Enable gating on tests

https://docs.fedoraproject.org/en-US/ci/gating/

.gitignore

@@ -174,3 +174,44 @@ libselinux-2.0.87.tgz
 libselinux-2.0.88.tgz
 libselinux-2.0.89.tgz
 libselinux-2.0.90.tgz
+libselinux-2.0.91.tgz
+libselinux-2.0.92.tgz
+libselinux-2.0.93.tgz
+libselinux-2.0.94.tgz
+libselinux-2.0.96.tgz
+/libselinux-2.0.97.tgz
+/libselinux-2.0.98.tgz
+/libselinux-2.0.99.tgz
+/libselinux-2.0.101.tgz
+/libselinux-2.0.102.tgz
+/libselinux-2.1.0.tgz
+/libselinux-2.1.4.tgz
+/libselinux-2.1.5.tgz
+/libselinux-2.1.6.tgz
+/libselinux-2.1.7.tgz
+/libselinux-2.1.8.tgz
+/libselinux-2.1.9.tgz
+/libselinux-2.1.10.tgz
+/libselinux-2.1.11.tgz
+/libselinux-2.1.12.tgz
+/libselinux-2.1.13.tgz
+/libselinux-2.2.tgz
+/libselinux-2.2.1.tgz
+/libselinux-2.2.2.tgz
+/libselinux-2.3.tgz
+/libselinux-2.3.tar.gz
+/libselinux-2.4.tar.gz
+/libselinux-2.5-rc1.tar.gz
+/libselinux-2.5.tar.gz
+/libselinux-2.6.tar.gz
+/libselinux-2.7.tar.gz
+/libselinux-2.8-rc1.tar.gz
+/libselinux-2.8-rc2.tar.gz
+/libselinux-2.8-rc3.tar.gz
+/libselinux-2.8.tar.gz
+/libselinux-2.9-rc1.tar.gz
+/libselinux-2.9-rc2.tar.gz
+/libselinux-2.9.tar.gz
+/libselinux-3.0-rc1.tar.gz
+/libselinux-3.0.tar.gz
+/libselinux-3.1.tar.gz

0001-libselinux-use-kernel-status-page-by-default.patch

@@ -0,0 +1,506 @@
+From 05bdc03130d741e53e1fb45a958d0a2c184be503 Mon Sep 17 00:00:00 2001
+From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
+Date: Wed, 5 Aug 2020 15:43:12 -0400
+Subject: [PATCH] libselinux: use kernel status page by default
+
+Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
+/selinux/status") introduced the sestatus mechanism, which allows for
+mmap()'ing of the kernel status page as a replacement for avc_netlink.
+
+The mechanism was initially intended for userspace object managers that
+were calculating access decisions within their application and did not
+rely on the libselinux AVC implementation. In order to properly make use
+of sestatus within avc_has_perm(), the status mechanism needs to
+properly set avc internals during status events; else, avc_enforcing is
+never updated upon sestatus changes.
+
+This commit gets rid of the default avc_netlink_open() in
+avc_init_internal(), replacing it with selinux_status_open(). In the
+event that the kernel status page cannot be mapped, the netlink fallback
+will be used. By default, avc_has_perm_noaudit() and
+selinux_check_access() will now attempt to read the kernel status page,
+which removes a system call from two critical code paths.
+
+Since the AVC thread create/stop callbacks were intended to avoid a
+system call in the critical code path, they no longer need to be created
+by default. In the event that the kernel status page is successfully
+mapped, threads will not be created. Threads will still be
+created/stopped for the sestatus fallback codepaths.
+
+Userspace object managers that still need a netlink socket can call
+avc_netlink_acquire_fd() to open and/or obtain one.
+
+Update the manpage to reflect the new avc_netlink_acquire_fd()
+functionality.
+
+Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/avc_init.3            | 51 ++++++++++++--
+ libselinux/man/man3/avc_netlink_loop.3    |  8 +++
+ libselinux/man/man3/avc_open.3            | 36 +++++++++-
+ libselinux/man/man3/selinux_status_open.3 | 13 ++--
+ libselinux/src/avc.c                      | 15 ++---
+ libselinux/src/avc_internal.c             | 82 ++++++++++++++++-------
+ libselinux/src/avc_internal.h             |  4 ++
+ libselinux/src/checkAccess.c              |  2 +-
+ libselinux/src/sestatus.c                 | 24 +++++++
+ 9 files changed, 184 insertions(+), 51 deletions(-)
+
+diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3
+index e26c3be6071c..a5dc7c93c703 100644
+--- a/libselinux/man/man3/avc_init.3
++++ b/libselinux/man/man3/avc_init.3
+@@ -117,6 +117,8 @@ argument, which does not return under normal conditions.  The
+ callback should cancel the running thread referenced by 
+ .IR thread .
+ By default, threading is not used; see 
++.B KERNEL STATUS PAGE
++and
+ .B NETLINK NOTIFICATION
+ below.
+ 
+@@ -153,14 +155,49 @@ callback should destroy
+ .IR lock ,
+ freeing any resources associated with it.  The default behavior is not to perform any locking.  Note that undefined behavior may result if threading is used without appropriate locking.
+ .
+-.SH "NETLINK NOTIFICATION"
+-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
+-.BR avc_has_perm (3)
+-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
++.SH "KERNEL STATUS PAGE"
++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
++.BR mmap (2)
++SELinux status state in read-only mode to avoid system calls during the cache hit code path.
+ 
+-In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query.  If threading and locking callbacks are passed to
+ .BR avc_init ()
+-however, a dedicated thread will be started to listen on the netlink socket.  This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
++calls
++.BR selinux_status_open (3)
++to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the
++.B func_create_thread
++and
++.B func_stop_thread
++callbacks. All callbacks set via
++.BR selinux_set_callback (3)
++will still be honored.
++
++.BR avc_has_perm (3)
++and
++.BR selinux_check_access (3)
++both check for status updates through calls to
++.BR selinux_status_updated (3)
++at the start of each permission query and take the appropriate action.
++
++Two status types are currently implemented.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++.
++.SH "NETLINK NOTIFICATION"
++In the event that the kernel status page is not successfully
++.BR mmap (2)'ed
++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
++.B setenforce
++and
++.B policyload
++events will have the same results as for the status page implementation, but all status update checks will now require a system call.
++
++By default,
++.BR avc_open (3)
++does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
++.BR avc_init (),
++a dedicated thread will be started to listen on the netlink socket.  This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query.
+ .
+ .SH "RETURN VALUE"
+ Functions with a return value return zero on success.  On error, \-1 is returned and
+@@ -192,5 +229,7 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
+ .
+ .SH "SEE ALSO"
+ .BR avc_open (3),
++.BR selinux_status_open (3),
++.BR selinux_status_updated (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3
+index c8268a124df0..f03d78138d8c 100644
+--- a/libselinux/man/man3/avc_netlink_loop.3
++++ b/libselinux/man/man3/avc_netlink_loop.3
+@@ -54,6 +54,11 @@ closes the netlink socket.  This function is called automatically by
+ returns the netlink socket descriptor number and informs the userspace AVC
+ not to check the socket descriptor automatically on calls to
+ .BR avc_has_perm (3).
++If no such socket descriptor exists,
++.BR avc_netlink_acquire_fd (3)
++will first call
++.BR avc_netlink_open (3)
++and then return the resulting fd.
+ 
+ .BR avc_netlink_release_fd ()
+ returns control of the netlink socket to the userspace AVC, re-enabling
+@@ -78,6 +83,9 @@ with a return value return zero on success.  On error, \-1 is returned and
+ .I errno
+ is set appropriately.
+ .
++.SH "AUTHOR"
++Originally KaiGai Kohei. Updated by Mike Palmiotto <mike.palmiotto@crunchydata.com>
++.
+ .SH "SEE ALSO"
+ .BR avc_open (3),
+ .BR selinux_set_callback (3),
+diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
+index 5b275a8ee040..3090dd5077c7 100644
+--- a/libselinux/man/man3/avc_open.3
++++ b/libselinux/man/man3/avc_open.3
+@@ -46,10 +46,37 @@ include the following:
+ .B AVC_OPT_SETENFORCE
+ This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise.  The system enforcing mode will be ignored.
+ .
+-.SH "NETLINK NOTIFICATION"
+-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
++.SH "KERNEL STATUS PAGE"
++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
++.BR mmap (2)
++SELinux status state in read-only mode to avoid system calls during the cache hit code path.
++
++.BR avc_open ()
++calls
++.BR selinux_status_open (3)
++to initialize the selinux status state.
++
+ .BR avc_has_perm (3)
+-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
++and
++.BR selinux_check_access (3)
++both check for status updates through calls to
++.BR selinux_status_updated (3)
++at the start of each permission query and take the appropriate action.
++
++Two status types are currently implemented.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++.
++.SH "NETLINK NOTIFICATION"
++In the event that the kernel status page is not successfully
++.BR mmap (2)'ed
++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
++.B setenforce
++and
++.B policyload
++events will have the same results as for the status page implementation, but all status update checks will now require a system call.
+ .
+ .SH "RETURN VALUE"
+ Functions with a return value return zero on success.  On error, \-1 is returned and
+@@ -61,9 +88,12 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
+ .
+ .SH "SEE ALSO"
+ .BR selinux (8),
++.BR selinux_check_access (3),
+ .BR avc_has_perm (3),
+ .BR avc_context_to_sid (3),
+ .BR avc_cache_stats (3),
+ .BR avc_add_callback (3),
++.BR selinux_status_open (3),
++.BR selinux_status_updated (3),
+ .BR selinux_set_callback (3),
+ .BR security_compute_av (3)
+diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
+index 2d44be57cbbc..5c9da2f61d19 100644
+--- a/libselinux/man/man3/selinux_status_open.3
++++ b/libselinux/man/man3/selinux_status_open.3
+@@ -48,7 +48,7 @@ Set 1 on the
+ argument to handle a case of older kernels without kernel status page support.
+ In this case, this function tries to open a netlink socket using
+ .BR avc_netlink_open (3)
+-and overwrite corresponding callbacks ( setenforce and policyload).
++and overwrite corresponding callbacks (setenforce and policyload).
+ Thus, we need to pay attention to the interaction with these interfaces,
+ when fallback mode is enabled.
+ .sp
+@@ -57,9 +57,14 @@ unmap the kernel status page and close its file descriptor, or close the
+ netlink socket if fallbacked.
+ .sp
+ .BR selinux_status_updated ()
+-informs us whether something has been updated since the last call.
+-It returns 0 if nothing was happened, however, 1 if something has been
+-updated in this duration, or \-1 on error.
++processes status update events. There are two kinds of status updates.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++
++This function returns 0 if there have been no updates since the last call,
++1 if there have been updates since the last call, or \-1 on error.
+ .sp
+ .BR selinux_status_getenforce ()
+ returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
+diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
+index b4648b2de170..8314d7ba3de6 100644
+--- a/libselinux/src/avc.c
++++ b/libselinux/src/avc.c
+@@ -50,7 +50,6 @@ struct avc_callback_node {
+ 	struct avc_callback_node *next;
+ };
+ 
+-static void *avc_netlink_thread = NULL;
+ static void *avc_lock = NULL;
+ static void *avc_log_lock = NULL;
+ static struct avc_node *avc_node_freelist = NULL;
+@@ -215,17 +214,13 @@ static int avc_init_internal(const char *prefix,
+ 		avc_enforcing = rc;
+ 	}
+ 
+-	rc = avc_netlink_open(0);
++	rc = selinux_status_open(1);
+ 	if (rc < 0) {
+ 		avc_log(SELINUX_ERROR,
+-			"%s:  can't open netlink socket: %d (%s)\n",
++			"%s: could not open selinux status page: %d (%s)\n",
+ 			avc_prefix, errno, strerror(errno));
+ 		goto out;
+ 	}
+-	if (avc_using_threads) {
+-		avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
+-		avc_netlink_trouble = 0;
+-	}
+ 	avc_running = 1;
+       out:
+ 	return rc;
+@@ -557,9 +552,7 @@ void avc_destroy(void)
+ 
+ 	avc_get_lock(avc_lock);
+ 
+-	if (avc_using_threads)
+-		avc_stop_thread(avc_netlink_thread);
+-	avc_netlink_close();
++	selinux_status_close();
+ 
+ 	for (i = 0; i < AVC_CACHE_SLOTS; i++) {
+ 		node = avc_cache.slots[i];
+@@ -766,7 +759,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
+ 		avd_init(avd);
+ 
+ 	if (!avc_using_threads && !avc_app_main_loop) {
+-		(void)avc_netlink_check_nb();
++		(void) selinux_status_updated();
+ 	}
+ 
+ 	if (!aeref) {
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 568a3d928ac1..4ef924527e10 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -53,6 +53,49 @@ int avc_enforcing = 1;
+ int avc_setenforce = 0;
+ int avc_netlink_trouble = 0;
+ 
++/* process setenforce events for netlink and sestatus */
++int avc_process_setenforce(int enforcing)
++{
++	int rc = 0;
++
++	avc_log(SELINUX_INFO,
++		"%s:  received setenforce notice (enforcing=%d)\n",
++		avc_prefix, enforcing);
++	if (avc_setenforce)
++		goto out;
++	avc_enforcing = enforcing;
++	if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
++		avc_log(SELINUX_ERROR,
++			"%s:  cache reset returned %d (errno %d)\n",
++			avc_prefix, rc, errno);
++		return rc;
++	}
++
++out:
++	return selinux_netlink_setenforce(enforcing);
++}
++
++/* process policyload events for netlink and sestatus */
++int avc_process_policyload(uint32_t seqno)
++{
++	int rc = 0;
++
++	avc_log(SELINUX_INFO,
++		"%s:  received policyload notice (seqno=%u)\n",
++		avc_prefix, seqno);
++	rc = avc_ss_reset(seqno);
++	if (rc < 0) {
++		avc_log(SELINUX_ERROR,
++			"%s:  cache reset returned %d (errno %d)\n",
++			avc_prefix, rc, errno);
++		return rc;
++	}
++
++	selinux_flush_class_cache();
++
++	return selinux_netlink_policyload(seqno);
++}
++
+ /* netlink socket code */
+ static int fd = -1;
+ 
+@@ -177,20 +220,7 @@ static int avc_netlink_process(void *buf)
+ 
+ 	case SELNL_MSG_SETENFORCE:{
+ 		struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+-		msg->val = !!msg->val;
+-		avc_log(SELINUX_INFO,
+-			"%s:  received setenforce notice (enforcing=%d)\n",
+-			avc_prefix, msg->val);
+-		if (avc_setenforce)
+-			break;
+-		avc_enforcing = msg->val;
+-		if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+-			avc_log(SELINUX_ERROR,
+-				"%s:  cache reset returned %d (errno %d)\n",
+-				avc_prefix, rc, errno);
+-			return rc;
+-		}
+-		rc = selinux_netlink_setenforce(msg->val);
++		rc = avc_process_setenforce(!!msg->val);
+ 		if (rc < 0)
+ 			return rc;
+ 		break;
+@@ -198,18 +228,7 @@ static int avc_netlink_process(void *buf)
+ 
+ 	case SELNL_MSG_POLICYLOAD:{
+ 		struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
+-		avc_log(SELINUX_INFO,
+-			"%s:  received policyload notice (seqno=%u)\n",
+-			avc_prefix, msg->seqno);
+-		rc = avc_ss_reset(msg->seqno);
+-		if (rc < 0) {
+-			avc_log(SELINUX_ERROR,
+-				"%s:  cache reset returned %d (errno %d)\n",
+-				avc_prefix, rc, errno);
+-			return rc;
+-		}
+-		selinux_flush_class_cache();
+-		rc = selinux_netlink_policyload(msg->seqno);
++		rc = avc_process_policyload(msg->seqno);
+ 		if (rc < 0)
+ 			return rc;
+ 		break;
+@@ -284,6 +303,17 @@ void avc_netlink_loop(void)
+ 
+ int avc_netlink_acquire_fd(void)
+ {
++	if (fd < 0) {
++		int rc = 0;
++		rc = avc_netlink_open(0);
++		if (rc < 0) {
++			avc_log(SELINUX_ERROR,
++				"%s: could not open netlink socket: %d (%s)\n",
++				avc_prefix, errno, strerror(errno));
++			return rc;
++		}
++	}
++
+     avc_app_main_loop = 1;
+ 
+     return fd;
+diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
+index 3f8a6bb1cf84..da67affc9307 100644
+--- a/libselinux/src/avc_internal.h
++++ b/libselinux/src/avc_internal.h
+@@ -32,6 +32,10 @@ extern void (*avc_func_get_lock) (void *);
+ extern void (*avc_func_release_lock) (void *);
+ extern void (*avc_func_free_lock) (void *);
+ 
++/* selinux status processing for netlink and sestatus */
++extern int avc_process_setenforce(int enforcing);
++extern int avc_process_policyload(uint32_t seqno);
++
+ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
+ 				 const struct avc_log_callback *log_cb,
+ 				 const struct avc_thread_callback *thread_cb,
+diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
+index 3491fded7895..b337ea64f977 100644
+--- a/libselinux/src/checkAccess.c
++++ b/libselinux/src/checkAccess.c
+@@ -39,7 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
+ 	if (rc < 0)
+ 		return rc;
+ 
+-	(void) avc_netlink_check_nb();
++	(void) selinux_status_updated();
+ 
+        sclass = string_to_security_class(class);
+        if (sclass == 0) {
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index 86267ff89646..814e86ee10e7 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -39,11 +39,14 @@ struct selinux_status_t
+ static struct selinux_status_t *selinux_status = NULL;
+ static int			selinux_status_fd;
+ static uint32_t			last_seqno;
++static uint32_t			last_policyload;
+ 
+ static uint32_t			fallback_sequence;
+ static int			fallback_enforcing;
+ static int			fallback_policyload;
+ 
++static void			*fallback_netlink_thread = NULL;
++
+ /*
+  * read_sequence
+  *
+@@ -116,6 +119,15 @@ int selinux_status_updated(void)
+ 
+ 	if (last_seqno != curr_seqno)
+ 	{
++		if (avc_enforcing != (int) selinux_status->enforcing) {
++			if (avc_process_setenforce(selinux_status->enforcing) < 0)
++				return -1;
++		}
++		if (last_policyload != selinux_status->policyload) {
++			if (avc_process_policyload(selinux_status->policyload) < 0)
++				return -1;
++			last_policyload = selinux_status->policyload;
++		}
+ 		last_seqno = curr_seqno;
+ 		result = 1;
+ 	}
+@@ -282,6 +294,9 @@ int selinux_status_open(int fallback)
+ 	selinux_status_fd = fd;
+ 	last_seqno = (uint32_t)(-1);
+ 
++	/* No need to use avc threads if the kernel status page is available */
++	avc_using_threads = 0;
++
+ 	return 0;
+ 
+ error:
+@@ -305,6 +320,12 @@ error:
+ 		selinux_status_fd = avc_netlink_acquire_fd();
+ 		last_seqno = (uint32_t)(-1);
+ 
++		if (avc_using_threads)
++		{
++			fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
++			avc_netlink_trouble = 0;
++		}
++
+ 		fallback_sequence = 0;
+ 		fallback_enforcing = security_getenforce();
+ 		fallback_policyload = 0;
+@@ -333,6 +354,9 @@ void selinux_status_close(void)
+ 	/* fallback-mode */
+ 	if (selinux_status == MAP_FAILED)
+ 	{
++		if (avc_using_threads)
++			avc_stop_thread(fallback_netlink_thread);
++
+ 		avc_netlink_release_fd();
+ 		avc_netlink_close();
+ 		selinux_status = NULL;
+-- 
+2.29.0
+

0002-libselinux-fix-build-order.patch

@@ -0,0 +1,27 @@
+From e7abd802d4d8541627c590424a6578348ee6032b Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 6 Aug 2020 10:46:38 -0400
+Subject: [PATCH] libselinux: fix build order
+
+We need to install the include files before we try to build the source.
+Otherwise, make DESTDIR=~/obj install can fail if there are older
+headers under /usr/include.
+
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index 16531fe95bf5..6a43b243f4da 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -1,4 +1,4 @@
+-SUBDIRS = src include utils man
++SUBDIRS = include src utils man
+ 
+ PKG_CONFIG ?= pkg-config
+ DISABLE_SETRANS ?= n
+-- 
+2.29.0
+

0003-libselinux-use-full-argument-specifiers-for-security.patch

@@ -0,0 +1,38 @@
+From 21fb5f20da225cff23fd811f57cdaec5e9d7badb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 20 Aug 2020 17:15:51 +0200
+Subject: [PATCH] libselinux: use full argument specifiers for
+ security_check_context in man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The argument for security_check_context(_raw) is defined as `const char *`.
+
+Say so in the man page.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/security_check_context.3 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3
+index 2b9a2d4c8b6a..213ac282588f 100644
+--- a/libselinux/man/man3/security_check_context.3
++++ b/libselinux/man/man3/security_check_context.3
+@@ -5,9 +5,9 @@ security_check_context \- check the validity of a SELinux context
+ .SH "SYNOPSIS"
+ .B #include <selinux/selinux.h>
+ .sp
+-.BI "int security_check_context(char *" con );
++.BI "int security_check_context(const char *" con );
+ .sp
+-.BI "int security_check_context_raw(char *" con );
++.BI "int security_check_context_raw(const char *" con );
+ .
+ .SH "DESCRIPTION"
+ .BR security_check_context ()
+-- 
+2.29.0
+

0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch

@@ -0,0 +1,64 @@
+From 9e4480b921bb50f59b064e842362b26b87e36bbd Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Mon, 24 Aug 2020 09:44:16 -0400
+Subject: [PATCH] libselinux: Remove trailing slash on selabel_file lookups.
+
+Having a trailing slash on a file lookup, e.g. "/some/path/", can
+cause a different result, for example,  when file contexts are written to have
+the directory have a different label than the contents.  This is inconsistent
+with normal Linux behaviors where trailing slashes are ignored.
+
+Many callers already strip the trailing slash before the lookup or users
+revise the file contexts to work around this.  This fixes it comprehensively.
+
+v2: fix length issues
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/label_file.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 412904d14c06..6eeeea68aea4 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -854,6 +854,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 	struct saved_data *data = (struct saved_data *)rec->data;
+ 	struct spec *spec_arr = data->spec_arr;
+ 	int i, rc, file_stem;
++	size_t len;
+ 	mode_t mode = (mode_t)type;
+ 	char *clean_key = NULL;
+ 	const char *prev_slash, *next_slash;
+@@ -894,6 +895,27 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 		key = clean_key;
+ 	}
+ 
++	/* remove trailing slash */
++	len = strlen(key);
++	if (len == 0) {
++		errno = EINVAL;
++		goto finish;
++	}
++
++	if (key[len - 1] == '/') {
++		/* reuse clean_key from above if available */
++		if (!clean_key) {
++			clean_key = (char *) malloc(len);
++			if (!clean_key)
++				goto finish;
++
++			strncpy(clean_key, key, len - 1);
++		}
++
++		clean_key[len - 1] = '\0';
++		key = clean_key;
++	}
++
+ 	sub = selabel_sub_key(data, key);
+ 	if (sub)
+ 		key = sub;
+-- 
+2.29.0
+

0005-libselinux-safely-access-shared-memory-in-selinux_st.patch

@@ -0,0 +1,80 @@
+From ef902db9c842553fd1a6a81068f3d844d487f2fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 25 Aug 2020 17:32:04 +0200
+Subject: [PATCH] libselinux: safely access shared memory in
+ selinux_status_updated()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Access the shared nenory safe in regard to consistent view of the SELinux
+kernel status page - not in regard to thread-safety.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/sestatus.c | 40 ++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index 814e86ee10e7..ca2d3bbf9cb2 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -91,7 +91,9 @@ static inline uint32_t read_sequence(struct selinux_status_t *status)
+ int selinux_status_updated(void)
+ {
+ 	uint32_t	curr_seqno;
+-	int		result = 0;
++	uint32_t	tmp_seqno;
++	uint32_t	enforcing;
++	uint32_t	policyload;
+ 
+ 	if (selinux_status == NULL) {
+ 		errno = EINVAL;
+@@ -117,21 +119,29 @@ int selinux_status_updated(void)
+ 	if (last_seqno & 0x0001)
+ 		last_seqno = curr_seqno;
+ 
+-	if (last_seqno != curr_seqno)
+-	{
+-		if (avc_enforcing != (int) selinux_status->enforcing) {
+-			if (avc_process_setenforce(selinux_status->enforcing) < 0)
+-				return -1;
+-		}
+-		if (last_policyload != selinux_status->policyload) {
+-			if (avc_process_policyload(selinux_status->policyload) < 0)
+-				return -1;
+-			last_policyload = selinux_status->policyload;
+-		}
+-		last_seqno = curr_seqno;
+-		result = 1;
++	if (last_seqno == curr_seqno)
++		return 0;
++
++	/* sequence must not be changed during references */
++	do {
++		enforcing = selinux_status->enforcing;
++		policyload = selinux_status->policyload;
++		tmp_seqno = curr_seqno;
++		curr_seqno = read_sequence(selinux_status);
++	} while (tmp_seqno != curr_seqno);
++
++	if (avc_enforcing != (int) enforcing) {
++		if (avc_process_setenforce(enforcing) < 0)
++			return -1;
++	}
++	if (last_policyload != policyload) {
++		if (avc_process_policyload(policyload) < 0)
++			return -1;
++		last_policyload = policyload;
+ 	}
+-	return result;
++	last_seqno = curr_seqno;
++
++	return 1;
+ }
+ 
+ /*
+-- 
+2.29.0
+

0006-libselinux-initialize-last_policyload-in-selinux_sta.patch

@@ -0,0 +1,54 @@
+From a63f93d83b57f1a10712c5fcd29be246e8eff20d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 25 Aug 2020 17:32:05 +0200
+Subject: [PATCH] libselinux: initialize last_policyload in
+ selinux_status_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If not initialized to the current policyload count, an enforcing change
+will trigger policyload-callbacks in selinux_status_updated().
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/sestatus.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index ca2d3bbf9cb2..9ff2785d876a 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -278,9 +278,10 @@ static int fallback_cb_policyload(int policyload)
+  */
+ int selinux_status_open(int fallback)
+ {
+-	int	fd;
+-	char	path[PATH_MAX];
+-	long	pagesize;
++	int		fd;
++	char		path[PATH_MAX];
++	long		pagesize;
++	uint32_t	seqno;
+ 
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+@@ -304,6 +305,14 @@ int selinux_status_open(int fallback)
+ 	selinux_status_fd = fd;
+ 	last_seqno = (uint32_t)(-1);
+ 
++	/* sequence must not be changed during references */
++	do {
++		seqno = read_sequence(selinux_status);
++
++		last_policyload = selinux_status->policyload;
++
++	} while (seqno != read_sequence(selinux_status));
++
+ 	/* No need to use avc threads if the kernel status page is available */
+ 	avc_using_threads = 0;
+ 
+-- 
+2.29.0
+

0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch

@@ -0,0 +1,71 @@
+From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Thu, 27 Aug 2020 08:58:39 -0400
+Subject: [PATCH] libselinux: Add new log callback levels for enforcing and
+ policy load notices.
+
+This will enable userspace object managers to send proper audits for policy
+loads and setenforce messages generated by the userspace AVC code.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/include/selinux/selinux.h       | 2 ++
+ libselinux/man/man3/selinux_set_callback.3 | 5 +++++
+ libselinux/src/avc_internal.c              | 4 ++--
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index c22834e58418..ae98a92e393e 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
+ #define SELINUX_WARNING		1
+ #define SELINUX_INFO		2
+ #define SELINUX_AVC		3
++#define SELINUX_POLICYLOAD	4
++#define SELINUX_SETENFORCE	5
+ #define SELINUX_TRANS_DIR	"/var/run/setrans"
+ 
+ /* Compute an access decision. */
+diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
+index a4c613ad5d85..6dfe5ff6050f 100644
+--- a/libselinux/man/man3/selinux_set_callback.3
++++ b/libselinux/man/man3/selinux_set_callback.3
+@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
+ .B SELINUX_INFO
+ 
+ .B SELINUX_AVC
++
++.B SELINUX_POLICYLOAD
++
++.B SELINUX_SETENFORCE
++
+ .
+ .TP
+ .B SELINUX_CB_AUDIT
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 4ef924527e10..572b2159c3ed 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
+ {
+ 	int rc = 0;
+ 
+-	avc_log(SELINUX_INFO,
++	avc_log(SELINUX_SETENFORCE,
+ 		"%s:  received setenforce notice (enforcing=%d)\n",
+ 		avc_prefix, enforcing);
+ 	if (avc_setenforce)
+@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
+ {
+ 	int rc = 0;
+ 
+-	avc_log(SELINUX_INFO,
++	avc_log(SELINUX_POLICYLOAD,
+ 		"%s:  received policyload notice (seqno=%u)\n",
+ 		avc_prefix, seqno);
+ 	rc = avc_ss_reset(seqno);
+-- 
+2.29.0
+

0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch

@@ -0,0 +1,30 @@
+From 075f9cfe7a0105e14e878b5617e80d391d016e08 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Fri, 11 Sep 2020 15:56:14 -0400
+Subject: [PATCH] libselinux: Fix selabel_lookup() for the root dir.
+
+9e4480b921bb ("Remove trailing slash on selabel_file lookups.") introduced
+a bug which turns the root directory lookup "/" into an empty string.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/label_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 6eeeea68aea4..726394ca4332 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -902,7 +902,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 		goto finish;
+ 	}
+ 
+-	if (key[len - 1] == '/') {
++	if (len > 1 && key[len - 1] == '/') {
+ 		/* reuse clean_key from above if available */
+ 		if (!clean_key) {
+ 			clean_key = (char *) malloc(len);
+-- 
+2.29.0
+

0009-libselinux-Add-additional-log-callback-details-in-ma.patch

@@ -0,0 +1,38 @@
+From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 15 Sep 2020 13:33:31 -0400
+Subject: [PATCH] libselinux: Add additional log callback details in man page
+ for auditing.
+
+Add additional information about the log callback message types.  Indicate
+which types could be audited and the relevant audit record types for them.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
+index 6dfe5ff6050f..75f49b06d836 100644
+--- a/libselinux/man/man3/selinux_set_callback.3
++++ b/libselinux/man/man3/selinux_set_callback.3
+@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following:
+ 
+ .B SELINUX_SETENFORCE
+ 
++SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
++levels and are not auditable messages.
++
++The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
++audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
++values from libaudit, respectively.  If they are not audited, SELINUX_AVC should be
++considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
++SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
++
+ .
+ .TP
+ .B SELINUX_CB_AUDIT
+-- 
+2.29.0
+

0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch

@@ -0,0 +1,37 @@
+From 7ef5b1854f75056d23e60aabc86706dfed622669 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 15 Sep 2020 13:33:32 -0400
+Subject: [PATCH] libselinux: Change userspace AVC setenforce and policy load
+ messages to audit format.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/avc_internal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 572b2159c3ed..53a99a1fe957 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -59,7 +59,7 @@ int avc_process_setenforce(int enforcing)
+ 	int rc = 0;
+ 
+ 	avc_log(SELINUX_SETENFORCE,
+-		"%s:  received setenforce notice (enforcing=%d)\n",
++		"%s:  op=setenforce lsm=selinux enforcing=%d res=1",
+ 		avc_prefix, enforcing);
+ 	if (avc_setenforce)
+ 		goto out;
+@@ -81,7 +81,7 @@ int avc_process_policyload(uint32_t seqno)
+ 	int rc = 0;
+ 
+ 	avc_log(SELINUX_POLICYLOAD,
+-		"%s:  received policyload notice (seqno=%u)\n",
++		"%s:  op=load_policy lsm=selinux seqno=%u res=1",
+ 		avc_prefix, seqno);
+ 	rc = avc_ss_reset(seqno);
+ 	if (rc < 0) {
+-- 
+2.29.0
+

0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch

@@ -0,0 +1,208 @@
+From d23342a9de2c30f72a3edb13455753caaf259589 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sun, 4 Oct 2020 16:03:39 +0200
+Subject: [PATCH] libselinux: convert matchpathcon to selabel_lookup()
+
+Function matchpathcon() is deprecated in favor of selabel_lookup() but
+program "matchpathcon" is much easier to use than "selabel_loopkup" to
+find the file context which would be applied to some files and
+directories.
+
+More precisely:
+
+    matchpathcon /path/to/my/file
+
+is easier to type and remember than:
+
+    selabel_lookup -b file -k /path/to/my/file
+
+It also allows performing multiple context searches in one command,
+where selabel_lookup cannot use multiple -k options.
+
+Migrate matchpathcon to the preferred API.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/utils/Makefile       |  2 -
+ libselinux/utils/matchpathcon.c | 87 ++++++++++++++-------------------
+ 2 files changed, 38 insertions(+), 51 deletions(-)
+
+diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
+index aa2d3e1b144f..b018a08acbe0 100644
+--- a/libselinux/utils/Makefile
++++ b/libselinux/utils/Makefile
+@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
+ 
+ sefcontext_compile: sefcontext_compile.o ../src/regex.o
+ 
+-matchpathcon: CFLAGS += -Wno-deprecated-declarations
+-
+ all: $(TARGETS)
+ 
+ install: all
+diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
+index cc018d213f4c..a07e160dee71 100644
+--- a/libselinux/utils/matchpathcon.c
++++ b/libselinux/utils/matchpathcon.c
+@@ -1,15 +1,14 @@
+-#include <unistd.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <getopt.h>
+ #include <errno.h>
+-#include <string.h>
++#include <getopt.h>
+ #include <limits.h>
+-#include <sys/types.h>
+-#include <sys/stat.h>
++#include <selinux/label.h>
+ #include <selinux/selinux.h>
+-#include <limits.h>
++#include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <unistd.h>
+ 
+ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ {
+@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 	exit(1);
+ }
+ 
+-static int printmatchpathcon(const char *path, int header, int mode)
++static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
+ {
+-	char *buf;
+-	int rc = matchpathcon(path, mode, &buf);
++	char *buf = NULL;
++	int rc;
++
++	if (notrans) {
++		rc = selabel_lookup_raw(hnd, &buf, path, mode);
++	} else {
++		rc = selabel_lookup(hnd, &buf, path, mode);
++	}
+ 	if (rc < 0) {
+ 		if (errno == ENOENT) {
+ 			buf = strdup("<<none>>");
+ 		} else {
+-			fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
++			fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
+ 				strerror(errno));
+ 			return 1;
+ 		}
+@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s)
+ 
+ int main(int argc, char **argv)
+ {
+-	int i, init = 0, force_mode = 0;
++	int i, force_mode = 0;
+ 	int header = 1, opt;
+ 	int verify = 0;
+ 	int notrans = 0;
+ 	int error = 0;
+ 	int quiet = 0;
+-
+-	fprintf(stderr,
+-		"Deprecated, use selabel_lookup\n");
++	struct selabel_handle *hnd;
++	struct selinux_opt options[SELABEL_NOPT] = {};
+ 
+ 	if (argc < 2)
+ 		usage(argv[0]);
+@@ -96,23 +100,10 @@ int main(int argc, char **argv)
+ 			break;
+ 		case 'N':
+ 			notrans = 1;
+-			set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ 			break;
+ 		case 'f':
+-			if (init) {
+-				fprintf(stderr,
+-					"%s:  -f and -p are exclusive\n",
+-					argv[0]);
+-				exit(1);
+-			}
+-			init = 1;
+-			if (matchpathcon_init(optarg)) {
+-				fprintf(stderr,
+-					"Error while processing %s:  %s\n",
+-					optarg,
+-					errno ? strerror(errno) : "invalid");
+-				exit(1);
+-			}
++			options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
++			options[SELABEL_OPT_PATH].value = optarg;
+ 			break;
+ 		case 'P':
+ 			if (selinux_set_policy_root(optarg) < 0 ) {
+@@ -124,20 +115,11 @@ int main(int argc, char **argv)
+ 			}
+ 			break;
+ 		case 'p':
+-			if (init) {
+-				fprintf(stderr,
+-					"%s:  -f and -p are exclusive\n",
+-					argv[0]);
+-				exit(1);
+-			}
+-			init = 1;
+-			if (matchpathcon_init_prefix(NULL, optarg)) {
+-				fprintf(stderr,
+-					"Error while processing %s:  %s\n",
+-					optarg,
+-					errno ? strerror(errno) : "invalid");
+-				exit(1);
+-			}
++			// This option has been deprecated since libselinux 2.5 (2016):
++			// https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
++			fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
++			options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
++			options[SELABEL_OPT_SUBSET].value = optarg;
+ 			break;
+ 		case 'q':
+ 			quiet = 1;
+@@ -146,6 +128,13 @@ int main(int argc, char **argv)
+ 			usage(argv[0]);
+ 		}
+ 	}
++	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
++	if (!hnd) {
++		fprintf(stderr,
++			"Error while opening file contexts database: %s\n",
++			strerror(errno));
++		return -1;
++	}
+ 	for (i = optind; i < argc; i++) {
+ 		int rc, mode = 0;
+ 		struct stat buf;
+@@ -185,19 +174,19 @@ int main(int argc, char **argv)
+ 				if (rc >= 0) {
+ 					printf("%s has context %s, should be ",
+ 					       path, con);
+-					printmatchpathcon(path, 0, mode);
++					printmatchpathcon(hnd, path, 0, mode, notrans);
+ 					freecon(con);
+ 				} else {
+ 					printf
+ 					    ("actual context unknown: %s, should be ",
+ 					     strerror(errno));
+-					printmatchpathcon(path, 0, mode);
++					printmatchpathcon(hnd, path, 0, mode, notrans);
+ 				}
+ 			}
+ 		} else {
+-			error |= printmatchpathcon(path, header, mode);
++			error |= printmatchpathcon(hnd, path, header, mode, notrans);
+ 		}
+ 	}
+-	matchpathcon_fini();
++	selabel_close(hnd);
+ 	return error;
+ }
+-- 
+2.29.0
+

0012-libsepol-Bump-libsepol.so-version.patch

@@ -0,0 +1,45 @@
+From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:49 +0200
+Subject: [PATCH] libsepol: Bump libsepol.so version
+
+Previous commits removed some symbols and broke ABI, therefore we need to change
+SONAME.
+
+See the following quotes from distribution guidelines:
+
+https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
+
+Every time the shared library ABI changes in a way that may break
+binaries linked against older versions of the shared library, the SONAME
+of the library and the corresponding name for the binary package
+containing the runtime shared library should change.
+
+https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
+
+When new versions of the library are released, you should use an ABI
+comparison tool to check for ABI differences in the built shared
+libraries. If it detects any incompatibilities, bump the n number by
+one.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/load_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 2aea826f863e..0034fa53d6e6 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -76,7 +76,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
+ #ifdef SHARED
+ 	char *errormsg = NULL;
+ 	void *libsepolh = NULL;
+-	libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
++	libsepolh = dlopen("libsepol.so.2", RTLD_NOW);
+ 	if (libsepolh) {
+ 		usesepol = 1;
+ 		dlerror();
+-- 
+2.29.0
+

0013-libselinux-Add-build-option-to-disable-X11-backend.patch

@@ -0,0 +1,48 @@
+From db0f2f382e31c44eef8f636d5698f9f4b11b4eeb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
+Date: Mon, 12 Oct 2020 17:46:16 +0300
+Subject: [PATCH] libselinux: Add build option to disable X11 backend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
+---
+ libselinux/Makefile     | 5 ++++-
+ libselinux/src/Makefile | 4 ++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index 6a43b243f4da..cb5872b7b090 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -17,7 +17,10 @@ endif
+ ifeq ($(DISABLE_BOOL),y)
+ 	DISABLE_FLAGS+= -DDISABLE_BOOL
+ endif
+-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
++ifeq ($(DISABLE_X11),y)
++	DISABLE_FLAGS+= -DNO_X_BACKEND
++endif
++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
+ 
+ USE_PCRE2 ?= n
+ ifeq ($(USE_PCRE2),y)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 190016e2af34..be0b6eec6f6d 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -126,6 +126,10 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+ 
++ifeq ($(DISABLE_X11),y)
++SRCS:= $(filter-out label_x.c, $(SRCS))
++endif
++
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ 
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+-- 
+2.29.0
+

0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch

@@ -0,0 +1,31 @@
+From a2f09a2faf2950d15fad34f23c65df62ec0d942c Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 16 Jul 2014 08:28:03 +0200
+Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
+
+---
+ libselinux/man/man8/selinux.8 | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 31364271eed2..8b4fc3706989 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+ .BR sepolicy (8),
+ .BR system-config-selinux (8),
+ .BR togglesebool (8),
+-.BR restorecon (8),
+ .BR fixfiles (8),
++.BR restorecon (8),
+ .BR setfiles (8),
+ .BR semanage (8),
+ .BR sepolicy (8)
++.BR seinfo (8),
++.BR sesearch (8)
+ 
+ Every confined service on the system has a man page in the following format:
+ .br
+-- 
+2.29.0
+

0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch

@@ -0,0 +1,59 @@
+From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
+Date: Mon, 12 Oct 2020 19:07:22 +0300
+Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add option to just enable the android label backend without disabling
+anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
+
+Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
+---
+ libselinux/Makefile     | 3 ++-
+ libselinux/src/Makefile | 6 +++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index cb5872b7b090..ac16c15e8d0a 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
+ DISABLE_SETRANS ?= n
+ DISABLE_RPM ?= n
+ ANDROID_HOST ?= n
++LABEL_BACKEND_ANDROID ?= n
+ ifeq ($(ANDROID_HOST),y)
+ 	override DISABLE_SETRANS=y
+ 	override DISABLE_BOOL=y
+@@ -20,7 +21,7 @@ endif
+ ifeq ($(DISABLE_X11),y)
+ 	DISABLE_FLAGS+= -DNO_X_BACKEND
+ endif
+-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
+ 
+ USE_PCRE2 ?= n
+ ifeq ($(USE_PCRE2),y)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index be0b6eec6f6d..52c40f018f51 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
+ 	label_backends_android.c regex.c label_support.c \
+ 	matchpathcon.c setrans_client.c sha1.c booleans.c
+ else
+-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
++LABEL_BACKEND_ANDROID=y
++endif
++
++ifneq ($(LABEL_BACKEND_ANDROIDT),y)
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
++DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ endif
+ 
+ ifeq ($(DISABLE_X11),y)
+-- 
+2.29.2
+

0016-selinux-8-mark-up-SELINUX-values.patch

@@ -0,0 +1,51 @@
+From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:38 +0100
+Subject: [PATCH] selinux(8): mark up SELINUX values
+
+Mark up the possible values of SELINUX (disabled, permissive, enforcing)
+for better readability.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 8b4fc3706989..522d45960bf3 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
+ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+-any one of disabled, permissive, or enforcing to select one of these
+-options.  The disabled option completely disables the SELinux kernel
+-and application code, leaving the system running without any SELinux
+-protection.  The permissive option enables the SELinux code, but
+-causes it to operate in a mode where accesses that would be denied by
+-policy are permitted but audited.  The enforcing option enables the
+-SELinux code and causes it to enforce access denials as well as
+-auditing them.  Permissive mode may yield a different set of denials
+-than enforcing mode, both because enforcing mode will prevent an
+-operation from proceeding past the first denial and because some
+-application code will fall back to a less privileged mode of operation
+-if denied access.
++any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
++select one of these options.  The \fIdisabled\fR option completely
++disables the SELinux kernel and application code, leaving the system
++running without any SELinux protection.  The \fIpermissive\fR option
++enables the SELinux code, but causes it to operate in a mode where
++accesses that would be denied by policy are permitted but audited.  The
++\fIenforcing\fR option enables the SELinux code and causes it to enforce
++access denials as well as auditing them.  \fIpermissive\fR mode may
++yield a different set of denials than enforcing mode, both because
++enforcing mode will prevent an operation from proceeding past the first
++denial and because some application code will fall back to a less
++privileged mode of operation if denied access.
+ 
+ The
+ .I /etc/selinux/config
+-- 
+2.29.2
+

0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch

@@ -0,0 +1,57 @@
+From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:39 +0100
+Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
+
+Update the main SELinux manpage to explain that runtime disable (i.e.
+disabling SELinux using SELINUX=Disabled) is deprecated and recommend
+disabling SELinux only via the kernel boot parameter.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 522d45960bf3..a36e286b1409 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -20,8 +20,8 @@ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+ any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+-select one of these options.  The \fIdisabled\fR option completely
+-disables the SELinux kernel and application code, leaving the system
++select one of these options.  The \fIdisabled\fR disables most of the
++SELinux kernel and application code, leaving the system
+ running without any SELinux protection.  The \fIpermissive\fR option
+ enables the SELinux code, but causes it to operate in a mode where
+ accesses that would be denied by policy are permitted but audited.  The
+@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
+ denial and because some application code will fall back to a less
+ privileged mode of operation if denied access.
+ 
++.B NOTE:
++Disabling SELinux by setting
++.B SELINUX=disabled
++in
++.I /etc/selinux/config
++is deprecated and depending on kernel version and configuration it might
++not lead to SELinux being completely disabled.  Specifically, the
++SELinux hooks will still be executed internally, but the SELinux policy
++will not be loaded and no operation will be denied.  In such state, the
++system will act as if SELinux was disabled, although some operations
++might behave slightly differently.  To properly disable SELinux, it is
++recommended to use the
++.B selinux=0
++kernel boot option instead.  In that case SELinux will be disabled
++regardless of what is set in the
++.I /etc/selinux/config
++file.
++
+ The
+ .I /etc/selinux/config
+ configuration file also controls what policy
+-- 
+2.29.2
+

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libselinux
-# $Id: Makefile,v 1.2 2007/10/15 19:04:13 notting Exp $
-NAME := libselinux
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

STAGE1-libselinux

@@ -0,0 +1,24 @@
+# TLSFLAGS are set in order to avoid a bogus check in
+# libselinux/src/Makefile.
+srpm libselinux
+mcd $BUILDDIR/t-libselinux
+rsync -av $SRC/libselinux*/ ./
+# libselinux uses $prefix/include for both -I and *.pc, which
+# prevents cross compiling.
+sed 's@-I$(INCLUDEDIR)@@' < src/Makefile > src/Makefile.stage1
+mv src/Makefile.stage1 src/Makefile
+make $J \
+    CC=${TARGET}-gcc \
+    AS=${TARGET}-as \
+    AR=${TARGET}-ar \
+    STRIP=${TARGET}-strip \
+    RANLIB=${TARGET}-ranlib \
+    CFLAGS="" \
+    TLSFLAGS="" \
+    all
+ARGS="DESTDIR=${ROOTFS}"
+if [ "$SUFFIX" = "64" ]
+then
+    ARGS="$ARGS LIBDIR=${ROOTFS}/usr/lib64 SHLIBDIR=${ROOTFS}/usr/lib64"
+fi
+make $J $ARGS install

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+

libselinux-rhat.patch

@@ -1,109 +0,0 @@
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.90/man/man8/selinuxconlist.8
---- nsalibselinux/man/man8/selinuxconlist.8	1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-2.0.90/man/man8/selinuxconlist.8	2010-01-18 16:52:28.000000000 -0500
-@@ -0,0 +1,18 @@
-+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
-+.SH "NAME"
-+selinuxconlist \- list all SELinux context reachable for user
-+.SH "SYNOPSIS"
-+.B selinuxconlist [-l level] user [context]
-+
-+.SH "DESCRIPTION"
-+.B selinuxconlist
-+reports the list of context reachable for user from the current context or specified context
-+
-+.B \-l level
-+mcs/mls level
-+
-+.SH AUTHOR	
-+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-+
-+.SH "SEE ALSO"
-+secon(8), selinuxdefcon(8)
-diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.90/man/man8/selinuxdefcon.8
---- nsalibselinux/man/man8/selinuxdefcon.8	1969-12-31 19:00:00.000000000 -0500
-+++ libselinux-2.0.90/man/man8/selinuxdefcon.8	2010-01-18 16:52:28.000000000 -0500
-@@ -0,0 +1,24 @@
-+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
-+.SH "NAME"
-+selinuxdefcon \- report default SELinux context for user 
-+
-+.SH "SYNOPSIS"
-+.B selinuxdefcon [-l level] user fromcon
-+
-+.SH "DESCRIPTION"
-+.B selinuxdefcon
-+reports the default context for the specified user from the specified context
-+
-+.B \-l level
-+mcs/mls level
-+
-+.SH EXAMPLE
-+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
-+.br
-+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-+
-+.SH AUTHOR	
-+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
-+
-+.SH "SEE ALSO"
-+secon(8), selinuxconlist(8)
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.90/src/callbacks.c
---- nsalibselinux/src/callbacks.c	2009-04-08 09:06:23.000000000 -0400
-+++ libselinux-2.0.90/src/callbacks.c	2010-01-18 16:52:28.000000000 -0500
-@@ -16,6 +16,7 @@
- {
- 	int rc;
- 	va_list ap;
-+	if (is_selinux_enabled() == 0) return 0;
- 	va_start(ap, fmt);
- 	rc = vfprintf(stderr, fmt, ap);
- 	va_end(ap);
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/init.c libselinux-2.0.90/src/init.c
---- nsalibselinux/src/init.c	2009-07-14 11:16:03.000000000 -0400
-+++ libselinux-2.0.90/src/init.c	2010-01-18 16:52:28.000000000 -0500
-@@ -59,8 +59,10 @@
- 	}
- 	fclose(fp);
- 
--	if (!exists)
-+	if (!exists) {
-+		free(buf);
- 		return;
-+	}
- 
- 	/* At this point, the usual spot doesn't have an selinuxfs so
- 	 * we look around for it */
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/label_file.c libselinux-2.0.90/src/label_file.c
---- nsalibselinux/src/label_file.c	2009-05-18 13:53:14.000000000 -0400
-+++ libselinux-2.0.90/src/label_file.c	2010-01-18 16:53:54.000000000 -0500
-@@ -20,6 +20,9 @@
- #include "callbacks.h"
- #include "label_internal.h"
- 
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+
- /*
-  * Internals, mostly moved over from matchpathcon.c
-  */
-diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.90/src/matchpathcon.c
---- nsalibselinux/src/matchpathcon.c	2009-03-06 14:41:45.000000000 -0500
-+++ libselinux-2.0.90/src/matchpathcon.c	2010-01-18 16:52:28.000000000 -0500
-@@ -2,6 +2,7 @@
- #include <string.h>
- #include <errno.h>
- #include <stdio.h>
-+#include <syslog.h>
- #include "selinux_internal.h"
- #include "label_internal.h"
- #include "callbacks.h"
-@@ -57,7 +58,7 @@
- {
- 	va_list ap;
- 	va_start(ap, fmt);
--	vfprintf(stderr, fmt, ap);
-+	vsyslog(LOG_ERR, fmt, ap);
- 	va_end(ap);
- }
- 

libselinux-tlssegneg.patch

@@ -1,23 +0,0 @@
---- libselinux-1.30.19/src/Makefile.notls	2006-08-01 14:16:38.000000000 -0400
-+++ libselinux-1.30.19/src/Makefile	2006-08-01 14:37:15.000000000 -0400
-@@ -24,6 +24,11 @@
- override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64
- RANLIB=ranlib
- 
-+ARCH := $(patsubst i%86,i386,$(shell uname -m))
-+ifneq (,$(filter i386,$(ARCH)))
-+TLSFLAGS += -mno-tls-direct-seg-refs
-+endif
-+
- SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
- 
- all: $(LIBA) $(LIBSO) 
-@@ -45,7 +50,7 @@
- 	ln -sf $@ $(TARGET) 
- 
- %.o:  %.c policy.h
--	$(CC) $(CFLAGS) -c -o $@ $<
-+	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
- 
- %.lo:  %.c policy.h
- 	$(CC) $(CFLAGS) -fpic -DSHARED -c -o $@ $<

libselinux-xaccel.patch

@@ -1,236 +0,0 @@
-diff -up libselinux-2.0.77/include/selinux/avc.h.pre.create.cache libselinux-2.0.77/include/selinux/avc.h
---- libselinux-2.0.77/include/selinux/avc.h.pre.create.cache	2009-01-27 14:47:32.000000000 -0500
-+++ libselinux-2.0.77/include/selinux/avc.h	2009-03-02 14:52:40.859167987 -0500
-@@ -353,6 +353,7 @@ int avc_compute_member(security_id_t ssi
- #define AVC_CALLBACK_AUDITALLOW_DISABLE	32
- #define AVC_CALLBACK_AUDITDENY_ENABLE	64
- #define AVC_CALLBACK_AUDITDENY_DISABLE	128
-+#define AVC_CALLBACK_ADD_CREATE		256
- 
- /**
-  * avc_add_callback - Register a callback for security events.
-diff -up libselinux-2.0.77/src/avc.c.pre.create.cache libselinux-2.0.77/src/avc.c
---- libselinux-2.0.77/src/avc.c.pre.create.cache	2009-01-27 14:47:32.000000000 -0500
-+++ libselinux-2.0.77/src/avc.c	2009-03-02 15:57:54.764288907 -0500
-@@ -20,6 +20,8 @@ struct avc_entry {
- 	security_id_t tsid;
- 	security_class_t tclass;
- 	struct av_decision avd;
-+	security_id_t	create_sid;
-+	unsigned	create_decided	:1;
- 	int used;		/* used recently */
- };
- 
-@@ -58,6 +60,11 @@ static struct avc_cache_stats cache_stat
- static struct avc_callback_node *avc_callbacks = NULL;
- static struct sidtab avc_sidtab;
- 
-+/* forward declaration */
-+static int avc_update_cache(uint32_t event, security_id_t ssid,
-+			    security_id_t tsid, security_class_t tclass,
-+			    access_vector_t perms, security_id_t create_sid);
-+
- static inline int avc_hash(security_id_t ssid,
- 			   security_id_t tsid, security_class_t tclass)
- {
-@@ -340,6 +347,16 @@ static inline struct avc_node *avc_recla
- 	return cur;
- }
- 
-+static inline void avc_clear_avc_entry(struct avc_entry *ae)
-+{
-+	ae->ssid = ae->tsid = ae->create_sid = NULL;
-+	ae->tclass = 0;
-+	ae->create_decided = 0;
-+	ae->avd.allowed = ae->avd.decided = 0;
-+	ae->avd.auditallow = ae->avd.auditdeny = 0;
-+	ae->used = 0;
-+}
-+
- static inline struct avc_node *avc_claim_node(security_id_t ssid,
- 					      security_id_t tsid,
- 					      security_class_t tclass)
-@@ -361,6 +378,7 @@ static inline struct avc_node *avc_claim
- 	}
- 
- 	hvalue = avc_hash(ssid, tsid, tclass);
-+	avc_clear_avc_entry(&new->ae);
- 	new->ae.used = 1;
- 	new->ae.ssid = ssid;
- 	new->ae.tsid = tsid;
-@@ -498,8 +516,8 @@ static int avc_insert(security_id_t ssid
-  * avc_remove - Remove AVC and sidtab entries for SID.
-  * @sid: security identifier to be removed
-  *
-- * Remove all AVC entries containing @sid as source
-- * or target, and remove @sid from the SID table.
-+ * Remove all AVC entries containing @sid as source, target, or
-+ * create_sid, and remove @sid from the SID table.
-  * Free the memory allocated for the structure corresponding
-  * to @sid.  After this function has been called, @sid must
-  * not be used until another call to avc_context_to_sid() has
-@@ -514,19 +532,15 @@ static void avc_remove(security_id_t sid
- 		cur = avc_cache.slots[i];
- 		prev = NULL;
- 		while (cur) {
--			if (sid == cur->ae.ssid || sid == cur->ae.tsid) {
-+			if (sid == cur->ae.ssid || sid == cur->ae.tsid ||
-+			    (cur->ae.create_decided && sid == cur->ae.create_sid)) {
- 				if (prev)
- 					prev->next = cur->next;
- 				else
- 					avc_cache.slots[i] = cur->next;
- 				tmp = cur;
- 				cur = cur->next;
--				tmp->ae.ssid = tmp->ae.tsid = NULL;
--				tmp->ae.tclass = 0;
--				tmp->ae.avd.allowed = tmp->ae.avd.decided = 0;
--				tmp->ae.avd.auditallow = tmp->ae.avd.auditdeny =
--				    0;
--				tmp->ae.used = 0;
-+				avc_clear_avc_entry(&tmp->ae);
- 				tmp->next = avc_node_freelist;
- 				avc_node_freelist = tmp;
- 				avc_cache.active_nodes--;
-@@ -570,11 +584,7 @@ int avc_reset(void)
- 		while (node) {
- 			tmp = node;
- 			node = node->next;
--			tmp->ae.ssid = tmp->ae.tsid = NULL;
--			tmp->ae.tclass = 0;
--			tmp->ae.avd.allowed = tmp->ae.avd.decided = 0;
--			tmp->ae.avd.auditallow = tmp->ae.avd.auditdeny = 0;
--			tmp->ae.used = 0;
-+			avc_clear_avc_entry(&tmp->ae);
- 			tmp->next = avc_node_freelist;
- 			avc_node_freelist = tmp;
- 			avc_cache.active_nodes--;
-@@ -896,24 +906,52 @@ int avc_compute_create(security_id_t ssi
- 		       security_class_t tclass, security_id_t *newsid)
- {
- 	int rc;
-+	struct avc_entry_ref aeref;
-+	security_context_t ctx = NULL;
-+
- 	*newsid = NULL;
-+
-+	avc_entry_ref_init(&aeref);
-+retry:
- 	avc_get_lock(avc_lock);
--	if (ssid->refcnt > 0 && tsid->refcnt > 0) {
--		security_context_t ctx = NULL;
--		rc = security_compute_create_raw(ssid->ctx, tsid->ctx, tclass,
--						 &ctx);
--		if (rc)
--			goto out;
--		rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid);
--		if (!rc)
--			(*newsid)->refcnt++;
--		freecon(ctx);
--	} else {
-+	if (ssid->refcnt <= 0 || tsid->refcnt <= 0) {
- 		errno = EINVAL;	/* bad reference count */
- 		rc = -1;
-+		goto out;
-+	}
-+
-+	rc = avc_lookup(ssid, tsid, tclass, 0, &aeref);
-+	if (!rc) {
-+		/* we found something in the avc */
-+		if (aeref.ae->create_decided) {
-+			*newsid = aeref.ae->create_sid;
-+			goto out;
-+		} else {
-+			goto compute;
-+		}
- 	}
-+	/* there is nothing in the avd for this tuple, so, lets get something */
-+	avc_release_lock(avc_lock);
-+	avc_has_perm_noaudit(ssid, tsid, tclass, 0, &aeref, NULL);
-+	goto retry;
-+
-+compute:
-+	rc = security_compute_create_raw(ssid->ctx, tsid->ctx, tclass,
-+					 &ctx);
-+	if (rc)
-+		goto out;
-+	rc = sidtab_context_to_sid(&avc_sidtab, ctx, newsid);
-+	if (rc)
-+		goto out;
-+
-+	avc_update_cache(AVC_CALLBACK_ADD_CREATE, ssid, tsid, tclass, 0,
-+			 *newsid);
-+
- out:
-+	if (*newsid)
-+		(*newsid)->refcnt++;
- 	avc_release_lock(avc_lock);
-+	freecon(ctx);
- 	return rc;
- }
- 
-@@ -978,7 +1016,8 @@ static inline int avc_sidcmp(security_id
- }
- 
- static inline void avc_update_node(uint32_t event, struct avc_node *node,
--				   access_vector_t perms)
-+				   access_vector_t perms,
-+				   security_id_t create_sid)
- {
- 	switch (event) {
- 	case AVC_CALLBACK_GRANT:
-@@ -1000,12 +1039,16 @@ static inline void avc_update_node(uint3
- 	case AVC_CALLBACK_AUDITDENY_DISABLE:
- 		node->ae.avd.auditdeny &= ~perms;
- 		break;
-+	case AVC_CALLBACK_ADD_CREATE:
-+		node->ae.create_sid = create_sid;
-+		node->ae.create_decided = 1;
-+		break;
- 	}
- }
- 
- static int avc_update_cache(uint32_t event, security_id_t ssid,
- 			    security_id_t tsid, security_class_t tclass,
--			    access_vector_t perms)
-+			    access_vector_t perms, security_id_t create_sid)
- {
- 	struct avc_node *node;
- 	int i;
-@@ -1019,7 +1062,7 @@ static int avc_update_cache(uint32_t eve
- 				if (avc_sidcmp(ssid, node->ae.ssid) &&
- 				    avc_sidcmp(tsid, node->ae.tsid) &&
- 				    tclass == node->ae.tclass) {
--					avc_update_node(event, node, perms);
-+					avc_update_node(event, node, perms, create_sid);
- 				}
- 			}
- 		}
-@@ -1027,7 +1070,7 @@ static int avc_update_cache(uint32_t eve
- 		/* apply to one node */
- 		node = avc_search_node(ssid, tsid, tclass, 0);
- 		if (node) {
--			avc_update_node(event, node, perms);
-+			avc_update_node(event, node, perms, create_sid);
- 		}
- 	}
- 
-@@ -1058,7 +1101,7 @@ static int avc_control(uint32_t event, s
- 	 * been invoked to update the cache state.
- 	 */
- 	if (event != AVC_CALLBACK_TRY_REVOKE)
--		avc_update_cache(event, ssid, tsid, tclass, perms);
-+		avc_update_cache(event, ssid, tsid, tclass, perms, NULL);
- 
- 	for (c = avc_callbacks; c; c = c->next) {
- 		if ((c->events & event) &&
-@@ -1080,7 +1123,7 @@ static int avc_control(uint32_t event, s
- 	if (event == AVC_CALLBACK_TRY_REVOKE) {
- 		/* revoke any unretained permissions */
- 		perms &= ~tretained;
--		avc_update_cache(event, ssid, tsid, tclass, perms);
-+		avc_update_cache(event, ssid, tsid, tclass, perms, NULL);
- 		*out_retained = tretained;
- 	}
- 
-

libselinux_swig_with_raw.patch

@@ -1,343 +0,0 @@
-Index: libselinux/src/selinuxswig.i
-===================================================================
---- libselinux/src/selinuxswig.i	(revision 2476)
-+++ libselinux/src/selinuxswig.i	(working copy)
-@@ -1,7 +1,9 @@
--/* Author: Dan Walsh
-+/* Authors: Dan Walsh
-+ *          James Athey
-  *
-  * Copyright (C) 2004-2005 Red Hat
-- * 
-+ * Copyright (C) 2007 Tresys Technology, LLC
-+ *
-  *  This library is free software; you can redistribute it and/or
-  *  modify it under the terms of the GNU Lesser General Public
-  *  License as published by the Free Software Foundation; either
-@@ -17,170 +19,47 @@
-  *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-  */
- 
--
- %module selinux
- %{
- 	#include "selinux/selinux.h"
--	#include "selinux/get_context_list.h"
- %}
--%apply int *OUTPUT { int * };
-+%apply int *OUTPUT { int *enforce };
- %apply int *OUTPUT { size_t * };
- 
--%typemap(in, numinputs=0) security_context_t *(security_context_t temp=NULL) {
--	$1 = &temp;
--}
--%typemap(argout) security_context_t * (char *temp=NULL) {
--	if (*$1)
--		temp = *$1;
--	else
--		temp = "";
--	$result = SWIG_Python_AppendOutput($result, PyString_FromString(temp));
--}
-+%typedef unsigned mode_t;
- 
--%typemap(in) security_context_t {
--	$1 = (security_context_t)PyString_AsString($input);
-+%typemap(in, numinputs=0) (char ***names, int *len) (char **temp1, int temp2) {
-+	$1 = &temp1;
-+	$2 = &temp2;
- }
- 
--%typedef unsigned mode_t;
--
--%include "../include/selinux/get_context_list.h"
--
--extern int is_selinux_enabled(void);
--extern int is_selinux_mls_enabled(void);
--extern void freecon(security_context_t con);
--extern void freeconary(security_context_t * con);
--extern int getcon(security_context_t *con);
--extern int setcon(security_context_t con);
--extern int getpidcon(int pid, security_context_t *con);
--extern int getprevcon(security_context_t *con);
--extern int getexeccon(security_context_t *con);
--extern int setexeccon(security_context_t con);
--extern int getfscreatecon(security_context_t *con);
--extern int setfscreatecon(security_context_t context);
--extern int getkeycreatecon(security_context_t *con);
--extern int setkeycreatecon(security_context_t context);
--extern int getsockcreatecon(security_context_t *con);
--extern int setsockcreatecon(security_context_t context);
--extern int getfilecon(const char *path, security_context_t *con);
--extern int lgetfilecon(const char *path, security_context_t *con);
--extern int fgetfilecon(int fd, security_context_t *con);
--extern int setfilecon(const char *path, security_context_t con);
--extern int lsetfilecon(const char *path, security_context_t con);
--extern int fsetfilecon(int fd, security_context_t con);
--extern int getpeercon(int fd, security_context_t *con);
--extern int selinux_mkload_policy(int preservebools);
--extern int selinux_init_load_policy(int *enforce);
--extern int security_set_boolean_list(size_t boolcnt, 
--				     SELboolean *boollist, 
--				     int permanent);
--extern int security_load_booleans(char *path);
--extern int security_check_context(security_context_t con);
--extern int security_canonicalize_context(security_context_t con,
--					 security_context_t *canoncon);
--extern int security_getenforce(void);
--extern int security_setenforce(int value);
--extern int security_policyvers(void);
--extern int security_get_boolean_names(char ***names, int *len);
--extern int security_get_boolean_pending(const char *name);
--extern int security_get_boolean_active(const char *name);
--extern int security_set_boolean(const char *name, int value);
--extern int security_commit_booleans(void);
--
--/* Set flags controlling operation of matchpathcon_init or matchpathcon. */
--#define MATCHPATHCON_BASEONLY 1 /* Only process the base file_contexts file. */
--#define MATCHPATHCON_NOTRANS  2 /* Do not perform any context translation. */
--extern void set_matchpathcon_flags(unsigned int flags);
--extern int matchpathcon_init(const char *path);
--extern int matchpathcon(const char *path,
--			mode_t mode,
--			security_context_t *con);
--
--extern int matchpathcon_init_prefix(const char *path,
--				    const char *prefix);
--extern void matchpathcon_fini(void);
--
--
--extern int matchmediacon(const char *media,
--		 security_context_t *con);
--
--extern int selinux_getenforcemode(int *enforce);
--extern const char *selinux_policy_root(void);
--extern const char *selinux_binary_policy_path(void);
--extern const char *selinux_failsafe_context_path(void);
--extern const char *selinux_removable_context_path(void);
--extern const char *selinux_default_context_path(void);
--extern const char *selinux_user_contexts_path(void);
--extern const char *selinux_file_context_path(void);
--extern const char *selinux_file_context_homedir_path(void);
--extern const char *selinux_file_context_local_path(void);
--extern const char *selinux_homedir_context_path(void);
--extern const char *selinux_media_context_path(void);
--extern const char *selinux_contexts_path(void);
--extern const char *selinux_securetty_types_path(void);
--extern const char *selinux_booleans_path(void);
--extern const char *selinux_customizable_types_path(void);
--extern const char *selinux_users_path(void);
--extern const char *selinux_usersconf_path(void);
--extern const char *selinux_translations_path(void);
--extern const char *selinux_netfilter_context_path(void);
--extern const char *selinux_path(void);
--#extern int selinux_check_passwd_access(access_vector_t requested);
--#extern int checkPasswdAccess(access_vector_t requested);
--
--extern int selinux_check_securetty_context(security_context_t tty_context);
--void set_selinuxmnt(char *mnt);
--
--#ifdef SWIGpython
--// This tells SWIG to treat char ** as a special case
--%typemap(in) char ** {
--  /* Check if is a list */
--  if (PyList_Check($input)) {
--    int size = PyList_Size($input);
--    int i = 0;
--    $1 = (char **) malloc((size+1)*sizeof(char *));
--    if ($1 == NULL) {
--	PyErr_SetString(PyExc_MemoryError,"Out of memory");
--	return NULL;
--    }
--    for (i = 0; i < size; i++) {
--      PyObject *o = PyList_GetItem($input,i);
--      if (PyString_Check(o))
--	$1[i] = PyString_AsString(PyList_GetItem($input,i));
--      else {
--	PyErr_SetString(PyExc_TypeError,"list must contain strings");
--	free($1);
--	return NULL;
--      }
--    }
--    $1[i] = 0;
--  } else {
--    PyErr_SetString(PyExc_TypeError,"not a list");
--    return NULL;
--  }
-+%typemap(freearg) (char ***names, int *len) {
-+	int i;
-+	if (*$1) {
-+		for (i = 0; i < *$2; i++) {
-+			free((*$1)[i]);
-+		}
-+		free(*$1);
-+	}
- }
--#endif
- 
--extern int rpm_execcon(unsigned int verified, 
--		       const char *filename, 
--		       char **, char **);
--
--extern int is_context_customizable (security_context_t scontext);
--
--extern int selinux_trans_to_raw_context(char *trans, 
--					security_context_t *rawp);
--extern int selinux_raw_to_trans_context(char *raw, 
--					security_context_t *transp);
--
--%typemap(in, numinputs=0) char **(char *temp=NULL) {
-+%typemap(in, numinputs=0) (security_context_t **) (security_context_t *temp) {
- 	$1 = &temp;
- }
- 
--%typemap(argout) char ** {
--	$result = SWIG_Python_AppendOutput($result, PyString_FromString(*$1));
-+%typemap(freearg) (security_context_t **) {
-+	if (*$1) freeconary(*$1);
- }
--extern int selinux_getpolicytype(char **enforce);
--extern int getseuserbyname(const char *linuxuser, char **seuser, char **level);
- 
--int selinux_file_context_cmp(const security_context_t a, const security_context_t b);
--int selinux_file_context_verify(const char *path, mode_t mode);
--int selinux_lsetfilecon_default(const char *path);
-+/* Ignore functions that don't make sense when wrapped */
-+%ignore freecon;
-+%ignore freeconary;
-+
-+/* Ignore functions that take a function pointer as an argument */
-+%ignore set_matchpathcon_printf;
-+%ignore set_matchpathcon_invalidcon;
-+%ignore set_matchpathcon_canoncon;
-+
-+%include "../include/selinux/selinux.h"
-+%include "../include/selinux/get_default_type.h"
-+%include "../include/selinux/get_context_list.h"
-Index: libselinux/src/selinuxswig_python.i
-===================================================================
---- libselinux/src/selinuxswig_python.i	(revision 0)
-+++ libselinux/src/selinuxswig_python.i	(revision 0)
-@@ -0,0 +1,101 @@
-+/* Author: James Athey
-+ *
-+ * Copyright (C) 2007 Tresys Technology, LLC
-+ *
-+ *  This library is free software; you can redistribute it and/or
-+ *  modify it under the terms of the GNU Lesser General Public
-+ *  License as published by the Free Software Foundation; either
-+ *  version 2.1 of the License, or (at your option) any later version.
-+ *
-+ *  This library is distributed in the hope that it will be useful,
-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ *  Lesser General Public License for more details.
-+ *
-+ *  You should have received a copy of the GNU Lesser General Public
-+ *  License along with this library; if not, write to the Free Software
-+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
-+ */
-+
-+%module selinux
-+%{
-+	#include "selinux/selinux.h"
-+%}
-+
-+/* security_get_boolean_names() typemap */
-+%typemap(argout) (char ***names, int *len) {
-+	PyObject* list = PyList_New(*$2);
-+	int i;
-+	for (i = 0; i < *$2; i++) {
-+		PyList_SetItem(list, i, PyString_FromString((*$1)[i]));
-+	}
-+	$result = SWIG_Python_AppendOutput($result, list);
-+}
-+
-+/* Makes security_compute_user() return a Python list of contexts */
-+%typemap(argout) (security_context_t **con) {
-+	PyObject* plist;
-+	int i, len = 0;
-+	
-+	if (*$1) {
-+		while((*$1)[len])
-+			len++;
-+		plist = PyList_New(len);
-+		for (i = 0; i < len; i++) {
-+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
-+		}
-+	} else {
-+		plist = PyList_New(0);
-+	}
-+
-+	$result = SWIG_Python_AppendOutput($result, plist);
-+}
-+
-+/* Makes functions in get_context_list.h return a Python list of contexts */
-+%typemap(argout) (security_context_t **list) {
-+	PyObject* plist;
-+	int i;
-+	
-+	if (*$1) {
-+		plist = PyList_New(result);
-+		for (i = 0; i < result; i++) {
-+			PyList_SetItem(plist, i, PyString_FromString((*$1)[i]));
-+		}
-+	} else {
-+		plist = PyList_New(0);
-+	}
-+	/* Only return the Python list, don't need to return the length anymore */
-+	$result = plist;
-+}
-+
-+%typemap(in,noblock=1,numinputs=0) security_context_t * (security_context_t temp = 0) {
-+	$1 = &temp;
-+}
-+%typemap(freearg,match="in") security_context_t * "";
-+%typemap(argout,noblock=1) security_context_t * {
-+	if (*$1) {
-+		%append_output(SWIG_FromCharPtr(*$1));
-+		freecon(*$1);
-+	}
-+	else {
-+		Py_INCREF(Py_None);
-+		%append_output(Py_None);
-+	}
-+}
-+
-+%typemap(in,noblock=1,numinputs=0) char ** (char * temp = 0) {
-+	$1 = &temp;
-+}
-+%typemap(freearg,match="in") char ** "";
-+%typemap(argout,noblock=1) char ** {
-+	if (*$1) {
-+		%append_output(SWIG_FromCharPtr(*$1));
-+		free(*$1);
-+	}
-+	else {
-+		Py_INCREF(Py_None);
-+		%append_output(Py_None);
-+	}
-+}
-+
-+%include "selinuxswig.i"
---- libselinux-2.0.21/src/fsetfilecon.c~	2007-06-11 14:39:07.000000000 -0400
-+++ libselinux-2.0.21/src/fsetfilecon.c	2007-06-19 14:52:40.000000000 -0400
-@@ -13,7 +13,7 @@ int fsetfilecon_raw(int fd, security_con
- 			 0);
- }
- 
--hidden_def(setfilecon_raw)
-+hidden_def(fsetfilecon_raw)
- 
- int fsetfilecon(int fd, security_context_t context)
- {
---- libselinux-2.0.21/src/Makefile~	2007-06-11 14:39:07.000000000 -0400
-+++ libselinux-2.0.21/src/Makefile	2007-06-19 15:49:43.000000000 -0400
-@@ -12,7 +12,7 @@ LIBVERSION = 1
- 
- LIBA=libselinux.a 
- TARGET=libselinux.so
--SWIGIF= selinuxswig.i
-+SWIGIF= selinuxswig_python.i
- SWIGCOUT= selinuxswig_wrap.c
- SWIGLOBJ:= $(patsubst %.c,%.lo,$(SWIGCOUT)) 
- SWIGSO=_selinux.so

selinuxconlist.8

@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)

selinuxdefcon.8

@@ -0,0 +1,24 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- report default SELinux context for user 
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user fromcon
+
+.SH "DESCRIPTION"
+.B selinuxdefcon
+reports the default context for the specified user from the specified context
+
+.B \-l level
+mcs/mls level
+
+.SH EXAMPLE
+# selinuxdefcon jsmith system_u:system_r:sshd_t:s0
+.br
+unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+.SH AUTHOR	
+This manual page was written by Dan Walsh <dwalsh@redhat.com>.
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)

sources

@@ -1 +1 @@
-87c744d919d632502ca91ca213c2168f  libselinux-2.0.90.tgz
+SHA512 (libselinux-3.1.tar.gz) = 57730cddd2d4751556d9e1f207c0f85119c81848f0620c16239e997150989e3f9a586a8c23861fd51ed89f7e084ad441190a58a288258a49a95f7beef7dbbb13

tests/getsebool/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/getsebool
+#   Description: Does getsebool work as expected?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/getsebool
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does getsebool work as expected?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+

tests/getsebool/PURPOSE

@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/libselinux/Sanity/getsebool
+Author: Milos Malik <mmalik@redhat.com>
+
+Does getsebool work as expected?
+

tests/getsebool/runtest.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/getsebool
+#   Description: Does getsebool work as expected?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2017 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+if rlIsRHEL 5 6 ; then
+    SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+    SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-utils
+        rlRun "getsebool" 0,1
+        OUTPUT_FILE=`mktemp`
+    rlPhaseEnd
+
+    rlPhaseStartTest 
+        rlRun "getsebool -a"
+        rlRun "umount ${SELINUX_FS_MOUNT}"
+        rlRun "getsebool -a 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "selinux.*disabled" ${OUTPUT_FILE} -i
+        rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}"
+        rlRun "mkdir booleans"
+        rlRun "mount --bind ./booleans ${SELINUX_FS_MOUNT}/booleans"
+        rlRun "getsebool -a 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "unable to get boolean name.*no such file or directory" ${OUTPUT_FILE} -i
+        rlRun "getsebool xen_use_nfs 2>&1 | tee ${OUTPUT_FILE}"
+        rlAssertGrep "error getting active value for" ${OUTPUT_FILE} -i
+        rlRun "umount ${SELINUX_FS_MOUNT}/booleans"
+        rlRun "rmdir booleans"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+

tests/realpath_not_final-function/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/realpath_not_final-function
+#   Description: Test realpath_not_final function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/realpath_not_final-function
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test realpath_not_final function" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/realpath_not_final-function/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/realpath_not_final-function
+Description: Test realpath_not_final function
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/realpath_not_final-function/runtest.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/realpath_not_final-function
+#   Description: Test realpath_not_final function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        rlRun -l "gcc test.c -o test -lselinux -Wall -Wextra -std=c99"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        # syntax: ./test name [resolved_path]
+        rlRun "./test NULL" 139
+        rlRun "./test /somedir/somefile NULL" 255
+        rlRun "./test NULL NULL" 139
+
+        rlRun "./test /tmp | tee output"
+        rlRun "grep 'realpath_not_final: /tmp' output"
+
+        rlRun "./test //tmp | tee output"
+        rlRun "grep -E 'realpath_not_final: /tmp|realpath_not_final: //tmp' output"
+
+        rlRun "./test ///tmp | tee output"
+        rlRun "grep -E 'realpath_not_final: /tmp|realpath_not_final: //tmp' output"
+        
+        rlRun "./test ////tmp | tee output"
+        rlRun "grep -E 'realpath_not_final: /tmp|realpath_not_final: //tmp' output"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f test output"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/realpath_not_final-function/test.c

@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <linux/limits.h>
+
+int main (int argc, char **argv) {
+    if (argc < 2) {
+        printf("Invalid number of arguments\n");
+        return -1;
+    }
+
+    char *name;
+
+    if (strcmp(argv[1], "NULL") == 0) {
+        name = NULL;
+    }
+    else {
+        name = argv[1];
+    }
+
+    char *resolved_path;
+
+    if (argc == 3 && (strcmp(argv[1], "NULL") == 0)) {
+        resolved_path = NULL;
+    }
+    else {
+        resolved_path = malloc(PATH_MAX);
+
+        if (resolved_path == NULL) {
+            printf("Error while allocating memory\n");
+        }
+    }
+
+    printf("Executing: realpath_not_final(%s, resolved_path)\n", name);
+
+    int result = realpath_not_final(name, resolved_path);
+
+    printf("realpath_not_final: %s\n", resolved_path);
+
+    free(resolved_path);
+    return result;
+}

tests/selabel-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selabel-functions
+#   Description: Test selabel functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selabel-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test selabel functions" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/selabel-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selabel-functions
+Description: Test selabel functions
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/selabel-functions/runtest.sh

@@ -0,0 +1,858 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selabel-functions
+#   Description: Test selabel functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        if rlIsRHEL 6; then
+            rlRun -l "gcc test_open.c -o test_open -lselinux -Wall -Wextra -std=c99 -DRHEL6"
+            rlRun -l "gcc test_lookup.c -o test_lookup -lselinux -Wall -Wextra -std=c99 -DRHEL6"
+            rlRun -l "gcc test_stats.c -o test_stats -lselinux -Wall -Wextra -std=c99 -DRHEL6"
+        else
+            rlRun -l "gcc test_open.c -o test_open -lselinux -Wall -Wextra -std=c99"
+            rlRun -l "gcc test_lookup.c -o test_lookup -lselinux -Wall -Wextra -std=c99"
+            rlRun -l "gcc test_partial.c -o test_partial -lselinux -Wall -Wextra -std=c99"
+            rlRun -l "gcc test_best.c -o test_best -lselinux -Wall -Wextra -std=c99"
+            rlRun -l "gcc test_stats.c -o test_stats -lselinux -Wall -Wextra -std=c99"
+            rlRun -l "gcc test_digest.c -o test_digest -lselinux -Wall -Wextra -std=c99"
+        fi
+
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+    rlPhaseEnd
+
+    rlPhaseStartTest "selabel_open"
+        # syntax: ./test_open BACKEND OPT_PATH OPT_SUBSET OPT_VALIDATE OPT_BASEONLY [nopt]
+
+        rlLogInfo "Normal run"
+        rlRun "./test_open CTX_FILE NULL NULL 0 0"
+
+        rlLogInfo "Backends"
+        rlRun "./test_open CTX_MEDIA NULL NULL 0 0" 0
+        rlRun "./test_open CTX_X NULL NULL 0 0" 0
+        rlRun "./test_open CTX_DB NULL NULL 0 0" 0
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 0 0" 0
+            rlRun "./test_open 5 NULL NULL 0 0" 22
+        fi
+        rlRun "./test_open 2147483647 NULL NULL 0 0" 22
+
+        rlLogInfo "Parameter nopt"
+        rlRun "./test_open CTX_FILE NULL NULL 0 0 2147483647" 22,139
+        rlRun "./test_open CTX_MEDIA NULL NULL 0 0 2147483647" 22,139
+        rlRun "./test_open CTX_X NULL NULL 0 0 2147483647" 22,139
+        rlRun "./test_open CTX_DB NULL NULL 0 0 2147483647" 22,139
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 0 0 2147483647" 22,139
+        fi
+
+        rlRun "./test_open CTX_FILE NULL NULL 0 0 1"
+        rlRun "./test_open CTX_MEDIA NULL NULL 0 0 1"
+        rlRun "./test_open CTX_X NULL NULL 0 0 1"
+        rlRun "./test_open CTX_DB NULL NULL 0 0 1"
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 0 0 1"
+        fi
+
+        rlRun "./test_open CTX_FILE NULL NULL 0 0 0"
+        rlRun "./test_open CTX_MEDIA NULL NULL 0 0 0"
+        rlRun "./test_open CTX_X NULL NULL 0 0 0"
+        rlRun "./test_open CTX_DB NULL NULL 0 0 0"
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 0 0 0"
+        fi
+
+        rlRun "./test_open CTX_FILE NULL NULL 0 0 -1" 22,139
+        rlRun "./test_open CTX_MEDIA NULL NULL 0 0 -1" 22,139
+        rlRun "./test_open CTX_X NULL NULL 0 0 -1" 22,139
+        rlRun "./test_open CTX_DB NULL NULL 0 0 -1" 22,139
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 0 0 -1" 22,139
+        fi
+
+        rlLogInfo "Path option"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 0 0"
+        rlRun "./test_open CTX_MEDIA $TmpDir/my_contexts NULL 0 0"
+        rlRun "./test_open CTX_X $TmpDir/my_contexts NULL 0 0"
+        rlRun "./test_open CTX_DB $TmpDir/my_contexts NULL 0 0"
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP $TmpDir/my_contexts NULL 0 0"
+        fi
+
+        rlRun "./test_open CTX_FILE /nonexistent NULL 0 0" 2
+        rlRun "./test_open CTX_MEDIA /nonexistent NULL 0 0" 2
+        rlRun "./test_open CTX_X /nonexistent NULL 0 0" 2
+        rlRun "./test_open CTX_DB /nonexistent NULL 0 0" 2
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP /nonexistent NULL 0 0" 2
+        fi
+
+        rlLogInfo "Subset option"
+        rlRun "./test_open CTX_FILE NULL /etc 0 0"
+
+        rlLogInfo "Baseonly option"
+        rlRun "./test_open CTX_FILE NULL NULL 0 1"
+
+        rlLogInfo "Validate option"
+        rlRun "./test_open CTX_FILE NULL NULL 1 0"
+        rlRun "./test_open CTX_MEDIA NULL NULL 1 0"
+        rlRun "./test_open CTX_X NULL NULL 1 0"
+        rlRun "./test_open CTX_DB NULL NULL 1 0"
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_open CTX_ANDROID_PROP NULL NULL 1 0"
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "selabel_lookup and selabel_lookup_raw"
+        rlLogInfo "Handle"
+        rlRun "./test_lookup CTX_FILE NULL NULL 0 0 some_input 0 nohandle" 139
+        rlRun "./test_lookup CTX_MEDIA NULL NULL 0 0 some_input 0 nohandle" 139
+        rlRun "./test_lookup CTX_X NULL NULL 0 0 some_input 0 nohandle" 139
+        rlRun "./test_lookup CTX_DB NULL NULL 0 0 some_input 0 nohandle" 139
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_lookup CTX_ANDROID_PROP NULL NULL 0 0 some_input 0 nohandle" 139
+        fi
+
+        rlLogInfo "Path"
+        if rlIsRHEL 6; then
+            rlRun "./test_lookup CTX_FILE NULL NULL 0 0 NULL 0" 2,139
+            rlRun "./test_lookup CTX_MEDIA NULL NULL 0 0 NULL 0" 2,139
+            rlRun "./test_lookup CTX_X NULL NULL 0 0 NULL 0" 2,139
+            rlRun "./test_lookup CTX_DB NULL NULL 0 0 NULL 0" 2,139
+        else
+            rlRun "./test_lookup CTX_FILE NULL NULL 0 0 NULL 0" 22
+            rlRun "./test_lookup CTX_MEDIA NULL NULL 0 0 NULL 0" 22
+            rlRun "./test_lookup CTX_X NULL NULL 0 0 NULL 0" 22
+            rlRun "./test_lookup CTX_DB NULL NULL 0 0 NULL 0" 22
+            # ANDROID_PROP backend does not set handle and returns NULL as handle
+            # (see test_lookup.c for handling NULL handle)
+            rlRun "./test_lookup CTX_ANDROID_PROP NULL NULL 0 0 NULL 0" 255
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "validate option"
+        rlLogInfo "Invalid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        rlRun "grep 'line' output" 1
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+one
+EOF"
+        if rlIsRHEL 6; then
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        else
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        fi
+        rlRun "grep 'line 1 is missing fields' output"
+        
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir my_user_u:my_role_r:my_type_t:s0
+EOF"
+        if rlIsFedora "<27" || rlIsRHEL "<=7"; then
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        else
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        fi
+        rlRun "grep 'line 1 has invalid context my_user_u:my_role_r:my_type_t:s0' output"
+        
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir invalid_file_type system_u:object_r:var_t:s0
+EOF"
+        if rlIsRHEL 6; then
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        else
+            rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        fi
+        rlRun "grep 'line 1 has invalid file type invalid_file_type' output"
+        
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir <<none>>
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        rlRun "grep 'line 1' output" 1
+        
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+#$TmpDir system_u:object_r:var_t:s0
+$TmpDir system_u:object_r:var_t:s0 
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        rlRun "grep 'Multiple same specifications' output" 1
+
+        rlLogInfo "Two same rules for the same path"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir system_u:object_r:var_t:s0
+$TmpDir system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        rlRun "grep 'Multiple same specifications' output"
+
+        rlLogInfo "Two different rules for the same path"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir system_u:object_r:bin_t:s0
+$TmpDir system_u:object_r:usr_t:s0
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        rlRun "grep 'Multiple different specifications' output"
+
+        rlLogInfo "Two different rules for same path but with different file type"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir -- system_u:object_r:bin_t:s0
+$TmpDir -d system_u:object_r:usr_t:s0
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 0
+        rlRun "grep 'Multiple different specifications' output" 1
+
+        rlLogInfo "Two different rules for same path one general and one with file type"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir system_u:object_r:bin_t:s0
+$TmpDir -- system_u:object_r:usr_t:s0
+EOF"
+        rlRun "./test_open CTX_FILE $TmpDir/my_contexts NULL 1 0 2> >(tee output >&2)" 22
+        rlRun "grep 'Multiple different specifications' output"
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "file contexts files"
+        rlLogInfo "subs file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir system_u:object_r:var_t:s0
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.subs <<EOF
+/somepath $TmpDir
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somepath 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+        rlRun "rm -f $TmpDir/my_contexts.subs"
+        
+        rlLogInfo "subs_dist file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir system_u:object_r:var_t:s0
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.subs_dist <<EOF
+/somepath $TmpDir
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somepath 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+        rlRun "rm -f $TmpDir/my_contexts.subs_dist"
+
+        rlLogInfo "local file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.local <<EOF
+$TmpDir system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+        rlRun "rm -f $TmpDir/my_contexts.local"
+
+        rlLogInfo "homedirs file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.homedirs <<EOF
+$TmpDir system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+        rlRun "rm -f $TmpDir/my_contexts.homedirs"
+
+        rlLogInfo "Normal run"
+        rlRun "./test_lookup CTX_FILE NULL NULL 0 0 /nonexistent 0 | tee output" 0 \
+            "Run selabel_lookup"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:etc_runtime_t:s0' output" 0 \
+            "Check context returned by selabel_lookup"
+        rlRun "grep 'selabel_lookup_raw context: system_u:object_r:etc_runtime_t:s0' output" 0 \
+            "Check context returned by selabel_lookup_raw"
+
+        rlLogInfo "Context is <<none>>"
+        rlRun "./test_lookup CTX_FILE NULL NULL 0 0 /tmp/somefile 0 2> >(tee output >&2)" 2 \
+            "Run selabel_lookup on file with default context <<none>>"
+        rlRun "grep 'selabel_lookup - ERROR: No such file or directory' output" 0
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "media contexts files"
+        rlLogInfo "Valid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+floppy system_u:object_r:tmp_t:s0
+cdrom system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+floppy system_u:object_r:tmp_t:s0
+floppy system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+
+        rlLogInfo "No entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 2> >(tee output >&2)" 2
+        rlRun "grep 'selabel_lookup - ERROR: No such file or directory' output"
+
+        rlLogInfo "Invalid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+floppy
+EOF"
+        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 is missing fields' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+floppy some_u:some_r:some_t:s0
+EOF"
+        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 2> >(tee output >&2)" 22
+        rlRun "grep 'has invalid context some_u:some_r:some_t:s0' output"
+
+#        defaultContext=$(cat /etc/selinux/targeted/contexts/removable_context)
+
+#        rlLogInfo "empty contexts file"
+#        rlRun "cat > $TmpDir/my_contexts <<EOF
+#EOF"
+#        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 | tee output" 0
+#        rlRun "grep 'selabel_lookup context: $defaultContext' output" 0
+
+#        rlLogInfo "invalid contexts file"
+#        rlRun "cat > $TmpDir/my_contexts <<EOF
+#some_removable some_u:some_r:some_t:s0
+#EOF"
+#        rlRun "./test_lookup CTX_MEDIA $TmpDir/my_contexts NULL 1 0 floppy 0 | tee output" 0
+#        rlRun "grep 'selabel_lookup context: $defaultContext' output" 0
+
+        rlLogInfo "CTX_MEDIA backend"
+        # syntax: ./test_lookup CTX_MEDIA OPT_PATH NULL OPT_VALIDATE 0 path 0
+
+        rlLogInfo "Normal run"
+        rlRun "./test_lookup CTX_MEDIA NULL NULL 0 0 floppy 0 | tee output" 0 \
+            "Run selabel_lookup"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:removable_device_t:s0' output" 0 \
+            "Check context returned by selabel_lookup"
+        rlRun "grep 'selabel_lookup_raw context: system_u:object_r:removable_device_t:s0' output" 0 \
+            "Check context returned by selabel_lookup_raw"
+    rlPhaseEnd
+
+    rlPhaseStartTest "x contexts files"
+        rlLogInfo "Valid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+client * system_u:object_r:tmp_t:s0
+selection PRIMARY system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output"
+
+        rlLogInfo "Comments and empty lines"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+# some comment
+client * system_u:object_r:tmp_t:s0
+
+selection PRIMARY system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output"
+
+        rlLogInfo "Object names"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property * system_u:object_r:tmp_t:s0
+selection * system_u:object_r:var_t:s0
+extension * system_u:object_r:usr_t:s0
+event * system_u:object_r:man_t:s0
+client * system_u:object_r:lib_t:s0
+poly_property * system_u:object_r:bin_t:s0
+poly_selection * system_u:object_r:remote_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_SELN | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_EXT | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_EVENT | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:man_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_CLIENT | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:lib_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_POLYPROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:bin_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 '*' X_POLYSELN | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:remote_t:s0' output"
+
+        rlLogInfo "Empty file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN" 2
+
+        rlLogInfo "Invalid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 is missing fields' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property *
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 is missing fields' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+some_property * system_u:object_r:tmp_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 PRIMARY X_SELN 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 has invalid object type some_property' output"
+
+        rlLogInfo "Wildcard matching"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property * system_u:object_r:tmp_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 SOME_PROPERTY X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property CUT_BUFFER0 system_u:object_r:tmp_t:s0
+property * system_u:object_r:usr_t:s0
+property CUT_BUFFER1 system_u:object_r:var_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 CUT_BUFFER0 X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 CUT_BUFFER1 X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 CUT_BUFFER2 X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+
+        rlLogInfo "Substitution matching"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+property CUT_BUFFER? system_u:object_r:tmp_t:s0
+EOF"
+        rlRun "./test_lookup CTX_X $TmpDir/my_contexts NULL 1 0 CUT_BUFFER3 X_PROP | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+
+        rlLogInfo "Normal run"
+        rlRun "./test_lookup CTX_X NULL NULL 0 0 asdf X_CLIENT | tee output" 0 \
+            "Run selabel_lookup"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:remote_t:s0' output" 0 \
+            "Check context returned by selabel_lookup"
+        rlRun "grep 'selabel_lookup_raw context: system_u:object_r:remote_t:s0' output" 0 \
+            "Check context returned by selabel_lookup_raw"
+    rlPhaseEnd
+
+    rlPhaseStartTest "db contexts files"
+        rlLogInfo "Valid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+db_database     my_database     system_u:object_r:sepgsql_db_t:s0
+db_schema       my_schema       system_u:object_r:sepgsql_schema_t:s0
+db_view         my_view         system_u:object_r:sepgsql_view_t:s0
+db_table        my_table        system_u:object_r:sepgsql_table_t:s0
+db_column       my_column       system_u:object_r:var_t:s0
+db_tuple        my_tuple        system_u:object_r:tmp_t:s0
+db_procedure    my_procedure    system_u:object_r:sepgsql_proc_exec_t:s0
+db_sequence     my_sequence     system_u:object_r:sepgsql_seq_t:s0
+db_blob         my_blob         system_u:object_r:sepgsql_blob_t:s0
+EOF"
+        if rlIsRHEL ">=7" || rlIsFedora; then
+            rlRun "cat >> $TmpDir/my_contexts <<EOF
+db_language     my_language     system_u:object_r:sepgsql_lang_t:s0
+db_exception    my_exception    system_u:object_r:usr_t:s0
+db_datatype     my_datatype     system_u:object_r:bin_t:s0
+EOF"
+        fi
+
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_db_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_schema DB_SCHEMA | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_schema_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_view DB_VIEW | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_view_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_table DB_TABLE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_table_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_column DB_COLUMN | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_tuple DB_TUPLE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:tmp_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_procedure DB_PROCEDURE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_proc_exec_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_sequence DB_SEQUENCE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_seq_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_blob DB_BLOB | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_blob_t:s0' output"
+
+        if rlIsRHEL ">=7" || rlIsFedora; then
+            rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_language DB_LANGUAGE | tee output" 0
+            rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_lang_t:s0' output"
+            rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_exception DB_EXCEPTION | tee output" 0
+            rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+            rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_datatype DB_DATATYPE | tee output" 0
+            rlRun "grep 'selabel_lookup context: system_u:object_r:bin_t:s0' output"
+        fi
+
+        rlLogInfo "Comments and empty lines"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+# something
+
+db_database     my_database     system_u:object_r:sepgsql_db_t:s0
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_db_t:s0' output"
+
+        rlLogInfo "Wildcard matching"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+db_database     my_database     system_u:object_r:var_t:s0
+db_database     my_database*    system_u:object_r:bin_t:s0
+db_database     *               system_u:object_r:usr_t:s0
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database_asdf DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:bin_t:s0' output"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_asdf DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+db_database     *       system_u:object_r:usr_t:s0
+db_database     my_*    system_u:object_r:bin_t:s0
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database DB_DATABASE | tee output" 0
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output"
+
+        rlLogInfo "Empty file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 1 0 my_database DB_DATABASE " 2
+
+        rlLogInfo "Invalid entries"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+one
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 0 0 my_database DB_DATABASE 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 has invalid format' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+one two
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 0 0 my_database DB_DATABASE 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 has invalid format' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+one two three
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 0 0 my_database DB_DATABASE 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 has invalid object type one' output"
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+one two three four
+EOF"
+        rlRun "./test_lookup CTX_DB $TmpDir/my_contexts NULL 0 0 my_database DB_DATABASE 2> >(tee output >&2)" 2
+        rlRun "grep 'line 1 has invalid format' output"
+
+        rlLogInfo "Normal run"
+        rlRun "./test_lookup CTX_DB NULL NULL 0 0 my_database DB_DATABASE | tee output"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:sepgsql_db_t:s0' output"
+        rlRun "grep 'selabel_lookup_raw context: system_u:object_r:sepgsql_db_t:s0' output"
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "baseonly option"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir.* system_u:object_r:var_t:s0
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.subs <<EOF
+/somepath $TmpDir
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.local <<EOF
+$TmpDir/local system_u:object_r:bin_t:s0
+EOF"
+        rlRun "cat > $TmpDir/my_contexts.homedirs <<EOF
+$TmpDir/homedirs system_u:object_r:usr_t:s0
+EOF"
+
+        # without baseonly option, the rule in my_contexts will be overridden
+        # by a rule in my_contexts.local file
+        # .subs file should work even with baseonly option
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somepath/local 0 | tee output" 0 \
+            "Running selabel_open without baseonly option"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:bin_t:s0' output" 0
+
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 1 /somepath/local 0 | tee output" 0 \
+            "Running selabel_open with baseonly option"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+
+        # without baseonly option, the rule in my_contexts will be overridden
+        # by a rule in my_contexts.homedirs file
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somepath/homedirs 0 | tee output" 0 \
+            "Running selabel_open without baseonly option"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:usr_t:s0' output" 0
+
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 1 /somepath/homedirs 0 | tee output" 0 \
+            "Running selabel_open with baseonly option"
+        rlRun "grep 'selabel_lookup context: system_u:object_r:var_t:s0' output" 0
+
+        rlRun "rm -f $TmpDir/my_contexts.subs"
+        rlRun "rm -f $TmpDir/my_contexts.local"
+        rlRun "rm -f $TmpDir/my_contexts.homedirs"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "selabel_lookup advanced tests"
+        rlLogInfo "Custom file contexts file"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir my_user_u:my_role_r:my_type_t:s0
+EOF"
+
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: my_user_u:my_role_r:my_type_t:s0' output" 0
+
+        rlLogInfo "Rules for different file types"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+$TmpDir -- user_u:role_r:regular_type_t:s0
+$TmpDir -b user_u:role_r:block_type_t:s0
+$TmpDir -c user_u:role_r:char_type_t:s0
+$TmpDir -d user_u:role_r:dir_type_t:s0
+$TmpDir -p user_u:role_r:pipe_type_t:s0
+$TmpDir -l user_u:role_r:symlink_type_t:s0
+$TmpDir -s user_u:role_r:socket_type_t:s0
+EOF"
+
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0010000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:pipe_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0020000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:char_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0040000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:dir_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0060000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:block_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0100000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:regular_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0120000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:symlink_type_t:s0' output"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 $TmpDir 0140000 | tee output"
+        rlRun "grep 'selabel_lookup context: user_u:role_r:socket_type_t:s0' output"
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "selabel_partial_match"
+        # syntax: ./test_partial BACKEND OPT_PATH OPT_SUBSET OPT_VALIDATE OPT_BASEONLY path [nohandle]
+
+        rlLogInfo "nonsupporting backends"
+        rlRun "./test_partial CTX_MEDIA NULL NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: true' output" 0
+        rlRun "./test_partial CTX_DB NULL NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: true' output" 0
+        rlRun "./test_partial CTX_X NULL NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: true' output" 0
+
+        rlLogInfo "null as handle"
+        rlRun "./test_partial CTX_FILE NULL NULL 0 0 /somedir nohandle" 22,139
+        
+        rlLogInfo "nonexisting entry"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        rlRun "./test_partial CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: false' output" 0
+
+        rlLogInfo "full match"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/somedir user_u:role_r:type_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: user_u:role_r:type_t:s0' output"
+
+        rlRun "./test_partial CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: true' output" 0
+
+        rlLogInfo "partial match"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/somedir42 user_u:role_r:type_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        rlRun "./test_partial CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir | tee output" 0
+        rlRun "grep 'selabel_partial_match: true' output" 0
+    rlPhaseEnd
+    fi
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "selabel_best_match"
+        # syntax: ./test_best BACKEND OPT_PATH OPT_SUBSET OPT_VALIDATE OPT_BASEONLY path mode [nohandle]
+
+        rlLogInfo "nonsupported backends"
+        rlRun "./test_best CTX_MEDIA NULL NULL 0 0 /somedir 0" 95
+        rlRun "./test_best CTX_DB NULL NULL 0 0 /somedir 0" 95
+        rlRun "./test_best CTX_X NULL NULL 0 0 /somedir 0" 95
+
+        rlLogInfo "null as handle"
+        rlRun "./test_best CTX_FILE NULL NULL 0 0 /somedir 0 nohandle" 22,139
+
+        rlLogInfo "null as key"
+        rlRun "./test_best CTX_FILE NULL NULL 0 0 NULL 0" 22
+
+        rlLogInfo "nonexisting entry"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        rlLogInfo "exact match without aliases"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/somedir user_u:role_r:type_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: user_u:role_r:type_t:s0' output"
+
+        # same as selabel_lookup
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:type_t:s0' output"
+
+        rlLogInfo "regex match without aliases"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/some.* user_u:role_r:type_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: user_u:role_r:type_t:s0' output"
+
+        # same as selabel_lookup
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:type_t:s0' output"
+
+        rlLogInfo "exact match with exactly matching alias"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/somedir user_u:role_r:orig_t:s0
+/somesymlink user_u:role_r:link_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: user_u:role_r:orig_t:s0' output"
+
+        # original context should be chosen when found
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 /somesymlink | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:orig_t:s0' output"
+
+        rlLogInfo "no match with exactly matching alias"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/somesymlink user_u:role_r:type_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        # when there is no context for path, alias context should be chosen
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 /somesymlink | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:type_t:s0' output"
+
+        rlLogInfo "no match with multiple exactly matching aliases"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/firstsymlink user_u:role_r:first_t:s0
+/secondsymlink user_u:role_r:second_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        # with no context for path and multiple aliases, first exact match should be chosen
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 /firstsymlink /secondsymlink | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:first_t:s0' output"
+
+        rlLogInfo "no match with multiple regex matching aliases"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/short.* user_u:role_r:short_t:s0
+/verylong.* user_u:role_r:long_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0" 2
+
+        # with no context for path and multiple regex aliases, match with longest prefix should be chosen
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 /shortsymlink /verylongsymlink | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:long_t:s0' output"
+
+        rlLogInfo "regex match with multiple regex matching aliases"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+/some.* user_u:role_r:orig_t:s0
+/short.* user_u:role_r:short_t:s0
+/verylong.* user_u:role_r:long_t:s0
+EOF"
+        rlRun "./test_lookup CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 | tee output" 0
+        rlRun "grep 'selabel_lookup context: user_u:role_r:orig_t:s0' output"
+
+        # with regex matching context for path and multiple regex aliases, match with longest prefix should be chosen
+        # (among both original path and aliases)
+        rlRun "./test_best CTX_FILE $TmpDir/my_contexts NULL 0 0 /somedir 0 /shortsymlink /verylongsymlink | tee output" 0
+        rlRun "grep 'selabel_lookup_best_match context: user_u:role_r:long_t:s0' output"
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartTest "selabel_stats"
+        # syntax: ./test_stats BACKEND OPT_PATH OPT_VALIDATE [nohandle]
+
+        rlLogInfo "calling selabel_test - not checking output"
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        rlRun "./test_stats CTX_FILE $TmpDir/my_contexts 0" 0
+        rlRun "./test_stats CTX_MEDIA $TmpDir/my_contexts 0" 0
+        rlRun "./test_stats CTX_X $TmpDir/my_contexts 0" 0
+        rlRun "./test_stats CTX_DB $TmpDir/my_contexts 0" 0
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_stats CTX_ANDROID_PROP $TmpDir/my_contexts 0" 0
+        fi
+        
+        rlRun "./test_stats CTX_FILE $TmpDir/my_contexts 0 nohandle" 139
+    rlPhaseEnd
+
+    if rlIsRHEL ">=7" || rlIsFedora; then
+    rlPhaseStartTest "selabel_digest"
+        # syntax: ./test_digest BACKEND OPT_PATH OPT_VALIDATE OPT_DIGEST [nohandle]
+
+        rlRun "./test_digest CTX_FILE NULL 0 0" 22
+        rlRun "./test_digest CTX_FILE NULL 0 0 nohandle" 139
+
+        rlRun "./test_digest CTX_FILE NULL 0 1" 0
+        rlRun "./test_digest CTX_MEDIA NULL 0 1" 0
+        rlRun "./test_digest CTX_X NULL 0 1" 0
+        rlRun "./test_digest CTX_DB NULL 0 1" 0
+
+        rlRun "cat > $TmpDir/my_contexts <<EOF
+EOF"
+        if rlIsRHEL "7" || rlIsFedora "<26"; then
+            rlRun "./test_digest CTX_ANDROID_PROP $TmpDir/my_contexts 0 1" 0
+        fi
+    rlPhaseEnd
+    fi
+
+    rlPhaseStartCleanup
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+        rlRun "rm -f test_open test_lookup test_partial test_best test_stats test_digest output"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/selabel-functions/test_best.c

@@ -0,0 +1,159 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_SUBSET, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 },
+        { SELABEL_OPT_BASEONLY, (char *) 1 }
+    };
+
+    if (argc < 8) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+    if ((argc == 9) && (strcmp(argv[8], "nohandle") == 0)) {
+        hnd = NULL;
+    }
+    else {
+        // set file contexts path
+        if (strcmp(argv[2], "NULL") == 0) {
+            selabel_option[0].value = NULL;
+        }
+        else {
+            selabel_option[0].value = argv[2];
+        }
+
+        // set subset
+        if (strcmp(argv[3], "NULL") == 0) {
+            selabel_option[1].value = NULL;
+        }
+        else {
+            selabel_option[1].value = argv[3];
+        }
+
+        // set validate
+        if (strcmp(argv[4], "0") == 0) {
+            selabel_option[2].value = NULL;
+        }
+        else {
+            selabel_option[2].value = (char *) 1;
+        }
+
+        // set baseonly
+        if (strcmp(argv[5], "0") == 0) {
+            selabel_option[3].value = NULL;
+        }
+        else {
+            selabel_option[3].value = (char *) 1;
+        }
+
+        printf("selabel_options: "); 
+        printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+        printf("SELABEL_OPT_SUBSET = %s, ", selabel_option[1].value);
+        printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[2].value);
+        printf("SELABEL_OPT_BASEONLY = %ld\n", (long int)(intptr_t) selabel_option[3].value);
+
+        printf("Executing: selabel_open(SELABEL_%s, &selabel_option, 4)\n", argv[1]);
+
+        errno = 0;
+
+        if ((hnd = selabel_open(backend, selabel_option, 4)) == NULL) {
+            perror("selabel_open - ERROR");
+            return 255;
+        }
+    }
+
+    int result;
+    security_context_t selabel_context;
+    char *path;
+
+    if (strcmp(argv[6], "NULL") == 0) {
+        path = NULL;
+    }
+    else {
+        path = argv[6];
+    }
+
+    // notice the base 8
+    int mode = strtol(argv[7], NULL, 8);
+
+    int alias_cnt = argc-8;
+    const char **aliases = malloc((alias_cnt + 1)*sizeof(const char *));
+
+    if (aliases == NULL)
+        return 255;
+
+    printf("aliases:");
+
+    for (int i = 0; i < alias_cnt; i++) {
+        aliases[i] = argv[8 + i];
+        printf(" %s", argv[8 + i]);
+    }
+
+    printf("\n");
+
+    aliases[alias_cnt] = NULL;
+
+    printf("Executing: selabel_lookup_best_match(hnd, &selabel_context, %s, aliases, %d)\n", path, mode);
+
+    errno = 0;
+    int e1 = 0, e2 = 0;
+
+    if ((result = selabel_lookup_best_match(hnd, &selabel_context, path, aliases, mode)) == -1) {
+        e1 = errno;
+        perror("selabel_lookup_best_match - ERROR");
+    }
+    else {
+        printf("selabel_lookup_best_match context: %s\n", selabel_context);
+        freecon(selabel_context);
+    }
+
+    printf("Executing: selabel_lookup_best_match_raw(hnd, &selabel_context, %s, aliases, %d)\n", path, mode);
+
+    errno = 0;
+
+    if ((result = selabel_lookup_best_match_raw(hnd, &selabel_context, path, aliases, mode)) == -1) {
+        e2 = errno;
+        perror("selabel_lookup_best_match_raw - ERROR");
+    }
+    else {
+        printf("selabel_lookup_best_match_raw context: %s\n", selabel_context);
+        freecon(selabel_context);
+    }
+
+    if (hnd != NULL)
+        selabel_close(hnd);
+
+    if (e1 == e2)
+        return e1;
+    else
+        return 255;
+}

tests/selabel-functions/test_digest.c

@@ -0,0 +1,121 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 },
+        { SELABEL_OPT_DIGEST, (char *) 1 }
+    };
+
+    if (argc < 5) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+
+    if ((argc == 6) && (strcmp(argv[5], "nohandle") == 0)) {
+        hnd = NULL;
+    }
+    else {
+        // set file contexts path
+        if (strcmp(argv[2], "NULL") == 0) {
+            selabel_option[0].value = NULL;
+        }
+        else {
+            selabel_option[0].value = argv[2];
+        }
+
+        // set validate
+        if (strcmp(argv[3], "0") == 0) {
+            selabel_option[1].value = NULL;
+        }
+        else {
+            selabel_option[1].value = (char *) 1;
+        }
+
+        // set digest
+        if (strcmp(argv[4], "0") == 0) {
+            selabel_option[2].value = NULL;
+        }
+        else {
+            selabel_option[2].value = (char *) 1;
+        }
+
+        printf("selabel_options: "); 
+        printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+        printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[1].value);
+        printf("SELABEL_OPT_DIGEST = %ld, ", (long int)(intptr_t) selabel_option[2].value);
+
+        printf("Executing: selabel_open(SELABEL_%s, &selabel_option, 3)\n", argv[1]);
+
+        errno = 0;
+
+        if ((hnd = selabel_open(backend, selabel_option, 3)) == NULL) {
+            perror("selabel_open - ERROR");
+            return 255;
+        }
+    }
+
+    unsigned char *digest;
+    size_t digest_len;
+    char **specfiles;
+    size_t num_specfiles;
+    int result, e = 0;
+
+    printf("Executing: selabel_digest(hnd, digest, digest_len, specfiles, num_specfiles)\n");
+    
+    errno = 0;
+    
+    if ((result = selabel_digest(hnd, &digest, &digest_len, &specfiles, &num_specfiles)) == -1) {
+        e = errno;
+        perror("selabel_digest - ERROR");
+    }
+    else {
+        printf("digest_len: %lu\n", digest_len);
+
+        printf("digest: ");
+
+        for (size_t i = 0; i < digest_len; i++)
+            printf("%2x", digest[i]);
+
+        printf("\n");
+
+        printf("num_specfiles: %lu\n", num_specfiles);
+
+        printf("specfiles:\n");
+
+        for (size_t i = 0; i < num_specfiles; i++)
+            printf("specfile: %s\n", specfiles[i]);
+    }
+
+    if (hnd != NULL)
+        selabel_close(hnd);
+
+    return e;
+}

tests/selabel-functions/test_lookup.c

@@ -0,0 +1,189 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_SUBSET, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 },
+        { SELABEL_OPT_BASEONLY, (char *) 1 }
+    };
+
+    if (argc < 8) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+
+    if ((argc == 9) && (strcmp(argv[8], "nohandle") == 0)) {
+        hnd = NULL;
+    }
+    else {
+        // set file contexts path
+        if (strcmp(argv[2], "NULL") == 0) {
+            selabel_option[0].value = NULL;
+        }
+        else {
+            selabel_option[0].value = argv[2];
+        }
+
+        // set subset
+        if (strcmp(argv[3], "NULL") == 0) {
+            selabel_option[1].value = NULL;
+        }
+        else {
+            selabel_option[1].value = argv[3];
+        }
+
+        // set validate
+        if (strcmp(argv[4], "0") == 0) {
+            selabel_option[2].value = NULL;
+        }
+        else {
+            selabel_option[2].value = (char *) 1;
+        }
+
+        // set baseonly
+        if (strcmp(argv[5], "0") == 0) {
+            selabel_option[3].value = NULL;
+        }
+        else {
+            selabel_option[3].value = (char *) 1;
+        }
+
+        printf("selabel_options: "); 
+        printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+        printf("SELABEL_OPT_SUBSET = %s, ", selabel_option[1].value);
+        printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[2].value);
+        printf("SELABEL_OPT_BASEONLY = %ld\n", (long int)(intptr_t) selabel_option[3].value);
+
+        printf("Executing: selabel_open(SELABEL_%s, &selabel_option, 4)\n", argv[1]);
+
+        errno = 0;
+
+        if ((hnd = selabel_open(backend, selabel_option, 4)) == NULL) {
+            perror("selabel_open - ERROR");
+            return 255;
+        }
+    }
+
+    int result;
+    security_context_t selabel_context;
+    char *path;
+    int mode;
+    
+    if (strcmp(argv[7], "X_PROP") == 0)
+        mode = SELABEL_X_PROP;
+    else if (strcmp(argv[7], "X_SELN") == 0)
+        mode = SELABEL_X_SELN;
+    else if (strcmp(argv[7], "X_EXT") == 0)
+        mode = SELABEL_X_EXT;
+    else if (strcmp(argv[7], "X_EVENT") == 0)
+        mode = SELABEL_X_EVENT;
+    else if (strcmp(argv[7], "X_CLIENT") == 0)
+        mode = SELABEL_X_CLIENT;
+    else if (strcmp(argv[7], "X_POLYPROP") == 0)
+        mode = SELABEL_X_POLYPROP;
+    else if (strcmp(argv[7], "X_POLYSELN") == 0)
+        mode = SELABEL_X_POLYSELN;
+    else if (strcmp(argv[7], "DB_DATABASE") == 0)
+        mode = SELABEL_DB_DATABASE;
+    else if (strcmp(argv[7], "DB_SCHEMA") == 0)
+        mode = SELABEL_DB_SCHEMA;
+    else if (strcmp(argv[7], "DB_VIEW") == 0)
+        mode = SELABEL_DB_VIEW;
+    else if (strcmp(argv[7], "DB_TABLE") == 0)
+        mode = SELABEL_DB_TABLE;
+    else if (strcmp(argv[7], "DB_COLUMN") == 0)
+        mode = SELABEL_DB_COLUMN;
+    else if (strcmp(argv[7], "DB_TUPLE") == 0)
+        mode = SELABEL_DB_TUPLE;
+    else if (strcmp(argv[7], "DB_PROCEDURE") == 0)
+        mode = SELABEL_DB_PROCEDURE;
+    else if (strcmp(argv[7], "DB_SEQUENCE") == 0)
+        mode = SELABEL_DB_SEQUENCE;
+    else if (strcmp(argv[7], "DB_BLOB") == 0)
+        mode = SELABEL_DB_BLOB;
+#ifndef RHEL6
+    else if (strcmp(argv[7], "DB_LANGUAGE") == 0)
+        mode = SELABEL_DB_LANGUAGE;
+    else if (strcmp(argv[7], "DB_EXCEPTION") == 0)
+        mode = SELABEL_DB_EXCEPTION;
+    else if (strcmp(argv[7], "DB_DATATYPE") == 0)
+        mode = SELABEL_DB_DATATYPE;
+#endif
+    else
+        // notice the base 8
+        mode = strtol(argv[7], NULL, 8);
+    
+    int e1 = 0, e2 = 0;
+
+    if (strcmp(argv[6], "NULL") == 0) {
+        path = NULL;
+    }
+    else if (strcmp(argv[6], "'*'") == 0) {
+        path = "*";
+    }
+    else {
+        path = argv[6];
+    }
+
+    printf("Executing: selabel_lookup(hnd, &selabel_context, %s, %d)\n", path, mode);
+
+    errno = 0;
+    
+    if ((result = selabel_lookup(hnd, &selabel_context, path, mode)) == -1) {
+        e1 = errno;
+        perror("selabel_lookup - ERROR");
+    }
+    else {
+        printf("selabel_lookup context: %s\n", selabel_context);
+        freecon(selabel_context);
+    }
+
+    printf("Executing: selabel_lookup_raw(hnd, &selabel_context, %s, %d)\n", path, mode);
+
+    errno = 0;
+    
+    if ((result = selabel_lookup_raw(hnd, &selabel_context, path, mode)) == -1) {
+        e2 = errno;
+        perror("selabel_lookup_raw - ERROR");
+    }
+    else {
+        printf("selabel_lookup_raw context: %s\n", selabel_context);
+        freecon(selabel_context);
+    }
+
+    if (hnd != NULL)
+        selabel_close(hnd);
+
+    if (e1 == e2)
+        return e1;
+    else
+        return 255;
+}

tests/selabel-functions/test_open.c

@@ -0,0 +1,100 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    int nopt = 0;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_SUBSET, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 },
+        { SELABEL_OPT_BASEONLY, (char *) 1 }
+    };
+
+    if (argc < 6) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+    // set file contexts path
+    if (strcmp(argv[2], "NULL") == 0) {
+        selabel_option[0].value = NULL;
+	}
+	else {
+        selabel_option[0].value = argv[2];
+	}
+
+    // set subset
+    if (strcmp(argv[3], "NULL") == 0) {
+        selabel_option[1].value = NULL;
+	}
+	else {
+        selabel_option[1].value = argv[3];
+	}
+
+    // set validate
+    if (strcmp(argv[4], "0") == 0) {
+        selabel_option[2].value = NULL;
+	}
+	else {
+        selabel_option[2].value = (char *) 1;
+	}
+
+    // set baseonly
+    if (strcmp(argv[5], "0") == 0) {
+        selabel_option[3].value = NULL;
+	}
+	else {
+        selabel_option[3].value = (char *) 1;
+	}
+
+    if (argc == 7) {
+        nopt = strtol(argv[6], NULL, 10);
+    }
+    else {
+        nopt = 4;
+    }
+
+    printf("selabel_options: "); 
+    printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+    printf("SELABEL_OPT_SUBSET = %s, ", selabel_option[1].value);
+    printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[2].value);
+    printf("SELABEL_OPT_BASEONLY = %ld\n", (long int)(intptr_t) selabel_option[3].value);
+
+    printf("Executing: selabel_open(SELABEL_%s, &selabel_option, %d)\n\n", argv[1], nopt);
+
+    errno = 0;
+
+    if ((hnd = selabel_open(backend, selabel_option, nopt)) == NULL) {
+        int e = errno;
+        perror("selabel_open - ERROR");
+        return e;
+    }
+
+    selabel_close(hnd);
+    return 0;
+}

tests/selabel-functions/test_partial.c

@@ -0,0 +1,115 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_SUBSET, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 },
+        { SELABEL_OPT_BASEONLY, (char *) 1 }
+    };
+
+    if (argc < 7) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+    if ((argc == 8) && (strcmp(argv[7], "nohandle") == 0)) {
+        hnd = NULL;
+    }
+    else {
+        // set file contexts path
+        if (strcmp(argv[2], "NULL") == 0) {
+            selabel_option[0].value = NULL;
+        }
+        else {
+            selabel_option[0].value = argv[2];
+        }
+
+        // set subset
+        if (strcmp(argv[3], "NULL") == 0) {
+            selabel_option[1].value = NULL;
+        }
+        else {
+            selabel_option[1].value = argv[3];
+        }
+
+        // set validate
+        if (strcmp(argv[4], "0") == 0) {
+            selabel_option[2].value = NULL;
+        }
+        else {
+            selabel_option[2].value = (char *) 1;
+        }
+
+        // set baseonly
+        if (strcmp(argv[5], "0") == 0) {
+            selabel_option[3].value = NULL;
+        }
+        else {
+            selabel_option[3].value = (char *) 1;
+        }
+
+        printf("selabel_options: "); 
+        printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+        printf("SELABEL_OPT_SUBSET = %s, ", selabel_option[1].value);
+        printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[2].value);
+        printf("SELABEL_OPT_BASEONLY = %ld\n", (long int)(intptr_t) selabel_option[3].value);
+
+        printf("Executing: selabel_open(SELABEL_%s, &selabel_option, 4)\n", argv[1]);
+
+        errno = 0;
+
+        if ((hnd = selabel_open(backend, selabel_option, 4)) == NULL) {
+            int e = errno;
+            perror("selabel_open - ERROR");
+            return e;
+        }
+    }
+
+    char *path;
+
+    if (strcmp(argv[6], "NULL") == 0) {
+        path = NULL;
+    }
+    else {
+        path = argv[6];
+    }
+
+    printf("Executing: selabel_partial_match(hnd, %s)\n", path);
+
+    errno = 0;
+    
+    if (selabel_partial_match(hnd, path))
+        printf("selabel_partial_match: true\n");
+    else
+        printf("selabel_partial_match: false\n");
+
+    selabel_close(hnd);
+    return 0;
+}

tests/selabel-functions/test_stats.c

@@ -0,0 +1,83 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+
+int main (int argc, char **argv)
+{
+    struct selabel_handle *hnd = NULL;
+    unsigned int backend = 0;
+
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_PATH, NULL },
+        { SELABEL_OPT_VALIDATE, (char *) 1 }
+    };
+
+    if (argc < 4) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 255;
+    }
+
+    // set backend
+    if (strcmp(argv[1], "CTX_FILE") == 0)
+        backend = SELABEL_CTX_FILE;
+    else if (strcmp(argv[1], "CTX_MEDIA") == 0)
+        backend = SELABEL_CTX_MEDIA;
+    else if (strcmp(argv[1], "CTX_X") == 0)
+        backend = SELABEL_CTX_X;
+    else if (strcmp(argv[1], "CTX_DB") == 0)
+        backend = SELABEL_CTX_DB;
+#ifndef RHEL6
+    else if (strcmp(argv[1], "CTX_ANDROID_PROP") == 0)
+        backend = SELABEL_CTX_ANDROID_PROP;
+#endif
+    else
+        backend = strtoul(argv[1], NULL, 10);
+
+
+    if ((argc == 5) && (strcmp(argv[4], "nohandle") == 0)) {
+        hnd = NULL;
+    }
+    else {
+        // set file contexts path
+        if (strcmp(argv[2], "NULL") == 0) {
+            selabel_option[0].value = NULL;
+        }
+        else {
+            selabel_option[0].value = argv[2];
+        }
+
+        // set validate
+        if (strcmp(argv[3], "0") == 0) {
+            selabel_option[1].value = NULL;
+        }
+        else {
+            selabel_option[1].value = (char *) 1;
+        }
+
+        printf("selabel_options: "); 
+        printf("SELABEL_OPT_PATH = %s, ", selabel_option[0].value);
+        printf("SELABEL_OPT_VALIDATE = %ld, ", (long int)(intptr_t) selabel_option[1].value);
+
+        printf("Executing: selabel_open(SELABEL_%s, &selabel_option, 2)\n", argv[1]);
+
+        errno = 0;
+
+        if ((hnd = selabel_open(backend, selabel_option, 2)) == NULL) {
+            perror("selabel_open - ERROR");
+            return 255;
+        }
+    }
+
+    printf("Executing: selabel_stats(hnd)\n");
+    
+    selabel_stats(hnd);
+
+    if (hnd != NULL)
+        selabel_close(hnd);
+
+    return 0;
+}

tests/selinux_boolean_sub-function/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selinux_boolean_sub-function
+#   Description: Test selinux_boolean_sub function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selinux_boolean_sub-function
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test selinux_boolean_sub function" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-devel glibc gcc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/selinux_boolean_sub-function/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selinux_boolean_sub-function
+Description: Test selinux_boolean_sub function
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/selinux_boolean_sub-function/runtest.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selinux_boolean_sub-function
+#   Description: Test selinux_boolean_sub function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        rlRun -l "gcc test.c -o test -lselinux -Wall -Wextra -std=c99"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "./test NULL | tee output"
+        rlRun "grep 'selinux_boolean_sub: (null)' output"
+
+        rlRun "./test my_nonexisting_record | tee output"
+        rlRun "grep 'selinux_boolean_sub: my_nonexisting_record' output"
+    
+        policy_type="$(grep -E '^SELINUXTYPE=' /etc/selinux/config | cut -c13- | tr '[:upper:]' '[:lower:]' | tr -d ' ')"
+        line1="$(cat /etc/selinux/$policy_type/booleans.subs_dist | head -n 1)"
+        line2="$(cat /etc/selinux/$policy_type/booleans.subs_dist | head -n 7 | tail -n 1)"
+        line3="$(cat /etc/selinux/$policy_type/booleans.subs_dist | tail -n 1)"
+
+        input="$(echo $line1 | awk '{ print $1 }')"
+        output="$(echo $line1 | awk '{ print $2 }')"
+
+        rlRun "./test $input | tee output"
+        rlRun "grep 'selinux_boolean_sub: $output' output"
+
+        input="$(echo $line2 | awk '{ print $1 }')"
+        output="$(echo $line2 | awk '{ print $2 }')"
+
+        rlRun "./test $input | tee output"
+        rlRun "grep 'selinux_boolean_sub: $output' output"
+
+        input="$(echo $line3 | awk '{ print $1 }')"
+        output="$(echo $line3 | awk '{ print $2 }')"
+
+        rlRun "./test $input | tee output"
+        rlRun "grep 'selinux_boolean_sub: $output' output"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f test output"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/selinux_boolean_sub-function/test.c

@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+
+int main (int argc, char **argv) {
+    if (argc < 2) {
+        printf("Invalid number of arguments");
+        return -1;
+    }
+
+    char *boolean_name;
+
+    if (strcmp(argv[1], "NULL") == 0) {
+        boolean_name = NULL;
+    }
+    else {
+        boolean_name = argv[1];
+    }
+
+    printf("Executing: selinux_boolean_sub(%s)\n", boolean_name);
+
+    char *result = selinux_boolean_sub(boolean_name);
+
+    printf("selinux_boolean_sub: %s\n", result);
+
+    free(result);
+    return 0;
+}

tests/selinux_restorecon-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selinux_restorecon-functions
+#   Description: Test functions in selinux_restorecon.c
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selinux_restorecon-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test_restorecon.c test_exclude_list.c test_sehandle.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test functions in selinux_restorecon.c" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-devel glibc strace" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/selinux_restorecon-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selinux_restorecon-functions
+Description: Test functions in selinux_restorecon.c
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/selinux_restorecon-functions/runtest.sh

@@ -0,0 +1,367 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selinux_restorecon-functions
+#   Description: Test functions in selinux_restorecon.c
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+function createTestFiles {
+    rlLogInfo "Creating testing files"
+
+    TmpDir="/home/user/testdir"
+    rlRun "mkdir $TmpDir"
+
+    rlRun "pushd $TmpDir"
+
+    rlRun "mkdir -p a/b"
+
+    rlRun "touch afile"
+    rlRun "touch a/bfile"
+    rlRun "touch a/b/cfile"
+    
+    rlRun "popd"
+}
+
+function changeContext {
+    rlLogInfo "Changing context of testing files"
+
+    rlRun "pushd $TmpDir"
+
+    rlRun "chcon -t var_log_t ." 
+    rlRun "chcon -t var_log_t a"
+    rlRun "chcon -t var_log_t a/b"
+    rlRun "chcon -t var_log_t afile"
+    rlRun "chcon -t var_log_t a/bfile"
+    rlRun "chcon -t var_log_t a/b/cfile"
+    
+    rlRun "popd"
+}
+
+function deleteTestFiles {
+    rlLogInfo "Deleting testing files"
+
+    rlRun "rm -rf $TmpDir"
+}
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "strace"
+
+        rlRun -l "gcc test_restorecon.c -o test_restorecon -lselinux -pedantic -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_exclude_list.c -o test_exclude_list -lselinux -pedantic -Wall -Wextra -std=c99"
+        rlRun -l "gcc test_sehandle.c -o test_sehandle -lselinux -pedantic -Wall -Wextra -std=c99"
+
+        rlRun "useradd user"
+    rlPhaseEnd
+
+    rlPhaseStartTest "test call"
+        createTestFiles
+
+        rlRun "./test_restorecon $TmpDir" 0 "Calling selinux_restorecon"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "test call with flags"
+        createTestFiles
+
+        rlRun "./test_restorecon $TmpDir IGNORE_DIGEST IGNORE_DIGEST NOCHANGE VERBOSE PROGRESS RECURSE \
+            SET_SPECFILE_CTX REALPATH XDEV" 0 "Calling selinux_restorecon with all flags"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "invalid path"
+        rlRun "./test_restorecon EMPTY" 255 "Calling selinux_restorecon with empty path"
+
+        # should probably return both 139 (segfault) or 255, but it is not so important
+        rlRun "./test_restorecon NULL" 139,255 "Calling selinux_restorecon with null as path"
+        rlRun "./test_restorecon NULL REALPATH" 139,255 "Calling selinux_restorecon with null as path and REALPATH flag"
+        
+        rlRun "./test_restorecon /nonexistent" 255 "Calling selinux_restorecon with nonexisting path"
+    rlPhaseEnd
+
+    rlPhaseStartTest "no flags"
+        createTestFiles
+        changeContext
+
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir" 0 "Calling selinux_restorecon"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out | grep var_log_t" 1
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out | grep var_log_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out | grep var_log_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out | grep var_log_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out | grep var_log_t" 1
+        
+        rlLogInfo "Checking lsetxattr calls"
+        rlRun "grep lsetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out | grep user_home_t" 1
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out | grep user_home_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out | grep user_home_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out | grep user_home_t" 1
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out | grep user_home_t" 1
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "RECURSE flag"
+        createTestFiles
+        changeContext
+
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE" 0 "Calling selinux_restorecon with RECURSE flag"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out | grep var_log_t"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out | grep var_log_t"
+
+        rlLogInfo "Checking lsetxattr calls"
+        rlRun "grep lsetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out | grep user_home_t"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out | grep user_home_t"
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "NOCHANGE flag"
+        createTestFiles
+        changeContext
+
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE NOCHANGE" 0 "Calling selinux_restorecon with NOCHANGE flag"
+
+        rlLogInfo "Checking lsetxattr calls"
+        rlRun "grep lsetxattr strace.out" 1
+
+        rlRun "rm -f strace.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "/sys directory"
+        # directory that supports security.restorecon_last xattr
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon /var/log RECURSE NOCHANGE" 0 "Calling selinux_restorecon on /tmp"
+
+        rlRun "grep security.restorecon_last strace.out" 0
+
+        # directory that does not supports security.restorecon_last xattr
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon /sys RECURSE NOCHANGE" 0 "Calling selinux_restorecon on /sys"
+
+        rlRun "grep security.restorecon_last strace.out" 1
+
+        rlRun "rm -f strace.out"
+    rlPhaseEnd
+
+    rlPhaseStartTest "no IGNORE_DIGEST flag"
+        createTestFiles
+
+        # run restorecon first time
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE" 0 "Calling selinux_restorecon for the first time"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        # run restorecon second time
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE" 0 "Calling selinux_restorecon for the second time"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux" 1
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "IGNORE_DIGEST flag"
+        createTestFiles
+
+        # run restorecon first time
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE" 0 "Calling selinux_restorecon for the first time"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        # run restorecon second time
+        rlRun "strace -ostrace.out -s 64 ./test_restorecon $TmpDir RECURSE IGNORE_DIGEST" 0 "Calling selinux_restorecon for the second time"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "selinux_restorecon_set_exclude_list"
+        createTestFiles
+
+        # empty exclude list
+        rlRun "strace -ostrace.out -s 64 ./test_exclude_list EMPTY $TmpDir" 0 "Calling selinux_restorecon_set_exclude_list with empty list"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        # null as list
+        if rlIsFedora ">=26"; then
+            rlRun "strace -ostrace.out -s 64 ./test_exclude_list NULL $TmpDir" 139 "Calling selinux_restorecon_set_exclude_list with null as list"
+        else
+            rlRun "strace -ostrace.out -s 64 ./test_exclude_list NULL $TmpDir" 0 "Calling selinux_restorecon_set_exclude_list with null as list"
+
+            rlLogInfo "Checking lgetxattr calls"
+            rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+            rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+            rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+            rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+            rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+            rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+            rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+        fi
+
+        # exclude $TmpDir/a
+        rlRun "strace -ostrace.out -s 64 ./test_exclude_list $TmpDir/a $TmpDir" 0 "Calling selinux_restorecon_set_exclude_list"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out" 1
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out" 1
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out" 1
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out" 1
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartTest "selinux_restorecon_set_sehandle"
+        createTestFiles
+
+        # null sehandle
+        rlRun "./test_sehandle NULL $TmpDir" 139,255 "Calling selinux_restorecon_set_sehandle with null handle"
+
+        # invalid sehandle
+        rlRun "./test_sehandle INVALID $TmpDir" 139,255 "Calling selinux_restorecon_set_sehandle with invalid handle"
+
+        # default sehandle
+        rlRun "strace -ostrace.out -s 64 ./test_sehandle DEFAULT $TmpDir" 0 "Calling selinux_restorecon_set_sehandle with default handle"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        # custom sehandle
+        rlRun "strace -ostrace.out -s 64 ./test_sehandle CUSTOM $TmpDir" 0 "Calling selinux_restorecon_set_sehandle with custom handle"
+
+        rlLogInfo "Checking lgetxattr calls"
+        rlRun "grep lgetxattr strace.out | grep security.selinux > strace_xattr.out"
+
+        rlRun "grep \"\\\"$TmpDir\\\"\"             strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a\\\"\"           strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/afile\\\"\"       strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b\\\"\"         strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/bfile\\\"\"     strace_xattr.out"
+        rlRun "grep \"\\\"$TmpDir/a/b/cfile\\\"\"   strace_xattr.out"
+
+        rlRun "rm -f strace.out"
+        rlRun "rm -f strace_xattr.out"
+
+        deleteTestFiles
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f test_restorecon test_exclude_list test_sehandle"
+
+        rlRun "userdel -r user"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/selinux_restorecon-functions/test_exclude_list.c

@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/restorecon.h>
+
+int main(int argc, char **argv) {
+    char *path = NULL;
+    const char **list = NULL;
+    unsigned int flags = 0;
+
+    if (argc < 3) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 1;
+    }
+    
+    // set restorecon path
+    if (strcmp(argv[2], "EMPTY") == 0) {
+        path = "";
+    }
+    else if (strcmp(argv[2], "NULL") == 0) {
+        path = NULL;
+    }
+    else {
+        path = argv[2];
+    }
+
+    // set restorecon flags
+    flags |= SELINUX_RESTORECON_RECURSE;
+    flags |= SELINUX_RESTORECON_IGNORE_DIGEST;
+
+    // set exclude list
+    if (strcmp(argv[1], "NULL") == 0) {
+        list = NULL;
+    }
+    else if (strcmp(argv[1], "EMPTY") == 0) {
+        list = malloc(sizeof(char*));
+        list[0] = NULL;
+    }
+    else {
+        list = malloc(2*sizeof(char*));
+        list[0] = argv[1];
+        list[1] = NULL;
+    }
+
+    printf("Running selinux_restorecon_set_exclude_list();\n");
+
+    selinux_restorecon_set_exclude_list(list);
+
+    printf("Running selinux_restorecon(\"%s\", %#08x);\n", path, flags);
+
+    return selinux_restorecon(path, flags);
+}

tests/selinux_restorecon-functions/test_restorecon.c

@@ -0,0 +1,57 @@
+#include <stdio.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/restorecon.h>
+
+int main(int argc, char **argv) {
+    unsigned int flags = 0;
+    char *path = NULL;
+
+    if (argc < 2) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 1;
+    }
+
+    // set path
+    if (strcmp(argv[1], "EMPTY") == 0) {
+        path = "";
+    }
+    else if (strcmp(argv[1], "NULL") == 0) {
+        path = NULL;
+    }
+    else {
+        path = argv[1];
+    }
+    
+    // set flags (if any)
+    if (argc >= 3) {
+        for (int i = 2; i < argc; i++)
+            if (strcmp(argv[i], "IGNORE_DIGEST") == 0)
+                flags |= SELINUX_RESTORECON_IGNORE_DIGEST;
+            else if (strcmp(argv[i], "NOCHANGE") == 0)
+                flags |= SELINUX_RESTORECON_NOCHANGE;
+            else if (strcmp(argv[i], "VERBOSE") == 0)
+                flags |= SELINUX_RESTORECON_VERBOSE;
+            else if (strcmp(argv[i], "PROGRESS") == 0)
+                flags |= SELINUX_RESTORECON_PROGRESS;
+            else if (strcmp(argv[i], "RECURSE") == 0)
+                flags |= SELINUX_RESTORECON_RECURSE;
+            else if (strcmp(argv[i], "SET_SPECFILE_CTX") == 0)
+                flags |= SELINUX_RESTORECON_SET_SPECFILE_CTX;
+            else if (strcmp(argv[i], "REALPATH") == 0)
+                flags |= SELINUX_RESTORECON_REALPATH;
+            else if (strcmp(argv[i], "XDEV") == 0)
+                flags |= SELINUX_RESTORECON_XDEV;
+            else {
+                fprintf(stderr, "Invalid flag %s\n", argv[i]);
+                return 1;
+            }
+
+    }
+
+    printf("Running selinux_restorecon(\"%s\", %#08x);\n", path, flags);
+
+    return selinux_restorecon(path, flags);
+}

tests/selinux_restorecon-functions/test_sehandle.c

@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/restorecon.h>
+
+int main(int argc, char **argv) {
+    struct selabel_handle *hndl = NULL;
+    char *path = NULL;
+    unsigned int flags = 0;
+
+    if (argc < 3) {
+        fprintf(stderr, "Invalid number of arguments\n");
+        return 1;
+    }
+
+    // set restorecon path
+    if (strcmp(argv[2], "EMPTY") == 0) {
+        path = "";
+    }
+    else if (strcmp(argv[2], "NULL") == 0) {
+        path = NULL;
+    }
+    else {
+        path = argv[2];
+    }
+
+    // set restorecon flags
+    flags |= SELINUX_RESTORECON_RECURSE;
+    flags |= SELINUX_RESTORECON_IGNORE_DIGEST;
+
+    // set sehandle
+    if (strcmp(argv[1], "DEFAULT") == 0) {
+        hndl = selinux_restorecon_default_handle();
+
+        if (hndl == NULL) {
+            return 1;
+        }
+    }
+    else if (strcmp(argv[1], "INVALID") == 0) {
+        hndl = (struct selabel_handle *) 1;
+    }
+    else if (strcmp(argv[1], "NULL") == 0) {
+        hndl = NULL;
+    }
+    else if (strcmp(argv[1], "CUSTOM") == 0) {
+        struct selinux_opt options[] = {
+            { SELABEL_OPT_DIGEST, (char *)1 },
+            { SELABEL_OPT_BASEONLY, (char *)1 }
+        };
+
+        hndl = selabel_open(SELABEL_CTX_FILE, options, 2);
+    }
+
+    printf("Running selinux_restorecon_set_sehandle();\n");
+
+    selinux_restorecon_set_sehandle(hndl);
+
+    printf("Running selinux_restorecon(\"%s\", %#08x);\n", path, flags);
+
+    return selinux_restorecon(path, flags);
+}

tests/selinux_restorecon/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selinux_restorecon
+#   Description: Does selinux_restorecon work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selinux_restorecon
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does selinux_restorecon work correctly?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-utils attr" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHEL6 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+

tests/selinux_restorecon/PURPOSE

@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selinux_restorecon
+Author: Milos Malik <mmalik@redhat.com>
+
+Does selinux_restorecon work correctly? The program was added in RHEL-7.3.
+

tests/selinux_restorecon/runtest.sh

@@ -0,0 +1,77 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selinux_restorecon
+#   Description: Does selinux_restorecon work correctly?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-utils
+    rlPhaseEnd
+
+    rlPhaseStartTest "valid options / combinations"
+        rlRun "selinux_restorecon --help" 0-255
+        for CUR_DIR in /boot /etc /opt /root /usr /var ; do
+            rlRun "setfattr -x security.restorecon_last ${CUR_DIR}" 0,1
+            rlRun "getfattr -m . -d ${CUR_DIR} | grep security.restorecon_last=" 1
+            rlRun "selinux_restorecon -R -d -C ${CUR_DIR} 2>&1 | grep -i \"updated digest for.*${CUR_DIR}\"" 1
+            rlRun "getfattr -m . -d ${CUR_DIR} | grep security.restorecon_last="
+            rlRun "selinux_restorecon -R -v -d -C ${CUR_DIR} 2>&1 | grep -i \"updated digest for.*${CUR_DIR}\""
+        done
+        rlRun "chcon -u unconfined_u /root"
+        rlRun "ls -dZ /root | grep unconfined_u:"
+        rlRun "selinux_restorecon -R -v -d -C /root 2>&1 | grep -i relabeled" 1
+        rlRun "ls -dZ /root | grep unconfined_u:"
+        rlRun "selinux_restorecon -R -v -d -C -F /root 2>&1 | grep -i relabeled"
+        rlRun "ls -dZ /root | grep system_u:"
+    rlPhaseEnd
+
+    rlPhaseStartTest "invalid options / combinations"
+        rlRun "selinux_restorecon -v -P 2>&1 | grep -i \"mutually exclusive\""
+        rlRun "selinux_restorecon -f 2>&1 | grep -i \"option requires an argument\""
+        rlRun "selinux_restorecon -p 2>&1 | grep -i \"option requires an argument\""
+        rlRun "selinux_restorecon /non-existent 2>&1 | grep -i \"No such file or directory\""
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        OUTPUT_FILE=`mktemp`
+        rlRun "selinux_restorecon -R -v -C /root 2>&1 | tee ${OUTPUT_FILE}"
+        rlRun "grep -q -e /sys/fs/selinux/ -e /sys/kernel/security/ ${OUTPUT_FILE}" 1
+        rlRun "selinux_restorecon -R -v -C -r /root 2>&1 | tee ${OUTPUT_FILE}"
+        rlRun "grep -q -e /sys/fs/selinux/ -e /sys/kernel/security/ ${OUTPUT_FILE}" 1
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+

tests/selinux_sestatus-functions/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selinux_sestatus-functions
+#   Description: Test sestatus.c functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selinux_sestatus-functions
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test sestatus.c functions" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux libselinux-devel glibc" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5 -RHEL6" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/selinux_sestatus-functions/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selinux_sestatus-functions
+Description: Test sestatus.c functions
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/selinux_sestatus-functions/runtest.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selinux_sestatus-functions
+#   Description: Test sestatus.c functions
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+
+        rlRun -l "gcc test.c -o test -lselinux -pedantic -Wall -Wextra -std=c99"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "./test > res.txt"
+        rlRun -l "cat res.txt"
+
+        SELINUX_MNT=$(cat /proc/mounts | grep selinux | cut -d " " -f 2)
+
+        rlRun "grep \"(before open) selinux_status_getenforce -1\" res.txt"
+        rlRun "grep \"(before open) selinux_status_policyload -1\" res.txt"
+        rlRun "grep \"(before open) selinux_status_deny_unknown -1\" res.txt"
+        rlRun "grep \"(before open) selinux_status_updated -1\" res.txt"
+        
+        rlRun "grep \"selinux_status_open 0\" res.txt"
+        rlRun "grep \"selinux_status_getenforce $(cat $SELINUX_MNT/enforce)\" res.txt"
+        rlRun "grep -E \"selinux_status_policyload [0-9]\" res.txt"
+        rlRun "grep \"selinux_status_deny_unknown $(cat $SELINUX_MNT/deny_unknown)\" res.txt"
+        rlRun "grep \"selinux_status_updated 0\" res.txt"
+        rlRun "grep \"selinux_status_close void\" res.txt"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f test"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/selinux_sestatus-functions/test.c

@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include <selinux/selinux.h> 
+#include <selinux/avc.h> 
+
+int main(__attribute__((unused)) int argc, __attribute__((unused)) char **argv) {
+    printf("(before open) selinux_status_getenforce %d\n",
+        selinux_status_getenforce());
+
+    printf("(before open) selinux_status_policyload %d\n",
+        selinux_status_policyload());
+
+    printf("(before open) selinux_status_deny_unknown %d\n",
+        selinux_status_deny_unknown());
+
+    printf("(before open) selinux_status_updated %d\n",
+        selinux_status_updated());
+
+
+    printf("selinux_status_open %d\n",
+        selinux_status_open(1));
+
+    printf("selinux_status_getenforce %d\n",
+        selinux_status_getenforce());
+
+    printf("selinux_status_policyload %d\n",
+        selinux_status_policyload());
+
+    printf("selinux_status_deny_unknown %d\n",
+        selinux_status_deny_unknown());
+
+    printf("selinux_status_updated %d\n",
+        selinux_status_updated());
+
+    printf("selinux_status_close void\n");
+    selinux_status_close();
+
+    return 0;
+}

tests/selinux_set_callback/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/selinux_set_callback
+#   Description: Test selinux_set_callback function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/selinux_set_callback
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE test_*.c
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh test_*.c
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Jan Zarsky <jzarsky@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Test selinux_set_callback function" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        libselinux gcc glibc libselinux-devel" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2+" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/selinux_set_callback/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/libselinux/Sanity/selinux_set_callback
+Description: Test selinux_set_callback function
+Author: Jan Zarsky <jzarsky@redhat.com>

tests/selinux_set_callback/runtest.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/selinux_set_callback
+#   Description: Test selinux_set_callback function
+#   Author: Jan Zarsky <jzarsky@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This program is free software: you can redistribute it and/or
+#   modify it under the terms of the GNU General Public License as
+#   published by the Free Software Foundation, either version 2 of
+#   the License, or (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE.  See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-devel
+        rlAssertRpm "glibc"
+        rlAssertRpm "gcc"
+
+        rlRun -l "gcc test_callback.c -o test_callback -lselinux -Wall -Wextra -Wno-unused-parameter -std=c99"
+    rlPhaseEnd
+
+    rlPhaseStartTest
+        rlRun "./test_callback > out 2> err"
+
+        rlRun "cat out"
+        rlRun "cat err"
+
+        rlRun "grep 'function my_log' out"
+        rlRun "grep 'function my_audit' out"
+        rlRun "grep 'function my_validate' out"
+        rlRun "grep 'function my_setenforce' out"
+        rlRun "grep 'function my_policyload' out"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rlRun "rm -f test_callback out err"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/selinux_set_callback/test_callback.c

@@ -0,0 +1,127 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <selinux/avc.h>
+#include <selinux/label.h>
+
+int validate_counter = 0;
+
+int my_log(int type, const char *fmt, ...) {
+    printf("function my_log, type: %d, fmt: %s\n", type, fmt);
+    return 0;
+}
+
+int my_audit(void *auditdata, security_class_t cls, char *msgbuf, size_t msgbufsize) {
+    printf("function my_audit, auditdata: %p, cls: %u, msgbuf: %s, msgbufsize: %lu\n", auditdata, cls, msgbuf, msgbufsize);
+    return 0;
+}
+
+int my_validate(char **ctx) {
+    if (validate_counter++ == 0)
+        printf("function my_validate, ctx: %p\n", (void *) ctx);
+
+    return 0;
+}
+
+int my_setenforce(int enforcing) {
+    printf("function my_setenforce, enforcing: %d\n", enforcing);
+    return 0;
+}
+
+int my_policyload(int seqno) {
+    printf("function my_policyload, seqno: %d\n", seqno);
+    return 0;
+}
+
+int main (int argc, char **argv) {
+    int exit_code = 0;
+
+    // LOG
+    printf("setting LOG callback\n");
+    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) my_log);
+    
+    if (selinux_get_callback(SELINUX_CB_LOG).func_log != my_log) {
+        printf("ERROR: selinux_get_callback() does not match\n");
+        exit_code = 1;
+    }
+
+    // AUDIT
+    printf("setting AUDIT callback\n");
+    selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) my_audit);
+    
+    if (selinux_get_callback(SELINUX_CB_AUDIT).func_audit != my_audit) {
+        printf("ERROR: selinux_get_callback() does not match\n");
+        exit_code = 1;
+    }
+
+    printf("calling avc_audit to call audit and log functions\n");
+    
+    avc_init("", NULL, NULL, NULL, NULL);
+    
+    struct security_id ssid = { "asdf", 5 };
+    struct security_id tsid = { "asdf", 5 };
+    struct av_decision avd = { 1, 0, 1, 0, 0, 0 };
+
+    avc_audit(&ssid, &tsid, 0, 1, &avd, 0, NULL);
+
+    // VALIDATE
+    printf("setting VALIDATE callback\n");
+    selinux_set_callback(SELINUX_CB_VALIDATE, (union selinux_callback) my_validate);
+    
+    if (selinux_get_callback(SELINUX_CB_VALIDATE).func_validate != my_validate) {
+        printf("ERROR: selinux_get_callback() does not match\n");
+        exit_code = 1;
+    }
+
+    struct selabel_handle *hnd = NULL;
+    struct selinux_opt selabel_option [] = {
+        { SELABEL_OPT_VALIDATE, (char *) 1 }
+    };
+
+    hnd = selabel_open(SELABEL_CTX_FILE, selabel_option, 1);
+    selabel_close(hnd);
+    
+    // SETENFORCE
+    printf("setting SETENFORCE callback\n");
+    selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) my_setenforce);
+    
+    if (selinux_get_callback(SELINUX_CB_SETENFORCE).func_setenforce != my_setenforce) {
+        printf("ERROR: selinux_get_callback() does not match\n");
+        exit_code = 1;
+    }
+
+    int enforcing = security_getenforce();
+
+    printf("calling security_setenforce to call setenforce function\n");
+
+    if (enforcing == 1) {
+        security_setenforce(0);
+        security_setenforce(1);
+    }
+    else {
+        security_setenforce(1);
+        security_setenforce(0);
+    }
+
+    // triggers callbacks
+    avc_has_perm_noaudit(&ssid, &tsid, 0, 1, NULL, &avd);
+    
+    // POLICYLOAD
+    printf("setting POLICYLOAD callback\n");
+    selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) my_policyload);
+    
+    if (selinux_get_callback(SELINUX_CB_POLICYLOAD).func_policyload != my_policyload) {
+        printf("ERROR: selinux_get_callback() does not match\n");
+        exit_code = 1;
+    }
+
+    selinux_mkload_policy(1);
+
+    // triggers callbacks
+    avc_has_perm_noaudit(&ssid, &tsid, 0, 1, NULL, &avd);
+
+    return exit_code;
+}

tests/setenforce/Makefile

@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/libselinux/Sanity/setenforce
+#   Description: Does setenforce work as expected? Does it produce correct audit messages?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/libselinux/Sanity/setenforce
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Milos Malik <mmalik@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     Does setenforce work as expected? Does it produce correct audit messages?" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          libselinux" >> $(METADATA)
+	@echo "Requires:        audit libselinux libselinux-utils e2fsprogs" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+	@echo "Releases:        -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+	rhts-lint $(METADATA)
+

tests/setenforce/PURPOSE

@@ -0,0 +1,5 @@
+PURPOSE of /CoreOS/libselinux/Sanity/setenforce
+Author: Milos Malik <mmalik@redhat.com>
+
+Does setenforce work as expected? Does it produce correct audit messages?
+

tests/setenforce/runtest.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/libselinux/Sanity/setenforce
+#   Description: Does setenforce work as expected? Does it produce correct audit messages?
+#   Author: Milos Malik <mmalik@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2016 Red Hat, Inc.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="libselinux"
+if rlIsRHEL 5 6 ; then
+    SELINUX_FS_MOUNT="/selinux"
+else # RHEL-7 and above
+    SELINUX_FS_MOUNT="/sys/fs/selinux"
+fi
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm ${PACKAGE}
+        rlAssertRpm ${PACKAGE}-utils
+        rlRun "setenforce --help" 0,1
+        OUTPUT_FILE=`mktemp`
+        export LC_ALL=en_US.utf8
+    rlPhaseEnd
+
+    rlPhaseStartTest "basic use"
+        START_DATE_TIME=`date "+%m/%d/%Y %T"`
+        sleep 1
+        rlRun "setenforce 1"
+        rlRun "grep 1 ${SELINUX_FS_MOUNT}/enforce"
+        rlRun "setenforce 0"
+        rlRun "grep 0 ${SELINUX_FS_MOUNT}/enforce"
+        rlRun "setenforce 1"
+        sleep 5
+        rlRun "ausearch --input-logs -m MAC_STATUS -i -ts ${START_DATE_TIME} | grep 'type=MAC_STATUS.*enforcing=1.*old_enforcing=0'"
+        rlRun "ausearch --input-logs -m MAC_STATUS -i -ts ${START_DATE_TIME} | grep 'type=MAC_STATUS.*enforcing=0.*old_enforcing=1'"
+        if rlIsRHEL ; then
+            rlRun "ausearch --input-logs -m MAC_STATUS -i -ts ${START_DATE_TIME} | grep 'type=SYSCALL.*comm=setenforce'"
+        fi
+    rlPhaseEnd
+
+    rlPhaseStartTest "extreme cases"
+        rlRun "umount ${SELINUX_FS_MOUNT}"
+        for OPTION in 1 0 Enforcing Permissive ; do
+            rlRun "setenforce ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
+            rlAssertGrep "selinux.*disabled" ${OUTPUT_FILE} -i
+        done
+        rlRun "mount -t selinuxfs none ${SELINUX_FS_MOUNT}"
+        rlRun "touch ./enforce"
+        rlRun "chattr +i ./enforce"
+        rlRun "mount --bind ./enforce ${SELINUX_FS_MOUNT}/enforce"
+        for OPTION in 1 0 Enforcing Permissive ; do
+            rlRun "setenforce ${OPTION} 2>&1 | tee ${OUTPUT_FILE}"
+            rlAssertGrep "setenforce.*failed" ${OUTPUT_FILE} -i
+        done
+        rlRun "umount ${SELINUX_FS_MOUNT}/enforce"
+        rlRun "chattr -i ./enforce"
+        rlRun "rm -f ./enforce"
+    rlPhaseEnd
+
+    rlPhaseStartCleanup
+        rm -f ${OUTPUT_FILE}
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
+

tests/tests.yml

@@ -0,0 +1,41 @@
+---
+# Test to run in classic context
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+      fmf_filter: "tier: 1 | component: libselinux"
+
+# Tests to run inside a container
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - container
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+    tests:
+    - selinux/libselinux/realpath_not_final-function
+    required_packages:
+    - libselinux
+    - libselinux-devel
+    - glibc
+    - gcc
+
+# Tests to run for Atomic Host
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - atomic
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+    tests:
+    - selinux/libselinux/getsebool
+    - selinux/libselinux/setenforce