diff --git a/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
new file mode 100644
index 0000000..4ad47e4
--- /dev/null
+++ b/SOURCES/0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
@@ -0,0 +1,49 @@
+From e0a1cdb6181bcf3a23fe63b8e67fd5020e81d05e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Fri, 22 Jan 2021 16:25:52 +0100
+Subject: [PATCH] python/sepolgen: allow any policy statement in if(n)def
+
+"ifdef/ifndef" statements can be used to conditionally define
+an interface, but this syntax is not recognised by sepolgen-ifgen.
+Fix sepolgen-ifgen to allow any policy statement inside an
+"ifdef/ifndef" statement.
+
+Fixes:
+        $ cat <<EOF > i.if
+ifndef(`apache_manage_pid_files',`
+        interface(`apache_manage_pid_files',`
+                manage_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
+        ')
+')
+
+        #sepolgen-ifgen --interface=i.if
+        i.if: Syntax error on line 2 interface [type=INTERFACE]
+        i.if: Syntax error on line 4 ' [type=SQUOTE]
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+[OM: s/fidef/ifdef/]
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ python/sepolgen/src/sepolgen/refparser.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/python/sepolgen/src/sepolgen/refparser.py b/python/sepolgen/src/sepolgen/refparser.py
+index f506dc3a..5d77e2a3 100644
+--- a/python/sepolgen/src/sepolgen/refparser.py
++++ b/python/sepolgen/src/sepolgen/refparser.py
+@@ -431,9 +431,9 @@ def p_ifelse(p):
+ 
+ 
+ def p_ifdef(p):
+-    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+-             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
+-             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK interface_stmts SQUOTE COMMA TICK interface_stmts SQUOTE CPAREN optional_semi
++    '''ifdef : IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++             | IFNDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
++             | IFDEF OPAREN TICK IDENTIFIER SQUOTE COMMA TICK statements SQUOTE COMMA TICK statements SQUOTE CPAREN optional_semi
+     '''
+     x = refpolicy.IfDef(p[4])
+     if p[1] == 'ifdef':
+-- 
+2.29.2
+
diff --git a/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
new file mode 100644
index 0000000..aab207b
--- /dev/null
+++ b/SOURCES/0036-setfiles-Do-not-abort-on-labeling-error.patch
@@ -0,0 +1,68 @@
+From 53ccdd55adfbec60fb4277286f2ad94660838504 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 13 Jan 2021 22:09:47 +0100
+Subject: [PATCH] setfiles: Do not abort on labeling error
+
+Commit 602347c7422e ("policycoreutils: setfiles - Modify to use
+selinux_restorecon") changed behavior of setfiles. Original
+implementation skipped files which it couldn't set context to while the
+new implementation aborts on them. setfiles should abort only if it
+can't validate a context from spec_file.
+
+Reproducer:
+
+    # mkdir -p r/1 r/2 r/3
+    # touch r/1/1 r/2/1
+    # chattr +i r/2/1
+    # touch r/3/1
+    # setfiles -r r -v /etc/selinux/targeted/contexts/files/file_contexts r
+    Relabeled r from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:root_t:s0
+    Relabeled r/2 from unconfined_u:object_r:mnt_t:s0 to unconfined_u:object_r:default_t:s0
+    setfiles: Could not set context for r/2/1:  Operation not permitted
+
+r/3 and r/1 are not relabeled.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/setfiles.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bc83c27b4c06..68eab45aa2b4 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -182,6 +182,7 @@ int main(int argc, char **argv)
+ 	policyfile = NULL;
+ 	nerr = 0;
+ 
++	r_opts.abort_on_error = 0;
+ 	r_opts.progname = strdup(argv[0]);
+ 	if (!r_opts.progname) {
+ 		fprintf(stderr, "%s:  Out of memory!\n", argv[0]);
+@@ -194,7 +195,6 @@ int main(int argc, char **argv)
+ 		 * setfiles:
+ 		 * Recursive descent,
+ 		 * Does not expand paths via realpath,
+-		 * Aborts on errors during the file tree walk,
+ 		 * Try to track inode associations for conflict detection,
+ 		 * Does not follow mounts (sets SELINUX_RESTORECON_XDEV),
+ 		 * Validates all file contexts at init time.
+@@ -202,7 +202,6 @@ int main(int argc, char **argv)
+ 		iamrestorecon = 0;
+ 		r_opts.recurse = SELINUX_RESTORECON_RECURSE;
+ 		r_opts.userealpath = 0; /* SELINUX_RESTORECON_REALPATH */
+-		r_opts.abort_on_error = SELINUX_RESTORECON_ABORT_ON_ERROR;
+ 		r_opts.add_assoc = SELINUX_RESTORECON_ADD_ASSOC;
+ 		/* FTS_PHYSICAL and FTS_NOCHDIR are always set by selinux_restorecon(3) */
+ 		r_opts.xdev = SELINUX_RESTORECON_XDEV;
+@@ -226,7 +225,6 @@ int main(int argc, char **argv)
+ 		iamrestorecon = 1;
+ 		r_opts.recurse = 0;
+ 		r_opts.userealpath = SELINUX_RESTORECON_REALPATH;
+-		r_opts.abort_on_error = 0;
+ 		r_opts.add_assoc = 0;
+ 		r_opts.xdev = 0;
+ 		r_opts.ignore_mounts = 0;
+-- 
+2.30.0
+
diff --git a/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
new file mode 100644
index 0000000..349c675
--- /dev/null
+++ b/SOURCES/0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
@@ -0,0 +1,110 @@
+From 2f135022f4372dc34198c48cfd67b91044e6dfd7 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 13 Jan 2021 22:09:48 +0100
+Subject: [PATCH] setfiles: drop ABORT_ON_ERRORS and related code
+
+`setfiles -d` doesn't have any impact on number of errors before it
+aborts. It always aborts on first invalid context in spec file.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/Makefile      |  3 ---
+ policycoreutils/setfiles/ru/setfiles.8 |  2 +-
+ policycoreutils/setfiles/setfiles.8    |  3 +--
+ policycoreutils/setfiles/setfiles.c    | 18 ------------------
+ 4 files changed, 2 insertions(+), 24 deletions(-)
+
+diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
+index bc5a8db789a5..a3bbbe116b7f 100644
+--- a/policycoreutils/setfiles/Makefile
++++ b/policycoreutils/setfiles/Makefile
+@@ -5,8 +5,6 @@ SBINDIR ?= /sbin
+ MANDIR = $(PREFIX)/share/man
+ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
+ 
+-ABORT_ON_ERRORS=$(shell grep "^\#define ABORT_ON_ERRORS" setfiles.c | awk -S '{ print $$3 }')
+-
+ CFLAGS ?= -g -Werror -Wall -W
+ override LDLIBS += -lselinux -lsepol
+ 
+@@ -26,7 +24,6 @@ restorecon_xattr: restorecon_xattr.o restore.o
+ 
+ man:
+ 	@cp -af setfiles.8 setfiles.8.man
+-	@sed -i "s/ABORT_ON_ERRORS/$(ABORT_ON_ERRORS)/g" setfiles.8.man
+ 
+ install: all
+ 	[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
+diff --git a/policycoreutils/setfiles/ru/setfiles.8 b/policycoreutils/setfiles/ru/setfiles.8
+index 27815a3f1eee..910101452625 100644
+--- a/policycoreutils/setfiles/ru/setfiles.8
++++ b/policycoreutils/setfiles/ru/setfiles.8
+@@ -47,7 +47,7 @@ setfiles \- установить SELinux-контексты безопаснос
+ проверить действительность контекстов относительно указанной двоичной политики.
+ .TP
+ .B \-d
+-показать, какая спецификация соответствует каждому из файлов (не прекращать проверку после получения ошибок ABORT_ON_ERRORS).
++показать, какая спецификация соответствует каждому из файлов.
+ .TP
+ .BI \-e \ directory
+ исключить каталог (чтобы исключить более одного каталога, этот параметр необходимо использовать соответствующее количество раз).
+diff --git a/policycoreutils/setfiles/setfiles.8 b/policycoreutils/setfiles/setfiles.8
+index a8a76c860dac..b7d3cefb96ff 100644
+--- a/policycoreutils/setfiles/setfiles.8
++++ b/policycoreutils/setfiles/setfiles.8
+@@ -56,8 +56,7 @@ option will force a replacement of the entire context.
+ check the validity of the contexts against the specified binary policy.
+ .TP
+ .B \-d
+-show what specification matched each file (do not abort validation
+-after ABORT_ON_ERRORS errors). Not affected by "\-q"
++show what specification matched each file. Not affected by "\-q"
+ .TP
+ .BI \-e \ directory
+ directory to exclude (repeat option for more than one directory).
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 68eab45aa2b4..bcbdfbfe53e2 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -23,14 +23,6 @@ static int nerr;
+ 
+ #define STAT_BLOCK_SIZE 1
+ 
+-/* setfiles will abort its operation after reaching the
+- * following number of errors (e.g. invalid contexts),
+- * unless it is used in "debug" mode (-d option).
+- */
+-#ifndef ABORT_ON_ERRORS
+-#define ABORT_ON_ERRORS	10
+-#endif
+-
+ #define SETFILES "setfiles"
+ #define RESTORECON "restorecon"
+ static int iamrestorecon;
+@@ -57,15 +49,6 @@ static __attribute__((__noreturn__)) void usage(const char *const name)
+ 	exit(-1);
+ }
+ 
+-void inc_err(void)
+-{
+-	nerr++;
+-	if (nerr > ABORT_ON_ERRORS - 1 && !r_opts.debug) {
+-		fprintf(stderr, "Exiting after %d errors.\n", ABORT_ON_ERRORS);
+-		exit(-1);
+-	}
+-}
+-
+ void set_rootpath(const char *arg)
+ {
+ 	if (strlen(arg) == 1 && strncmp(arg, "/", 1) == 0) {
+@@ -98,7 +81,6 @@ int canoncon(char **contextp)
+ 		*contextp = tmpcon;
+ 	} else if (errno != ENOENT) {
+ 		rc = -1;
+-		inc_err();
+ 	}
+ 
+ 	return rc;
+-- 
+2.30.0
+
diff --git a/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
new file mode 100644
index 0000000..31b9a34
--- /dev/null
+++ b/SOURCES/0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
@@ -0,0 +1,44 @@
+From a691da617a2d3c864786ff2742d9a9f87ecc7d05 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Mon, 1 Feb 2021 15:24:32 +0100
+Subject: [PATCH] policycoreutils/setfiles: Drop unused nerr variable
+
+Suggested-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ policycoreutils/setfiles/setfiles.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index bcbdfbfe53e2..82d0aaa75893 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -19,7 +19,6 @@ static int warn_no_match;
+ static int null_terminated;
+ static int request_digest;
+ static struct restore_opts r_opts;
+-static int nerr;
+ 
+ #define STAT_BLOCK_SIZE 1
+ 
+@@ -162,7 +161,6 @@ int main(int argc, char **argv)
+ 	warn_no_match = 0;
+ 	request_digest = 0;
+ 	policyfile = NULL;
+-	nerr = 0;
+ 
+ 	r_opts.abort_on_error = 0;
+ 	r_opts.progname = strdup(argv[0]);
+@@ -417,9 +415,6 @@ int main(int argc, char **argv)
+ 	r_opts.selabel_opt_digest = (request_digest ? (char *)1 : NULL);
+ 	r_opts.selabel_opt_path = altpath;
+ 
+-	if (nerr)
+-		exit(-1);
+-
+ 	restore_init(&r_opts);
+ 
+ 	if (use_input_file) {
+-- 
+2.30.0
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index e9c4cff..54bc196 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 10%{?dist}
+Release: 12%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -72,6 +72,10 @@ Patch0031: 0031-dbus-Fix-FileNotFoundError-in-org.selinux.relabel_on.patch
 Patch0032: 0032-restorecond-Fix-redundant-console-log-output-error.patch
 Patch0033: 0033-python-semanage-empty-stdout-before-exiting-on-Broke.patch
 Patch0034: 0034-python-semanage-Sort-imports-in-alphabetical-order.patch
+Patch0035: 0035-python-sepolgen-allow-any-policy-statement-in-if-n-d.patch
+Patch0036: 0036-setfiles-Do-not-abort-on-labeling-error.patch
+Patch0037: 0037-setfiles-drop-ABORT_ON_ERRORS-and-related-code.patch
+Patch0038: 0038-policycoreutils-setfiles-Drop-unused-nerr-variable.patch
 
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -509,6 +513,12 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue Feb  2 2021 Petr Lautrbach <plautrba@redhat.com> - 2.9-12
+- setfiles: Do not abort on labeling error (#1794518)
+
+* Wed Jan 27 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-11
+- python/sepolgen: allow any policy statement in if(n)def (#1868717)
+
 * Sat Jan 16 2021 Vit Mojzis <vmojzis@redhat.com> - 2.9-10
 - python/semanage: Sort imports in alphabetical order
 - python/semanage: empty stdout before exiting on BrokenPipeError (#1822100)