Enable gating on tests

https://docs.fedoraproject.org/en-US/ci/gating/

.gitignore

@@ -148,3 +148,32 @@ libsepol-2.0.38.tgz
 libsepol-2.0.39.tgz
 libsepol-2.0.40.tgz
 libsepol-2.0.41.tgz
+/libsepol-2.0.42.tgz
+/libsepol-2.0.43.tgz
+/libsepol-2.0.44.tgz
+/libsepol-2.0.45.tgz
+/libsepol-2.1.0.tgz
+/libsepol-2.1.1.tgz
+/libsepol-2.1.2.tgz
+/libsepol-2.1.3.tgz
+/libsepol-2.1.4.tgz
+/libsepol-2.1.5.tgz
+/libsepol-2.1.7.tgz
+/libsepol-2.1.8.tgz
+/libsepol-2.1.9.tgz
+/libsepol-2.2.tgz
+/libsepol-2.3.tgz
+/libsepol-2.4.tar.gz
+/libsepol-2.5-rc1.tar.gz
+/libsepol-2.5.tar.gz
+/libsepol-2.6.tar.gz
+/libsepol-2.7.tar.gz
+/libsepol-2.8-rc1.tar.gz
+/libsepol-2.8-rc3.tar.gz
+/libsepol-2.8.tar.gz
+/libsepol-2.9-rc1.tar.gz
+/libsepol-2.9-rc2.tar.gz
+/libsepol-2.9.tar.gz
+/libsepol-3.0-rc1.tar.gz
+/libsepol-3.0.tar.gz
+/libsepol-3.1.tar.gz

0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch

@@ -0,0 +1,592 @@
+From 42ae834a7428c57f7b2a9f448adf4cf991fa3487 Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Fri, 31 Jul 2020 13:10:34 +0200
+Subject: [PATCH] libsepol,checkpolicy: optimize storage of filename
+ transitions
+
+In preparation to support a new policy format with a more optimal
+representation of filename transition rules, this patch applies an
+equivalent change from kernel commit c3a276111ea2 ("selinux: optimize
+storage of filename transitions").
+
+See the kernel commit's description [1] for the rationale behind this
+representation. This change doesn't bring any measurable difference of
+policy build performance (semodule -B) on Fedora.
+
+[1] https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git/commit/?id=c3a276111ea2572399281988b3129683e2a6b60b
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsepol/cil/src/cil_binary.c              |  26 ++---
+ libsepol/include/sepol/policydb/policydb.h |  15 ++-
+ libsepol/src/expand.c                      |  56 ++-------
+ libsepol/src/kernel_to_cil.c               |  24 +++-
+ libsepol/src/kernel_to_conf.c              |  24 +++-
+ libsepol/src/policydb.c                    | 125 +++++++++++++++------
+ libsepol/src/write.c                       |  46 ++++----
+ 7 files changed, 183 insertions(+), 133 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 62178d998468..7726685809af 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -1131,11 +1131,10 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
+ 	class_datum_t *sepol_obj = NULL;
+ 	struct cil_list *class_list;
+ 	type_datum_t *sepol_result = NULL;
+-	filename_trans_t *newkey = NULL;
+-	filename_trans_datum_t *newdatum = NULL, *otype = NULL;
+ 	ebitmap_t src_bitmap, tgt_bitmap;
+ 	ebitmap_node_t *node1, *node2;
+ 	unsigned int i, j;
++	uint32_t otype;
+ 	struct cil_list_item *c;
+ 	char *name = DATUM(typetrans->name)->name;
+ 
+@@ -1176,22 +1175,14 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
+ 				rc = __cil_get_sepol_class_datum(pdb, DATUM(c->data), &sepol_obj);
+ 				if (rc != SEPOL_OK) goto exit;
+ 
+-				newkey = cil_calloc(1, sizeof(*newkey));
+-				newdatum = cil_calloc(1, sizeof(*newdatum));
+-				newkey->stype = sepol_src->s.value;
+-				newkey->ttype = sepol_tgt->s.value;
+-				newkey->tclass = sepol_obj->s.value;
+-				newkey->name = cil_strdup(name);
+-				newdatum->otype = sepol_result->s.value;
+-
+-				rc = hashtab_insert(pdb->filename_trans,
+-						    (hashtab_key_t)newkey,
+-						    newdatum);
++				rc = policydb_filetrans_insert(
++					pdb, sepol_src->s.value, sepol_tgt->s.value,
++					sepol_obj->s.value, name, NULL,
++					sepol_result->s.value, &otype
++				);
+ 				if (rc != SEPOL_OK) {
+ 					if (rc == SEPOL_EEXIST) {
+-						otype = hashtab_search(pdb->filename_trans,
+-								(hashtab_key_t)newkey);
+-						if (newdatum->otype != otype->otype) {
++						if (sepol_result->s.value!= otype) {
+ 							cil_log(CIL_ERR, "Conflicting name type transition rules\n");
+ 						} else {
+ 							rc = SEPOL_OK;
+@@ -1199,9 +1190,6 @@ int __cil_typetransition_to_avtab(policydb_t *pdb, const struct cil_db *db, stru
+ 					} else {
+ 						cil_log(CIL_ERR, "Out of memory\n");
+ 					}
+-					free(newkey->name);
+-					free(newkey);
+-					free(newdatum);
+ 					if (rc != SEPOL_OK) {
+ 						goto exit;
+ 					}
+diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
+index 81b63fefbb20..c3180c611c64 100644
+--- a/libsepol/include/sepol/policydb/policydb.h
++++ b/libsepol/include/sepol/policydb/policydb.h
+@@ -162,15 +162,16 @@ typedef struct role_allow {
+ } role_allow_t;
+ 
+ /* filename_trans rules */
+-typedef struct filename_trans {
+-	uint32_t stype;
++typedef struct filename_trans_key {
+ 	uint32_t ttype;
+ 	uint32_t tclass;
+ 	char *name;
+-} filename_trans_t;
++} filename_trans_key_t;
+ 
+ typedef struct filename_trans_datum {
+-	uint32_t otype;		/* expected of new object */
++	ebitmap_t stypes;
++	uint32_t otype;
++	struct filename_trans_datum *next;
+ } filename_trans_datum_t;
+ 
+ /* Type attributes */
+@@ -591,6 +592,7 @@ typedef struct policydb {
+ 
+ 	/* file transitions with the last path component */
+ 	hashtab_t filename_trans;
++	uint32_t filename_trans_count;
+ 
+ 	ebitmap_t *type_attr_map;
+ 
+@@ -650,6 +652,11 @@ extern int policydb_load_isids(policydb_t * p, sidtab_t * s);
+ 
+ extern int policydb_sort_ocontexts(policydb_t *p);
+ 
++extern int policydb_filetrans_insert(policydb_t *p, uint32_t stype,
++				     uint32_t ttype, uint32_t tclass,
++				     const char *name, char **name_alloc,
++				     uint32_t otype, uint32_t *present_otype);
++
+ /* Deprecated */
+ extern int policydb_context_isvalid(const policydb_t * p,
+ 				    const context_struct_t * c);
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index 529e1d356a89..19e48c507236 100644
+--- a/libsepol/src/expand.c
++++ b/libsepol/src/expand.c
+@@ -1371,8 +1371,6 @@ static int copy_role_trans(expand_state_t * state, role_trans_rule_t * rules)
+ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *rules)
+ {
+ 	unsigned int i, j;
+-	filename_trans_t key, *new_trans;
+-	filename_trans_datum_t *otype;
+ 	filename_trans_rule_t *cur_rule;
+ 	ebitmap_t stypes, ttypes;
+ 	ebitmap_node_t *snode, *tnode;
+@@ -1380,7 +1378,7 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 
+ 	cur_rule = rules;
+ 	while (cur_rule) {
+-		uint32_t mapped_otype;
++		uint32_t mapped_otype, present_otype;
+ 
+ 		ebitmap_init(&stypes);
+ 		ebitmap_init(&ttypes);
+@@ -1401,15 +1399,14 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 
+ 		ebitmap_for_each_positive_bit(&stypes, snode, i) {
+ 			ebitmap_for_each_positive_bit(&ttypes, tnode, j) {
+-				key.stype = i + 1;
+-				key.ttype = j + 1;
+-				key.tclass = cur_rule->tclass;
+-				key.name = cur_rule->name;
+-				otype = hashtab_search(state->out->filename_trans,
+-						       (hashtab_key_t) &key);
+-				if (otype) {
++				rc = policydb_filetrans_insert(
++					state->out, i + 1, j + 1,
++					cur_rule->tclass, cur_rule->name,
++					NULL, mapped_otype, &present_otype
++				);
++				if (rc == SEPOL_EEXIST) {
+ 					/* duplicate rule, ignore */
+-					if (otype->otype == mapped_otype)
++					if (present_otype == mapped_otype)
+ 						continue;
+ 
+ 					ERR(state->handle, "Conflicting name-based type_transition %s %s:%s \"%s\":  %s vs %s",
+@@ -1417,44 +1414,11 @@ static int expand_filename_trans(expand_state_t *state, filename_trans_rule_t *r
+ 					    state->out->p_type_val_to_name[j],
+ 					    state->out->p_class_val_to_name[cur_rule->tclass - 1],
+ 					    cur_rule->name,
+-					    state->out->p_type_val_to_name[otype->otype - 1],
++					    state->out->p_type_val_to_name[present_otype - 1],
+ 					    state->out->p_type_val_to_name[mapped_otype - 1]);
+ 					return -1;
+-				}
+-
+-				new_trans = calloc(1, sizeof(*new_trans));
+-				if (!new_trans) {
+-					ERR(state->handle, "Out of memory!");
+-					return -1;
+-				}
+-
+-				new_trans->name = strdup(cur_rule->name);
+-				if (!new_trans->name) {
+-					ERR(state->handle, "Out of memory!");
+-					free(new_trans);
+-					return -1;
+-				}
+-				new_trans->stype = i + 1;
+-				new_trans->ttype = j + 1;
+-				new_trans->tclass = cur_rule->tclass;
+-
+-				otype = calloc(1, sizeof(*otype));
+-				if (!otype) {
+-					ERR(state->handle, "Out of memory!");
+-					free(new_trans->name);
+-					free(new_trans);
+-					return -1;
+-				}
+-				otype->otype = mapped_otype;
+-
+-				rc = hashtab_insert(state->out->filename_trans,
+-						    (hashtab_key_t)new_trans,
+-						    otype);
+-				if (rc) {
++				} else if (rc < 0) {
+ 					ERR(state->handle, "Out of memory!");
+-					free(otype);
+-					free(new_trans->name);
+-					free(new_trans);
+ 					return -1;
+ 				}
+ 			}
+diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
+index 958adc4cfc0a..c247b32f9e75 100644
+--- a/libsepol/src/kernel_to_cil.c
++++ b/libsepol/src/kernel_to_cil.c
+@@ -1841,21 +1841,35 @@ struct map_filename_trans_args {
+ 
+ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+ {
+-	filename_trans_t *ft = (filename_trans_t *)key;
++	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ 	filename_trans_datum_t *datum = data;
+ 	struct map_filename_trans_args *map_args = arg;
+ 	struct policydb *pdb = map_args->pdb;
+ 	struct strs *strs = map_args->strs;
+ 	char *src, *tgt, *class, *filename, *new;
++	struct ebitmap_node *node;
++	uint32_t bit;
++	int rc;
+ 
+-	src = pdb->p_type_val_to_name[ft->stype - 1];
+ 	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+ 	class = pdb->p_class_val_to_name[ft->tclass - 1];
+ 	filename = ft->name;
+-	new =  pdb->p_type_val_to_name[datum->otype - 1];
++	do {
++		new = pdb->p_type_val_to_name[datum->otype - 1];
++
++		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
++			src = pdb->p_type_val_to_name[bit];
++			rc = strs_create_and_add(strs,
++						 "(typetransition %s %s %s %s %s)",
++						 5, src, tgt, class, filename, new);
++			if (rc)
++				return rc;
++		}
++
++		datum = datum->next;
++	} while (datum);
+ 
+-	return strs_create_and_add(strs, "(typetransition %s %s %s %s %s)", 5,
+-				   src, tgt, class, filename, new);
++	return 0;
+ }
+ 
+ static int write_filename_trans_rules_to_cil(FILE *out, struct policydb *pdb)
+diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
+index 7cc91eb3d129..62bf706c1aa0 100644
+--- a/libsepol/src/kernel_to_conf.c
++++ b/libsepol/src/kernel_to_conf.c
+@@ -1822,21 +1822,35 @@ struct map_filename_trans_args {
+ 
+ static int map_filename_trans_to_str(hashtab_key_t key, void *data, void *arg)
+ {
+-	filename_trans_t *ft = (filename_trans_t *)key;
++	filename_trans_key_t *ft = (filename_trans_key_t *)key;
+ 	filename_trans_datum_t *datum = data;
+ 	struct map_filename_trans_args *map_args = arg;
+ 	struct policydb *pdb = map_args->pdb;
+ 	struct strs *strs = map_args->strs;
+ 	char *src, *tgt, *class, *filename, *new;
++	struct ebitmap_node *node;
++	uint32_t bit;
++	int rc;
+ 
+-	src = pdb->p_type_val_to_name[ft->stype - 1];
+ 	tgt = pdb->p_type_val_to_name[ft->ttype - 1];
+ 	class = pdb->p_class_val_to_name[ft->tclass - 1];
+ 	filename = ft->name;
+-	new =  pdb->p_type_val_to_name[datum->otype - 1];
++	do {
++		new = pdb->p_type_val_to_name[datum->otype - 1];
++
++		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
++			src = pdb->p_type_val_to_name[bit];
++			rc = strs_create_and_add(strs,
++						 "type_transition %s %s:%s %s \"%s\";",
++						 5, src, tgt, class, new, filename);
++			if (rc)
++				return rc;
++		}
++
++		datum = datum->next;
++	} while (datum);
+ 
+-	return strs_create_and_add(strs, "type_transition %s %s:%s %s \"%s\";", 5,
+-				   src, tgt, class, new, filename);
++	return 0;
+ }
+ 
+ static int write_filename_trans_rules_to_conf(FILE *out, struct policydb *pdb)
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index 3992ea56f092..0b98d50b8096 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -789,12 +789,12 @@ partial_name_hash(unsigned long c, unsigned long prevhash)
+ 
+ static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
+ {
+-	const struct filename_trans *ft = (const struct filename_trans *)k;
++	const filename_trans_key_t *ft = (const filename_trans_key_t *)k;
+ 	unsigned long hash;
+ 	unsigned int byte_num;
+ 	unsigned char focus;
+ 
+-	hash = ft->stype ^ ft->ttype ^ ft->tclass;
++	hash = ft->ttype ^ ft->tclass;
+ 
+ 	byte_num = 0;
+ 	while ((focus = ft->name[byte_num++]))
+@@ -805,14 +805,10 @@ static unsigned int filenametr_hash(hashtab_t h, const_hashtab_key_t k)
+ static int filenametr_cmp(hashtab_t h __attribute__ ((unused)),
+ 			  const_hashtab_key_t k1, const_hashtab_key_t k2)
+ {
+-	const struct filename_trans *ft1 = (const struct filename_trans *)k1;
+-	const struct filename_trans *ft2 = (const struct filename_trans *)k2;
++	const filename_trans_key_t *ft1 = (const filename_trans_key_t *)k1;
++	const filename_trans_key_t *ft2 = (const filename_trans_key_t *)k2;
+ 	int v;
+ 
+-	v = ft1->stype - ft2->stype;
+-	if (v)
+-		return v;
+-
+ 	v = ft1->ttype - ft2->ttype;
+ 	if (v)
+ 		return v;
+@@ -1409,9 +1405,12 @@ common_destroy, class_destroy, role_destroy, type_destroy, user_destroy,
+ static int filenametr_destroy(hashtab_key_t key, hashtab_datum_t datum,
+ 			      void *p __attribute__ ((unused)))
+ {
+-	struct filename_trans *ft = (struct filename_trans *)key;
++	filename_trans_key_t *ft = (filename_trans_key_t *)key;
++	filename_trans_datum_t *fd = datum;
++
+ 	free(ft->name);
+ 	free(key);
++	ebitmap_destroy(&fd->stypes);
+ 	free(datum);
+ 	return 0;
+ }
+@@ -2595,12 +2594,85 @@ int role_allow_read(role_allow_t ** r, struct policy_file *fp)
+ 	return 0;
+ }
+ 
++int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
++			      uint32_t tclass, const char *name,
++			      char **name_alloc, uint32_t otype,
++			      uint32_t *present_otype)
++{
++	filename_trans_key_t *ft, key;
++	filename_trans_datum_t *datum, *last;
++
++	key.ttype = ttype;
++	key.tclass = tclass;
++	key.name = (char *)name;
++
++	last = NULL;
++	datum = hashtab_search(p->filename_trans, (hashtab_key_t)&key);
++	while (datum) {
++		if (ebitmap_get_bit(&datum->stypes, stype - 1)) {
++			if (present_otype)
++				*present_otype = datum->otype;
++			return SEPOL_EEXIST;
++		}
++		if (datum->otype == otype)
++			break;
++		last = datum;
++		datum = datum->next;
++	}
++	if (!datum) {
++		datum = malloc(sizeof(*datum));
++		if (!datum)
++			return SEPOL_ENOMEM;
++
++		ebitmap_init(&datum->stypes);
++		datum->otype = otype;
++		datum->next = NULL;
++
++		if (last) {
++			last->next = datum;
++		} else {
++			char *name_dup;
++
++			if (name_alloc) {
++				name_dup = *name_alloc;
++				*name_alloc = NULL;
++			} else {
++				name_dup = strdup(name);
++				if (!name_dup) {
++					free(datum);
++					return SEPOL_ENOMEM;
++				}
++			}
++
++			ft = malloc(sizeof(*ft));
++			if (!ft) {
++				free(name_dup);
++				free(datum);
++				return SEPOL_ENOMEM;
++			}
++
++			ft->ttype = ttype;
++			ft->tclass = tclass;
++			ft->name = name_dup;
++
++			if (hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
++					   (hashtab_datum_t)datum)) {
++				free(name_dup);
++				free(datum);
++				free(ft);
++				return SEPOL_ENOMEM;
++			}
++		}
++	}
++
++	p->filename_trans_count++;
++	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
++}
++
+ int filename_trans_read(policydb_t *p, struct policy_file *fp)
+ {
+ 	unsigned int i;
+-	uint32_t buf[4], nel, len;
+-	filename_trans_t *ft;
+-	filename_trans_datum_t *otype;
++	uint32_t buf[4], nel, len, stype, ttype, tclass, otype;
+ 	int rc;
+ 	char *name;
+ 
+@@ -2610,16 +2682,8 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
+ 	nel = le32_to_cpu(buf[0]);
+ 
+ 	for (i = 0; i < nel; i++) {
+-		ft = NULL;
+-		otype = NULL;
+ 		name = NULL;
+ 
+-		ft = calloc(1, sizeof(*ft));
+-		if (!ft)
+-			goto err;
+-		otype = calloc(1, sizeof(*otype));
+-		if (!otype)
+-			goto err;
+ 		rc = next_entry(buf, fp, sizeof(uint32_t));
+ 		if (rc < 0)
+ 			goto err;
+@@ -2631,8 +2695,6 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
+ 		if (!name)
+ 			goto err;
+ 
+-		ft->name = name;
+-
+ 		rc = next_entry(name, fp, len);
+ 		if (rc < 0)
+ 			goto err;
+@@ -2641,13 +2703,13 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
+ 		if (rc < 0)
+ 			goto err;
+ 
+-		ft->stype = le32_to_cpu(buf[0]);
+-		ft->ttype = le32_to_cpu(buf[1]);
+-		ft->tclass = le32_to_cpu(buf[2]);
+-		otype->otype = le32_to_cpu(buf[3]);
++		stype  = le32_to_cpu(buf[0]);
++		ttype  = le32_to_cpu(buf[1]);
++		tclass = le32_to_cpu(buf[2]);
++		otype  = le32_to_cpu(buf[3]);
+ 
+-		rc = hashtab_insert(p->filename_trans, (hashtab_key_t) ft,
+-				    otype);
++		rc = policydb_filetrans_insert(p, stype, ttype, tclass, name,
++					       &name, otype, NULL);
+ 		if (rc) {
+ 			if (rc != SEPOL_EEXIST)
+ 				goto err;
+@@ -2657,16 +2719,11 @@ int filename_trans_read(policydb_t *p, struct policy_file *fp)
+ 			 * compatibility, do not reject such policies, just
+ 			 * ignore the duplicate.
+ 			 */
+-			free(ft);
+-			free(name);
+-			free(otype);
+-			/* continue, ignoring this one */
+ 		}
++		free(name);
+ 	}
+ 	return 0;
+ err:
+-	free(ft);
+-	free(otype);
+ 	free(name);
+ 	return -1;
+ }
+diff --git a/libsepol/src/write.c b/libsepol/src/write.c
+index 1fd6a16a248b..d3aee8d5bf22 100644
+--- a/libsepol/src/write.c
++++ b/libsepol/src/write.c
+@@ -571,44 +571,50 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
+ 
+ static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
+ {
+-	uint32_t buf[4];
++	uint32_t bit, buf[4];
+ 	size_t items, len;
+-	struct filename_trans *ft = (struct filename_trans *)key;
+-	struct filename_trans_datum *otype = data;
++	filename_trans_key_t *ft = (filename_trans_key_t *)key;
++	filename_trans_datum_t *datum = data;
++	ebitmap_node_t *node;
+ 	void *fp = ptr;
+ 
+ 	len = strlen(ft->name);
+-	buf[0] = cpu_to_le32(len);
+-	items = put_entry(buf, sizeof(uint32_t), 1, fp);
+-	if (items != 1)
+-		return POLICYDB_ERROR;
++	do {
++		ebitmap_for_each_positive_bit(&datum->stypes, node, bit) {
++			buf[0] = cpu_to_le32(len);
++			items = put_entry(buf, sizeof(uint32_t), 1, fp);
++			if (items != 1)
++				return POLICYDB_ERROR;
+ 
+-	items = put_entry(ft->name, sizeof(char), len, fp);
+-	if (items != len)
+-		return POLICYDB_ERROR;
++			items = put_entry(ft->name, sizeof(char), len, fp);
++			if (items != len)
++				return POLICYDB_ERROR;
+ 
+-	buf[0] = cpu_to_le32(ft->stype);
+-	buf[1] = cpu_to_le32(ft->ttype);
+-	buf[2] = cpu_to_le32(ft->tclass);
+-	buf[3] = cpu_to_le32(otype->otype);
+-	items = put_entry(buf, sizeof(uint32_t), 4, fp);
+-	if (items != 4)
+-		return POLICYDB_ERROR;
++			buf[0] = cpu_to_le32(bit + 1);
++			buf[1] = cpu_to_le32(ft->ttype);
++			buf[2] = cpu_to_le32(ft->tclass);
++			buf[3] = cpu_to_le32(datum->otype);
++			items = put_entry(buf, sizeof(uint32_t), 4, fp);
++			if (items != 4)
++				return POLICYDB_ERROR;
++		}
++
++		datum = datum->next;
++	} while (datum);
+ 
+ 	return 0;
+ }
+ 
+ static int filename_trans_write(struct policydb *p, void *fp)
+ {
+-	size_t nel, items;
++	size_t items;
+ 	uint32_t buf[1];
+ 	int rc;
+ 
+ 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+ 		return 0;
+ 
+-	nel =  p->filename_trans->nel;
+-	buf[0] = cpu_to_le32(nel);
++	buf[0] = cpu_to_le32(p->filename_trans_count);
+ 	items = put_entry(buf, sizeof(uint32_t), 1, fp);
+ 	if (items != 1)
+ 		return POLICYDB_ERROR;
+-- 
+2.29.0.rc2
+

0002-libsepol-implement-POLICYDB_VERSION_COMP_FTRANS.patch

@@ -0,0 +1,394 @@
+From 8206b8cb00392aab358f4eeae38f98850438085c Mon Sep 17 00:00:00 2001
+From: Ondrej Mosnacek <omosnace@redhat.com>
+Date: Fri, 31 Jul 2020 13:10:35 +0200
+Subject: [PATCH] libsepol: implement POLICYDB_VERSION_COMP_FTRANS
+
+Implement a new, more space-efficient form of storing filename
+transitions in the binary policy. The internal structures have already
+been converted to this new representation; this patch just implements
+reading/writing an equivalent representation from/to the binary policy.
+
+This new format reduces the size of Fedora policy from 7.6 MB to only
+3.3 MB (with policy optimization enabled in both cases). With the
+unconfined module disabled, the size is reduced from 3.3 MB to 2.4 MB.
+
+Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsepol/include/sepol/policydb/policydb.h |   3 +-
+ libsepol/src/policydb.c                    | 209 +++++++++++++++++----
+ libsepol/src/write.c                       |  73 ++++++-
+ 3 files changed, 242 insertions(+), 43 deletions(-)
+
+diff --git a/libsepol/include/sepol/policydb/policydb.h b/libsepol/include/sepol/policydb/policydb.h
+index c3180c611c64..9ef43abc2f12 100644
+--- a/libsepol/include/sepol/policydb/policydb.h
++++ b/libsepol/include/sepol/policydb/policydb.h
+@@ -755,10 +755,11 @@ extern int policydb_set_target_platform(policydb_t *p, int platform);
+ #define POLICYDB_VERSION_XPERMS_IOCTL	30 /* Linux-specific */
+ #define POLICYDB_VERSION_INFINIBAND		31 /* Linux-specific */
+ #define POLICYDB_VERSION_GLBLUB		32
++#define POLICYDB_VERSION_COMP_FTRANS	33 /* compressed filename transitions */
+ 
+ /* Range of policy versions we understand*/
+ #define POLICYDB_VERSION_MIN	POLICYDB_VERSION_BASE
+-#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_GLBLUB
++#define POLICYDB_VERSION_MAX	POLICYDB_VERSION_COMP_FTRANS
+ 
+ /* Module versions and specific changes*/
+ #define MOD_POLICYDB_VERSION_BASE		4
+diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
+index 0b98d50b8096..ce8f3ad77005 100644
+--- a/libsepol/src/policydb.c
++++ b/libsepol/src/policydb.c
+@@ -200,6 +200,13 @@ static struct policydb_compat_info policydb_compat[] = {
+ 	 .ocon_num = OCON_IBENDPORT + 1,
+ 	 .target_platform = SEPOL_TARGET_SELINUX,
+ 	},
++	{
++	 .type = POLICY_KERN,
++	 .version = POLICYDB_VERSION_COMP_FTRANS,
++	 .sym_num = SYM_NUM,
++	 .ocon_num = OCON_IBENDPORT + 1,
++	 .target_platform = SEPOL_TARGET_SELINUX,
++	},
+ 	{
+ 	 .type = POLICY_BASE,
+ 	 .version = MOD_POLICYDB_VERSION_BASE,
+@@ -2669,65 +2676,201 @@ int policydb_filetrans_insert(policydb_t *p, uint32_t stype, uint32_t ttype,
+ 	return ebitmap_set_bit(&datum->stypes, stype - 1, 1);
+ }
+ 
+-int filename_trans_read(policydb_t *p, struct policy_file *fp)
++static int filename_trans_read_one_compat(policydb_t *p, struct policy_file *fp)
+ {
+-	unsigned int i;
+-	uint32_t buf[4], nel, len, stype, ttype, tclass, otype;
++	uint32_t buf[4], len, stype, ttype, tclass, otype;
++	char *name = NULL;
+ 	int rc;
+-	char *name;
+ 
+ 	rc = next_entry(buf, fp, sizeof(uint32_t));
+ 	if (rc < 0)
+ 		return -1;
+-	nel = le32_to_cpu(buf[0]);
++	len = le32_to_cpu(buf[0]);
++	if (zero_or_saturated(len))
++		return -1;
+ 
+-	for (i = 0; i < nel; i++) {
+-		name = NULL;
++	name = calloc(len + 1, sizeof(*name));
++	if (!name)
++		return -1;
+ 
+-		rc = next_entry(buf, fp, sizeof(uint32_t));
+-		if (rc < 0)
+-			goto err;
+-		len = le32_to_cpu(buf[0]);
+-		if (zero_or_saturated(len))
++	rc = next_entry(name, fp, len);
++	if (rc < 0)
++		goto err;
++
++	rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
++	if (rc < 0)
++		goto err;
++
++	stype  = le32_to_cpu(buf[0]);
++	ttype  = le32_to_cpu(buf[1]);
++	tclass = le32_to_cpu(buf[2]);
++	otype  = le32_to_cpu(buf[3]);
++
++	rc = policydb_filetrans_insert(p, stype, ttype, tclass, name, &name,
++				       otype, NULL);
++	if (rc) {
++		if (rc != SEPOL_EEXIST)
+ 			goto err;
++		/*
++		 * Some old policies were wrongly generated with
++		 * duplicate filename transition rules.  For backward
++		 * compatibility, do not reject such policies, just
++		 * ignore the duplicate.
++		 */
++	}
++	free(name);
++	return 0;
++err:
++	free(name);
++	return -1;
++}
++
++static int filename_trans_check_datum(filename_trans_datum_t *datum)
++{
++	ebitmap_t stypes, otypes;
++	int rc = -1;
++
++	ebitmap_init(&stypes);
++	ebitmap_init(&otypes);
++
++	while (datum) {
++		if (ebitmap_get_bit(&otypes, datum->otype))
++			goto out;
++
++		if (ebitmap_set_bit(&otypes, datum->otype, 1))
++			goto out;
++
++		if (ebitmap_match_any(&stypes, &datum->stypes))
++			goto out;
+ 
+-		name = calloc(len + 1, sizeof(*name));
+-		if (!name)
++		if (ebitmap_union(&stypes, &datum->stypes))
++			goto out;
++
++		datum = datum->next;
++	}
++	rc = 0;
++out:
++	ebitmap_destroy(&stypes);
++	ebitmap_destroy(&otypes);
++	return rc;
++}
++
++static int filename_trans_read_one(policydb_t *p, struct policy_file *fp)
++{
++	filename_trans_key_t *ft = NULL;
++	filename_trans_datum_t **dst, *datum, *first = NULL;
++	unsigned int i;
++	uint32_t buf[3], len, ttype, tclass, ndatum;
++	char *name = NULL;
++	int rc;
++
++	rc = next_entry(buf, fp, sizeof(uint32_t));
++	if (rc < 0)
++		return -1;
++	len = le32_to_cpu(buf[0]);
++	if (zero_or_saturated(len))
++		return -1;
++
++	name = calloc(len + 1, sizeof(*name));
++	if (!name)
++		return -1;
++
++	rc = next_entry(name, fp, len);
++	if (rc < 0)
++		goto err;
++
++	rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
++	if (rc < 0)
++		goto err;
++
++	ttype = le32_to_cpu(buf[0]);
++	tclass = le32_to_cpu(buf[1]);
++	ndatum = le32_to_cpu(buf[2]);
++	if (ndatum == 0)
++		goto err;
++
++	dst = &first;
++	for (i = 0; i < ndatum; i++) {
++		datum = malloc(sizeof(*datum));
++		if (!datum)
+ 			goto err;
+ 
+-		rc = next_entry(name, fp, len);
++		*dst = datum;
++
++		/* ebitmap_read() will at least init the bitmap */
++		rc = ebitmap_read(&datum->stypes, fp);
+ 		if (rc < 0)
+ 			goto err;
+ 
+-		rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
++		rc = next_entry(buf, fp, sizeof(uint32_t));
+ 		if (rc < 0)
+ 			goto err;
+ 
+-		stype  = le32_to_cpu(buf[0]);
+-		ttype  = le32_to_cpu(buf[1]);
+-		tclass = le32_to_cpu(buf[2]);
+-		otype  = le32_to_cpu(buf[3]);
++		datum->otype = le32_to_cpu(buf[0]);
+ 
+-		rc = policydb_filetrans_insert(p, stype, ttype, tclass, name,
+-					       &name, otype, NULL);
+-		if (rc) {
+-			if (rc != SEPOL_EEXIST)
+-				goto err;
+-			/*
+-			 * Some old policies were wrongly generated with
+-			 * duplicate filename transition rules.  For backward
+-			 * compatibility, do not reject such policies, just
+-			 * ignore the duplicate.
+-			 */
+-		}
+-		free(name);
++		p->filename_trans_count += ebitmap_cardinality(&datum->stypes);
++
++		dst = &datum->next;
+ 	}
++	*dst = NULL;
++
++	if (ndatum > 1 && filename_trans_check_datum(first))
++		goto err;
++
++	ft = malloc(sizeof(*ft));
++	if (!ft)
++		goto err;
++
++	ft->ttype = ttype;
++	ft->tclass = tclass;
++	ft->name = name;
++
++	rc = hashtab_insert(p->filename_trans, (hashtab_key_t)ft,
++			    (hashtab_datum_t)first);
++	if (rc)
++		goto err;
++
+ 	return 0;
+ err:
++	free(ft);
+ 	free(name);
++	while (first) {
++		datum = first;
++		first = first->next;
++
++		ebitmap_destroy(&datum->stypes);
++		free(datum);
++	}
+ 	return -1;
+ }
+ 
++int filename_trans_read(policydb_t *p, struct policy_file *fp)
++{
++	unsigned int i;
++	uint32_t buf[1], nel;
++	int rc;
++
++	rc = next_entry(buf, fp, sizeof(uint32_t));
++	if (rc < 0)
++		return -1;
++	nel = le32_to_cpu(buf[0]);
++
++	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
++		for (i = 0; i < nel; i++) {
++			rc = filename_trans_read_one_compat(p, fp);
++			if (rc < 0)
++				return -1;
++		}
++	} else {
++		for (i = 0; i < nel; i++) {
++			rc = filename_trans_read_one(p, fp);
++			if (rc < 0)
++				return -1;
++		}
++	}
++	return 0;
++}
++
+ static int ocontext_read_xen(struct policydb_compat_info *info,
+ 	policydb_t *p, struct policy_file *fp)
+ {
+diff --git a/libsepol/src/write.c b/libsepol/src/write.c
+index d3aee8d5bf22..84bcaf3f57ca 100644
+--- a/libsepol/src/write.c
++++ b/libsepol/src/write.c
+@@ -569,7 +569,7 @@ static int role_allow_write(role_allow_t * r, struct policy_file *fp)
+ 	return POLICYDB_SUCCESS;
+ }
+ 
+-static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
++static int filename_write_one_compat(hashtab_key_t key, void *data, void *ptr)
+ {
+ 	uint32_t bit, buf[4];
+ 	size_t items, len;
+@@ -605,6 +605,54 @@ static int filename_write_helper(hashtab_key_t key, void *data, void *ptr)
+ 	return 0;
+ }
+ 
++static int filename_write_one(hashtab_key_t key, void *data, void *ptr)
++{
++	uint32_t buf[3];
++	size_t items, len, ndatum;
++	filename_trans_key_t *ft = (filename_trans_key_t *)key;
++	filename_trans_datum_t *datum;
++	void *fp = ptr;
++
++	len = strlen(ft->name);
++	buf[0] = cpu_to_le32(len);
++	items = put_entry(buf, sizeof(uint32_t), 1, fp);
++	if (items != 1)
++		return POLICYDB_ERROR;
++
++	items = put_entry(ft->name, sizeof(char), len, fp);
++	if (items != len)
++		return POLICYDB_ERROR;
++
++	ndatum = 0;
++	datum = data;
++	do {
++		ndatum++;
++		datum = datum->next;
++	} while (datum);
++
++	buf[0] = cpu_to_le32(ft->ttype);
++	buf[1] = cpu_to_le32(ft->tclass);
++	buf[2] = cpu_to_le32(ndatum);
++	items = put_entry(buf, sizeof(uint32_t), 3, fp);
++	if (items != 3)
++		return POLICYDB_ERROR;
++
++	datum = data;
++	do {
++		if (ebitmap_write(&datum->stypes, fp))
++			return POLICYDB_ERROR;
++
++		buf[0] = cpu_to_le32(datum->otype);
++		items = put_entry(buf, sizeof(uint32_t), 1, fp);
++		if (items != 1)
++			return POLICYDB_ERROR;
++
++		datum = datum->next;
++	} while (datum);
++
++	return 0;
++}
++
+ static int filename_trans_write(struct policydb *p, void *fp)
+ {
+ 	size_t items;
+@@ -614,16 +662,23 @@ static int filename_trans_write(struct policydb *p, void *fp)
+ 	if (p->policyvers < POLICYDB_VERSION_FILENAME_TRANS)
+ 		return 0;
+ 
+-	buf[0] = cpu_to_le32(p->filename_trans_count);
+-	items = put_entry(buf, sizeof(uint32_t), 1, fp);
+-	if (items != 1)
+-		return POLICYDB_ERROR;
++	if (p->policyvers < POLICYDB_VERSION_COMP_FTRANS) {
++		buf[0] = cpu_to_le32(p->filename_trans_count);
++		items = put_entry(buf, sizeof(uint32_t), 1, fp);
++		if (items != 1)
++			return POLICYDB_ERROR;
+ 
+-	rc = hashtab_map(p->filename_trans, filename_write_helper, fp);
+-	if (rc)
+-		return rc;
++		rc = hashtab_map(p->filename_trans, filename_write_one_compat,
++				 fp);
++	} else {
++		buf[0] = cpu_to_le32(p->filename_trans->nel);
++		items = put_entry(buf, sizeof(uint32_t), 1, fp);
++		if (items != 1)
++			return POLICYDB_ERROR;
+ 
+-	return 0;
++		rc = hashtab_map(p->filename_trans, filename_write_one, fp);
++	}
++	return rc;
+ }
+ 
+ static int role_set_write(role_set_t * x, struct policy_file *fp)
+-- 
+2.29.0.rc2
+

0003-libsepol-cil-Validate-constraint-expressions-before-.patch

@@ -0,0 +1,172 @@
+From 685f577aa01ed378374cde9c0105b19c18ca7c07 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Wed, 9 Sep 2020 16:57:12 -0400
+Subject: [PATCH] libsepol/cil: Validate constraint expressions before adding
+ to binary policy
+
+CIL was not correctly determining the depth of constraint expressions
+which prevented it from giving an error when the max depth was exceeded.
+This allowed invalid policy binaries with constraint expressions exceeding
+the max depth to be created.
+
+Validate the constraint expression using the same logic that is used
+when reading the binary policy. This includes checking the depth of the
+the expression.
+
+Reported-by: Jonathan Hettwer <j2468h@gmail.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c    | 48 ++++++++++++++++++++++++++++++++
+ libsepol/cil/src/cil_build_ast.c | 20 ++++---------
+ 2 files changed, 53 insertions(+), 15 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 7726685809af..c8e41f09e53f 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -2713,6 +2713,49 @@ int __cil_constrain_expr_to_sepol_expr(policydb_t *pdb, const struct cil_db *db,
+ 	return SEPOL_OK;
+ }
+ 
++int __cil_validate_constrain_expr(constraint_expr_t *sepol_expr)
++{
++	constraint_expr_t *e;
++	int depth = -1;
++
++	for (e = sepol_expr; e != NULL; e = e->next) {
++		switch (e->expr_type) {
++		case CEXPR_NOT:
++			if (depth < 0) {
++				cil_log(CIL_ERR,"Invalid constraint expression\n");
++				return SEPOL_ERR;
++			}
++			break;
++		case CEXPR_AND:
++		case CEXPR_OR:
++			if (depth < 1) {
++				cil_log(CIL_ERR,"Invalid constraint expression\n");
++				return SEPOL_ERR;
++			}
++			depth--;
++			break;
++		case CEXPR_ATTR:
++		case CEXPR_NAMES:
++			if (depth == (CEXPR_MAXDEPTH - 1)) {
++				cil_log(CIL_ERR,"Constraint expression exceeded max allowable depth\n");
++				return SEPOL_ERR;
++			}
++			depth++;
++			break;
++		default:
++			cil_log(CIL_ERR,"Invalid constraint expression\n");
++			return SEPOL_ERR;
++		}
++	}
++
++	if (depth != 0) {
++		cil_log(CIL_ERR,"Invalid constraint expression\n");
++		return SEPOL_ERR;
++	}
++
++	return SEPOL_OK;
++}
++
+ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, struct cil_symtab_datum *class, struct cil_list *perms, struct cil_list *expr)
+ {
+ 	int rc = SEPOL_ERR;
+@@ -2736,6 +2779,11 @@ int cil_constrain_to_policydb_helper(policydb_t *pdb, const struct cil_db *db, s
+ 		goto exit;
+ 	}
+ 
++	rc = __cil_validate_constrain_expr(sepol_expr);
++	if (rc != SEPOL_OK) {
++		goto exit;
++	}
++
+ 	sepol_constrain->expr = sepol_expr;
+ 	sepol_constrain->next = sepol_class->constraints;
+ 	sepol_class->constraints = sepol_constrain;
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 60ecaaff3060..870c6923b4de 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -2738,7 +2738,7 @@ exit:
+ 	return SEPOL_ERR;
+ }
+ 
+-static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr, int *depth)
++static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
+ {
+ 	int rc = SEPOL_ERR;
+ 	enum cil_flavor op;
+@@ -2750,12 +2750,6 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
+ 		goto exit;
+ 	}
+ 
+-	if (*depth > CEXPR_MAXDEPTH) {
+-		cil_log(CIL_ERR, "Max depth of %d exceeded for constraint expression\n", CEXPR_MAXDEPTH);
+-		rc = SEPOL_ERR;
+-		goto exit;
+-	}
+-
+ 	op = __cil_get_constraint_operator_flavor(current->data);
+ 
+ 	rc = cil_verify_constraint_expr_syntax(current, op);
+@@ -2769,14 +2763,13 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
+ 	case CIL_CONS_DOM:
+ 	case CIL_CONS_DOMBY:
+ 	case CIL_CONS_INCOMP:
+-		(*depth)++;
+ 		rc = __cil_fill_constraint_leaf_expr(current, flavor, op, expr);
+ 		if (rc != SEPOL_OK) {
+ 			goto exit;
+ 		}
+ 		break;
+ 	case CIL_NOT:
+-		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr, depth);
++		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr);
+ 		if (rc != SEPOL_OK) {
+ 			goto exit;
+ 		}
+@@ -2785,11 +2778,11 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
+ 		cil_list_append(*expr, CIL_LIST, lexpr);
+ 		break;
+ 	default:
+-		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr, depth);
++		rc = __cil_fill_constraint_expr(current->next->cl_head, flavor, &lexpr);
+ 		if (rc != SEPOL_OK) {
+ 			goto exit;
+ 		}
+-		rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr, depth);
++		rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr);
+ 		if (rc != SEPOL_OK) {
+ 			cil_list_destroy(&lexpr, CIL_TRUE);
+ 			goto exit;
+@@ -2801,8 +2794,6 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
+ 		break;
+ 	}
+ 
+-	(*depth)--;
+-
+ 	return SEPOL_OK;
+ exit:
+ 
+@@ -2812,13 +2803,12 @@ exit:
+ int cil_gen_constraint_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
+ {
+ 	int rc = SEPOL_ERR;
+-	int depth = 0;
+ 
+ 	if (current->cl_head == NULL) {
+ 		goto exit;
+ 	}
+ 
+-	rc = __cil_fill_constraint_expr(current->cl_head, flavor, expr, &depth);
++	rc = __cil_fill_constraint_expr(current->cl_head, flavor, expr);
+ 	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}
+-- 
+2.29.0.rc2
+

0004-libsepol-cil-Validate-conditional-expressions-before.patch

@@ -0,0 +1,172 @@
+From 734e4beb55cb53d3370201838caa4850b2a6d276 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Wed, 9 Sep 2020 16:57:02 -0400
+Subject: [PATCH] libsepol/cil: Validate conditional expressions before adding
+ to binary policy
+
+CIL was not correctly determining the depth of conditional expressions
+which prevented it from giving an error when the max depth was exceeded.
+This allowed invalid policy binaries to be created.
+
+Validate the conditional expression using the same logic that is used
+when evaluating a conditional expression. This includes checking the
+depth of the expression.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c    | 50 ++++++++++++++++++++++++++++++++
+ libsepol/cil/src/cil_build_ast.c | 26 +++++------------
+ 2 files changed, 57 insertions(+), 19 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index c8e41f09e53f..50cc7f757c62 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -2176,6 +2176,51 @@ static int __cil_cond_expr_to_sepol_expr(policydb_t *pdb, struct cil_list *cil_e
+ 	return SEPOL_OK;
+ }
+ 
++int __cil_validate_cond_expr(cond_expr_t *cond_expr)
++{
++	cond_expr_t *e;
++	int depth = -1;
++
++	for (e = cond_expr; e != NULL; e = e->next) {
++		switch (e->expr_type) {
++		case COND_BOOL:
++			if (depth == (COND_EXPR_MAXDEPTH - 1)) {
++				cil_log(CIL_ERR,"Conditional expression exceeded max allowable depth\n");
++				return SEPOL_ERR;
++			}
++			depth++;
++			break;
++		case COND_NOT:
++			if (depth < 0) {
++				cil_log(CIL_ERR,"Invalid conditional expression\n");
++				return SEPOL_ERR;
++			}
++			break;
++		case COND_OR:
++		case COND_AND:
++		case COND_XOR:
++		case COND_EQ:
++		case COND_NEQ:
++			if (depth < 1) {
++				cil_log(CIL_ERR,"Invalid conditional expression\n");
++				return SEPOL_ERR;
++			}
++			depth--;
++			break;
++		default:
++			cil_log(CIL_ERR,"Invalid conditional expression\n");
++			return SEPOL_ERR;
++		}
++	}
++
++	if (depth != 0) {
++		cil_log(CIL_ERR,"Invalid conditional expression\n");
++		return SEPOL_ERR;
++	}
++
++	return SEPOL_OK;
++}
++
+ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_tree_node *node)
+ {
+ 	int rc = SEPOL_ERR;
+@@ -2204,6 +2249,11 @@ int cil_booleanif_to_policydb(policydb_t *pdb, const struct cil_db *db, struct c
+ 		goto exit;
+ 	}
+ 
++	rc = __cil_validate_cond_expr(tmp_cond->expr);
++	if (rc != SEPOL_OK) {
++		goto exit;
++	}
++
+ 	tmp_cond->true_list = &tmp_cl;
+ 
+ 	rc = cond_normalize_expr(pdb, tmp_cond);
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 870c6923b4de..3aabb05ec534 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -2548,18 +2548,13 @@ static enum cil_flavor __cil_get_expr_operator_flavor(const char *op)
+ 	else return CIL_NONE;
+ }
+ 
+-static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth);
++static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr);
+ 
+-static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth)
++static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr)
+ {
+ 	int rc = SEPOL_ERR;
+ 	enum cil_flavor op;
+ 
+-	if (flavor == CIL_BOOL && *depth > COND_EXPR_MAXDEPTH) {
+-		cil_log(CIL_ERR, "Max depth of %d exceeded for boolean expression\n", COND_EXPR_MAXDEPTH);
+-		goto exit;
+-	}
+-
+ 	op = __cil_get_expr_operator_flavor(current->data);
+ 
+ 	rc = cil_verify_expr_syntax(current, op, flavor);
+@@ -2572,26 +2567,20 @@ static int __cil_fill_expr_helper(struct cil_tree_node *current, enum cil_flavor
+ 		current = current->next;
+ 	}
+ 
+-	if (op == CIL_NONE || op == CIL_ALL) {
+-		(*depth)++;
+-	}
+-
+ 	for (;current != NULL; current = current->next) {
+-		rc = __cil_fill_expr(current, flavor, expr, depth);
++		rc = __cil_fill_expr(current, flavor, expr);
+ 		if (rc != SEPOL_OK) {
+ 			goto exit;
+ 		}
+ 	}
+ 
+-	(*depth)--;
+-
+ 	return SEPOL_OK;
+ 
+ exit:
+ 	return rc;
+ }
+ 
+-static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr, int *depth)
++static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list *expr)
+ {
+ 	int rc = SEPOL_ERR;
+ 
+@@ -2605,7 +2594,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
+ 	} else {
+ 		struct cil_list *sub_expr;
+ 		cil_list_init(&sub_expr, flavor);
+-		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr, depth);
++		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr);
+ 		if (rc != SEPOL_OK) {
+ 			cil_list_destroy(&sub_expr, CIL_TRUE);
+ 			goto exit;
+@@ -2623,14 +2612,13 @@ exit:
+ int cil_gen_expr(struct cil_tree_node *current, enum cil_flavor flavor, struct cil_list **expr)
+ {
+ 	int rc = SEPOL_ERR;
+-	int depth = 0;
+ 
+ 	cil_list_init(expr, flavor);
+ 
+ 	if (current->cl_head == NULL) {
+-		rc = __cil_fill_expr(current, flavor, *expr, &depth);
++		rc = __cil_fill_expr(current, flavor, *expr);
+ 	} else {
+-		rc = __cil_fill_expr_helper(current->cl_head, flavor, *expr, &depth);
++		rc = __cil_fill_expr_helper(current->cl_head, flavor, *expr);
+ 	}
+ 
+ 	if (rc != SEPOL_OK) {
+-- 
+2.29.0.rc2
+

0005-libsepol-cil-Fix-neverallow-checking-involving-class.patch

@@ -0,0 +1,50 @@
+From a152653b9a43fe2c776d239efc2d46d336555bc8 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 15 Sep 2020 14:48:06 -0400
+Subject: [PATCH] libsepol/cil: Fix neverallow checking involving classmaps
+
+When classmaps used in a neverallow were being expanded during CIL
+neverallow checking, an empty classmapping in the list of
+classmappings for a classmap would cause the classmap expansion to
+stop and the rest of the classmapping of the classmap to be ignored.
+This would mean that not all of the classes and permissions associated
+with the classmap would be used to check for a neverallow violation.
+
+Do not end the expansion of a classmap when one classmapping is empty.
+
+Reported-by: Jonathan Hettwer <j2468h@gmail.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
+---
+ libsepol/cil/src/cil_binary.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 50cc7f757c62..36720eda4549 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -4363,15 +4363,13 @@ static int __cil_rule_to_sepol_class_perms(policydb_t *pdb, struct cil_list *cla
+ 
+ 				rc = __cil_perms_to_datum(cp->perms, sepol_class, &data);
+ 				if (rc != SEPOL_OK) goto exit;
+-				if (data == 0) {
+-					/* No permissions */
+-					return SEPOL_OK;
++				if (data != 0) { /* Only add if there are permissions */
++					cpn = cil_malloc(sizeof(class_perm_node_t));
++					cpn->tclass = sepol_class->s.value;
++					cpn->data = data;
++					cpn->next = *sepol_class_perms;
++					*sepol_class_perms = cpn;
+ 				}
+-				cpn = cil_malloc(sizeof(class_perm_node_t));
+-				cpn->tclass = sepol_class->s.value;
+-				cpn->data = data;
+-				cpn->next = *sepol_class_perms;
+-				*sepol_class_perms = cpn;
+ 			} else { /* MAP */
+ 				struct cil_list_item *j = NULL;
+ 				cil_list_for_each(j, cp->perms) {
+-- 
+2.29.0.rc2
+

0006-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch

@@ -0,0 +1,90 @@
+From 521e6a2f478a4c7a7c198c017d4d12e8667d89e7 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sat, 3 Oct 2020 15:19:08 +0200
+Subject: [PATCH] libsepol/cil: fix signed overflow caused by using (1 << 31) -
+ 1
+
+When compiling SELinux userspace tools with -ftrapv (this option
+generates traps for signed overflow on addition, subtraction,
+multiplication operations, instead of silently wrapping around),
+semodule crashes when running the tests from
+scripts/ci/fedora-test-runner.sh in a Fedora 32 virtual machine:
+
+    [root@localhost selinux-testsuite]# make test
+    make -C policy load
+    make[1]: Entering directory '/root/selinux-testsuite/policy'
+    # Test for "expand-check = 0" in /etc/selinux/semanage.conf
+    # General policy build
+    make[2]: Entering directory '/root/selinux-testsuite/policy/test_policy'
+    Compiling targeted test_policy module
+    Creating targeted test_policy.pp policy package
+    rm tmp/test_policy.mod.fc
+    make[2]: Leaving directory '/root/selinux-testsuite/policy/test_policy'
+    # General policy load
+    domain_fd_use --> off
+    /usr/sbin/semodule -i test_policy/test_policy.pp test_mlsconstrain.cil test_overlay_defaultrange.cil test_add_levels.cil test_glblub.cil
+    make[1]: *** [Makefile:174: load] Aborted (core dumped)
+
+Using "coredumpctl gdb" leads to the following strack trace:
+
+    (gdb) bt
+    #0  0x00007f608fe4fa25 in raise () from /lib64/libc.so.6
+    #1  0x00007f608fe38895 in abort () from /lib64/libc.so.6
+    #2  0x00007f6090028aca in __addvsi3.cold () from /lib64/libsepol.so.1
+    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
+        at ../cil/src/cil_binary.c:1551
+    #4  0x00007f60900970dd in __cil_permx_bitmap_to_sepol_xperms_list (xperms=0xb650a30, xperms_list=0x7ffce2653b18)
+        at ../cil/src/cil_binary.c:1596
+    #5  0x00007f6090097286 in __cil_avrulex_ioctl_to_policydb (k=0xb8ec200 "@\023\214\022\006", datum=0xb650a30,
+        args=0x239a640) at ../cil/src/cil_binary.c:1649
+    #6  0x00007f609003f1e5 in hashtab_map (h=0x41f8710, apply=0x7f60900971da <__cil_avrulex_ioctl_to_policydb>,
+        args=0x239a640) at hashtab.c:234
+    #7  0x00007f609009ea19 in cil_binary_create_allocated_pdb (db=0x2394f10, policydb=0x239a640)
+        at ../cil/src/cil_binary.c:4969
+    #8  0x00007f609009d19d in cil_binary_create (db=0x2394f10, policydb=0x7ffce2653d30) at ../cil/src/cil_binary.c:4329
+    #9  0x00007f609008ec23 in cil_build_policydb_create_pdb (db=0x2394f10, sepol_db=0x7ffce2653d30)
+        at ../cil/src/cil.c:631
+    #10 0x00007f608fff4bf3 in semanage_direct_commit () from /lib64/libsemanage.so.1
+    #11 0x00007f608fff9fae in semanage_commit () from /lib64/libsemanage.so.1
+    #12 0x0000000000403e2b in main (argc=7, argv=0x7ffce2655058) at semodule.c:753
+
+    (gdb) f 3
+    #3  0x00007f6090096f59 in __avrule_xperm_setrangebits (low=30, high=30, xperms=0x8b9eea0)
+        at ../cil/src/cil_binary.c:1551
+    1551     xperms->perms[i] |= XPERM_SETBITS(h) - XPERM_SETBITS(low);
+
+A signed integer overflow therefore occurs in XPERM_SETBITS(h):
+
+    #define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
+
+This macro is expanded with h=31, so "(1 << 31) - 1" is computed:
+
+* (1 << 31) = -0x80000000 is the lowest signed 32-bit integer value
+* (1 << 31) - 1 overflows the capacity of a signed 32-bit integer and
+  results in 0x7fffffff (which is unsigned)
+
+Using unsigned integers (with "1U") fixes the crash, as
+(1U << 31) = 0x80000000U has no overflowing issues.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+Acked-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsepol/cil/src/cil_binary.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
+index 36720eda4549..e417c5c28b8b 100644
+--- a/libsepol/cil/src/cil_binary.c
++++ b/libsepol/cil/src/cil_binary.c
+@@ -1526,7 +1526,7 @@ int cil_avrule_to_policydb(policydb_t *pdb, const struct cil_db *db, struct cil_
+ /* index of the u32 containing the permission */
+ #define XPERM_IDX(x) (x >> 5)
+ /* set bits 0 through x-1 within the u32 */
+-#define XPERM_SETBITS(x) ((1 << (x & 0x1f)) - 1)
++#define XPERM_SETBITS(x) ((1U << (x & 0x1f)) - 1)
+ /* low value for this u32 */
+ #define XPERM_LOW(x) (x << 5)
+ /* high value for this u32 */
+-- 
+2.29.0.rc2
+

0007-libsepol-drop-confusing-BUG_ON-macro.patch

@@ -0,0 +1,77 @@
+From 64387cb37379fc8f135eeecd2bd9fdf3c591c763 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sat, 3 Oct 2020 15:34:19 +0200
+Subject: [PATCH] libsepol: drop confusing BUG_ON macro
+
+Contrary to Linux kernel, BUG_ON() does not halt the execution, in
+libsepol/src/services.c. Instead it displays an error message and
+continues the execution.
+
+This means that this code does not prevent an out-of-bound write from
+happening:
+
+    case CEXPR_AND:
+        BUG_ON(sp < 1);
+        sp--;
+        s[sp] &= s[sp + 1];
+
+Use if(...){BUG();rc=-EINVAL;goto out;} constructions instead, to make
+sure that the array access is always in-bound.
+
+This issue has been found using clang's static analyzer:
+https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-50a861.html#EndPath
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/src/services.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index 90da1f4efef3..beb0711f6680 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -67,7 +67,6 @@
+ #include "flask.h"
+ 
+ #define BUG() do { ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
+-#define BUG_ON(x) do { if (x) ERR(NULL, "Badness at %s:%d", __FILE__, __LINE__); } while (0)
+ 
+ static int selinux_enforcing = 1;
+ 
+@@ -469,18 +468,30 @@ static int constraint_expr_eval_reason(context_struct_t *scontext,
+ 		/* Now process each expression of the constraint */
+ 		switch (e->expr_type) {
+ 		case CEXPR_NOT:
+-			BUG_ON(sp < 0);
++			if (sp < 0) {
++				BUG();
++				rc = -EINVAL;
++				goto out;
++			}
+ 			s[sp] = !s[sp];
+ 			cat_expr_buf(expr_list[expr_counter], "not");
+ 			break;
+ 		case CEXPR_AND:
+-			BUG_ON(sp < 1);
++			if (sp < 1) {
++				BUG();
++				rc = -EINVAL;
++				goto out;
++			}
+ 			sp--;
+ 			s[sp] &= s[sp + 1];
+ 			cat_expr_buf(expr_list[expr_counter], "and");
+ 			break;
+ 		case CEXPR_OR:
+-			BUG_ON(sp < 1);
++			if (sp < 1) {
++				BUG();
++				rc = -EINVAL;
++				goto out;
++			}
+ 			sp--;
+ 			s[sp] |= s[sp + 1];
+ 			cat_expr_buf(expr_list[expr_counter], "or");
+-- 
+2.29.0.rc2
+

0008-libsepol-silence-potential-NULL-pointer-dereference-.patch

@@ -0,0 +1,66 @@
+From c97d63c6b40c71c693d3b5bb25628869a95dff24 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Sat, 3 Oct 2020 15:56:58 +0200
+Subject: [PATCH] libsepol: silence potential NULL pointer dereference warning
+
+When find_avtab_node() is called with key->specified & AVTAB_XPERMS and
+xperms=NULL, xperms is being dereferenced. This is detected as a
+"NULL pointer dereference issue" by static analyzers.
+
+Even though it does not make much sense to call find_avtab_node() in a
+way which triggers the NULL pointer dereference issue, static analyzers
+have a hard time with calls such as:
+
+    node = find_avtab_node(handle, avtab, &avkey, cond, NULL);
+
+... where xperms=NULL.
+
+So, make the function report an error instead of crashing.
+
+Here is an example of report from clang's static analyzer:
+https://558-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-10-02-065849-6375-1/report-d86a57.html#EndPath
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/src/expand.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
+index 19e48c507236..eac7e4507d02 100644
+--- a/libsepol/src/expand.c
++++ b/libsepol/src/expand.c
+@@ -1570,17 +1570,22 @@ static avtab_ptr_t find_avtab_node(sepol_handle_t * handle,
+ 
+ 	/* AVTAB_XPERMS entries are not necessarily unique */
+ 	if (key->specified & AVTAB_XPERMS) {
+-		node = avtab_search_node(avtab, key);
+-		while (node) {
+-			if ((node->datum.xperms->specified == xperms->specified) &&
+-				(node->datum.xperms->driver == xperms->driver)) {
+-				match = 1;
+-				break;
++		if (xperms == NULL) {
++			ERR(handle, "searching xperms NULL");
++			node = NULL;
++		} else {
++			node = avtab_search_node(avtab, key);
++			while (node) {
++				if ((node->datum.xperms->specified == xperms->specified) &&
++					(node->datum.xperms->driver == xperms->driver)) {
++					match = 1;
++					break;
++				}
++				node = avtab_search_node_next(node, key->specified);
+ 			}
+-			node = avtab_search_node_next(node, key->specified);
++			if (!match)
++				node = NULL;
+ 		}
+-		if (!match)
+-			node = NULL;
+ 	} else {
+ 		node = avtab_search_node(avtab, key);
+ 	}
+-- 
+2.29.0.rc2
+

0009-libsepol-Get-rid-of-the-old-and-duplicated-symbols.patch

@@ -0,0 +1,193 @@
+From ae58e84b4fd825b6cd2c67f3856ac35557c45e9c Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:47 +0200
+Subject: [PATCH] libsepol: Get rid of the old and duplicated symbols
+
+Versioned duplicate symbols cause problems for LTO. These symbols were
+introduced during the CIL integration several releases ago and were only
+consumed by other SELinux userspace components.
+
+Fixes: https://github.com/SELinuxProject/selinux/issues/245
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsepol/cil/src/cil.c       | 84 ------------------------------------
+ libsepol/src/libsepol.map.in |  5 ---
+ 2 files changed, 89 deletions(-)
+
+diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
+index a3c6a2934c72..95bdb5e5854c 100644
+--- a/libsepol/cil/src/cil.c
++++ b/libsepol/cil/src/cil.c
+@@ -51,27 +51,6 @@
+ #include "cil_policy.h"
+ #include "cil_strpool.h"
+ 
+-#if !defined(SHARED) || defined(ANDROID) || defined(__APPLE__)
+-    #define DISABLE_SYMVER 1
+-#endif
+-
+-#ifndef DISABLE_SYMVER
+-asm(".symver cil_build_policydb_pdb,        cil_build_policydb@LIBSEPOL_1.0");
+-asm(".symver cil_build_policydb_create_pdb, cil_build_policydb@@LIBSEPOL_1.1");
+-
+-asm(".symver cil_compile_pdb,   cil_compile@LIBSEPOL_1.0");
+-asm(".symver cil_compile_nopdb, cil_compile@@LIBSEPOL_1.1");
+-
+-asm(".symver cil_userprefixes_to_string_pdb,   cil_userprefixes_to_string@LIBSEPOL_1.0");
+-asm(".symver cil_userprefixes_to_string_nopdb, cil_userprefixes_to_string@@LIBSEPOL_1.1");
+-
+-asm(".symver cil_selinuxusers_to_string_pdb,   cil_selinuxusers_to_string@LIBSEPOL_1.0");
+-asm(".symver cil_selinuxusers_to_string_nopdb, cil_selinuxusers_to_string@@LIBSEPOL_1.1");
+-
+-asm(".symver cil_filecons_to_string_pdb,   cil_filecons_to_string@LIBSEPOL_1.0");
+-asm(".symver cil_filecons_to_string_nopdb, cil_filecons_to_string@@LIBSEPOL_1.1");
+-#endif
+-
+ int cil_sym_sizes[CIL_SYM_ARRAY_NUM][CIL_SYM_NUM] = {
+ 	{64, 64, 64, 1 << 13, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64},
+ 	{64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64, 64},
+@@ -549,11 +528,7 @@ exit:
+ 	return rc;
+ }
+ 
+-#ifdef DISABLE_SYMVER
+ int cil_compile(struct cil_db *db)
+-#else
+-int cil_compile_nopdb(struct cil_db *db)
+-#endif
+ {
+ 	int rc = SEPOL_ERR;
+ 
+@@ -597,33 +572,7 @@ exit:
+ 	return rc;
+ }
+ 
+-#ifndef DISABLE_SYMVER
+-int cil_compile_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db)
+-{
+-	return cil_compile_nopdb(db);
+-}
+-
+-int cil_build_policydb_pdb(cil_db_t *db, sepol_policydb_t *sepol_db)
+-{
+-	int rc;
+-
+-	cil_log(CIL_INFO, "Building policy binary\n");
+-	rc = cil_binary_create_allocated_pdb(db, sepol_db);
+-	if (rc != SEPOL_OK) {
+-		cil_log(CIL_ERR, "Failed to generate binary\n");
+-		goto exit;
+-	}
+-
+-exit:
+-	return rc;
+-}
+-#endif
+-
+-#ifdef DISABLE_SYMVER
+ int cil_build_policydb(cil_db_t *db, sepol_policydb_t **sepol_db)
+-#else
+-int cil_build_policydb_create_pdb(cil_db_t *db, sepol_policydb_t **sepol_db)
+-#endif
+ {
+ 	int rc;
+ 
+@@ -1371,11 +1320,7 @@ const char * cil_node_to_string(struct cil_tree_node *node)
+ 	return "<unknown>";
+ }
+ 
+-#ifdef DISABLE_SYMVER
+ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
+-#else
+-int cil_userprefixes_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
+-#endif
+ {
+ 	int rc = SEPOL_ERR;
+ 	size_t str_len = 0;
+@@ -1420,13 +1365,6 @@ exit:
+ 
+ }
+ 
+-#ifndef DISABLE_SYMVER
+-int cil_userprefixes_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
+-{
+-	return cil_userprefixes_to_string_nopdb(db, out, size);
+-}
+-#endif
+-
+ static int cil_cats_to_ebitmap(struct cil_cats *cats, struct ebitmap* cats_ebitmap)
+ {
+ 	int rc = SEPOL_ERR;
+@@ -1614,11 +1552,7 @@ static int __cil_level_to_string(struct cil_level *lvl, char *out)
+ 	return str_tmp - out;
+ }
+ 
+-#ifdef DISABLE_SYMVER
+ int cil_selinuxusers_to_string(struct cil_db *db, char **out, size_t *size)
+-#else
+-int cil_selinuxusers_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
+-#endif
+ {
+ 	size_t str_len = 0;
+ 	int buf_pos = 0;
+@@ -1675,18 +1609,7 @@ int cil_selinuxusers_to_string_nopdb(struct cil_db *db, char **out, size_t *size
+ 	return SEPOL_OK;
+ }
+ 
+-#ifndef DISABLE_SYMVER
+-int cil_selinuxusers_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
+-{
+-	return cil_selinuxusers_to_string_nopdb(db, out, size);
+-}
+-#endif
+-
+-#ifdef DISABLE_SYMVER
+ int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size)
+-#else
+-int cil_filecons_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
+-#endif
+ {
+ 	uint32_t i = 0;
+ 	int buf_pos = 0;
+@@ -1804,13 +1727,6 @@ int cil_filecons_to_string_nopdb(struct cil_db *db, char **out, size_t *size)
+ 	return SEPOL_OK;
+ }
+ 
+-#ifndef DISABLE_SYMVER
+-int cil_filecons_to_string_pdb(struct cil_db *db, __attribute__((unused)) sepol_policydb_t *sepol_db, char **out, size_t *size)
+-{
+-	return cil_filecons_to_string_nopdb(db, out, size);
+-}
+-#endif
+-
+ void cil_set_disable_dontaudit(struct cil_db *db, int disable_dontaudit)
+ {
+ 	db->disable_dontaudit = disable_dontaudit;
+diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
+index f08c2a861693..98da9789b71b 100644
+--- a/libsepol/src/libsepol.map.in
++++ b/libsepol/src/libsepol.map.in
+@@ -1,19 +1,14 @@
+ LIBSEPOL_1.0 {
+   global:
+ 	cil_add_file;
+-	cil_build_policydb;
+-	cil_compile;
+ 	cil_db_destroy;
+ 	cil_db_init;
+-	cil_filecons_to_string;
+-	cil_selinuxusers_to_string;
+ 	cil_set_disable_dontaudit;
+ 	cil_set_disable_neverallow;
+ 	cil_set_handle_unknown;
+ 	cil_set_log_handler;
+ 	cil_set_log_level;
+ 	cil_set_preserve_tunables;
+-	cil_userprefixes_to_string;
+ 	expand_module_avrules;
+ 	sepol_bool_clone;
+ 	sepol_bool_compare;
+-- 
+2.29.0.rc2
+

0010-libsepol-Drop-deprecated-functions.patch

@@ -0,0 +1,134 @@
+From 506c7b95b802ab157fe9ae1dae22fab12c515306 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:48 +0200
+Subject: [PATCH] libsepol: Drop deprecated functions
+
+These functions were converted to no-op by commit
+c3f9492d7ff0 ("selinux: Remove legacy local boolean and user code") and
+left in libsepol/src/deprecated_functions.c to preserve API/ABI. As we
+change libsepol ABI dropping duplicate symbols it's time to drop these
+functions too.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsepol/include/sepol/booleans.h |  5 ----
+ libsepol/include/sepol/users.h    |  6 ----
+ libsepol/src/deprecated_funcs.c   | 50 -------------------------------
+ libsepol/src/libsepol.map.in      |  4 ---
+ 4 files changed, 65 deletions(-)
+ delete mode 100644 libsepol/src/deprecated_funcs.c
+
+diff --git a/libsepol/include/sepol/booleans.h b/libsepol/include/sepol/booleans.h
+index 06d2230c395d..25229057dbd7 100644
+--- a/libsepol/include/sepol/booleans.h
++++ b/libsepol/include/sepol/booleans.h
+@@ -10,11 +10,6 @@
+ extern "C" {
+ #endif
+ 
+-/* These two functions are deprecated. See src/deprecated_funcs.c */
+-extern int sepol_genbools(void *data, size_t len, const char *boolpath);
+-extern int sepol_genbools_array(void *data, size_t len,
+-				char **names, int *values, int nel);
+-
+ /* Set the specified boolean */
+ extern int sepol_bool_set(sepol_handle_t * handle,
+ 			  sepol_policydb_t * policydb,
+diff --git a/libsepol/include/sepol/users.h b/libsepol/include/sepol/users.h
+index 70158ac41e40..156d1adb2d60 100644
+--- a/libsepol/include/sepol/users.h
++++ b/libsepol/include/sepol/users.h
+@@ -10,12 +10,6 @@
+ extern "C" {
+ #endif
+ 
+-/* These two functions are deprecated. See src/deprecated_funcs.c */
+-extern int sepol_genusers(void *data, size_t len,
+-			  const char *usersdir,
+-			  void **newdata, size_t * newlen);
+-extern void sepol_set_delusers(int on);
+-
+ /* Modify the user, or add it, if the key is not found */
+ extern int sepol_user_modify(sepol_handle_t * handle,
+ 			     sepol_policydb_t * policydb,
+diff --git a/libsepol/src/deprecated_funcs.c b/libsepol/src/deprecated_funcs.c
+deleted file mode 100644
+index d0dab7dfcb4a..000000000000
+--- a/libsepol/src/deprecated_funcs.c
++++ /dev/null
+@@ -1,50 +0,0 @@
+-#include <stdio.h>
+-#include "debug.h"
+-
+-/*
+- * Need to keep these stubs for the libsepol interfaces exported in
+- * libsepol.map.in, as they are part of the shared library ABI.
+- */
+-
+-static const char *msg = "Deprecated interface";
+-
+-/*
+- * These two functions are deprecated and referenced in:
+- *	include/libsepol/users.h
+- */
+-int sepol_genusers(void *data __attribute((unused)),
+-		   size_t len __attribute((unused)),
+-		   const char *usersdir __attribute((unused)),
+-		   void **newdata __attribute((unused)),
+-		   size_t *newlen __attribute((unused)))
+-{
+-	WARN(NULL, "%s", msg);
+-	return -1;
+-}
+-
+-void sepol_set_delusers(int on __attribute((unused)))
+-{
+-	WARN(NULL, "%s", msg);
+-}
+-
+-/*
+- * These two functions are deprecated and referenced in:
+- *	include/libsepol/booleans.h
+- */
+-int sepol_genbools(void *data __attribute((unused)),
+-		   size_t len __attribute((unused)),
+-		   const char *booleans __attribute((unused)))
+-{
+-	WARN(NULL, "%s", msg);
+-	return -1;
+-}
+-
+-int sepol_genbools_array(void *data __attribute((unused)),
+-			 size_t len __attribute((unused)),
+-			 char **names __attribute((unused)),
+-			 int *values __attribute((unused)),
+-			 int nel __attribute((unused)))
+-{
+-	WARN(NULL, "%s", msg);
+-	return -1;
+-}
+diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in
+index 98da9789b71b..eb5721257638 100644
+--- a/libsepol/src/libsepol.map.in
++++ b/libsepol/src/libsepol.map.in
+@@ -45,9 +45,6 @@ LIBSEPOL_1.0 {
+ 	sepol_context_to_string;
+ 	sepol_debug;
+ 	sepol_expand_module;
+-	sepol_genbools;
+-	sepol_genbools_array;
+-	sepol_genusers;
+ 	sepol_get_disable_dontaudit;
+ 	sepol_get_preserve_tunables;
+ 	sepol_handle_create;
+@@ -213,7 +210,6 @@ LIBSEPOL_1.0 {
+ 	sepol_port_set_port;
+ 	sepol_port_set_proto;
+ 	sepol_port_set_range;
+-	sepol_set_delusers;
+ 	sepol_set_disable_dontaudit;
+ 	sepol_set_expand_consume_base;
+ 	sepol_set_policydb_from_file;
+-- 
+2.29.0.rc2
+

0011-libsepol-Bump-libsepol.so-version.patch

@@ -0,0 +1,45 @@
+From 4a142ac46a116feb9f978eaec68a30efef979c73 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 9 Oct 2020 15:00:49 +0200
+Subject: [PATCH] libsepol: Bump libsepol.so version
+
+Previous commits removed some symbols and broke ABI, therefore we need to change
+SONAME.
+
+See the following quotes from distribution guidelines:
+
+https://www.debian.org/doc/debian-policy/ch-sharedlibs.html#run-time-shared-libraries
+
+Every time the shared library ABI changes in a way that may break
+binaries linked against older versions of the shared library, the SONAME
+of the library and the corresponding name for the binary package
+containing the runtime shared library should change.
+
+https://docs.fedoraproject.org/en-US/packaging-guidelines/#_downstream_so_name_versioning
+
+When new versions of the library are released, you should use an ABI
+comparison tool to check for ABI differences in the built shared
+libraries. If it detects any incompatibilities, bump the n number by
+one.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ libsepol/src/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
+index 8d466f56ed0e..dc8b1773d974 100644
+--- a/libsepol/src/Makefile
++++ b/libsepol/src/Makefile
+@@ -7,7 +7,7 @@ RANLIB ?= ranlib
+ CILDIR ?= ../cil
+ 
+ VERSION = $(shell cat ../VERSION)
+-LIBVERSION = 1
++LIBVERSION = 2
+ 
+ LEX = flex
+ CIL_GENERATED = $(CILDIR)/src/cil_lexer.c
+-- 
+2.29.0.rc2
+

0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch

@@ -0,0 +1,170 @@
+From 3b26f0566698926ba38cbf3fa702f3ff78862c5e Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Tue, 20 Oct 2020 09:28:56 -0400
+Subject: [PATCH] libsepol/cil: Give error for more than one true or false
+ block
+
+Both tunableif and booleanif use conditional blocks (either true or
+false). No ordering is imposed, so a false block can be first (or even
+the only) block. Checks are made to ensure that the first and second
+(if it exists) blocks are either true or false, but no checks are made
+to ensure that there is only one true and/or one false block. If there
+are more than one true or false block, only the first will be used and
+the other will be ignored.
+
+Create a function, cil_verify_conditional_blocks(), that gives an error
+along with a message if more than one true or false block is specified
+and call that function when building tunableif and booleanif blocks in
+the AST.
+
+Signed-off-by: James Carter <jwcart2@gmail.com>
+Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+ libsepol/cil/src/cil_build_ast.c | 44 +++++---------------------------
+ libsepol/cil/src/cil_verify.c    | 35 +++++++++++++++++++++++++
+ libsepol/cil/src/cil_verify.h    |  1 +
+ 3 files changed, 42 insertions(+), 38 deletions(-)
+
+diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
+index 3aabb05ec534..a895583404a7 100644
+--- a/libsepol/cil/src/cil_build_ast.c
++++ b/libsepol/cil/src/cil_build_ast.c
+@@ -2821,7 +2821,6 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
+ 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
+ 	struct cil_booleanif *bif = NULL;
+ 	struct cil_tree_node *next = NULL;
+-	struct cil_tree_node *cond = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+ 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
+@@ -2841,27 +2840,12 @@ int cil_gen_boolif(struct cil_db *db, struct cil_tree_node *parse_current, struc
+ 		goto exit;
+ 	}
+ 
+-	cond = parse_current->next->next;
+-
+-	/* Destroying expr tree after stack is created*/
+-	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-		cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-		rc = SEPOL_ERR;
+-		cil_log(CIL_ERR, "Conditional neither true nor false\n");
++	rc = cil_verify_conditional_blocks(parse_current->next->next);
++	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}
+ 
+-	if (cond->next != NULL) {
+-		cond = cond->next;
+-		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-			cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-			rc = SEPOL_ERR;
+-			cil_log(CIL_ERR, "Conditional neither true nor false\n");
+-			goto exit;
+-		}
+-	}
+-
+-
++	/* Destroying expr tree */
+ 	next = parse_current->next->next;
+ 	cil_tree_subtree_destroy(parse_current->next);
+ 	parse_current->next = next;
+@@ -2905,7 +2889,6 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 	int syntax_len = sizeof(syntax)/sizeof(*syntax);
+ 	struct cil_tunableif *tif = NULL;
+ 	struct cil_tree_node *next = NULL;
+-	struct cil_tree_node *cond = NULL;
+ 	int rc = SEPOL_ERR;
+ 
+ 	if (db == NULL || parse_current == NULL || ast_node == NULL) {
+@@ -2924,27 +2907,12 @@ int cil_gen_tunif(struct cil_db *db, struct cil_tree_node *parse_current, struct
+ 		goto exit;
+ 	}
+ 
+-	cond = parse_current->next->next;
+-
+-	if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-		cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-		rc = SEPOL_ERR;
+-		cil_log(CIL_ERR, "Conditional neither true nor false\n");
++	rc = cil_verify_conditional_blocks(parse_current->next->next);
++	if (rc != SEPOL_OK) {
+ 		goto exit;
+ 	}
+ 
+-	if (cond->next != NULL) {
+-		cond = cond->next;
+-
+-		if (cond->cl_head->data != CIL_KEY_CONDTRUE &&
+-			cond->cl_head->data != CIL_KEY_CONDFALSE) {
+-			rc = SEPOL_ERR;
+-			cil_log(CIL_ERR, "Conditional neither true nor false\n");
+-			goto exit;
+-		}
+-	}
+-
+-	/* Destroying expr tree after stack is created*/
++	/* Destroying expr tree */
+ 	next = parse_current->next->next;
+ 	cil_tree_subtree_destroy(parse_current->next);
+ 	parse_current->next = next;
+diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
+index c73bbeee371b..6706e21921fe 100644
+--- a/libsepol/cil/src/cil_verify.c
++++ b/libsepol/cil/src/cil_verify.c
+@@ -324,6 +324,41 @@ exit:
+ 	return SEPOL_ERR;
+ }
+ 
++int cil_verify_conditional_blocks(struct cil_tree_node *current)
++{
++	int found_true = CIL_FALSE;
++	int found_false = CIL_FALSE;
++
++	if (current->cl_head->data == CIL_KEY_CONDTRUE) {
++		found_true = CIL_TRUE;
++	} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
++		found_false = CIL_TRUE;
++	} else {
++		cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
++		return SEPOL_ERR;
++	}
++
++	current = current->next;
++	if (current != NULL) {
++		if (current->cl_head->data == CIL_KEY_CONDTRUE) {
++			if (found_true) {
++				cil_tree_log(current, CIL_ERR, "More than one true block in conditional");
++				return SEPOL_ERR;
++			}
++		} else if (current->cl_head->data == CIL_KEY_CONDFALSE) {
++			if (found_false) {
++				cil_tree_log(current, CIL_ERR, "More than one false block in conditional");
++				return SEPOL_ERR;
++			}
++		} else {
++			cil_tree_log(current, CIL_ERR, "Expected true or false block in conditional");
++			return SEPOL_ERR;
++		}
++	}
++
++	return SEPOL_OK;
++}
++
+ int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list)
+ {
+ 	struct cil_list_item *i;
+diff --git a/libsepol/cil/src/cil_verify.h b/libsepol/cil/src/cil_verify.h
+index bda1565fced5..905761b0a19c 100644
+--- a/libsepol/cil/src/cil_verify.h
++++ b/libsepol/cil/src/cil_verify.h
+@@ -61,6 +61,7 @@ int __cil_verify_syntax(struct cil_tree_node *parse_current, enum cil_syntax s[]
+ int cil_verify_expr_syntax(struct cil_tree_node *current, enum cil_flavor op, enum cil_flavor expr_flavor);
+ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_flavor r_flavor, enum cil_flavor op, enum cil_flavor expr_flavor);
+ int cil_verify_constraint_expr_syntax(struct cil_tree_node *current, enum cil_flavor op);
++int cil_verify_conditional_blocks(struct cil_tree_node *current);
+ int cil_verify_no_self_reference(struct cil_symtab_datum *datum, struct cil_list *datum_list);
+ int __cil_verify_ranges(struct cil_list *list);
+ int __cil_verify_ordered_node_helper(struct cil_tree_node *node, uint32_t *finished, void *extra_args);
+-- 
+2.29.2
+

0013-libsepol-free-memory-when-realloc-fails.patch

@@ -0,0 +1,81 @@
+From a2bd2a8ea5ef687e8b4dc2694f7d5e99a1ec2a06 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss <nicolas.iooss@m4x.org>
+Date: Thu, 12 Nov 2020 21:24:06 +0100
+Subject: [PATCH] libsepol: free memory when realloc() fails
+
+In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
+grow the memory, the function returns NULL without freeing class_buf.
+This leads to a memory leak which is reported by clang's static
+analyzer:
+https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
+
+Fix the memory leak by calling free(class_buf).
+
+While at it, use size_t insted of int to store the size of the buffer
+which is growing.
+
+Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
+---
+ libsepol/src/services.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/libsepol/src/services.c b/libsepol/src/services.c
+index beb0711f6680..72b39657cd2e 100644
+--- a/libsepol/src/services.c
++++ b/libsepol/src/services.c
+@@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 	else
+ 		state_num = mls + 2;
+ 
+-	int class_buf_len = 0;
+-	int new_class_buf_len;
+-	int len, buf_used;
++	size_t class_buf_len = 0;
++	size_t new_class_buf_len;
++	size_t buf_used;
++	int len;
+ 	char *class_buf = NULL, *p;
+ 	char *new_class_buf = NULL;
+ 
+ 	while (1) {
+ 		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
+ 		new_class_buf = realloc(class_buf, new_class_buf_len);
+-			if (!new_class_buf)
+-				return NULL;
++		if (!new_class_buf) {
++			free(class_buf);
++			return NULL;
++		}
+ 		class_buf_len = new_class_buf_len;
+ 		class_buf = new_class_buf;
+ 		buf_used = 0;
+@@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 
+ 		/* Add statement type */
+ 		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 
+ 		/* Add class entry */
+@@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 		buf_used += len;
+ 		len = snprintf(p, class_buf_len - buf_used, "%s ",
+ 				policydb->p_class_val_to_name[tclass - 1]);
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 
+ 		/* Add permission entries (validatetrans does not have perms) */
+@@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
+ 		} else {
+ 			len = snprintf(p, class_buf_len - buf_used, "(");
+ 		}
+-		if (len < 0 || len >= class_buf_len - buf_used)
++		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
+ 			continue;
+ 		break;
+ 	}
+-- 
+2.29.2
+

Makefile

@@ -1,21 +0,0 @@
-# Makefile for source rpm: libsepol
-# $Id$
-NAME := libsepol
-SPECFILE = $(firstword $(wildcard *.spec))
-
-define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
-endef
-
-MAKEFILE_COMMON := $(shell $(find-makefile-common))
-
-ifeq ($(MAKEFILE_COMMON),)
-# attempt a checkout
-define checkout-makefile-common
-test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
-endef
-
-MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
-endif
-
-include $(MAKEFILE_COMMON)

STAGE1-libsepol

@@ -0,0 +1,18 @@
+srpm libsepol
+mcd $BUILDDIR/t-libsepol
+rsync -av $SRC/libsepol*/ ./
+make $J \
+    CC=${TARGET}-gcc \
+    AS=${TARGET}-as \
+    AR=${TARGET}-ar \
+    STRIP=${TARGET}-strip \
+    RANLIB=${TARGET}-ranlib \
+    CFLAGS="" \
+    TLSFLAGS="" \
+    all
+ARGS="DESTDIR=${ROOTFS}"
+if [ "$SUFFIX" = "64" ]
+then
+    ARGS="$ARGS LIBDIR=${ROOTFS}/usr/lib64 SHLIBDIR=${ROOTFS}/usr/lib64"
+fi
+make $J $ARGS install

gating.yaml

@@ -0,0 +1,16 @@
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_testing
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+
+--- !Policy
+product_versions:
+  - fedora-*
+decision_context: bodhi_update_push_stable
+subject_type: koji_build
+rules:
+  - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
+

libsepol-rhat.patch

@@ -1,237 +0,0 @@
-diff --exclude-from=exclude -N -u -r nsalibsepol/include/sepol/policydb/conditional.h libsepol-2.0.1/include/sepol/policydb/conditional.h
---- nsalibsepol/include/sepol/policydb/conditional.h	2006-11-16 17:14:15.000000000 -0500
-+++ libsepol-2.0.1/include/sepol/policydb/conditional.h	2007-03-28 14:13:02.000000000 -0400
-@@ -100,6 +100,8 @@
- 				   cond_node_t * needle, cond_node_t * haystack,
- 				   int *was_created);
- 
-+extern cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node);
-+
- extern cond_node_t *cond_node_search(policydb_t * p, cond_node_t * list,
- 				     cond_node_t * cn);
- 
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/conditional.c libsepol-2.0.1/src/conditional.c
---- nsalibsepol/src/conditional.c	2006-11-16 17:14:24.000000000 -0500
-+++ libsepol-2.0.1/src/conditional.c	2007-03-28 14:13:02.000000000 -0400
-@@ -26,9 +26,6 @@
- 
- #include "private.h"
- 
--#undef min
--#define min(a,b) (((a) < (b)) ? (a) : (b))
--
- /* move all type rules to top of t/f lists to help kernel on evaluation */
- static void cond_optimize(cond_av_list_t ** l)
- {
-@@ -136,6 +133,38 @@
- 	return 1;
- }
- 
-+/* Create a new conditional node, optionally copying
-+ * the conditional expression from an existing node.
-+ * If node is NULL then a new node will be created
-+ * with no conditional expression.
-+ */
-+cond_node_t *cond_node_create(policydb_t * p, cond_node_t * node)
-+{
-+	cond_node_t *new_node;
-+	unsigned int i;
-+
-+	new_node = (cond_node_t *)malloc(sizeof(cond_node_t));
-+	if (!new_node) {
-+		return NULL;
-+	}
-+	memset(new_node, 0, sizeof(cond_node_t));
-+
-+	if (node) {
-+		new_node->expr = cond_copy_expr(node->expr);
-+		if (!new_node->expr) {
-+			free(new_node);
-+			return NULL;
-+		}
-+		new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
-+		new_node->nbools = node->nbools;
-+		for (i = 0; i < min(node->nbools, COND_MAX_BOOLS); i++)
-+			new_node->bool_ids[i] = node->bool_ids[i];
-+		new_node->expr_pre_comp = node->expr_pre_comp;
-+	}
-+
-+	return new_node;
-+}
-+
- /* Find a conditional (the needle) within a list of existing ones (the
-  * haystack) that has a matching expression.  If found, return a
-  * pointer to the existing node, setting 'was_created' to 0.
-@@ -145,9 +174,6 @@
- 			    cond_node_t * needle, cond_node_t * haystack,
- 			    int *was_created)
- {
--	cond_node_t *new_node;
--	unsigned int i;
--
- 	while (haystack) {
- 		if (cond_expr_equal(needle, haystack)) {
- 			*was_created = 0;
-@@ -156,26 +182,8 @@
- 		haystack = haystack->next;
- 	}
- 	*was_created = 1;
--	new_node = (cond_node_t *) malloc(sizeof(cond_node_t));
--	if (!new_node) {
--		return NULL;
--	}
--	memset(new_node, 0, sizeof(cond_node_t));
--	new_node->expr = cond_copy_expr(needle->expr);
--	if (!new_node->expr) {
--		free(new_node);
--		return NULL;
--	}
--	new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
--	new_node->nbools = needle->nbools;
--	for (i = 0; i < min(needle->nbools, COND_MAX_BOOLS); i++)
--		new_node->bool_ids[i] = needle->bool_ids[i];
--	new_node->expr_pre_comp = needle->expr_pre_comp;
--	new_node->true_list = NULL;
--	new_node->false_list = NULL;
--	new_node->avtrue_list = NULL;
--	new_node->avfalse_list = NULL;
--	return new_node;
-+
-+	return cond_node_create(p, needle);
- }
- 
- /* return either a pre-existing matching node or create a new node */
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/expand.c libsepol-2.0.1/src/expand.c
---- nsalibsepol/src/expand.c	2007-02-07 12:11:48.000000000 -0500
-+++ libsepol-2.0.1/src/expand.c	2007-03-28 14:13:02.000000000 -0400
-@@ -35,10 +35,12 @@
- #include <assert.h>
- 
- #include "debug.h"
-+#include "private.h"
- 
- typedef struct expand_state {
- 	int verbose;
- 	uint32_t *typemap;
-+	uint32_t *boolmap;
- 	policydb_t *base;
- 	policydb_t *out;
- 	sepol_handle_t *handle;
-@@ -791,8 +793,8 @@
- 		return -1;
- 	}
- 
--	new_bool->s.value = bool->s.value;
- 	state->out->p_bools.nprim++;
-+	new_bool->s.value = state->out->p_bools.nprim;
- 
- 	ret = hashtab_insert(state->out->p_bools.table,
- 			     (hashtab_key_t) new_id,
-@@ -804,6 +806,8 @@
- 		return -1;
- 	}
- 
-+	state->boolmap[bool->s.value - 1] = new_bool->s.value;
-+
- 	new_bool->state = bool->state;
- 
- 	return 0;
-@@ -1555,12 +1559,35 @@
- 	return 0;
- }
- 
-+static int cond_node_map_bools(expand_state_t * state, cond_node_t * cn)
-+{
-+	cond_expr_t *cur;
-+	unsigned int i;
-+
-+	cur = cn->expr;
-+	while (cur) {
-+		if (cur->bool)
-+			cur->bool = state->boolmap[cur->bool - 1];
-+		cur = cur->next;
-+	}
-+
-+	for (i = 0; i < min(cn->nbools, COND_MAX_BOOLS); i++)
-+		cn->bool_ids[i] = state->boolmap[cn->bool_ids[i] - 1];
-+
-+	if (cond_normalize_expr(state->out, cn)) {
-+		ERR(state->handle, "Error while normalizing conditional");
-+		return -1;
-+	}
-+
-+	return 0;
-+}
-+
- /* copy the nodes in *reverse* order -- the result is that the last
-  * given conditional appears first in the policy, so as to match the
-  * behavior of the upstream compiler */
- static int cond_node_copy(expand_state_t * state, cond_node_t * cn)
- {
--	cond_node_t *new_cond;
-+	cond_node_t *new_cond, *tmp;
- 
- 	if (cn == NULL) {
- 		return 0;
-@@ -1573,11 +1600,26 @@
- 		return -1;
- 	}
- 
--	new_cond = cond_node_search(state->out, state->out->cond_list, cn);
-+	/* create a new temporary conditional node with the booleans
-+	 * mapped */
-+	tmp = cond_node_create(state->base, cn);
-+	if (!tmp) {
-+		ERR(state->handle, "Out of memory");
-+		return -1;
-+	}
-+
-+	if (cond_node_map_bools(state, tmp)) {
-+		ERR(state->handle, "Error mapping booleans");
-+		return -1;
-+	}
-+
-+	new_cond = cond_node_search(state->out, state->out->cond_list, tmp);
- 	if (!new_cond) {
-+		cond_node_destroy(tmp);
- 		ERR(state->handle, "Out of memory!");
- 		return -1;
- 	}
-+	cond_node_destroy(tmp);
- 
- 	if (cond_avrule_list_copy
- 	    (state->out, cn->avtrue_list, &state->out->te_cond_avtab,
-@@ -2210,6 +2252,12 @@
- 		goto cleanup;
- 	}
- 
-+	state.boolmap = (uint32_t *)calloc(state.base->p_bools.nprim, sizeof(uint32_t));
-+	if (!state.boolmap) {
-+		ERR(handle, "Out of memory!");
-+		goto cleanup;
-+	}
-+
- 	/* order is important - types must be first */
- 
- 	/* copy types */
-@@ -2364,6 +2412,7 @@
- 
-       cleanup:
- 	free(state.typemap);
-+	free(state.boolmap);
- 	return retval;
- }
- 
-diff --exclude-from=exclude -N -u -r nsalibsepol/src/private.h libsepol-2.0.1/src/private.h
---- nsalibsepol/src/private.h	2007-02-07 12:11:48.000000000 -0500
-+++ libsepol-2.0.1/src/private.h	2007-03-28 14:13:02.000000000 -0400
-@@ -24,6 +24,9 @@
- #define le64_to_cpu(x) bswap_64(x)
- #endif
- 
-+#undef min
-+#define min(a,b) (((a) < (b)) ? (a) : (b))
-+
- /* Policy compatibility information. */
- struct policydb_compat_info {
- 	unsigned int type;

libsepol.spec

@@ -1,13 +1,33 @@
-Summary: SELinux binary policy manipulation library 
+Summary: SELinux binary policy manipulation library
 Name: libsepol
-Version: 2.0.41
-Release: 2%{?dist}
+Version: 3.1
+Release: 5%{?dist}
 License: LGPLv2+
-Group: System Environment/Libraries
-Source: http://www.nsa.gov/selinux/archives/libsepol-%{version}.tgz
-URL: http://www.selinuxproject.org
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Source0: https://github.com/SELinuxProject/selinux/releases/download/20200710/libsepol-3.1.tar.gz
+URL: https://github.com/SELinuxProject/selinux/wiki
+# $ git clone https://github.com/fedora-selinux/selinux.git
+# $ cd selinux
+# $ git format-patch -N libsepol-3.1 -- libsepol
+# $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+# Patch list start
+Patch0001: 0001-libsepol-checkpolicy-optimize-storage-of-filename-tr.patch
+Patch0002: 0002-libsepol-implement-POLICYDB_VERSION_COMP_FTRANS.patch
+Patch0003: 0003-libsepol-cil-Validate-constraint-expressions-before-.patch
+Patch0004: 0004-libsepol-cil-Validate-conditional-expressions-before.patch
+Patch0005: 0005-libsepol-cil-Fix-neverallow-checking-involving-class.patch
+Patch0006: 0006-libsepol-cil-fix-signed-overflow-caused-by-using-1-3.patch
+Patch0007: 0007-libsepol-drop-confusing-BUG_ON-macro.patch
+Patch0008: 0008-libsepol-silence-potential-NULL-pointer-dereference-.patch
+Patch0009: 0009-libsepol-Get-rid-of-the-old-and-duplicated-symbols.patch
+Patch0010: 0010-libsepol-Drop-deprecated-functions.patch
+Patch0011: 0011-libsepol-Bump-libsepol.so-version.patch
+Patch0012: 0012-libsepol-cil-Give-error-for-more-than-one-true-or-fa.patch
+Patch0013: 0013-libsepol-free-memory-when-realloc-fails.patch
+# Patch list end
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: flex
+Obsoletes: %{name}-compat = 3.1-4
 
 %description
 Security-enhanced Linux is a feature of the Linux® kernel and a number
@@ -27,8 +47,7 @@ on binary policies such as customizing policy boolean settings.
 
 %package devel
 Summary: Header files and libraries used to build policy manipulation tools
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
+Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description devel
 The libsepol-devel package contains the libraries and header files
@@ -36,54 +55,43 @@ needed for developing applications that manipulate binary policies.
 
 %package static
 Summary: static libraries used to build policy manipulation tools
-Group: Development/Libraries
-Requires: %{name}-devel = %{version}-%{release}
+Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 
 %description static
 The libsepol-static package contains the static libraries and header files
 needed for developing applications that manipulate binary policies. 
 
 %prep
-%setup -q
+%autosetup -p 2 -n libsepol-%{version}
+
 # sparc64 is an -fPIC arch, so we need to fix it here
 %ifarch sparc64
 sed -i 's/fpic/fPIC/g' src/Makefile
 %endif
 
 %build
-make clean
-make %{?_smp_mflags} CFLAGS="%{optflags}"
+%set_build_flags
+CFLAGS="$CFLAGS -fno-semantic-interposition"
+%make_build
 
 %install
-rm -rf ${RPM_BUILD_ROOT}
 mkdir -p ${RPM_BUILD_ROOT}/%{_lib} 
 mkdir -p ${RPM_BUILD_ROOT}/%{_libdir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_includedir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_bindir} 
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man3
 mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8
-make DESTDIR="${RPM_BUILD_ROOT}" LIBDIR="${RPM_BUILD_ROOT}%{_libdir}" SHLIBDIR="${RPM_BUILD_ROOT}/%{_lib}" install
+%make_install LIBDIR="%{_libdir}" SHLIBDIR="%{_libdir}"
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolbools
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/genpolusers
 rm -f ${RPM_BUILD_ROOT}%{_bindir}/chkcon
 rm -rf ${RPM_BUILD_ROOT}%{_mandir}/man8
-
-%clean
-rm -rf ${RPM_BUILD_ROOT}
-
-%post
-/sbin/ldconfig
-[ -x /sbin/telinit ] && [ -p /dev/initctl ]  && /sbin/telinit U
-exit 0
-
-%postun -p /sbin/ldconfig
+rm -rf ${RPM_BUILD_ROOT}%{_mandir}/ru/man8
 
 %files static
-%defattr(-,root,root)
 %{_libdir}/libsepol.a
 
 %files devel
-%defattr(-,root,root)
 %{_libdir}/libsepol.so
 %{_libdir}/pkgconfig/libsepol.pc
 %{_includedir}/sepol/*.h
@@ -91,12 +99,390 @@ exit 0
 %dir %{_includedir}/sepol
 %dir %{_includedir}/sepol/policydb
 %{_includedir}/sepol/policydb/*.h
+%dir %{_includedir}/sepol/cil
+%{_includedir}/sepol/cil/*.h
 
 %files
-%defattr(-,root,root)
-/%{_lib}/libsepol.so.1
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_libdir}/libsepol.so.2
 
 %changelog
+* Fri Nov 20 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-5
+- Drop and obsolete libsepol-compat subpackage
+- cil: Give error for more than one true or false block
+
+* Fri Oct 23 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-4
+- Drop deprecated functions and duplicated symbols
+- Dange library version to libsepol.so.2
+- temporary ship -compat with libsepol.so.1
+- Re-enable LTO flags
+
+* Mon Jul 27 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-3
+- Disable LTO cflags
+- Drop telinit from % post sciptlet
+
+* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 3.1-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+- Use set_build_flags and -fno-semantic-interposition
+
+* Fri Jul 10 2020 Petr Lautrbach <plautrba@redhat.com> - 3.1-1
+- SELinux userspace 3.1 release
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 28 2020 Petr Lautrbach <plautrba@redhat.com> - 3.0-2
+- Fix -fno-common issues discovered by GCC 10
+
+* Fri Dec  6 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-1
+- SELinux userspace 3.0 release
+
+* Mon Nov 11 2019 Petr Lautrbach <plautrba@redhat.com> - 3.0-0.rc.1
+- SELinux userspace 3.0-rc1 release
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Mar 18 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-1
+- SELinux userspace 2.9 release
+
+* Wed Mar  6 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc2.1
+- SELinux userspace 2.9-rc2 release
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9-0.rc1.1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jan 25 2019 Petr Lautrbach <plautrba@redhat.com> - 2.9-0.rc1.1
+- SELinux userspace 2.9-rc1 release
+
+* Tue Nov 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-3
+- Fix RESOURCE_LEAK coverity scan defects
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri May 25 2018 Petr Lautrbach <plautrba@workstation> - 2.8-1
+- SELinux userspace 2.8 release
+
+* Mon May 14 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-0.rc3.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Mon Apr 23 2018 Petr Lautrbach <plautrba@redhat.com> - 2.0-0.rc1.1
+- SELinux userspace 2.8-rc1 release candidate
+
+* Wed Mar 21 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-6
+- Prevent freeing unitialized value in ibendport handling
+- Add support for the SCTP portcon keyword
+- Export sepol_polcap_getnum/name functions
+
+* Tue Mar 13 2018 Petr Lautrbach <plautrba@redhat.com> - 2.7-5
+- cil: Create new keep field for type attribute sets
+- build: follow standard semantics for DESTDIR and PREFIX
+- cil: show an error when cil_expr_to_string() fails
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Nov 22 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-3
+- free ibendport device names
+
+* Fri Oct 20 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-2
+- reset pointer after free in cil_strpool_destroy()
+- cil: Add ability to redeclare types[attributes]
+- cil: Keep attributes used by generated attributes in neverallow rules
+- use IN6ADDR_ANY_INIT to initialize IPv6 addresses
+- fix memory leak in sepol_bool_query()
+- cil: drop wrong unused attribute
+- cil: fix -Wwrite-strings warning
+- cil: __cil_post_db_neverallow_attr_helper() does not use extra_args
+
+* Mon Aug 07 2017 Petr Lautrbach <plautrba@redhat.com> - 2.7-1
+- Update to upstream release 2017-08-04
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Sun Jul 30 2017 Florian Weimer <fweimer@redhat.com> - 2.6-4
+- Rebuild with binutils fix for ppc64le (#1475636)
+
+* Fri Jul 28 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-3
+- Fix neverallow bug when checking conditional policy
+- Destroy the expanded level when mls_semantic_level_expand() fails
+- Do not seg fault on sepol_*_key_free(NULL)
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sun Feb 12 2017 Petr Lautrbach <plautrba@redhat.com> - 2.6-1
+- Update to upstream release 2016-10-14
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.5-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Oct 03 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-10
+- Check for too many permissions in classes and commons in CIL
+- Fix xperm mapping between avrule and avtab
+- tests: Fix mispelling of optimization option
+- Fix unused/uninitialized variables on mac build
+- Produce more meaningful error messages for conflicting type rules in CIL
+- make "make test" fail when a CUnit test fails
+- tests: fix g_b_role_2 test
+- Change which attributes CIL keeps in the binary policy
+- Port str_read() from kernel and remove multiple occurances of similar code
+- Use calloc instead of malloc for all the *_to_val_structs
+- Fix bugs found by AFL
+- Fix memory leak in expand.c
+- Fix invalid read when policy file is corrupt
+- Fix possible use of uninitialized variables
+
+* Mon Aug 01 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-9
+- Warn instead of fail if permission is not resolved
+- Ignore object_r when adding userrole mappings to policydb
+
+* Thu Jul 14 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-8
+- Add missing return to sepol_node_query()
+- Add missing <stdarg.h> include
+
+* Thu Jun 23 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-7
+- Correctly detect unknown classes in sepol_string_to_security_class
+- Sort object files for deterministic linking order
+- Fix neverallowxperm checking on attributes
+- Remove libsepol.map when cleaning
+- Add high-level language line marking support to CIL
+
+* Fri May 06 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-6
+- Change logic of bounds checking to match change in kernel
+- Fix multiple spelling errors
+
+* Mon May 02 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-5
+- Only apply bounds checking to source types in rules
+- Fix CIL and not add an attribute as a type in the attr_type_map
+
+* Fri Apr 29 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-4
+- Build policy on systems not supporting DCCP protocol
+- Fix extended permissions neverallow checking
+- Fix CIL neverallow and bounds checking
+- Android.mk: Add -D_GNU_SOURCE to common_cflags
+
+* Fri Apr 08 2016 Petr Lautrbach <plautrba@redhat.com> - 2.5-3
+- Fix bug in CIL when resetting classes
+- Add support for portcon dccp protocol
+
+* Sun Feb 28 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-2
+- Use fully versioned arch-specific requires
+
+* Tue Feb 23 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-1
+- Update to upstream release 2016-02-23
+
+* Sun Feb 21 2016 Petr Lautrbach <plautrba@redhat.com> 2.5-0.1.rc1
+- Update to upstream rc1 release 2016-01-07
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Aug 25 2015 Michal Srb <msrb@redhat.com> - 2.4-3
+- Improve compatibility with Python 3 SWIG bindings
+- Resolves: rhbz#1247714
+
+* Fri Aug 14 2015 Adam Jackson <ajax@redhat.com> 2.4-2
+- Pass ldflags to make so hardening works
+
+* Mon Apr 13 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-0.1
+- Update to upstream release 2.4
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 2.3-3
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 6 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-1
+- Update to upstream 
+	* Improve error message for name-based transition conflicts.
+	* Revert libsepol: filename_trans: use some better sorting to compare and merge.
+	* Report source file and line information for neverallow failures.
+	* Fix valgrind errors in constraint_expr_eval_reason from Richard Haines.
+	* Add sepol_validate_transition_reason_buffer function from Richard Haines.
+
+* Thu Oct 31 2013 Dan Walsh <dwalsh@redhat.com> - 2.2-1
+- Update to upstream 
+- Richard Haines patch V1 Allow constraint denials to be determined.
+- Add separate role declarations as required by modern checkpolicy.
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Thu Feb 7 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.9-1
+- Update to upstream 
+- filename_trans: use some better sorting to compare and merge
+- coverity fixes
+- implement default type policy syntax
+- Fix memory leak issues found by Klocwork
+- Add CONTRAINT_NAMES to the kernel 
+
+* Sun Jan 27 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.8-8
+- Update to latest patches from eparis/Upstream
+
+* Fri Jan 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.8-7
+- Update to latest patches from eparis/Upstream
+
+* Tue Jan 8 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.8-6
+- Fix libsepol.stack messages in audit2allow/audit2why
+
+* Fri Jan 4 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.8-5
+- Update to latest patches from eparis/Upstream
+
+* Tue Nov 27 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
+- Update Richard Haines patch to show constraint information
+
+* Mon Nov 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
+- Add sepol_compute_av_reason_buffer patch from Richard Haines
+
+* Wed Sep 19 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-2
+- Revert patch that was attempting to expand filetrans attributes, but is breaking filetrans rules
+
+* Thu Sep 13 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.8-1
+- Update to upstream 
+	* fix neverallow checking on attributes
+	* Move context_copy() after switch block in ocontext_copy_*().
+	* check for missing initial SID labeling statement.
+	* Add always_check_network policy capability
+	* role_fix_callback skips out-of-scope roles during expansion.
+
+* Mon Jul 30 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.7-4
+- Try new patches
+
+* Tue Jul 24 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.7-3
+- Revert patches
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 4 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.7-1
+- Update to upstream 
+	* reserve policycapability for redhat testing of ptrace child
+	* cosmetic changes to make the source easier to read
+	* prepend instead of append to filename_trans list
+	* Android/MacOS X build support
+	* allocate enough space to hold filename in trans rules
+
+* Mon Apr 23 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.5-3
+- Fix off by one error that is causing file_name transition rules to be expanded- incorrectly on i686 machines
+
+* Tue Apr 17 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
+- Add support for ptrace_child
+
+* Thu Mar 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
+- Update to upstream 
+  * checkpolicy: implement new default labeling behaviors
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.4-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-5
+- Update to match eparis pool
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-4
+- Additional fix for default transitioning labeling for semodule
+
+* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-3
+- Add Eparis patch for handling of default transition labeling
+
+* Mon Dec 5 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-2
+- Allow policy to specify the source of target for generating the default user,role 
+- or mls label for a new target.
+
+* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.4-1
+- Update to upstream 
+	* regenerate .pc on VERSION change
+	* Move ebitmap_* functions from mcstrans to libsepol
+	* expand: do filename_trans type comparison on mapped representation
+
+* Mon Oct 31 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-2
+-The filename_trans code had a bug where duplicate detection was being
+done between the unmapped type value of a new rule and the type value of
+rules already in policy.  This meant that duplicates were not being
+silently dropped and were instead outputting a message that there was a
+problem.  It made things hard because the message WAS using the mapped
+type to convert to the string representation, so it didn't look like a
+dup!
+
+* Mon Sep 19 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.3-1
+-Update to upstream
+	* Skip writing role attributes for policy.X and
+	* Indicate when boolean is indeed a tunable.
+	* Separate tunable from boolean during compile.
+	* Write and read TUNABLE flags in related
+	* Copy and check the cond_bool_datum_t.flags during link.
+	* Permanently discard disabled branches of tunables in
+	* Skip tunable identifier and cond_node_t in expansion.
+	* Create a new preserve_tunables flag
+	* Preserve tunables when required by semodule program.
+	* setools expects expand_module_avrules to be an exported
+	* tree: default make target to all not
+
+* Thu Sep 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-3
+- Add patch to handle preserving tunables
+
+* Thu Sep 1 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-2
+- export expand_module_avrules 
+
+* Thu Aug 18 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.2-0
+- Update to upstream 
+	* Only call role_fix_callback for base.p_roles during expansion.
+	* use mapped role number instead of module role number
+
+* Mon Aug 1 2011 Dan Walsh <dwalsh@redhat.com> 2.1.1-1
+- Update to upstream 
+	* Minor fix to reading policy with filename transition rules
+
+* Wed Jul 27 2011 Dan Walsh <dwalsh@redhat.com> 2.1.0-1
+- Update to upstream 
+	* Release, minor version bump
+
+* Tue May 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.45-1
+- Update to upstream 
+  * Warn if filename_trans rules are dropped by Steve Lawrence.
+
+* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> 2.0.44-2
+- Fixes for new role_transition class field by Eric Paris.
+
+* Thu Apr 14 2011 Dan Walsh <dwalsh@redhat.com> 2.0.44-1
+-Update to upstream
+	* Fixes for new role_transition class field by Eric Paris.
+	* Add libsepol support for filename_trans rules by Eric Paris.
+
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> 2.0.43-3
+- re-add Erics patch for filename transitions
+	
+* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> 2.0.43-1
+-Update to upstream
+	* Add new class field in role_transition by Harry Ciao.
+
+* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.42-3
+- Apply Eparis Patch
+  This patch add libsepol support for filename_trans rules.  These rules
+allow on to make labeling decisions for new objects based partially on
+the last path component.  They are stored in a list.  If we find that
+the number of rules grows to an significant size I will likely choose to
+store these in a hash, both in libsepol and in the kernel.  But as long
+as the number of such rules stays small, this should be good.
+
+* Tue Feb 08 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.42-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Dec 21 2010 Dan Walsh <dwalsh@redhat.com> 2.0.42-1
+- Upgrade to latest from NSA
+  * Fix compliation under GCC 4.6 by Justin Mattock
+
+* Thu Feb 18 2010 Dan Walsh <dwalsh@redhat.com> 2.0.41-3
+- Fix libsepol.pc file
+
 * Thu Jan 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.41-2
 - Resolve specfile problems
 Resolves: #555835
@@ -109,7 +495,7 @@ Resolves: #555835
 - Upgrade to latest from NSA
   * Add pkgconfig file from Eamon Walsh.
 
-* Tue Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
+* Wed Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.39-1
 - Upgrade to latest from NSA
   * Add support for building Xen policies from Paul Nuzzi.
 
@@ -367,7 +753,7 @@ Resolves: #555835
     a policy requires the compatibility support for network checks
     to be enabled in the kernel.
 
-* Thu May 15 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
+* Thu May 18 2006 Dan Walsh <dwalsh@redhat.com> 1.12.11-1
 - Upgrade to latest from NSA
   * Merged patch to initialize sym_val_to_name arrays from Kevin Carr.
     Reworked to use calloc in the first place, and converted some other
@@ -474,7 +860,7 @@ Resolves: #555835
 - Upgrade to latest from NSA
   * Merged 2nd const in APIs patch from Ivan Gyurdiev.
 
-* Fri Jan 7 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
+* Fri Jan 6 2006 Dan Walsh <dwalsh@redhat.com> 1.11.7-1
 - Upgrade to latest from NSA
   * Merged const in APIs patch from Ivan Gyurdiev.
   * Merged compare2 function patch from Ivan Gyurdiev.
@@ -710,7 +1096,7 @@ Resolves: #555835
   * Merged fix for sepol_enable/disable_debug from Ivan
   Gyurdiev.
 
-* Mon Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
+* Wed Sep 14 2005 Dan Walsh <dwalsh@redhat.com> 1.9.1-2
 - Upgrade to latest from NSA
   * Merged stddef.h patch and debug conversion patch from 
   Ivan Gyurdiev.

sources

@@ -1 +1 @@
-3520d0884b65227ac2fc7afbbd4367d5  libsepol-2.0.41.tgz
+SHA512 (libsepol-3.1.tar.gz) = 4b5f4e82853ff3e9b4fac2dbdea5c2fc3bb7b508af912217ac4b75da6540fbcd77aa314ab95cd9dfa94fbc4a885000656a663c1a152f65b4cf6970ea0b6034ab

tests/tests.yml

@@ -0,0 +1,12 @@
+---
+# Tests that run in all contexts
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    - container
+    repositories:
+    - repo: "https://src.fedoraproject.org/tests/selinux.git"
+      dest: "selinux"
+      fmf_filter: "tier: 1 | component: libsepol"