diff --git a/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch b/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
new file mode 100644
index 0000000..3b2fbd8
--- /dev/null
+++ b/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch
@@ -0,0 +1,67 @@
+From 1e84cb90b63bce841376140a7a80107e5ec1e1a8 Mon Sep 17 00:00:00 2001
+From: Adrian Reber
+Date: Fri, 3 May 2019 06:27:51 +0000
+Subject: [PATCH] lsm: fix compiler error 'unused-result'
+
+Reading out the xattr 'security.selinux' of checkpointed sockets with
+fscanf() works (at least in theory) without checking the result of
+fscanf(). There are, however, multiple CI failures when ignoring the
+return value of fscanf().
+
+This adds ferror() to check if the stream has an actual error or if '-1'
+just mean EOF.
+
+Handle all errors of fscanf() // Andrei
+
+Signed-off-by: Adrian Reber
+Signed-off-by: Andrei Vagin
+---
+ criu/lsm.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index ef6ba112b3..9c9ac7f80e 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -33,8 +33,8 @@ static int apparmor_get_label(pid_t pid, char **profile_name)
+ return -1;
+ 
+ if (fscanf(f, "%ms", profile_name) != 1) {
+- fclose(f);
+ pr_perror("err scanfing");
++ fclose(f);
+ return -1;
+ }
+ 
+@@ -111,19 +111,23 @@ static int selinux_get_label(pid_t pid, char **output)
+ static int selinux_get_sockcreate_label(pid_t pid, char **output)
+ {
+ FILE *f;
++ int ret;
+ 
+ f = fopen_proc(pid, "attr/sockcreate");
+ if (!f)
+ return -1;
+ 
+- fscanf(f, "%ms", output);
+- /*
+- * No need to check the result of fscanf(). If there is something
+- * in /proc/PID/attr/sockcreate it will be copied to *output. If
+- * there is nothing it will stay NULL. So whatever fscanf() does
+- * it should be correct.
+- */
+-
++ ret = fscanf(f, "%ms", output);
++ if (ret == -1 && errno != 0) {
++ pr_perror("Unable to parse /proc/%d/attr/sockcreate", pid);
++ /*
++ * Only if the error indicator is set it is a real error.
++ * -1 could also be EOF, which would mean that sockcreate
++ * was just empty, which is the most common case.
++ */
++ fclose(f);
++ return -1;
++ }
+ fclose(f);
+ return 0;
+ }
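Review bot: The new guard in selinux_get_sockcreate_label, `if (ret == -1 && errno != 0)`, reads errno without clearing it first, so a stale non-zero errno left behind by any earlier call (fopen_proc or whatever ran before it) turns the common empty-sockcreate EOF case into a spurious failure, while a genuine read error is only caught if errno happened to be zero beforehand. The commit message and the in-code comment both describe checking the stream's error indicator, which is what ferror() reports and which does not depend on errno at all: `if (ret == -1 && ferror(f)) {`. If the errno form is kept instead, add `errno = 0;` immediately before the fscanf() call. On the EOF path *output is left as the caller passed it (NULL, per the comment that was removed), so a one-line note that "no label" is reported by leaving *output NULL would preserve that contract for the next reader.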
diff --git a/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch b/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
new file mode 100644
index 0000000..09446a6
--- /dev/null
+++ b/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch
@@ -0,0 +1,44 @@
+From 80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea Mon Sep 17 00:00:00 2001
+From: Andrei Vagin
+Date: Sat, 4 May 2019 20:01:52 -0700
+Subject: [PATCH] lsm: don't reset socket contex if SELinux is disabled
+
+Fixes #693
+---
+ criu/lsm.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index 9c9ac7f80e..5921138392 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -134,7 +134,15 @@ static int selinux_get_sockcreate_label(pid_t pid, char **output)
+ 
+ int reset_setsockcreatecon()
+ {
+- return setsockcreatecon_raw(NULL);
++ /* Currently this only works for SELinux. */
++ if (kdat.lsm != LSMTYPE__SELINUX)
++ return 0;
++
++ if (setsockcreatecon_raw(NULL)) {
++ pr_perror("Unable to reset socket SELinux context");
++ return -1;
++ }
++ return 0;
+ }
+ 
+ int run_setsockcreatecon(FdinfoEntry *e)
+@@ -147,7 +155,11 @@ int run_setsockcreatecon(FdinfoEntry *e)
+ 
+ ctx = e->xattr_security_selinux;
+ /* Writing to the FD using fsetxattr() did not work for some reason. */
+- return setsockcreatecon_raw(ctx);
++ if (setsockcreatecon_raw(ctx)) {
++ pr_perror("Unable to set the %s socket SELinux context", ctx);
++ return -1;
++ }
++ return 0;
+ }
+ 
+ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
diff --git a/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch b/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
new file mode 100644
index 0000000..ec0cf00
--- /dev/null
+++ b/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch
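Review bot: `int reset_setsockcreatecon()` is an unprototyped declaration in C (an empty parameter list accepts any arguments without a diagnostic); since the body is being rewritten anyway, make it `int reset_setsockcreatecon(void)`. The `kdat.lsm != LSMTYPE__SELINUX` early return is added only to the reset path; run_setsockcreatecon starts outside the hunk, so I cannot tell whether it has an equivalent guard, but if `e->xattr_security_selinux` can be NULL for an image taken on a non-SELinux host, the new `pr_perror("Unable to set the %s socket SELinux context", ctx)` would hand a NULL to %s, the same pattern the later Fedora 30 build fix removes from dump_xattr_security_selinux. A `if (!ctx) return 0;` before the call, or a matching LSM check, would close that; please confirm against the lines above the hunk.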
@@ -0,0 +1,40 @@
+From b9e9e3903c78ba5d243b4176e82bf4b82342cb6a Mon Sep 17 00:00:00 2001
+From: Adrian Reber
+Date: Sat, 4 May 2019 15:27:32 +0200
+Subject: [PATCH] lsm: fix compiler error on Fedora 30
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This fixes following compiler error:
+
+criu/lsm.c: In function ‘dump_xattr_security_selinux’:
+criu/include/log.h:51:2: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
+ 51 | print_on_level(LOG_ERROR, \
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 52 | "Error (%s:%d): " LOG_PREFIX fmt, \
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ 53 | __FILE__, __LINE__, ##__VA_ARGS__)
+ | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+criu/lsm.c:166:3: note: in expansion of macro ‘pr_err’
+ 166 | pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
+ | ^~~~~~
+
+Signed-off-by: Adrian Reber
+---
+ criu/lsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/criu/lsm.c b/criu/lsm.c
+index 5921138392..420585ba4f 100644
+--- a/criu/lsm.c
++++ b/criu/lsm.c
+@@ -175,7 +175,7 @@ int dump_xattr_security_selinux(int fd, FdinfoEntry *e)
+ /* Get the size of the xattr. */
+ len = fgetxattr(fd, "security.selinux", ctx, 0);
+ if (len == -1) {
+- pr_err("Reading xattr %s to FD %d failed\n", ctx, fd);
++ pr_err("Reading xattr security.selinux from FD %d failed\n", fd);
+ return -1;
+ }
+ 
diff --git a/criu.spec b/criu.spec
index d9d2a29..2f9c25d 100644
--- a/criu.spec
+++ b/criu.spec
@@ -12,7 +12,7 @@ Name: criu Version: 3.12 -Release: 8%{?dist} +Release: 9%{?dist} Provides: crtools = %{version}-%{release} Obsoletes: crtools <= 1.0-2 Summary: Tool for Checkpoint/Restore in User-space
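Review bot: The rewritten message `pr_err("Reading xattr security.selinux from FD %d failed\n", fd);` removes the NULL-%s warning but also drops the only diagnostic that matters here, the errno from fgetxattr(); the first patch in this series uses pr_perror for exactly this situation, so `pr_perror("Reading xattr security.selinux from FD %d failed", fd);` (no trailing newline, matching the other pr_perror calls) would tell the operator whether the failure was ENODATA, ENOTSUP or EACCES. dump_xattr_security_selinux begins outside the hunk, so I cannot see whether it is gated on kdat.lsm; if it is not, a socket with no security.selinux xattr on a non-SELinux host now makes the whole dump fail on ENODATA, which deserves a check above this hunk. The `ctx, 0` call is a size probe and the fill call presumably follows below the hunk; that second fgetxattr() should be checked for ERANGE as well, since the label length can change between the two calls.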
@@ -21,6 +21,9 @@ URL: http://criu.org/ Source0: http://download.openvz.org/criu/criu-%{version}.tar.bz2 Patch0: https://patch-diff.githubusercontent.com/raw/checkpoint-restore/criu/pull/685.patch +Patch1: https://github.com/checkpoint-restore/criu/commit/1e84cb90b63bce841376140a7a80107e5ec1e1a8.patch +Patch2: https://github.com/checkpoint-restore/criu/commit/80d90c5c59e9477d8a0c9eb727a0fc1bec2b01ea.patch +Patch3: https://github.com/checkpoint-restore/criu/commit/b9e9e3903c78ba5d243b4176e82bf4b82342cb6a.patch %if 0%{?rhel} && 0%{?rhel} <= 7 BuildRequires: perl @@ -102,6 +105,9 @@ their content in human-readable form. %prep %setup -q %patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %if 0%{?rhel} && 0%{?rhel} <= 7 %patch100 -p1 @@ -175,6 +181,9 @@ rm -rf $RPM_BUILD_ROOT%{_libexecdir}/%{name} %changelog +* Mon May 13 2019 Adrian Reber - 3.12-9 +- Added additional fixup patches for the socket labelling + * Sat May 04 2019 Adrian Reber - 3.12-8 - Patch for socket labelling has changed upstream