Enable gating on tests

https://docs.fedoraproject.org/en-US/ci/gating/

.gitignore

@@ -214,3 +214,4 @@ libselinux-2.0.96.tgz
 /libselinux-2.9.tar.gz
 /libselinux-3.0-rc1.tar.gz
 /libselinux-3.0.tar.gz
+/libselinux-3.1.tar.gz

0001-libselinux-use-kernel-status-page-by-default.patch

@@ -0,0 +1,506 @@
+From 05bdc03130d741e53e1fb45a958d0a2c184be503 Mon Sep 17 00:00:00 2001
+From: Mike Palmiotto <mike.palmiotto@crunchydata.com>
+Date: Wed, 5 Aug 2020 15:43:12 -0400
+Subject: [PATCH] libselinux: use kernel status page by default
+
+Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
+/selinux/status") introduced the sestatus mechanism, which allows for
+mmap()'ing of the kernel status page as a replacement for avc_netlink.
+
+The mechanism was initially intended for userspace object managers that
+were calculating access decisions within their application and did not
+rely on the libselinux AVC implementation. In order to properly make use
+of sestatus within avc_has_perm(), the status mechanism needs to
+properly set avc internals during status events; else, avc_enforcing is
+never updated upon sestatus changes.
+
+This commit gets rid of the default avc_netlink_open() in
+avc_init_internal(), replacing it with selinux_status_open(). In the
+event that the kernel status page cannot be mapped, the netlink fallback
+will be used. By default, avc_has_perm_noaudit() and
+selinux_check_access() will now attempt to read the kernel status page,
+which removes a system call from two critical code paths.
+
+Since the AVC thread create/stop callbacks were intended to avoid a
+system call in the critical code path, they no longer need to be created
+by default. In the event that the kernel status page is successfully
+mapped, threads will not be created. Threads will still be
+created/stopped for the sestatus fallback codepaths.
+
+Userspace object managers that still need a netlink socket can call
+avc_netlink_acquire_fd() to open and/or obtain one.
+
+Update the manpage to reflect the new avc_netlink_acquire_fd()
+functionality.
+
+Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/avc_init.3            | 51 ++++++++++++--
+ libselinux/man/man3/avc_netlink_loop.3    |  8 +++
+ libselinux/man/man3/avc_open.3            | 36 +++++++++-
+ libselinux/man/man3/selinux_status_open.3 | 13 ++--
+ libselinux/src/avc.c                      | 15 ++---
+ libselinux/src/avc_internal.c             | 82 ++++++++++++++++-------
+ libselinux/src/avc_internal.h             |  4 ++
+ libselinux/src/checkAccess.c              |  2 +-
+ libselinux/src/sestatus.c                 | 24 +++++++
+ 9 files changed, 184 insertions(+), 51 deletions(-)
+
+diff --git a/libselinux/man/man3/avc_init.3 b/libselinux/man/man3/avc_init.3
+index e26c3be6071c..a5dc7c93c703 100644
+--- a/libselinux/man/man3/avc_init.3
++++ b/libselinux/man/man3/avc_init.3
+@@ -117,6 +117,8 @@ argument, which does not return under normal conditions.  The
+ callback should cancel the running thread referenced by 
+ .IR thread .
+ By default, threading is not used; see 
++.B KERNEL STATUS PAGE
++and
+ .B NETLINK NOTIFICATION
+ below.
+ 
+@@ -153,14 +155,49 @@ callback should destroy
+ .IR lock ,
+ freeing any resources associated with it.  The default behavior is not to perform any locking.  Note that undefined behavior may result if threading is used without appropriate locking.
+ .
+-.SH "NETLINK NOTIFICATION"
+-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
+-.BR avc_has_perm (3)
+-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
++.SH "KERNEL STATUS PAGE"
++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
++.BR mmap (2)
++SELinux status state in read-only mode to avoid system calls during the cache hit code path.
+ 
+-In the default single-threaded mode, the userspace AVC checks for new netlink messages at the start of each permission query.  If threading and locking callbacks are passed to
+ .BR avc_init ()
+-however, a dedicated thread will be started to listen on the netlink socket.  This may increase performance and will ensure that log messages are generated immediately rather than at the time of the next permission query.
++calls
++.BR selinux_status_open (3)
++to initialize the selinux status state. If successfully initialized, the userspace AVC will default to single-threaded mode and ignore the
++.B func_create_thread
++and
++.B func_stop_thread
++callbacks. All callbacks set via
++.BR selinux_set_callback (3)
++will still be honored.
++
++.BR avc_has_perm (3)
++and
++.BR selinux_check_access (3)
++both check for status updates through calls to
++.BR selinux_status_updated (3)
++at the start of each permission query and take the appropriate action.
++
++Two status types are currently implemented.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++.
++.SH "NETLINK NOTIFICATION"
++In the event that the kernel status page is not successfully
++.BR mmap (2)'ed
++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
++.B setenforce
++and
++.B policyload
++events will have the same results as for the status page implementation, but all status update checks will now require a system call.
++
++By default,
++.BR avc_open (3)
++does not set threading or locking callbacks. In the fallback case, the userspace AVC checks for new netlink messages at the start of each permission query. If threading and locking callbacks are passed to
++.BR avc_init (),
++a dedicated thread will be started to listen on the netlink socket.  This may increase performance in the absence of the status page and will ensure that log messages are generated immediately rather than at the time of the next permission query.
+ .
+ .SH "RETURN VALUE"
+ Functions with a return value return zero on success.  On error, \-1 is returned and
+@@ -192,5 +229,7 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
+ .
+ .SH "SEE ALSO"
+ .BR avc_open (3),
++.BR selinux_status_open (3),
++.BR selinux_status_updated (3),
+ .BR selinux_set_callback (3),
+ .BR selinux (8)
+diff --git a/libselinux/man/man3/avc_netlink_loop.3 b/libselinux/man/man3/avc_netlink_loop.3
+index c8268a124df0..f03d78138d8c 100644
+--- a/libselinux/man/man3/avc_netlink_loop.3
++++ b/libselinux/man/man3/avc_netlink_loop.3
+@@ -54,6 +54,11 @@ closes the netlink socket.  This function is called automatically by
+ returns the netlink socket descriptor number and informs the userspace AVC
+ not to check the socket descriptor automatically on calls to
+ .BR avc_has_perm (3).
++If no such socket descriptor exists,
++.BR avc_netlink_acquire_fd (3)
++will first call
++.BR avc_netlink_open (3)
++and then return the resulting fd.
+ 
+ .BR avc_netlink_release_fd ()
+ returns control of the netlink socket to the userspace AVC, re-enabling
+@@ -78,6 +83,9 @@ with a return value return zero on success.  On error, \-1 is returned and
+ .I errno
+ is set appropriately.
+ .
++.SH "AUTHOR"
++Originally KaiGai Kohei. Updated by Mike Palmiotto <mike.palmiotto@crunchydata.com>
++.
+ .SH "SEE ALSO"
+ .BR avc_open (3),
+ .BR selinux_set_callback (3),
+diff --git a/libselinux/man/man3/avc_open.3 b/libselinux/man/man3/avc_open.3
+index 5b275a8ee040..3090dd5077c7 100644
+--- a/libselinux/man/man3/avc_open.3
++++ b/libselinux/man/man3/avc_open.3
+@@ -46,10 +46,37 @@ include the following:
+ .B AVC_OPT_SETENFORCE
+ This option forces the userspace AVC into enforcing mode if the option value is non-NULL; permissive mode otherwise.  The system enforcing mode will be ignored.
+ .
+-.SH "NETLINK NOTIFICATION"
+-Beginning with version 2.6.4, the Linux kernel supports SELinux status change notification via netlink.  Two message types are currently implemented, indicating changes to the enforcing mode and to the loaded policy in the kernel, respectively.  The userspace AVC listens for these messages and takes the appropriate action, modifying the behavior of
++.SH "KERNEL STATUS PAGE"
++Linux kernel version 2.6.37 supports the SELinux kernel status page, enabling userspace applications to
++.BR mmap (2)
++SELinux status state in read-only mode to avoid system calls during the cache hit code path.
++
++.BR avc_open ()
++calls
++.BR selinux_status_open (3)
++to initialize the selinux status state.
++
+ .BR avc_has_perm (3)
+-to reflect the current enforcing mode and flushing the cache on receipt of a policy load notification.  Audit messages are produced when netlink notifications are processed.
++and
++.BR selinux_check_access (3)
++both check for status updates through calls to
++.BR selinux_status_updated (3)
++at the start of each permission query and take the appropriate action.
++
++Two status types are currently implemented.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++.
++.SH "NETLINK NOTIFICATION"
++In the event that the kernel status page is not successfully
++.BR mmap (2)'ed
++the AVC will default to the netlink fallback mechanism, which opens a netlink socket for receiving status updates.
++.B setenforce
++and
++.B policyload
++events will have the same results as for the status page implementation, but all status update checks will now require a system call.
+ .
+ .SH "RETURN VALUE"
+ Functions with a return value return zero on success.  On error, \-1 is returned and
+@@ -61,9 +88,12 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
+ .
+ .SH "SEE ALSO"
+ .BR selinux (8),
++.BR selinux_check_access (3),
+ .BR avc_has_perm (3),
+ .BR avc_context_to_sid (3),
+ .BR avc_cache_stats (3),
+ .BR avc_add_callback (3),
++.BR selinux_status_open (3),
++.BR selinux_status_updated (3),
+ .BR selinux_set_callback (3),
+ .BR security_compute_av (3)
+diff --git a/libselinux/man/man3/selinux_status_open.3 b/libselinux/man/man3/selinux_status_open.3
+index 2d44be57cbbc..5c9da2f61d19 100644
+--- a/libselinux/man/man3/selinux_status_open.3
++++ b/libselinux/man/man3/selinux_status_open.3
+@@ -48,7 +48,7 @@ Set 1 on the
+ argument to handle a case of older kernels without kernel status page support.
+ In this case, this function tries to open a netlink socket using
+ .BR avc_netlink_open (3)
+-and overwrite corresponding callbacks ( setenforce and policyload).
++and overwrite corresponding callbacks (setenforce and policyload).
+ Thus, we need to pay attention to the interaction with these interfaces,
+ when fallback mode is enabled.
+ .sp
+@@ -57,9 +57,14 @@ unmap the kernel status page and close its file descriptor, or close the
+ netlink socket if fallbacked.
+ .sp
+ .BR selinux_status_updated ()
+-informs us whether something has been updated since the last call.
+-It returns 0 if nothing was happened, however, 1 if something has been
+-updated in this duration, or \-1 on error.
++processes status update events. There are two kinds of status updates.
++.B setenforce
++events will change the effective enforcing state used within the AVC, and
++.B policyload
++events will result in a cache flush.
++
++This function returns 0 if there have been no updates since the last call,
++1 if there have been updates since the last call, or \-1 on error.
+ .sp
+ .BR selinux_status_getenforce ()
+ returns 0 if SELinux is running in permissive mode, 1 if enforcing mode,
+diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
+index b4648b2de170..8314d7ba3de6 100644
+--- a/libselinux/src/avc.c
++++ b/libselinux/src/avc.c
+@@ -50,7 +50,6 @@ struct avc_callback_node {
+ 	struct avc_callback_node *next;
+ };
+ 
+-static void *avc_netlink_thread = NULL;
+ static void *avc_lock = NULL;
+ static void *avc_log_lock = NULL;
+ static struct avc_node *avc_node_freelist = NULL;
+@@ -215,17 +214,13 @@ static int avc_init_internal(const char *prefix,
+ 		avc_enforcing = rc;
+ 	}
+ 
+-	rc = avc_netlink_open(0);
++	rc = selinux_status_open(1);
+ 	if (rc < 0) {
+ 		avc_log(SELINUX_ERROR,
+-			"%s:  can't open netlink socket: %d (%s)\n",
++			"%s: could not open selinux status page: %d (%s)\n",
+ 			avc_prefix, errno, strerror(errno));
+ 		goto out;
+ 	}
+-	if (avc_using_threads) {
+-		avc_netlink_thread = avc_create_thread(&avc_netlink_loop);
+-		avc_netlink_trouble = 0;
+-	}
+ 	avc_running = 1;
+       out:
+ 	return rc;
+@@ -557,9 +552,7 @@ void avc_destroy(void)
+ 
+ 	avc_get_lock(avc_lock);
+ 
+-	if (avc_using_threads)
+-		avc_stop_thread(avc_netlink_thread);
+-	avc_netlink_close();
++	selinux_status_close();
+ 
+ 	for (i = 0; i < AVC_CACHE_SLOTS; i++) {
+ 		node = avc_cache.slots[i];
+@@ -766,7 +759,7 @@ int avc_has_perm_noaudit(security_id_t ssid,
+ 		avd_init(avd);
+ 
+ 	if (!avc_using_threads && !avc_app_main_loop) {
+-		(void)avc_netlink_check_nb();
++		(void) selinux_status_updated();
+ 	}
+ 
+ 	if (!aeref) {
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 568a3d928ac1..4ef924527e10 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -53,6 +53,49 @@ int avc_enforcing = 1;
+ int avc_setenforce = 0;
+ int avc_netlink_trouble = 0;
+ 
++/* process setenforce events for netlink and sestatus */
++int avc_process_setenforce(int enforcing)
++{
++	int rc = 0;
++
++	avc_log(SELINUX_INFO,
++		"%s:  received setenforce notice (enforcing=%d)\n",
++		avc_prefix, enforcing);
++	if (avc_setenforce)
++		goto out;
++	avc_enforcing = enforcing;
++	if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
++		avc_log(SELINUX_ERROR,
++			"%s:  cache reset returned %d (errno %d)\n",
++			avc_prefix, rc, errno);
++		return rc;
++	}
++
++out:
++	return selinux_netlink_setenforce(enforcing);
++}
++
++/* process policyload events for netlink and sestatus */
++int avc_process_policyload(uint32_t seqno)
++{
++	int rc = 0;
++
++	avc_log(SELINUX_INFO,
++		"%s:  received policyload notice (seqno=%u)\n",
++		avc_prefix, seqno);
++	rc = avc_ss_reset(seqno);
++	if (rc < 0) {
++		avc_log(SELINUX_ERROR,
++			"%s:  cache reset returned %d (errno %d)\n",
++			avc_prefix, rc, errno);
++		return rc;
++	}
++
++	selinux_flush_class_cache();
++
++	return selinux_netlink_policyload(seqno);
++}
++
+ /* netlink socket code */
+ static int fd = -1;
+ 
+@@ -177,20 +220,7 @@ static int avc_netlink_process(void *buf)
+ 
+ 	case SELNL_MSG_SETENFORCE:{
+ 		struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
+-		msg->val = !!msg->val;
+-		avc_log(SELINUX_INFO,
+-			"%s:  received setenforce notice (enforcing=%d)\n",
+-			avc_prefix, msg->val);
+-		if (avc_setenforce)
+-			break;
+-		avc_enforcing = msg->val;
+-		if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
+-			avc_log(SELINUX_ERROR,
+-				"%s:  cache reset returned %d (errno %d)\n",
+-				avc_prefix, rc, errno);
+-			return rc;
+-		}
+-		rc = selinux_netlink_setenforce(msg->val);
++		rc = avc_process_setenforce(!!msg->val);
+ 		if (rc < 0)
+ 			return rc;
+ 		break;
+@@ -198,18 +228,7 @@ static int avc_netlink_process(void *buf)
+ 
+ 	case SELNL_MSG_POLICYLOAD:{
+ 		struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
+-		avc_log(SELINUX_INFO,
+-			"%s:  received policyload notice (seqno=%u)\n",
+-			avc_prefix, msg->seqno);
+-		rc = avc_ss_reset(msg->seqno);
+-		if (rc < 0) {
+-			avc_log(SELINUX_ERROR,
+-				"%s:  cache reset returned %d (errno %d)\n",
+-				avc_prefix, rc, errno);
+-			return rc;
+-		}
+-		selinux_flush_class_cache();
+-		rc = selinux_netlink_policyload(msg->seqno);
++		rc = avc_process_policyload(msg->seqno);
+ 		if (rc < 0)
+ 			return rc;
+ 		break;
+@@ -284,6 +303,17 @@ void avc_netlink_loop(void)
+ 
+ int avc_netlink_acquire_fd(void)
+ {
++	if (fd < 0) {
++		int rc = 0;
++		rc = avc_netlink_open(0);
++		if (rc < 0) {
++			avc_log(SELINUX_ERROR,
++				"%s: could not open netlink socket: %d (%s)\n",
++				avc_prefix, errno, strerror(errno));
++			return rc;
++		}
++	}
++
+     avc_app_main_loop = 1;
+ 
+     return fd;
+diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
+index 3f8a6bb1cf84..da67affc9307 100644
+--- a/libselinux/src/avc_internal.h
++++ b/libselinux/src/avc_internal.h
+@@ -32,6 +32,10 @@ extern void (*avc_func_get_lock) (void *);
+ extern void (*avc_func_release_lock) (void *);
+ extern void (*avc_func_free_lock) (void *);
+ 
++/* selinux status processing for netlink and sestatus */
++extern int avc_process_setenforce(int enforcing);
++extern int avc_process_policyload(uint32_t seqno);
++
+ static inline void set_callbacks(const struct avc_memory_callback *mem_cb,
+ 				 const struct avc_log_callback *log_cb,
+ 				 const struct avc_thread_callback *thread_cb,
+diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
+index 3491fded7895..b337ea64f977 100644
+--- a/libselinux/src/checkAccess.c
++++ b/libselinux/src/checkAccess.c
+@@ -39,7 +39,7 @@ int selinux_check_access(const char *scon, const char *tcon, const char *class,
+ 	if (rc < 0)
+ 		return rc;
+ 
+-	(void) avc_netlink_check_nb();
++	(void) selinux_status_updated();
+ 
+        sclass = string_to_security_class(class);
+        if (sclass == 0) {
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index 86267ff89646..814e86ee10e7 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -39,11 +39,14 @@ struct selinux_status_t
+ static struct selinux_status_t *selinux_status = NULL;
+ static int			selinux_status_fd;
+ static uint32_t			last_seqno;
++static uint32_t			last_policyload;
+ 
+ static uint32_t			fallback_sequence;
+ static int			fallback_enforcing;
+ static int			fallback_policyload;
+ 
++static void			*fallback_netlink_thread = NULL;
++
+ /*
+  * read_sequence
+  *
+@@ -116,6 +119,15 @@ int selinux_status_updated(void)
+ 
+ 	if (last_seqno != curr_seqno)
+ 	{
++		if (avc_enforcing != (int) selinux_status->enforcing) {
++			if (avc_process_setenforce(selinux_status->enforcing) < 0)
++				return -1;
++		}
++		if (last_policyload != selinux_status->policyload) {
++			if (avc_process_policyload(selinux_status->policyload) < 0)
++				return -1;
++			last_policyload = selinux_status->policyload;
++		}
+ 		last_seqno = curr_seqno;
+ 		result = 1;
+ 	}
+@@ -282,6 +294,9 @@ int selinux_status_open(int fallback)
+ 	selinux_status_fd = fd;
+ 	last_seqno = (uint32_t)(-1);
+ 
++	/* No need to use avc threads if the kernel status page is available */
++	avc_using_threads = 0;
++
+ 	return 0;
+ 
+ error:
+@@ -305,6 +320,12 @@ error:
+ 		selinux_status_fd = avc_netlink_acquire_fd();
+ 		last_seqno = (uint32_t)(-1);
+ 
++		if (avc_using_threads)
++		{
++			fallback_netlink_thread = avc_create_thread(&avc_netlink_loop);
++			avc_netlink_trouble = 0;
++		}
++
+ 		fallback_sequence = 0;
+ 		fallback_enforcing = security_getenforce();
+ 		fallback_policyload = 0;
+@@ -333,6 +354,9 @@ void selinux_status_close(void)
+ 	/* fallback-mode */
+ 	if (selinux_status == MAP_FAILED)
+ 	{
++		if (avc_using_threads)
++			avc_stop_thread(fallback_netlink_thread);
++
+ 		avc_netlink_release_fd();
+ 		avc_netlink_close();
+ 		selinux_status = NULL;
+-- 
+2.29.0
+

0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch

@@ -1,214 +0,0 @@
-From b4ebb4534129a5d0f2e8a762015d089a0142b15f Mon Sep 17 00:00:00 2001
-From: Dan Walsh <dwalsh@redhat.com>
-Date: Mon, 23 Dec 2013 09:50:54 -0500
-Subject: [PATCH] Verify context input to funtions to make sure the context
- field is not null.
-
-Return errno EINVAL, to prevent segfault.
-
-Rejected by upstream https://marc.info/?l=selinux&m=145036088424584&w=2
-
-FIXME: use __attribute__(nonnull (arg-index, ...))
----
- libselinux/src/avc_sidtab.c           | 5 +++++
- libselinux/src/canonicalize_context.c | 5 +++++
- libselinux/src/check_context.c        | 5 +++++
- libselinux/src/compute_av.c           | 5 +++++
- libselinux/src/compute_create.c       | 5 +++++
- libselinux/src/compute_member.c       | 5 +++++
- libselinux/src/compute_relabel.c      | 5 +++++
- libselinux/src/compute_user.c         | 5 +++++
- libselinux/src/fsetfilecon.c          | 8 ++++++--
- libselinux/src/lsetfilecon.c          | 9 +++++++--
- libselinux/src/setfilecon.c           | 8 ++++++--
- 11 files changed, 59 insertions(+), 6 deletions(-)
-
-diff --git a/libselinux/src/avc_sidtab.c b/libselinux/src/avc_sidtab.c
-index 9669264d651a..c77543050b5e 100644
---- a/libselinux/src/avc_sidtab.c
-+++ b/libselinux/src/avc_sidtab.c
-@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
- 	int hvalue, rc = 0;
- 	struct sidtab_node *cur;
- 
-+	if (! ctx) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	*sid = NULL;
- 	hvalue = sidtab_hash(ctx);
- 
-diff --git a/libselinux/src/canonicalize_context.c b/libselinux/src/canonicalize_context.c
-index ba4c9a2c7d46..c81587254b80 100644
---- a/libselinux/src/canonicalize_context.c
-+++ b/libselinux/src/canonicalize_context.c
-@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
- 	size_t size;
- 	int fd, ret;
- 
-+	if (! con) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	if (!selinux_mnt) {
- 		errno = ENOENT;
- 		return -1;
-diff --git a/libselinux/src/check_context.c b/libselinux/src/check_context.c
-index 8a7997f03598..5be8434849af 100644
---- a/libselinux/src/check_context.c
-+++ b/libselinux/src/check_context.c
-@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
- 	char path[PATH_MAX];
- 	int fd, ret;
- 
-+	if (! con) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	if (!selinux_mnt) {
- 		errno = ENOENT;
- 		return -1;
-diff --git a/libselinux/src/compute_av.c b/libselinux/src/compute_av.c
-index a47cffe98662..6d285a2e71c3 100644
---- a/libselinux/src/compute_av.c
-+++ b/libselinux/src/compute_av.c
-@@ -27,6 +27,11 @@ int security_compute_av_flags_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git a/libselinux/src/compute_create.c b/libselinux/src/compute_create.c
-index 0975aeac2224..3e6a48c16968 100644
---- a/libselinux/src/compute_create.c
-+++ b/libselinux/src/compute_create.c
-@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git a/libselinux/src/compute_member.c b/libselinux/src/compute_member.c
-index 4e2d221ef9ea..d1dd9772c951 100644
---- a/libselinux/src/compute_member.c
-+++ b/libselinux/src/compute_member.c
-@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git a/libselinux/src/compute_relabel.c b/libselinux/src/compute_relabel.c
-index 49f77ef3344c..c3db7c0ada4c 100644
---- a/libselinux/src/compute_relabel.c
-+++ b/libselinux/src/compute_relabel.c
-@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if ((! scon) || (! tcon)) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git a/libselinux/src/compute_user.c b/libselinux/src/compute_user.c
-index 7b8812155750..401fd107e363 100644
---- a/libselinux/src/compute_user.c
-+++ b/libselinux/src/compute_user.c
-@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
- 		return -1;
- 	}
- 
-+	if (! scon) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
- 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
- 	fd = open(path, O_RDWR | O_CLOEXEC);
- 	if (fd < 0)
-diff --git a/libselinux/src/fsetfilecon.c b/libselinux/src/fsetfilecon.c
-index 52707d05ddd4..0cbe12d844d2 100644
---- a/libselinux/src/fsetfilecon.c
-+++ b/libselinux/src/fsetfilecon.c
-@@ -9,8 +9,12 @@
- 
- int fsetfilecon_raw(int fd, const char * context)
- {
--	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
--			 0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
-diff --git a/libselinux/src/lsetfilecon.c b/libselinux/src/lsetfilecon.c
-index 1d3b28a1c5fc..ea6d70b7584d 100644
---- a/libselinux/src/lsetfilecon.c
-+++ b/libselinux/src/lsetfilecon.c
-@@ -9,8 +9,13 @@
- 
- int lsetfilecon_raw(const char *path, const char * context)
- {
--	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
--			 0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+
-+	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
-diff --git a/libselinux/src/setfilecon.c b/libselinux/src/setfilecon.c
-index d05969c6c2f3..3f0200e8febc 100644
---- a/libselinux/src/setfilecon.c
-+++ b/libselinux/src/setfilecon.c
-@@ -9,8 +9,12 @@
- 
- int setfilecon_raw(const char *path, const char * context)
- {
--	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
--			0);
-+	int rc;
-+	if (! context) {
-+		errno=EINVAL;
-+		return -1;
-+	}
-+	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
- 	if (rc < 0 && errno == ENOTSUP) {
- 		char * ccontext = NULL;
- 		int err = errno;
--- 
-2.23.0
-

0002-libselinux-fix-build-order.patch

@@ -0,0 +1,27 @@
+From e7abd802d4d8541627c590424a6578348ee6032b Mon Sep 17 00:00:00 2001
+From: Stephen Smalley <stephen.smalley.work@gmail.com>
+Date: Thu, 6 Aug 2020 10:46:38 -0400
+Subject: [PATCH] libselinux: fix build order
+
+We need to install the include files before we try to build the source.
+Otherwise, make DESTDIR=~/obj install can fail if there are older
+headers under /usr/include.
+
+Signed-off-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index 16531fe95bf5..6a43b243f4da 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -1,4 +1,4 @@
+-SUBDIRS = src include utils man
++SUBDIRS = include src utils man
+ 
+ PKG_CONFIG ?= pkg-config
+ DISABLE_SETRANS ?= n
+-- 
+2.29.0
+

0003-libselinux-use-full-argument-specifiers-for-security.patch

@@ -0,0 +1,38 @@
+From 21fb5f20da225cff23fd811f57cdaec5e9d7badb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Thu, 20 Aug 2020 17:15:51 +0200
+Subject: [PATCH] libselinux: use full argument specifiers for
+ security_check_context in man page
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The argument for security_check_context(_raw) is defined as `const char *`.
+
+Say so in the man page.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/security_check_context.3 | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/man/man3/security_check_context.3 b/libselinux/man/man3/security_check_context.3
+index 2b9a2d4c8b6a..213ac282588f 100644
+--- a/libselinux/man/man3/security_check_context.3
++++ b/libselinux/man/man3/security_check_context.3
+@@ -5,9 +5,9 @@ security_check_context \- check the validity of a SELinux context
+ .SH "SYNOPSIS"
+ .B #include <selinux/selinux.h>
+ .sp
+-.BI "int security_check_context(char *" con );
++.BI "int security_check_context(const char *" con );
+ .sp
+-.BI "int security_check_context_raw(char *" con );
++.BI "int security_check_context_raw(const char *" con );
+ .
+ .SH "DESCRIPTION"
+ .BR security_check_context ()
+-- 
+2.29.0
+

0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch

@@ -0,0 +1,64 @@
+From 9e4480b921bb50f59b064e842362b26b87e36bbd Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Mon, 24 Aug 2020 09:44:16 -0400
+Subject: [PATCH] libselinux: Remove trailing slash on selabel_file lookups.
+
+Having a trailing slash on a file lookup, e.g. "/some/path/", can
+cause a different result, for example,  when file contexts are written to have
+the directory have a different label than the contents.  This is inconsistent
+with normal Linux behaviors where trailing slashes are ignored.
+
+Many callers already strip the trailing slash before the lookup or users
+revise the file contexts to work around this.  This fixes it comprehensively.
+
+v2: fix length issues
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/label_file.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 412904d14c06..6eeeea68aea4 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -854,6 +854,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 	struct saved_data *data = (struct saved_data *)rec->data;
+ 	struct spec *spec_arr = data->spec_arr;
+ 	int i, rc, file_stem;
++	size_t len;
+ 	mode_t mode = (mode_t)type;
+ 	char *clean_key = NULL;
+ 	const char *prev_slash, *next_slash;
+@@ -894,6 +895,27 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 		key = clean_key;
+ 	}
+ 
++	/* remove trailing slash */
++	len = strlen(key);
++	if (len == 0) {
++		errno = EINVAL;
++		goto finish;
++	}
++
++	if (key[len - 1] == '/') {
++		/* reuse clean_key from above if available */
++		if (!clean_key) {
++			clean_key = (char *) malloc(len);
++			if (!clean_key)
++				goto finish;
++
++			strncpy(clean_key, key, len - 1);
++		}
++
++		clean_key[len - 1] = '\0';
++		key = clean_key;
++	}
++
+ 	sub = selabel_sub_key(data, key);
+ 	if (sub)
+ 		key = sub;
+-- 
+2.29.0
+

0005-libselinux-safely-access-shared-memory-in-selinux_st.patch

@@ -0,0 +1,80 @@
+From ef902db9c842553fd1a6a81068f3d844d487f2fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 25 Aug 2020 17:32:04 +0200
+Subject: [PATCH] libselinux: safely access shared memory in
+ selinux_status_updated()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Access the shared nenory safe in regard to consistent view of the SELinux
+kernel status page - not in regard to thread-safety.
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/sestatus.c | 40 ++++++++++++++++++++++++---------------
+ 1 file changed, 25 insertions(+), 15 deletions(-)
+
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index 814e86ee10e7..ca2d3bbf9cb2 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -91,7 +91,9 @@ static inline uint32_t read_sequence(struct selinux_status_t *status)
+ int selinux_status_updated(void)
+ {
+ 	uint32_t	curr_seqno;
+-	int		result = 0;
++	uint32_t	tmp_seqno;
++	uint32_t	enforcing;
++	uint32_t	policyload;
+ 
+ 	if (selinux_status == NULL) {
+ 		errno = EINVAL;
+@@ -117,21 +119,29 @@ int selinux_status_updated(void)
+ 	if (last_seqno & 0x0001)
+ 		last_seqno = curr_seqno;
+ 
+-	if (last_seqno != curr_seqno)
+-	{
+-		if (avc_enforcing != (int) selinux_status->enforcing) {
+-			if (avc_process_setenforce(selinux_status->enforcing) < 0)
+-				return -1;
+-		}
+-		if (last_policyload != selinux_status->policyload) {
+-			if (avc_process_policyload(selinux_status->policyload) < 0)
+-				return -1;
+-			last_policyload = selinux_status->policyload;
+-		}
+-		last_seqno = curr_seqno;
+-		result = 1;
++	if (last_seqno == curr_seqno)
++		return 0;
++
++	/* sequence must not be changed during references */
++	do {
++		enforcing = selinux_status->enforcing;
++		policyload = selinux_status->policyload;
++		tmp_seqno = curr_seqno;
++		curr_seqno = read_sequence(selinux_status);
++	} while (tmp_seqno != curr_seqno);
++
++	if (avc_enforcing != (int) enforcing) {
++		if (avc_process_setenforce(enforcing) < 0)
++			return -1;
++	}
++	if (last_policyload != policyload) {
++		if (avc_process_policyload(policyload) < 0)
++			return -1;
++		last_policyload = policyload;
+ 	}
+-	return result;
++	last_seqno = curr_seqno;
++
++	return 1;
+ }
+ 
+ /*
+-- 
+2.29.0
+

0006-libselinux-initialize-last_policyload-in-selinux_sta.patch

@@ -0,0 +1,54 @@
+From a63f93d83b57f1a10712c5fcd29be246e8eff20d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Tue, 25 Aug 2020 17:32:05 +0200
+Subject: [PATCH] libselinux: initialize last_policyload in
+ selinux_status_open()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If not initialized to the current policyload count, an enforcing change
+will trigger policyload-callbacks in selinux_status_updated().
+
+Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/sestatus.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/libselinux/src/sestatus.c b/libselinux/src/sestatus.c
+index ca2d3bbf9cb2..9ff2785d876a 100644
+--- a/libselinux/src/sestatus.c
++++ b/libselinux/src/sestatus.c
+@@ -278,9 +278,10 @@ static int fallback_cb_policyload(int policyload)
+  */
+ int selinux_status_open(int fallback)
+ {
+-	int	fd;
+-	char	path[PATH_MAX];
+-	long	pagesize;
++	int		fd;
++	char		path[PATH_MAX];
++	long		pagesize;
++	uint32_t	seqno;
+ 
+ 	if (!selinux_mnt) {
+ 		errno = ENOENT;
+@@ -304,6 +305,14 @@ int selinux_status_open(int fallback)
+ 	selinux_status_fd = fd;
+ 	last_seqno = (uint32_t)(-1);
+ 
++	/* sequence must not be changed during references */
++	do {
++		seqno = read_sequence(selinux_status);
++
++		last_policyload = selinux_status->policyload;
++
++	} while (seqno != read_sequence(selinux_status));
++
+ 	/* No need to use avc threads if the kernel status page is available */
+ 	avc_using_threads = 0;
+ 
+-- 
+2.29.0
+

0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch

@@ -0,0 +1,71 @@
+From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Thu, 27 Aug 2020 08:58:39 -0400
+Subject: [PATCH] libselinux: Add new log callback levels for enforcing and
+ policy load notices.
+
+This will enable userspace object managers to send proper audits for policy
+loads and setenforce messages generated by the userspace AVC code.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/include/selinux/selinux.h       | 2 ++
+ libselinux/man/man3/selinux_set_callback.3 | 5 +++++
+ libselinux/src/avc_internal.c              | 4 ++--
+ 3 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
+index c22834e58418..ae98a92e393e 100644
+--- a/libselinux/include/selinux/selinux.h
++++ b/libselinux/include/selinux/selinux.h
+@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
+ #define SELINUX_WARNING		1
+ #define SELINUX_INFO		2
+ #define SELINUX_AVC		3
++#define SELINUX_POLICYLOAD	4
++#define SELINUX_SETENFORCE	5
+ #define SELINUX_TRANS_DIR	"/var/run/setrans"
+ 
+ /* Compute an access decision. */
+diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
+index a4c613ad5d85..6dfe5ff6050f 100644
+--- a/libselinux/man/man3/selinux_set_callback.3
++++ b/libselinux/man/man3/selinux_set_callback.3
+@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
+ .B SELINUX_INFO
+ 
+ .B SELINUX_AVC
++
++.B SELINUX_POLICYLOAD
++
++.B SELINUX_SETENFORCE
++
+ .
+ .TP
+ .B SELINUX_CB_AUDIT
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 4ef924527e10..572b2159c3ed 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
+ {
+ 	int rc = 0;
+ 
+-	avc_log(SELINUX_INFO,
++	avc_log(SELINUX_SETENFORCE,
+ 		"%s:  received setenforce notice (enforcing=%d)\n",
+ 		avc_prefix, enforcing);
+ 	if (avc_setenforce)
+@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
+ {
+ 	int rc = 0;
+ 
+-	avc_log(SELINUX_INFO,
++	avc_log(SELINUX_POLICYLOAD,
+ 		"%s:  received policyload notice (seqno=%u)\n",
+ 		avc_prefix, seqno);
+ 	rc = avc_ss_reset(seqno);
+-- 
+2.29.0
+

0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch

@@ -0,0 +1,30 @@
+From 075f9cfe7a0105e14e878b5617e80d391d016e08 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Fri, 11 Sep 2020 15:56:14 -0400
+Subject: [PATCH] libselinux: Fix selabel_lookup() for the root dir.
+
+9e4480b921bb ("Remove trailing slash on selabel_file lookups.") introduced
+a bug which turns the root directory lookup "/" into an empty string.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/label_file.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
+index 6eeeea68aea4..726394ca4332 100644
+--- a/libselinux/src/label_file.c
++++ b/libselinux/src/label_file.c
+@@ -902,7 +902,7 @@ static const struct spec **lookup_all(struct selabel_handle *rec,
+ 		goto finish;
+ 	}
+ 
+-	if (key[len - 1] == '/') {
++	if (len > 1 && key[len - 1] == '/') {
+ 		/* reuse clean_key from above if available */
+ 		if (!clean_key) {
+ 			clean_key = (char *) malloc(len);
+-- 
+2.29.0
+

0009-libselinux-Add-additional-log-callback-details-in-ma.patch

@@ -0,0 +1,38 @@
+From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 15 Sep 2020 13:33:31 -0400
+Subject: [PATCH] libselinux: Add additional log callback details in man page
+ for auditing.
+
+Add additional information about the log callback message types.  Indicate
+which types could be audited and the relevant audit record types for them.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
+index 6dfe5ff6050f..75f49b06d836 100644
+--- a/libselinux/man/man3/selinux_set_callback.3
++++ b/libselinux/man/man3/selinux_set_callback.3
+@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following:
+ 
+ .B SELINUX_SETENFORCE
+ 
++SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
++levels and are not auditable messages.
++
++The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
++audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
++values from libaudit, respectively.  If they are not audited, SELINUX_AVC should be
++considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
++SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
++
+ .
+ .TP
+ .B SELINUX_CB_AUDIT
+-- 
+2.29.0
+

0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch

@@ -0,0 +1,37 @@
+From 7ef5b1854f75056d23e60aabc86706dfed622669 Mon Sep 17 00:00:00 2001
+From: Chris PeBenito <chpebeni@linux.microsoft.com>
+Date: Tue, 15 Sep 2020 13:33:32 -0400
+Subject: [PATCH] libselinux: Change userspace AVC setenforce and policy load
+ messages to audit format.
+
+Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libselinux/src/avc_internal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
+index 572b2159c3ed..53a99a1fe957 100644
+--- a/libselinux/src/avc_internal.c
++++ b/libselinux/src/avc_internal.c
+@@ -59,7 +59,7 @@ int avc_process_setenforce(int enforcing)
+ 	int rc = 0;
+ 
+ 	avc_log(SELINUX_SETENFORCE,
+-		"%s:  received setenforce notice (enforcing=%d)\n",
++		"%s:  op=setenforce lsm=selinux enforcing=%d res=1",
+ 		avc_prefix, enforcing);
+ 	if (avc_setenforce)
+ 		goto out;
+@@ -81,7 +81,7 @@ int avc_process_policyload(uint32_t seqno)
+ 	int rc = 0;
+ 
+ 	avc_log(SELINUX_POLICYLOAD,
+-		"%s:  received policyload notice (seqno=%u)\n",
++		"%s:  op=load_policy lsm=selinux seqno=%u res=1",
+ 		avc_prefix, seqno);
+ 	rc = avc_ss_reset(seqno);
+ 	if (rc < 0) {
+-- 
+2.29.0
+

0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch

@@ -0,0 +1,208 @@
+From d23342a9de2c30f72a3edb13455753caaf259589 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sun, 4 Oct 2020 16:03:39 +0200
+Subject: [PATCH] libselinux: convert matchpathcon to selabel_lookup()
+
+Function matchpathcon() is deprecated in favor of selabel_lookup() but
+program "matchpathcon" is much easier to use than "selabel_loopkup" to
+find the file context which would be applied to some files and
+directories.
+
+More precisely:
+
+    matchpathcon /path/to/my/file
+
+is easier to type and remember than:
+
+    selabel_lookup -b file -k /path/to/my/file
+
+It also allows performing multiple context searches in one command,
+where selabel_lookup cannot use multiple -k options.
+
+Migrate matchpathcon to the preferred API.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/utils/Makefile       |  2 -
+ libselinux/utils/matchpathcon.c | 87 ++++++++++++++-------------------
+ 2 files changed, 38 insertions(+), 51 deletions(-)
+
+diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
+index aa2d3e1b144f..b018a08acbe0 100644
+--- a/libselinux/utils/Makefile
++++ b/libselinux/utils/Makefile
+@@ -56,8 +56,6 @@ sefcontext_compile: LDLIBS += $(PCRE_LDLIBS) ../src/libselinux.a -lsepol
+ 
+ sefcontext_compile: sefcontext_compile.o ../src/regex.o
+ 
+-matchpathcon: CFLAGS += -Wno-deprecated-declarations
+-
+ all: $(TARGETS)
+ 
+ install: all
+diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
+index cc018d213f4c..a07e160dee71 100644
+--- a/libselinux/utils/matchpathcon.c
++++ b/libselinux/utils/matchpathcon.c
+@@ -1,15 +1,14 @@
+-#include <unistd.h>
+-#include <stdio.h>
+-#include <stdlib.h>
+-#include <getopt.h>
+ #include <errno.h>
+-#include <string.h>
++#include <getopt.h>
+ #include <limits.h>
+-#include <sys/types.h>
+-#include <sys/stat.h>
++#include <selinux/label.h>
+ #include <selinux/selinux.h>
+-#include <limits.h>
++#include <stdio.h>
+ #include <stdlib.h>
++#include <string.h>
++#include <sys/stat.h>
++#include <sys/types.h>
++#include <unistd.h>
+ 
+ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ {
+@@ -19,15 +18,21 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+ 	exit(1);
+ }
+ 
+-static int printmatchpathcon(const char *path, int header, int mode)
++static int printmatchpathcon(struct selabel_handle *hnd, const char *path, int header, int mode, int notrans)
+ {
+-	char *buf;
+-	int rc = matchpathcon(path, mode, &buf);
++	char *buf = NULL;
++	int rc;
++
++	if (notrans) {
++		rc = selabel_lookup_raw(hnd, &buf, path, mode);
++	} else {
++		rc = selabel_lookup(hnd, &buf, path, mode);
++	}
+ 	if (rc < 0) {
+ 		if (errno == ENOENT) {
+ 			buf = strdup("<<none>>");
+ 		} else {
+-			fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
++			fprintf(stderr, "selabel_lookup(%s) failed: %s\n", path,
+ 				strerror(errno));
+ 			return 1;
+ 		}
+@@ -66,15 +71,14 @@ static mode_t string_to_mode(char *s)
+ 
+ int main(int argc, char **argv)
+ {
+-	int i, init = 0, force_mode = 0;
++	int i, force_mode = 0;
+ 	int header = 1, opt;
+ 	int verify = 0;
+ 	int notrans = 0;
+ 	int error = 0;
+ 	int quiet = 0;
+-
+-	fprintf(stderr,
+-		"Deprecated, use selabel_lookup\n");
++	struct selabel_handle *hnd;
++	struct selinux_opt options[SELABEL_NOPT] = {};
+ 
+ 	if (argc < 2)
+ 		usage(argv[0]);
+@@ -96,23 +100,10 @@ int main(int argc, char **argv)
+ 			break;
+ 		case 'N':
+ 			notrans = 1;
+-			set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+ 			break;
+ 		case 'f':
+-			if (init) {
+-				fprintf(stderr,
+-					"%s:  -f and -p are exclusive\n",
+-					argv[0]);
+-				exit(1);
+-			}
+-			init = 1;
+-			if (matchpathcon_init(optarg)) {
+-				fprintf(stderr,
+-					"Error while processing %s:  %s\n",
+-					optarg,
+-					errno ? strerror(errno) : "invalid");
+-				exit(1);
+-			}
++			options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
++			options[SELABEL_OPT_PATH].value = optarg;
+ 			break;
+ 		case 'P':
+ 			if (selinux_set_policy_root(optarg) < 0 ) {
+@@ -124,20 +115,11 @@ int main(int argc, char **argv)
+ 			}
+ 			break;
+ 		case 'p':
+-			if (init) {
+-				fprintf(stderr,
+-					"%s:  -f and -p are exclusive\n",
+-					argv[0]);
+-				exit(1);
+-			}
+-			init = 1;
+-			if (matchpathcon_init_prefix(NULL, optarg)) {
+-				fprintf(stderr,
+-					"Error while processing %s:  %s\n",
+-					optarg,
+-					errno ? strerror(errno) : "invalid");
+-				exit(1);
+-			}
++			// This option has been deprecated since libselinux 2.5 (2016):
++			// https://github.com/SELinuxProject/selinux/commit/26e05da0fc2d0a4bd274320968a88f8acbb3b6a6
++			fprintf(stderr, "Warning: using %s -p is deprecated\n", argv[0]);
++			options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
++			options[SELABEL_OPT_SUBSET].value = optarg;
+ 			break;
+ 		case 'q':
+ 			quiet = 1;
+@@ -146,6 +128,13 @@ int main(int argc, char **argv)
+ 			usage(argv[0]);
+ 		}
+ 	}
++	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
++	if (!hnd) {
++		fprintf(stderr,
++			"Error while opening file contexts database: %s\n",
++			strerror(errno));
++		return -1;
++	}
+ 	for (i = optind; i < argc; i++) {
+ 		int rc, mode = 0;
+ 		struct stat buf;
+@@ -185,19 +174,19 @@ int main(int argc, char **argv)
+ 				if (rc >= 0) {
+ 					printf("%s has context %s, should be ",
+ 					       path, con);
+-					printmatchpathcon(path, 0, mode);
++					printmatchpathcon(hnd, path, 0, mode, notrans);
+ 					freecon(con);
+ 				} else {
+ 					printf
+ 					    ("actual context unknown: %s, should be ",
+ 					     strerror(errno));
+-					printmatchpathcon(path, 0, mode);
++					printmatchpathcon(hnd, path, 0, mode, notrans);
+ 				}
+ 			}
+ 		} else {
+-			error |= printmatchpathcon(path, header, mode);
++			error |= printmatchpathcon(hnd, path, header, mode, notrans);
+ 		}
+ 	}
+-	matchpathcon_fini();
++	selabel_close(hnd);
+ 	return error;
+ }
+-- 
+2.29.0
+

0012-libsepol-Bump-libsepol.so-version.patch

@@ -0,0 +1,45 @@
+From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:49 +0200
+Subject: [PATCH] libsepol: Bump libsepol.so version
+
+Previous commits removed some symbols and broke ABI, therefore we need to change
+SONAME.
+
+See the following quotes from distribution guidelines:
+
+https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
+
+Every time the shared library ABI changes in a way that may break
+binaries linked against older versions of the shared library, the SONAME
+of the library and the corresponding name for the binary package
+containing the runtime shared library should change.
+
+https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
+
+When new versions of the library are released, you should use an ABI
+comparison tool to check for ABI differences in the built shared
+libraries. If it detects any incompatibilities, bump the n number by
+one.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libselinux/src/load_policy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 2aea826f863e..0034fa53d6e6 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -76,7 +76,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
+ #ifdef SHARED
+ 	char *errormsg = NULL;
+ 	void *libsepolh = NULL;
+-	libsepolh = dlopen("libsepol.so.1", RTLD_NOW);
++	libsepolh = dlopen("libsepol.so.2", RTLD_NOW);
+ 	if (libsepolh) {
+ 		usesepol = 1;
+ 		dlerror();
+-- 
+2.29.0
+

0013-libselinux-Add-build-option-to-disable-X11-backend.patch

@@ -0,0 +1,48 @@
+From db0f2f382e31c44eef8f636d5698f9f4b11b4eeb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
+Date: Mon, 12 Oct 2020 17:46:16 +0300
+Subject: [PATCH] libselinux: Add build option to disable X11 backend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
+---
+ libselinux/Makefile     | 5 ++++-
+ libselinux/src/Makefile | 4 ++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index 6a43b243f4da..cb5872b7b090 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -17,7 +17,10 @@ endif
+ ifeq ($(DISABLE_BOOL),y)
+ 	DISABLE_FLAGS+= -DDISABLE_BOOL
+ endif
+-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST
++ifeq ($(DISABLE_X11),y)
++	DISABLE_FLAGS+= -DNO_X_BACKEND
++endif
++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
+ 
+ USE_PCRE2 ?= n
+ ifeq ($(USE_PCRE2),y)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index 190016e2af34..be0b6eec6f6d 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -126,6 +126,10 @@ DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
+ endif
+ 
++ifeq ($(DISABLE_X11),y)
++SRCS:= $(filter-out label_x.c, $(SRCS))
++endif
++
+ SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
+ 
+ all: $(LIBA) $(LIBSO) $(LIBPC)
+-- 
+2.29.0
+

0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch

@@ -1,4 +1,4 @@
-From c36e12a0ed7641a9baa13afa1730b04eda0be07b Mon Sep 17 00:00:00 2001
+From a2f09a2faf2950d15fad34f23c65df62ec0d942c Mon Sep 17 00:00:00 2001
 From: Miroslav Grepl <mgrepl@redhat.com>
 Date: Wed, 16 Jul 2014 08:28:03 +0200
 Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
@@ -8,7 +8,7 @@ Subject: [PATCH] Fix selinux man page to refer seinfo and sesearch tools.
  1 file changed, 3 insertions(+), 1 deletion(-)
 
 diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
-index e37aee6833b0..bf23b65579ca 100644
+index 31364271eed2..8b4fc3706989 100644
 --- a/libselinux/man/man8/selinux.8
 +++ b/libselinux/man/man8/selinux.8
 @@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
@@ -27,5 +27,5 @@ index e37aee6833b0..bf23b65579ca 100644
  Every confined service on the system has a man page in the following format:
  .br
 -- 
-2.23.0
+2.29.0
 

0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch

@@ -0,0 +1,59 @@
+From f870bd1ea6847840f1878490e090ef96ed708ac4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B6rn=20Bidar?= <bjorn.bidar@jolla.com>
+Date: Mon, 12 Oct 2020 19:07:22 +0300
+Subject: [PATCH] libselinux: LABEL_BACKEND_ANDROID add option to enable
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Add option to just enable the android label backend without disabling
+anything else eg. using ANDROID_HOST. Enable by default when using ANDROID_HOST.
+
+Signed-off-by: Björn Bidar <bjorn.bidar@jolla.com>
+---
+ libselinux/Makefile     | 3 ++-
+ libselinux/src/Makefile | 6 +++++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/Makefile b/libselinux/Makefile
+index cb5872b7b090..ac16c15e8d0a 100644
+--- a/libselinux/Makefile
++++ b/libselinux/Makefile
+@@ -4,6 +4,7 @@ PKG_CONFIG ?= pkg-config
+ DISABLE_SETRANS ?= n
+ DISABLE_RPM ?= n
+ ANDROID_HOST ?= n
++LABEL_BACKEND_ANDROID ?= n
+ ifeq ($(ANDROID_HOST),y)
+ 	override DISABLE_SETRANS=y
+ 	override DISABLE_BOOL=y
+@@ -20,7 +21,7 @@ endif
+ ifeq ($(DISABLE_X11),y)
+ 	DISABLE_FLAGS+= -DNO_X_BACKEND
+ endif
+-export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11
++export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST DISABLE_X11 LABEL_BACKEND_ANDROID
+ 
+ USE_PCRE2 ?= n
+ ifeq ($(USE_PCRE2),y)
+diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
+index be0b6eec6f6d..52c40f018f51 100644
+--- a/libselinux/src/Makefile
++++ b/libselinux/src/Makefile
+@@ -122,8 +122,12 @@ SRCS= callbacks.c freecon.c label.c label_file.c \
+ 	label_backends_android.c regex.c label_support.c \
+ 	matchpathcon.c setrans_client.c sha1.c booleans.c
+ else
+-DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
++LABEL_BACKEND_ANDROID=y
++endif
++
++ifneq ($(LABEL_BACKEND_ANDROIDT),y)
+ SRCS:= $(filter-out label_backends_android.c, $(SRCS))
++DISABLE_FLAGS+= -DNO_ANDROID_BACKEND
+ endif
+ 
+ ifeq ($(DISABLE_X11),y)
+-- 
+2.29.2
+

0016-selinux-8-mark-up-SELINUX-values.patch

@@ -0,0 +1,51 @@
+From c698cd8cbc98ab2f795d3c353c9f978c1758106d Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:38 +0100
+Subject: [PATCH] selinux(8): mark up SELINUX values
+
+Mark up the possible values of SELINUX (disabled, permissive, enforcing)
+for better readability.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 24 ++++++++++++------------
+ 1 file changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 8b4fc3706989..522d45960bf3 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -19,18 +19,18 @@ enabled or disabled, and if enabled, whether SELinux operates in
+ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+-any one of disabled, permissive, or enforcing to select one of these
+-options.  The disabled option completely disables the SELinux kernel
+-and application code, leaving the system running without any SELinux
+-protection.  The permissive option enables the SELinux code, but
+-causes it to operate in a mode where accesses that would be denied by
+-policy are permitted but audited.  The enforcing option enables the
+-SELinux code and causes it to enforce access denials as well as
+-auditing them.  Permissive mode may yield a different set of denials
+-than enforcing mode, both because enforcing mode will prevent an
+-operation from proceeding past the first denial and because some
+-application code will fall back to a less privileged mode of operation
+-if denied access.
++any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
++select one of these options.  The \fIdisabled\fR option completely
++disables the SELinux kernel and application code, leaving the system
++running without any SELinux protection.  The \fIpermissive\fR option
++enables the SELinux code, but causes it to operate in a mode where
++accesses that would be denied by policy are permitted but audited.  The
++\fIenforcing\fR option enables the SELinux code and causes it to enforce
++access denials as well as auditing them.  \fIpermissive\fR mode may
++yield a different set of denials than enforcing mode, both because
++enforcing mode will prevent an operation from proceeding past the first
++denial and because some application code will fall back to a less
++privileged mode of operation if denied access.
+ 
+ The
+ .I /etc/selinux/config
+-- 
+2.29.2
+

0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch

@@ -0,0 +1,57 @@
+From 225486048881d429e4b92ad24b65af7a1fc4c3a9 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Wed, 11 Nov 2020 17:23:39 +0100
+Subject: [PATCH] selinux(8): explain that runtime disable is deprecated
+
+Update the main SELinux manpage to explain that runtime disable (i.e.
+disabling SELinux using SELINUX=Disabled) is deprecated and recommend
+disabling SELinux only via the kernel boot parameter.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libselinux/man/man8/selinux.8 | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
+index 522d45960bf3..a36e286b1409 100644
+--- a/libselinux/man/man8/selinux.8
++++ b/libselinux/man/man8/selinux.8
+@@ -20,8 +20,8 @@ permissive mode or enforcing mode.  The
+ .B SELINUX
+ variable may be set to
+ any one of \fIdisabled\fR, \fIpermissive\fR, or \fIenforcing\fR to
+-select one of these options.  The \fIdisabled\fR option completely
+-disables the SELinux kernel and application code, leaving the system
++select one of these options.  The \fIdisabled\fR disables most of the
++SELinux kernel and application code, leaving the system
+ running without any SELinux protection.  The \fIpermissive\fR option
+ enables the SELinux code, but causes it to operate in a mode where
+ accesses that would be denied by policy are permitted but audited.  The
+@@ -32,6 +32,24 @@ enforcing mode will prevent an operation from proceeding past the first
+ denial and because some application code will fall back to a less
+ privileged mode of operation if denied access.
+ 
++.B NOTE:
++Disabling SELinux by setting
++.B SELINUX=disabled
++in
++.I /etc/selinux/config
++is deprecated and depending on kernel version and configuration it might
++not lead to SELinux being completely disabled.  Specifically, the
++SELinux hooks will still be executed internally, but the SELinux policy
++will not be loaded and no operation will be denied.  In such state, the
++system will act as if SELinux was disabled, although some operations
++might behave slightly differently.  To properly disable SELinux, it is
++recommended to use the
++.B selinux=0
++kernel boot option instead.  In that case SELinux will be disabled
++regardless of what is set in the
++.I /etc/selinux/config
++file.
++
+ The
+ .I /etc/selinux/config
+ configuration file also controls what policy
+-- 
+2.29.2
+

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+

libselinux.spec

@@ -1,25 +1,40 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.0-1
+%define libsepolver 3.1-5
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.0
-Release: 1%{?dist}
+Version: 3.1
+Release: 5%{?dist}
 License: Public Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
-Source0: https://github.com/SELinuxProject/selinux/releases/download/20191204/libselinux-3.0.tar.gz
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libselinux-3.1.tar.gz
 Source1: selinuxconlist.8
 Source2: selinuxdefcon.8
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N libselinux-3.0 -- libselinux
+# $ git format-patch -N libselinux-3.1 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
-Patch0001: 0001-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
-Patch0002: 0002-Verify-context-input-to-funtions-to-make-sure-the-co.patch
+Patch0001: 0001-libselinux-use-kernel-status-page-by-default.patch
+Patch0002: 0002-libselinux-fix-build-order.patch
+Patch0003: 0003-libselinux-use-full-argument-specifiers-for-security.patch
+Patch0004: 0004-libselinux-Remove-trailing-slash-on-selabel_file-loo.patch
+Patch0005: 0005-libselinux-safely-access-shared-memory-in-selinux_st.patch
+Patch0006: 0006-libselinux-initialize-last_policyload-in-selinux_sta.patch
+Patch0007: 0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch
+Patch0008: 0008-libselinux-Fix-selabel_lookup-for-the-root-dir.patch
+Patch0009: 0009-libselinux-Add-additional-log-callback-details-in-ma.patch
+Patch0010: 0010-libselinux-Change-userspace-AVC-setenforce-and-polic.patch
+Patch0011: 0011-libselinux-convert-matchpathcon-to-selabel_lookup.patch
+Patch0012: 0012-libsepol-Bump-libsepol.so-version.patch
+Patch0013: 0013-libselinux-Add-build-option-to-disable-X11-backend.patch
+Patch0014: 0014-Fix-selinux-man-page-to-refer-seinfo-and-sesearch-to.patch
+Patch0015: 0015-libselinux-LABEL_BACKEND_ANDROID-add-option-to-enabl.patch
+Patch0016: 0016-selinux-8-mark-up-SELINUX-values.patch
+Patch0017: 0017-selinux-8-explain-that-runtime-disable-is-deprecated.patch
 # Patch list end
-BuildRequires: gcc
+BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel xz-devel
 BuildRequires: python3 python3-devel
 BuildRequires: systemd
@@ -95,6 +110,7 @@ export DISABLE_RPM="y"
 export USE_PCRE2="y"
 
 %set_build_flags
+CFLAGS="$CFLAGS -fno-semantic-interposition"
 
 # To support building the Python wrapper against multiple Python runtimes
 # Define a function, for how to perform a "build" of the python wrapper against
@@ -103,30 +119,23 @@ BuildPythonWrapper() {
   BinaryName=$1
 
   # Perform the build from the upstream Makefile:
-  make \
+  %make_build \
     PYTHON=$BinaryName \
-    LIBDIR="%{_libdir}" %{?_smp_mflags} \
+    LIBDIR="%{_libdir}" \
     pywrap
 }
 
-make clean
-make LIBDIR="%{_libdir}" %{?_smp_mflags} swigify
-make LIBDIR="%{_libdir}" %{?_smp_mflags} all
+%make_build LIBDIR="%{_libdir}" swigify
+%make_build LIBDIR="%{_libdir}" all
 
 BuildPythonWrapper %{__python3}
 
-make RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" %{?_smp_mflags} rubywrap
+%make_build RUBYINC="%{ruby_inc}" SHLIBDIR="%{_libdir}" LIBDIR="%{_libdir}" LIBSEPOLA="%{_libdir}/libsepol.a" rubywrap
 
 %install
 InstallPythonWrapper() {
   BinaryName=$1
 
-  make \
-    PYTHON=$BinaryName \
-    LIBDIR="%{_libdir}" %{?_smp_mflags} \
-    LIBSEPOLA="%{_libdir}/libsepol.a" \
-    pywrap
-
   make \
     PYTHON=$BinaryName \
     DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" \
@@ -146,7 +155,8 @@ echo "d %{_rundir}/setrans 0755 root root" > %{buildroot}%{_tmpfilesdir}/libseli
 
 InstallPythonWrapper %{__python3}
 
-make DESTDIR="%{buildroot}" LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}" RUBYINSTALL=%{ruby_vendorarchdir} install install-rubywrap
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}" BINDIR="%{_bindir}" SBINDIR="%{_sbindir}"
+make DESTDIR="%{buildroot}" RUBYINSTALL=%{ruby_vendorarchdir} install-rubywrap
 
 # Nuke the files we don't want to distribute
 rm -f %{buildroot}%{_sbindir}/compute_*
@@ -219,6 +229,43 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- selinux(8): explain that runtime disable is deprecated
+
+* Fri Oct 30 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
+- Use libsepol.so.2
+- Convert matchpathcon to selabel_lookup()
+- Change userspace AVC setenforce and policy load messages to audit
+  format
+- Remove trailing slash on selabel_file lookups
+- Use kernel status page by default
+
+* Wed Sep 02 2020 Jeff Law <law@redhat.com> - 3.1-3
+- Re-enable LTO
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+- Use -fno-semantic-interposition and more make macros
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Wed Jul  1 2020 Jeff Law <law@redhat.com> - 3.0-6
+- Disable LTO
+
+* Sat May 23 2020 Miro Hrončok <mhroncok@redhat.com> - 3.0-5
+- Rebuilt for Python 3.9
+
+* Thu Mar  5 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-4
+- Eliminate use of security_compute_user()
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 18 2020 Mamoru TASAKA <mtasaka@fedoraproject.org> - 3.0-2
+- F-32: rebuild against ruby27
+
 * Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
 - SELinux userspace 3.0 release
 

sources

@@ -1 +1 @@
-SHA512 (libselinux-3.0.tar.gz) = 6fd8c3711e25cb1363232e484268609b71d823975537b3863e403836222eba026abce8ca198f64dba6f4c1ea4deb7ecef68a0397b9656a67b363e4d74409cd95
+SHA512 (libselinux-3.1.tar.gz) = 57730cddd2d4751556d9e1f207c0f85119c81848f0620c16239e997150989e3f9a586a8c23861fd51ed89f7e084ad441190a58a288258a49a95f7beef7dbbb13