_num = TARGET;

 				c = tcontext;

-			else if (e->attr & CEXPR_XTARGET) {

+			} else if (e->attr & CEXPR_XTARGET) {

+				s_t_x_num = XTARGET;

 				c = xcontext;

-				if (!c) {

-					BUG();

-					return 0;

-				}

 			}

-			if (e->attr & CEXPR_USER)

+			if (!c) {

+				BUG();

+				goto out;

+			}

+			if (e->attr & CEXPR_USER) {

+				u_r_t = CEXPR_USER;

 				val1 = c->user;

-			else if (e->attr & CEXPR_ROLE)

+				name1 = policydb->p_user_val_to_name[val1 - 1];

+				snprintf(tmp_buf, sizeof(tmp_buf), "u%d=%s ",

+						s_t_x_num, name1);

+				free(src); src = strdup(tmp_buf);

+			}

+			else if (e->attr & CEXPR_ROLE) {

+				u_r_t = CEXPR_ROLE;

 				val1 = c->role;

-			else if (e->attr & CEXPR_TYPE)

+				name1 = policydb->p_role_val_to_name[val1 - 1];

+				snprintf(tmp_buf, sizeof(tmp_buf), "r%d=%s ", s_t_x_num, name1);

+				free(src); src = strdup(tmp_buf);

+			}

+			else if (e->attr & CEXPR_TYPE) {

+				u_r_t = CEXPR_TYPE;

 				val1 = c->type;

+				name1 = policydb->p_type_val_to_name[val1 - 1];

+				snprintf(tmp_buf, sizeof(tmp_buf),

+						"t%d=%s ", s_t_x_num, name1);

+				free(src); src = strdup(tmp_buf);

+			}