diff --git a/.gitignore b/.gitignore
index a30f43c..1fb5b19 100644
--- a/.gitignore
+++ b/.gitignore
@@ -140,3 +140,4 @@ libsemanage-2.0.45.tgz
 /libsemanage-2.8-rc2.tar.gz
 /libsemanage-2.8-rc3.tar.gz
 /libsemanage-2.8.tar.gz
+/libsemanage-2.9-rc1.tar.gz
diff --git a/libsemanage-fedora.patch b/libsemanage-fedora.patch
index c309484..9ec3d72 100644
--- a/libsemanage-fedora.patch
+++ b/libsemanage-fedora.patch
@@ -1,82 +1,7 @@ -diff --git libsemanage-2.8/src/boolean_record.c libsemanage-2.8/src/boolean_record.c -index 665c022..c234094 100644 ---- libsemanage-2.8/src/boolean_record.c -+++ libsemanage-2.8/src/boolean_record.c -@@ -6,7 +6,9 @@ - * Implements: record_key_t (Database Record Key) - */ - -+#include - #include -+#include "handle_internal.h" - - typedef sepol_bool_t semanage_bool_t; - typedef sepol_bool_key_t semanage_bool_key_t; -@@ -84,10 +86,58 @@ hidden_def(semanage_bool_get_name) - int semanage_bool_set_name(semanage_handle_t * handle, - semanage_bool_t * boolean, const char *name) - { -- int rc; -- char *subname = selinux_boolean_sub(name); -+ int rc = -1; -+ const char *prefix = semanage_root(); -+ const char *storename = handle->conf->store_path; -+ const char *selinux_root = selinux_policy_root(); -+ char *oldroot; -+ char *olddir; -+ char *subname = NULL; -+ char *newroot = NULL; -+ char *end; -+ -+ if (!selinux_root) -+ return -1; -+ -+ oldroot = strdup(selinux_root); -+ if (!oldroot) -+ return -1; -+ olddir = strdup(oldroot); -+ if (!olddir) -+ goto out; -+ end = strrchr(olddir, '/'); -+ if (!end) -+ goto out; -+ end++; -+ *end = '\0'; -+ rc = asprintf(&newroot, "%s%s%s", prefix, olddir, storename); -+ if (rc < 0) -+ goto out; -+ -+ if (strcmp(oldroot, newroot)) { -+ rc = selinux_set_policy_root(newroot); -+ if (rc) -+ goto out; -+ } -+ -+ subname = selinux_boolean_sub(name); -+ if (!subname) { -+ rc = -1; -+ goto out; -+ } -+ -+ if (strcmp(oldroot, newroot)) { -+ rc = selinux_set_policy_root(oldroot); -+ if (rc) -+ goto out; -+ } -+ - rc = sepol_bool_set_name(handle->sepolh, boolean, subname); -+out: - free(subname); -+ free(oldroot); -+ free(olddir); -+ free(newroot); - return rc; - } - -diff --git libsemanage-2.8/src/direct_api.c libsemanage-2.8/src/direct_api.c +diff --git libsemanage-2.9-rc1/src/direct_api.c libsemanage-2.9-rc1/src/direct_api.c index c58961b..8e4d116 100644 ---- libsemanage-2.8/src/direct_api.c -+++ 
libsemanage-2.8/src/direct_api.c +--- libsemanage-2.9-rc1/src/direct_api.c ++++ libsemanage-2.9-rc1/src/direct_api.c @@ -1028,7 +1028,7 @@ static int semanage_direct_write_langext(semanage_handle_t *sh, fp = NULL; @@ -126,32 +51,11 @@ index c58961b..8e4d116 100644 return status; } -diff --git libsemanage-2.8/src/genhomedircon.c libsemanage-2.8/src/genhomedircon.c -index 3e61b51..ac37667 100644 ---- libsemanage-2.8/src/genhomedircon.c -+++ libsemanage-2.8/src/genhomedircon.c -@@ -361,7 +361,11 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) - - errno = 0; - setpwent(); -- while ((pwbuf = getpwent()) != NULL) { -+ while (1) { -+ errno = 0; -+ pwbuf = getpwent(); -+ if (pwbuf == NULL) -+ break; - if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid) - continue; - if (!semanage_list_find(shells, pwbuf->pw_shell)) -@@ -403,7 +407,6 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) - } - free(path); - path = NULL; -- errno = 0; - } - - if (errno) { -@@ -1074,10 +1077,20 @@ static int get_group_users(genhomedircon_settings_t * s, +diff --git libsemanage-2.9-rc1/src/genhomedircon.c libsemanage-2.9-rc1/src/genhomedircon.c +index 591941f..ac37667 100644 +--- libsemanage-2.9-rc1/src/genhomedircon.c ++++ libsemanage-2.9-rc1/src/genhomedircon.c +@@ -1077,10 +1077,20 @@ static int get_group_users(genhomedircon_settings_t * s, const char *grname = selogin + 1; 
@@ -175,233 +79,3 @@ index 3e61b51..ac37667 100644 if (group == NULL) { ERR(s->h_semanage, "Can't find group named %s\n", grname); -@@ -1101,7 +1114,11 @@ static int get_group_users(genhomedircon_settings_t * s, - } - - setpwent(); -- while ((pw = getpwent()) != NULL) { -+ while (1) { -+ errno = 0; -+ pw = getpwent(); -+ if (pw == NULL) -+ break; - // skip users who also have this group as their - // primary group - if (lfind(pw->pw_name, group->gr_mem, &nmembers, -diff --git libsemanage-2.8/src/handle.c libsemanage-2.8/src/handle.c -index a6567bd..e5109ae 100644 ---- libsemanage-2.8/src/handle.c -+++ libsemanage-2.8/src/handle.c -@@ -58,6 +58,8 @@ const char * semanage_root(void) - return private_semanage_root; - } - -+hidden_def(semanage_root); -+ - semanage_handle_t *semanage_handle_create(void) - { - semanage_handle_t *sh = NULL; -diff --git libsemanage-2.8/src/handle_internal.h libsemanage-2.8/src/handle_internal.h -index 66ce270..d4b4d9c 100644 ---- libsemanage-2.8/src/handle_internal.h -+++ libsemanage-2.8/src/handle_internal.h -@@ -5,8 +5,9 @@ - #include "dso.h" - - hidden_proto(semanage_begin_transaction) -- hidden_proto(semanage_handle_destroy) -- hidden_proto(semanage_reload_policy) -- hidden_proto(semanage_access_check) -- hidden_proto(semanage_set_root) -+hidden_proto(semanage_handle_destroy) -+hidden_proto(semanage_reload_policy) -+hidden_proto(semanage_access_check) -+hidden_proto(semanage_set_root) -+hidden_proto(semanage_root) - #endif -diff --git libsemanage-2.8/src/semanage_store.c libsemanage-2.8/src/semanage_store.c -index f1984c5..58dded6 100644 ---- libsemanage-2.8/src/semanage_store.c -+++ libsemanage-2.8/src/semanage_store.c -@@ -541,14 +541,18 @@ int semanage_create_store(semanage_handle_t * sh, int create) - struct stat sb; - const char *path = semanage_files[SEMANAGE_ROOT]; - int fd; -+ mode_t mask; - - if (stat(path, &sb) == -1) { - if (errno == ENOENT && create) { -+ mask = umask(0077); - if (mkdir(path, S_IRWXU) == -1) { -+ 
umask(mask); - ERR(sh, "Could not create module store at %s.", - path); - return -2; - } -+ umask(mask); - } else { - if (create) - ERR(sh, -@@ -567,12 +571,15 @@ int semanage_create_store(semanage_handle_t * sh, int create) - path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL); - if (stat(path, &sb) == -1) { - if (errno == ENOENT && create) { -+ mask = umask(0077); - if (mkdir(path, S_IRWXU) == -1) { -+ umask(mask); - ERR(sh, - "Could not create module store, active subdirectory at %s.", - path); - return -2; - } -+ umask(mask); - } else { - ERR(sh, - "Could not read from module store, active subdirectory at %s.", -@@ -590,12 +597,15 @@ int semanage_create_store(semanage_handle_t * sh, int create) - path = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_MODULES); - if (stat(path, &sb) == -1) { - if (errno == ENOENT && create) { -+ mask = umask(0077); - if (mkdir(path, S_IRWXU) == -1) { -+ umask(mask); - ERR(sh, - "Could not create module store, active modules subdirectory at %s.", - path); - return -2; - } -+ umask(mask); - } else { - ERR(sh, - "Could not read from module store, active modules subdirectory at %s.", -@@ -613,11 +623,14 @@ int semanage_create_store(semanage_handle_t * sh, int create) - path = semanage_files[SEMANAGE_READ_LOCK]; - if (stat(path, &sb) == -1) { - if (errno == ENOENT && create) { -+ mask = umask(0077); - if ((fd = creat(path, S_IRUSR | S_IWUSR)) == -1) { -+ umask(mask); - ERR(sh, "Could not create lock file at %s.", - path); - return -2; - } -+ umask(mask); - close(fd); - } else { - ERR(sh, "Could not read lock file at %s.", path); -@@ -763,6 +776,7 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) - struct stat sb; - struct dirent **names = NULL; - char path[PATH_MAX], path2[PATH_MAX]; -+ mode_t mask; - - if ((len = scandir(src, &names, semanage_filename_select, NULL)) == -1) { - fprintf(stderr, "Could not read the contents of %s: %s\n", src, strerror(errno)); -@@ -770,10 +784,13 @@ static int 
semanage_copy_dir_flags(const char *src, const char *dst, int flag) - } - - if (stat(dst, &sb) != 0) { -+ mask = umask(0077); - if (mkdir(dst, S_IRWXU) != 0) { -+ umask(mask); - fprintf(stderr, "Could not create %s: %s\n", dst, strerror(errno)); - goto cleanup; - } -+ umask(mask); - } - - for (i = 0; i < len; i++) { -@@ -785,14 +802,20 @@ static int semanage_copy_dir_flags(const char *src, const char *dst, int flag) - } - snprintf(path2, sizeof(path2), "%s/%s", dst, names[i]->d_name); - if (S_ISDIR(sb.st_mode)) { -+ mask = umask(0077); - if (mkdir(path2, 0700) == -1 || - semanage_copy_dir_flags(path, path2, flag) == -1) { -+ umask(mask); - goto cleanup; - } -+ umask(mask); - } else if (S_ISREG(sb.st_mode) && flag == 1) { -+ mask = umask(0077); - if (semanage_copy_file(path, path2, sb.st_mode) < 0) { -+ umask(mask); - goto cleanup; - } -+ umask(mask); - } - } - retval = 0; -@@ -872,16 +895,20 @@ int semanage_mkdir(semanage_handle_t *sh, const char *path) - { - int status = 0; - struct stat sb; -+ mode_t mask; - - /* check if directory already exists */ - if (stat(path, &sb) != 0) { - /* make the modules directory */ -+ mask = umask(0077); - if (mkdir(path, S_IRWXU) != 0) { -+ umask(mask); - ERR(sh, "Cannot make directory at %s", path); - status = -1; - goto cleanup; - - } -+ umask(mask); - } - else { - /* check that it really is a directory */ -@@ -906,6 +933,7 @@ int semanage_make_sandbox(semanage_handle_t * sh) - const char *sandbox = semanage_path(SEMANAGE_TMP, SEMANAGE_TOPLEVEL); - struct stat buf; - int errsv; -+ mode_t mask; - - if (stat(sandbox, &buf) == -1) { - if (errno != ENOENT) { -@@ -922,12 +950,15 @@ int semanage_make_sandbox(semanage_handle_t * sh) - } - } - -+ mask = umask(0077); - if (mkdir(sandbox, S_IRWXU) == -1 || - semanage_copy_dir(semanage_path(SEMANAGE_ACTIVE, SEMANAGE_TOPLEVEL), - sandbox) == -1) { -+ umask(mask); - ERR(sh, "Could not copy files to sandbox %s.", sandbox); - goto cleanup; - } -+ umask(mask); - return 0; - - cleanup: -diff 
--git libsemanage-2.8/src/seusers_local.c libsemanage-2.8/src/seusers_local.c -index 413ebdd..a79e2d3 100644 ---- libsemanage-2.8/src/seusers_local.c -+++ libsemanage-2.8/src/seusers_local.c -@@ -71,17 +71,18 @@ static int semanage_seuser_audit(semanage_handle_t * handle, - const char *sep = "-"; - int rc = -1; - strcpy(msg, "login"); -+ if (previous) { -+ name = semanage_seuser_get_name(previous); -+ psename = semanage_seuser_get_sename(previous); -+ pmls = semanage_seuser_get_mlsrange(previous); -+ proles = semanage_user_roles(handle, psename); -+ } - if (seuser) { - name = semanage_seuser_get_name(seuser); - sename = semanage_seuser_get_sename(seuser); - mls = semanage_seuser_get_mlsrange(seuser); - roles = semanage_user_roles(handle, sename); - } -- if (previous) { -- psename = semanage_seuser_get_sename(previous); -- pmls = semanage_seuser_get_mlsrange(previous); -- proles = semanage_user_roles(handle, psename); -- } - if (audit_type != AUDIT_ROLE_REMOVE) { - if (sename && (!psename || strcmp(psename, sename) != 0)) { - strcat(msg,sep); diff --git a/libsemanage.spec b/libsemanage.spec index af13e12..ec2dfcc 100644 --- a/libsemanage.spec +++ b/libsemanage.spec 
@@ -1,16 +1,16 @@ -%define libsepolver 2.8-3 -%define libselinuxver 2.8-7 +%define libsepolver 2.9-0 +%define libselinuxver 2.9-0 Summary: SELinux binary policy manipulation library Name: libsemanage -Version: 2.8 -Release: 8%{?dist} +Version: 2.9 +Release: 0.rc1.1%{?dist} License: LGPLv2+ -Source: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/libsemanage-2.8.tar.gz +Source0: https://github.com/SELinuxProject/selinux/releases/download/20190125/libsemanage-2.9-rc1.tar.gz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: -# $ VERSION=2.8 ./make-fedora-selinux-patch.sh libsemanage -# HEAD https://github.com/fedora-selinux/selinux/commit/10767636b5d9b8f3fa3cf3815e860f4ca4fcb247 +# $ VERSION=2.9-rc1 ./make-fedora-selinux-patch.sh libsemanage +# HEAD https://github.com/fedora-selinux/selinux/commit/a69fe203e41c9493e13ffafa51908d17da6fa7a2 Patch1: libsemanage-fedora.patch URL: https://github.com/SELinuxProject/selinux/wiki Source1: semanage.conf @@ -87,7 +87,7 @@ The libsemanage-python3 package contains the python 3 bindings for developing SELinux management applications. %prep -%autosetup -n libsemanage-%{version} -p 1 +%autosetup -n libsemanage-%{version}-rc1 -p 1 %build @@ -179,6 +179,9 @@ sed -i '1s%\(#! */usr/bin/python\)\([^3].*\|\)$%\13\2%' %{buildroot}%{_libexecdi %{_libexecdir}/selinux/semanage_migrate_store %changelog +* Fri Jan 25 2019 Petr Lautrbach - 2.9-0.rc1.1 +- SELinux userspace 2.9-rc1 release + * Mon Jan 21 2019 Petr Lautrbach - 2.8-8 - Always set errno to 0 before calling getpwent() - Set selinux policy root around calls to selinux_boolean_sub diff --git a/sources b/sources index e8d8c66..3bcd7c0 100644 --- a/sources +++ b/sources 
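Review bot: The pre-release tag `rc1` is hand-written in three places that must agree — the `Source0` filename and `Release: 0.rc1.1%{?dist}` in this hunk, and `%autosetup -n libsemanage-%{version}-rc1 -p 1` in the `%prep` hunk below — and a mismatch between the tarball name and the `-n` directory only surfaces when `%prep` fails at build time. Defining the tag once, e.g. `%global rctag rc1` next to the `libsepolver`/`libselinuxver` defines, and writing `Release: 0.%{rctag}.1%{?dist}` and `%autosetup -n libsemanage-%{version}-%{rctag} -p 1` (with the same macro in the `Source0` filename) turns the rc2 and final-release bumps into a one-line edit. The `# $ VERSION=2.9-rc1` regeneration comment should stay literal, since rpm expands macros even inside comments.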
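Review bot: The new changelog entry `- SELinux userspace 2.9-rc1 release` does not record that libsemanage-fedora.patch in the same commit stops carrying the boolean_record.c/handle.c/handle_internal.h policy-root change, the umask(0077) wrapping around mkdir/creat in semanage_store.c, the seusers_local.c audit reorder and the errno-reset getpwent loops in genhomedircon.c, leaving only the direct_api.c and get_group_users hunks. Presumably those landed upstream in 2.9-rc1, but the spec gives a reader no way to tell, and the 2.8-8 entry directly below still advertises the errno and policy-root fixes as downstream changes. A line such as `- Drop libsemanage-fedora.patch hunks merged upstream in 2.9-rc1` under the 2.9-0.rc1.1 entry would record that, and is worth pairing with a check that the rc1 tarball actually contains the umask hardening before the downstream copy is dropped.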
@@ -1 +1 @@
-SHA512 (libsemanage-2.8.tar.gz) = 53f09c79da168a79b853f55e0f1c20a96229df9d82929c514bcaf72697446ae836f7f0457fc0056d2418cc6d0712157faf0152881518fe84a1b1b9b9af17e7ef
+SHA512 (libsemanage-2.9-rc1.tar.gz) = ad17c450d32c50a65b09cdbde49a7a54708f3e50dc7f4fb1a90cd717448b5d4f7e231fd5742e5ee273b13dd07c702d69a724937c8147f74d271aceb7cd9f9748