d11c40b
diff --git libselinux-2.5/ChangeLog libselinux-2.5/ChangeLog
03c0649
index 24673dd..6588189 100644
d11c40b
--- libselinux-2.5/ChangeLog
d11c40b
+++ libselinux-2.5/ChangeLog
03c0649
@@ -1,3 +1,19 @@
03c0649
+	* Change the location of _selinux.so, from Petr Lautrbach.
27e80a6
+	* Clarify is_selinux_mls_enabled() description, from David King.
27e80a6
+	* Explain how to free policy type from selinux_getpolicytype(), from David King.
27e80a6
+	* Compare absolute pathname in matchpathcon -V, from Petr Lautrbach.
27e80a6
+	* Add selinux_snapperd_contexts_path(), from Petr Lautrbach.
fd9d183
+	* Modify audit2why analyze function to use loaded policy, from Joshua Brindle.
fd9d183
+	* Sort object files for deterministic linking order, from Laurent Bigonville.
fd9d183
+	* Respect CC and PKG_CONFIG environment variable, from Julien Pivotto.
fd9d183
+	* Avoid mounting /proc outside of selinux_init_load_policy(), from Stephen Smalley.
602edce
+	* Fix multiple spelling errors, from Laurent Bigonville.
7359ba5
+	* Fix typo in sefcontext_compile.8, from Petr Lautrbach and Milos Malik
d11c40b
+	* Fix location of selinuxfs mount point, from Dan Walsh.
d11c40b
+	* Only mount /proc if necessary, from Stephen Smalley.
d11c40b
+	* procattr: return einval for <= 0 pid args, from Daniel Cashman.
d11c40b
+	* procattr: return error on invalid pid_t input, from Daniel Cashman.
d11c40b
+
d11c40b
 2.5 2016-02-23
d11c40b
 	* selinux_restorecon.3 man page corrections, from Richard Haines.
d11c40b
 	* Add selinux_restorecon function, from Richard Haines.
c28c9a3
diff --git libselinux-2.5/Makefile libselinux-2.5/Makefile
e58e944
index 6142b60..bdf9de8 100644
c28c9a3
--- libselinux-2.5/Makefile
c28c9a3
+++ libselinux-2.5/Makefile
e58e944
@@ -1,4 +1,4 @@
e58e944
-SUBDIRS = src include utils man
e58e944
+SUBDIRS = src include utils man golang
e58e944
 
e58e944
 DISABLE_AVC ?= n
e58e944
 DISABLE_SETRANS ?= n
c28c9a3
diff --git libselinux-2.5/golang/Makefile libselinux-2.5/golang/Makefile
e58e944
new file mode 100644
e58e944
index 0000000..b75677b
e58e944
--- /dev/null
c28c9a3
+++ libselinux-2.5/golang/Makefile
e58e944
@@ -0,0 +1,22 @@
e58e944
+# Installation directories.
e58e944
+PREFIX ?= $(DESTDIR)/usr
e58e944
+LIBDIR ?= $(DESTDIR)/usr/lib
e58e944
+GODIR ?= $(LIBDIR)/golang/src/pkg/github.com/selinux
e58e944
+all:
e58e944
+
e58e944
+install: 
e58e944
+	[ -d $(GODIR) ] || mkdir -p $(GODIR)
e58e944
+	install -m 644 selinux.go $(GODIR)
e58e944
+
e58e944
+test:
e58e944
+	@mkdir selinux
e58e944
+	@cp selinux.go selinux
e58e944
+	GOPATH=$(pwd) go run test.go 
e58e944
+	@rm -rf selinux
e58e944
+
e58e944
+clean:
e58e944
+	@rm -f *~
e58e944
+	@rm -rf selinux
e58e944
+indent:
e58e944
+
e58e944
+relabel:
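Review bot: `GOPATH=$(pwd)` on the `test` target is expanded by make, not by the shell, so `$(pwd)` is an undefined make variable and GOPATH is set to an empty string; write `GOPATH=$$(pwd)` or `GOPATH=$(CURDIR) go run test.go`. The target also relies on `test.go` importing `"./selinux"`, a relative import path that only `go run`/`go build` on a directory accept, so this is a local smoke test rather than something that can be installed or vendored as-is. The `install` target copies `selinux.go` under `$(LIBDIR)/golang/src/pkg/github.com/selinux`, which presumably is not the import path a consumer would use; worth confirming against the package path the bindings are meant to be imported from, and adding a comment here naming it.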
c28c9a3
diff --git libselinux-2.5/golang/selinux.go libselinux-2.5/golang/selinux.go
e58e944
new file mode 100644
e58e944
index 0000000..34bf6bb
e58e944
--- /dev/null
c28c9a3
+++ libselinux-2.5/golang/selinux.go
e58e944
@@ -0,0 +1,412 @@
e58e944
+package selinux
e58e944
+
e58e944
+/*
e58e944
+ The selinux package is a go bindings to libselinux required to add selinux
e58e944
+ support to docker.
e58e944
+
e58e944
+ Author Dan Walsh <dwalsh@redhat.com>
e58e944
+
e58e944
+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
e58e944
+ By Vaughan Newton
e58e944
+*/
e58e944
+
e58e944
+// #cgo pkg-config: libselinux
e58e944
+// #include <selinux/selinux.h>
e58e944
+// #include <stdlib.h>
e58e944
+import "C"
e58e944
+import (
e58e944
+	"bufio"
e58e944
+	"crypto/rand"
e58e944
+	"encoding/binary"
e58e944
+	"fmt"
e58e944
+	"io"
e58e944
+	"os"
e58e944
+	"path"
e58e944
+	"path/filepath"
e58e944
+	"regexp"
e58e944
+	"strings"
e58e944
+	"unsafe"
e58e944
+)
e58e944
+
e58e944
+var (
e58e944
+	assignRegex = regexp.MustCompile(`^([^=]+)=(.*)$`)
e58e944
+	mcsList     = make(map[string]bool)
e58e944
+)
e58e944
+
e58e944
+func Matchpathcon(path string, mode os.FileMode) (string, error) {
e58e944
+	var con C.security_context_t
e58e944
+	var scon string
e58e944
+	rc, err := C.matchpathcon(C.CString(path), C.mode_t(mode), &con)
e58e944
+	if rc == 0 {
e58e944
+		scon = C.GoString(con)
e58e944
+		C.free(unsafe.Pointer(con))
e58e944
+	}
e58e944
+	return scon, err
e58e944
+}
e58e944
+
e58e944
+func Setfilecon(path, scon string) (int, error) {
e58e944
+	rc, err := C.lsetfilecon(C.CString(path), C.CString(scon))
e58e944
+	return int(rc), err
e58e944
+}
e58e944
+
e58e944
+func Getfilecon(path string) (string, error) {
e58e944
+	var scon C.security_context_t
e58e944
+	var fcon string
e58e944
+	rc, err := C.lgetfilecon(C.CString(path), &scon)
e58e944
+	if rc >= 0 {
e58e944
+		fcon = C.GoString(scon)
e58e944
+		err = nil
e58e944
+	}
e58e944
+	return fcon, err
e58e944
+}
e58e944
+
e58e944
+func Setfscreatecon(scon string) (int, error) {
e58e944
+	var (
e58e944
+		rc  C.int
e58e944
+		err error
e58e944
+	)
e58e944
+	if scon != "" {
e58e944
+		rc, err = C.setfscreatecon(C.CString(scon))
e58e944
+	} else {
e58e944
+		rc, err = C.setfscreatecon(nil)
e58e944
+	}
e58e944
+	return int(rc), err
e58e944
+}
e58e944
+
e58e944
+func Getfscreatecon() (string, error) {
e58e944
+	var scon C.security_context_t
e58e944
+	var fcon string
e58e944
+	rc, err := C.getfscreatecon(&scon)
e58e944
+	if rc >= 0 {
e58e944
+		fcon = C.GoString(scon)
e58e944
+		err = nil
e58e944
+		C.freecon(scon)
e58e944
+	}
e58e944
+	return fcon, err
e58e944
+}
e58e944
+
e58e944
+func Getcon() string {
e58e944
+	var pcon C.security_context_t
e58e944
+	C.getcon(&pcon)
e58e944
+	scon := C.GoString(pcon)
e58e944
+	C.freecon(pcon)
e58e944
+	return scon
e58e944
+}
e58e944
+
e58e944
+func Getpidcon(pid int) (string, error) {
e58e944
+	var pcon C.security_context_t
e58e944
+	var scon string
e58e944
+	rc, err := C.getpidcon(C.pid_t(pid), &pcon)
e58e944
+	if rc >= 0 {
e58e944
+		scon = C.GoString(pcon)
e58e944
+		C.freecon(pcon)
e58e944
+		err = nil
e58e944
+	}
e58e944
+	return scon, err
e58e944
+}
e58e944
+
e58e944
+func Getpeercon(socket int) (string, error) {
e58e944
+	var pcon C.security_context_t
e58e944
+	var scon string
e58e944
+	rc, err := C.getpeercon(C.int(socket), &pcon)
e58e944
+	if rc >= 0 {
e58e944
+		scon = C.GoString(pcon)
e58e944
+		C.freecon(pcon)
e58e944
+		err = nil
e58e944
+	}
e58e944
+	return scon, err
e58e944
+}
e58e944
+
e58e944
+func Setexeccon(scon string) error {
e58e944
+	var val *C.char
e58e944
+	if !SelinuxEnabled() {
e58e944
+		return nil
e58e944
+	}
e58e944
+	if scon != "" {
e58e944
+		val = C.CString(scon)
e58e944
+	} else {
e58e944
+		val = nil
e58e944
+	}
e58e944
+	_, err := C.setexeccon(val)
e58e944
+	return err
e58e944
+}
e58e944
+
e58e944
+type Context struct {
e58e944
+	con []string
e58e944
+}
e58e944
+
e58e944
+func (c *Context) SetUser(user string) {
e58e944
+	c.con[0] = user
e58e944
+}
e58e944
+func (c *Context) GetUser() string {
e58e944
+	return c.con[0]
e58e944
+}
e58e944
+func (c *Context) SetRole(role string) {
e58e944
+	c.con[1] = role
e58e944
+}
e58e944
+func (c *Context) GetRole() string {
e58e944
+	return c.con[1]
e58e944
+}
e58e944
+func (c *Context) SetType(setype string) {
e58e944
+	c.con[2] = setype
e58e944
+}
e58e944
+func (c *Context) GetType() string {
e58e944
+	return c.con[2]
e58e944
+}
e58e944
+func (c *Context) SetLevel(mls string) {
e58e944
+	c.con[3] = mls
e58e944
+}
e58e944
+func (c *Context) GetLevel() string {
e58e944
+	return c.con[3]
e58e944
+}
e58e944
+func (c *Context) Get() string {
e58e944
+	return strings.Join(c.con, ":")
e58e944
+}
e58e944
+func (c *Context) Set(scon string) {
e58e944
+	c.con = strings.SplitN(scon, ":", 4)
e58e944
+}
e58e944
+func NewContext(scon string) Context {
e58e944
+	var con Context
e58e944
+	con.Set(scon)
e58e944
+	return con
e58e944
+}
e58e944
+
e58e944
+func SelinuxEnabled() bool {
e58e944
+	b := C.is_selinux_enabled()
e58e944
+	if b > 0 {
e58e944
+		return true
e58e944
+	}
e58e944
+	return false
e58e944
+}
e58e944
+
e58e944
+const (
e58e944
+	Enforcing  = 1
e58e944
+	Permissive = 0
e58e944
+	Disabled   = -1
e58e944
+)
e58e944
+
e58e944
+func SelinuxGetEnforce() int {
e58e944
+	return int(C.security_getenforce())
e58e944
+}
e58e944
+
e58e944
+func SelinuxGetEnforceMode() int {
e58e944
+	var enforce C.int
e58e944
+	C.selinux_getenforcemode(&enforce)
e58e944
+	return int(enforce)
e58e944
+}
e58e944
+
e58e944
+func mcsAdd(mcs string) {
e58e944
+	mcsList[mcs] = true
e58e944
+}
e58e944
+
e58e944
+func mcsDelete(mcs string) {
e58e944
+	mcsList[mcs] = false
e58e944
+}
e58e944
+
e58e944
+func mcsExists(mcs string) bool {
e58e944
+	return mcsList[mcs]
e58e944
+}
e58e944
+
e58e944
+func IntToMcs(id int, catRange uint32) string {
e58e944
+	if (id < 1) || (id > 523776) {
e58e944
+		return ""
e58e944
+	}
e58e944
+
e58e944
+	SETSIZE := int(catRange)
e58e944
+	TIER := SETSIZE
e58e944
+
e58e944
+	ORD := id
e58e944
+	for ORD > TIER {
e58e944
+		ORD = ORD - TIER
e58e944
+		TIER -= 1
e58e944
+	}
e58e944
+	TIER = SETSIZE - TIER
e58e944
+	ORD = ORD + TIER
e58e944
+	return fmt.Sprintf("s0:c%d,c%d", TIER, ORD)
e58e944
+}
e58e944
+
e58e944
+func uniqMcs(catRange uint32) string {
e58e944
+	var n uint32
e58e944
+	var c1, c2 uint32
e58e944
+	var mcs string
e58e944
+	for {
e58e944
+		binary.Read(rand.Reader, binary.LittleEndian, &n)
e58e944
+		c1 = n % catRange
e58e944
+		binary.Read(rand.Reader, binary.LittleEndian, &n)
e58e944
+		c2 = n % catRange
e58e944
+		if c1 == c2 {
e58e944
+			continue
e58e944
+		} else {
e58e944
+			if c1 > c2 {
e58e944
+				t := c1
e58e944
+				c1 = c2
e58e944
+				c2 = t
e58e944
+			}
e58e944
+		}
e58e944
+		mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
e58e944
+		if mcsExists(mcs) {
e58e944
+			continue
e58e944
+		}
e58e944
+		mcsAdd(mcs)
e58e944
+		break
e58e944
+	}
e58e944
+	return mcs
e58e944
+}
e58e944
+func freeContext(processLabel string) {
e58e944
+	var scon Context
e58e944
+	scon = NewContext(processLabel)
e58e944
+	mcsDelete(scon.GetLevel())
e58e944
+}
e58e944
+
e58e944
+func GetLxcContexts() (processLabel string, fileLabel string) {
e58e944
+	var val, key string
e58e944
+	var bufin *bufio.Reader
e58e944
+	if !SelinuxEnabled() {
e58e944
+		return
e58e944
+	}
e58e944
+	lxcPath := C.GoString(C.selinux_lxc_contexts_path())
e58e944
+	fileLabel = "system_u:object_r:svirt_sandbox_file_t:s0"
e58e944
+	processLabel = "system_u:system_r:svirt_lxc_net_t:s0"
e58e944
+
e58e944
+	in, err := os.Open(lxcPath)
e58e944
+	if err != nil {
e58e944
+		goto exit
e58e944
+	}
e58e944
+
e58e944
+	defer in.Close()
e58e944
+	bufin = bufio.NewReader(in)
e58e944
+
e58e944
+	for done := false; !done; {
e58e944
+		var line string
e58e944
+		if line, err = bufin.ReadString('\n'); err != nil {
e58e944
+			if err == io.EOF {
e58e944
+				done = true
e58e944
+			} else {
e58e944
+				goto exit
e58e944
+			}
e58e944
+		}
e58e944
+		line = strings.TrimSpace(line)
e58e944
+		if len(line) == 0 {
e58e944
+			// Skip blank lines
e58e944
+			continue
e58e944
+		}
e58e944
+		if line[0] == ';' || line[0] == '#' {
e58e944
+			// Skip comments
e58e944
+			continue
e58e944
+		}
e58e944
+		if groups := assignRegex.FindStringSubmatch(line); groups != nil {
e58e944
+			key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
e58e944
+			if key == "process" {
e58e944
+				processLabel = strings.Trim(val, "\"")
e58e944
+			}
e58e944
+			if key == "file" {
e58e944
+				fileLabel = strings.Trim(val, "\"")
e58e944
+			}
e58e944
+		}
e58e944
+	}
e58e944
+exit:
e58e944
+	var scon Context
e58e944
+	mcs := IntToMcs(os.Getpid(), 1024)
e58e944
+	scon = NewContext(processLabel)
e58e944
+	scon.SetLevel(mcs)
e58e944
+	processLabel = scon.Get()
e58e944
+	scon = NewContext(fileLabel)
e58e944
+	scon.SetLevel(mcs)
e58e944
+	fileLabel = scon.Get()
e58e944
+	return processLabel, fileLabel
e58e944
+}
e58e944
+
e58e944
+func CopyLevel(src, dest string) (string, error) {
e58e944
+	if !SelinuxEnabled() {
e58e944
+		return "", nil
e58e944
+	}
e58e944
+	if src == "" {
e58e944
+		return "", nil
e58e944
+	}
e58e944
+	rc, err := C.security_check_context(C.CString(src))
e58e944
+	if rc != 0 {
e58e944
+		return "", err
e58e944
+	}
e58e944
+	rc, err = C.security_check_context(C.CString(dest))
e58e944
+	if rc != 0 {
e58e944
+		return "", err
e58e944
+	}
e58e944
+	scon := NewContext(src)
e58e944
+	tcon := NewContext(dest)
e58e944
+	tcon.SetLevel(scon.GetLevel())
e58e944
+	return tcon.Get(), nil
e58e944
+}
e58e944
+
e58e944
+func RestoreCon(fpath string, recurse bool) error {
e58e944
+	var flabel string
e58e944
+	var err error
e58e944
+	var fs os.FileInfo
e58e944
+
e58e944
+	if !SelinuxEnabled() {
e58e944
+		return nil
e58e944
+	}
e58e944
+
e58e944
+	if recurse {
e58e944
+		var paths []string
e58e944
+		var err error
e58e944
+
e58e944
+		if paths, err = filepath.Glob(path.Join(fpath, "**", "*")); err != nil {
e58e944
+			return fmt.Errorf("Unable to find directory %v: %v", fpath, err)
e58e944
+		}
e58e944
+
e58e944
+		for _, fpath := range paths {
e58e944
+			if err = RestoreCon(fpath, false); err != nil {
e58e944
+				return fmt.Errorf("Unable to restore selinux context for %v: %v", fpath, err)
e58e944
+			}
e58e944
+		}
e58e944
+		return nil
e58e944
+	}
e58e944
+	if fs, err = os.Stat(fpath); err != nil {
e58e944
+		return fmt.Errorf("Unable stat %v: %v", fpath, err)
e58e944
+	}
e58e944
+
e58e944
+	if flabel, err = Matchpathcon(fpath, fs.Mode()); flabel == "" {
e58e944
+		return fmt.Errorf("Unable to get context for %v: %v", fpath, err)
e58e944
+	}
e58e944
+
e58e944
+	if rc, err := Setfilecon(fpath, flabel); rc != 0 {
e58e944
+		return fmt.Errorf("Unable to set selinux context for %v: %v", fpath, err)
e58e944
+	}
e58e944
+
e58e944
+	return nil
e58e944
+}
e58e944
+
e58e944
+func Test() {
e58e944
+	var plabel, flabel string
e58e944
+	if !SelinuxEnabled() {
e58e944
+		return
e58e944
+	}
e58e944
+
e58e944
+	plabel, flabel = GetLxcContexts()
e58e944
+	fmt.Println(plabel)
e58e944
+	fmt.Println(flabel)
e58e944
+	freeContext(plabel)
e58e944
+	plabel, flabel = GetLxcContexts()
e58e944
+	fmt.Println(plabel)
e58e944
+	fmt.Println(flabel)
e58e944
+	freeContext(plabel)
e58e944
+	if SelinuxEnabled() {
e58e944
+		fmt.Println("Enabled")
e58e944
+	} else {
e58e944
+		fmt.Println("Disabled")
e58e944
+	}
e58e944
+	fmt.Println("getenforce ", SelinuxGetEnforce())
e58e944
+	fmt.Println("getenforcemode ", SelinuxGetEnforceMode())
e58e944
+	flabel, _ = Matchpathcon("/home/dwalsh/.emacs", 0)
e58e944
+	fmt.Println(flabel)
e58e944
+	pid := os.Getpid()
e58e944
+	fmt.Printf("PID:%d MCS:%s\n", pid, IntToMcs(pid, 1023))
e58e944
+	fmt.Println(Getcon())
e58e944
+	fmt.Println(Getfilecon("/etc/passwd"))
e58e944
+	fmt.Println(Getpidcon(1))
e58e944
+	Setfscreatecon("unconfined_u:unconfined_r:unconfined_t:s0")
e58e944
+	fmt.Println(Getfscreatecon())
e58e944
+	Setfscreatecon("")
e58e944
+	fmt.Println(Getfscreatecon())
e58e944
+	fmt.Println(Getpidcon(1))
e58e944
+}
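Review bot: `Context.Set` stores `strings.SplitN(scon, ":", 4)` without padding, so `GetLevel`/`SetLevel` index `c.con[3]` out of range and panic whenever a label has fewer than four colon-separated fields; `GetLxcContexts` passes it the `process`/`file` values read from the lxc_contexts file, and `CopyLevel` passes it any context that `security_check_context` accepts, which on a policy without MLS is only three fields. Make the accessors tolerate short contexts instead of trusting the input shape (see below). Separately, none of the `C.CString` results in this file are freed and `Getfilecon` never calls `C.freecon`, so every call leaks; `RestoreCon` should use `os.Lstat` rather than `os.Stat` since it labels with `lsetfilecon` (a dangling symlink currently makes it fail), and `filepath.Glob` does not treat `**` as recursive, so the `recurse` branch only visits entries two levels below `fpath`. The package-level `mcsList` map is also mutated without a lock, which is a data race if callers use these functions from more than one goroutine.
```go
func (c *Context) SetLevel(mls string) {
	for len(c.con) < 3 {
		c.con = append(c.con, "")
	}
	if len(c.con) < 4 {
		c.con = append(c.con, mls)
		return
	}
	c.con[3] = mls
}

func (c *Context) GetLevel() string {
	if len(c.con) < 4 {
		return ""
	}
	return c.con[3]
}
// … unchanged: remaining Context accessors, NewContext …
```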
c28c9a3
diff --git libselinux-2.5/golang/test.go libselinux-2.5/golang/test.go
e58e944
new file mode 100644
e58e944
index 0000000..fed6de8
e58e944
--- /dev/null
c28c9a3
+++ libselinux-2.5/golang/test.go
e58e944
@@ -0,0 +1,9 @@
e58e944
+package main
e58e944
+
e58e944
+import (
e58e944
+	"./selinux"
e58e944
+)
e58e944
+
e58e944
+func main() {
e58e944
+	selinux.Test()
e58e944
+}
27e80a6
diff --git libselinux-2.5/include/selinux/selinux.h libselinux-2.5/include/selinux/selinux.h
27e80a6
index 2262086..3d8673f 100644
27e80a6
--- libselinux-2.5/include/selinux/selinux.h
27e80a6
+++ libselinux-2.5/include/selinux/selinux.h
27e80a6
@@ -544,6 +544,7 @@ extern const char *selinux_lxc_contexts_path(void);
27e80a6
 extern const char *selinux_x_context_path(void);
27e80a6
 extern const char *selinux_sepgsql_context_path(void);
27e80a6
 extern const char *selinux_openssh_contexts_path(void);
27e80a6
+extern const char *selinux_snapperd_contexts_path(void);
27e80a6
 extern const char *selinux_systemd_contexts_path(void);
27e80a6
 extern const char *selinux_contexts_path(void);
27e80a6
 extern const char *selinux_securetty_types_path(void);
602edce
diff --git libselinux-2.5/man/man3/avc_add_callback.3 libselinux-2.5/man/man3/avc_add_callback.3
602edce
index dbfe72d..bdbbadf 100644
602edce
--- libselinux-2.5/man/man3/avc_add_callback.3
602edce
+++ libselinux-2.5/man/man3/avc_add_callback.3
602edce
@@ -57,7 +57,7 @@ and will cause any SID to match.
602edce
 .I callback
602edce
 is the callback function provided by the userspace object manager.  The
602edce
 .I event
602edce
-argument indicates the security event which occured; the remaining arguments
602edce
+argument indicates the security event which occurred; the remaining arguments
602edce
 are interpreted according to the event as described below.  The return value
602edce
 of the callback should be zero on success, \-1 on error with
602edce
 .I errno
602edce
@@ -175,7 +175,7 @@ If the userspace AVC is running in threaded mode, callbacks registered via
602edce
 may be executed in the context of the netlink handler thread.  This will likely introduce synchronization issues requiring the use of locks.  See
602edce
 .BR avc_init (3).
602edce
 
602edce
-Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module.  The only security event that currently gets excercised is
602edce
+Support for dynamic revocation and retained permissions is mostly unimplemented in the SELinux kernel module.  The only security event that currently gets exercised is
602edce
 .BR AVC_CALLBACK_RESET .
602edce
 .
602edce
 .SH "AUTHOR"
602edce
diff --git libselinux-2.5/man/man3/avc_has_perm.3 libselinux-2.5/man/man3/avc_has_perm.3
602edce
index 7353952..3e9fca8 100644
602edce
--- libselinux-2.5/man/man3/avc_has_perm.3
602edce
+++ libselinux-2.5/man/man3/avc_has_perm.3
602edce
@@ -108,7 +108,7 @@ for the first time.
602edce
 Using an uninitialized structure will produce undefined behavior.
602edce
 .
602edce
 .SH "RETURN VALUE"
602edce
-If requested permissions are granted, zero is returned.  If requested permissions are denied or an error occured, \-1 is returned and
602edce
+If requested permissions are granted, zero is returned.  If requested permissions are denied or an error occurred, \-1 is returned and
602edce
 .I errno
602edce
 is set appropriately.
602edce
 
602edce
diff --git libselinux-2.5/man/man3/is_selinux_enabled.3 libselinux-2.5/man/man3/is_selinux_enabled.3
27e80a6
index f02052c..df62c22 100644
602edce
--- libselinux-2.5/man/man3/is_selinux_enabled.3
602edce
+++ libselinux-2.5/man/man3/is_selinux_enabled.3
602edce
@@ -3,7 +3,7 @@
602edce
 is_selinux_enabled \- check whether SELinux is enabled
602edce
 .
602edce
 .SH "NAME"
602edce
-is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Securty) MLS 
602edce
+is_selinux_mls_enabled \- check whether SELinux is enabled for (Multi Level Security) MLS
602edce
 .
602edce
 .SH "SYNOPSIS"
602edce
 .B #include <selinux/selinux.h>
27e80a6
@@ -18,7 +18,9 @@ returns 1 if SELinux is running or 0 if it is not.
27e80a6
 On error, \-1 is returned.
27e80a6
 
27e80a6
 .BR is_selinux_mls_enabled ()
27e80a6
-returns 1 if SELinux is running in MLS mode or 0 if it is not. 
27e80a6
+returns 1 if SELinux is capable of running in MLS mode or 0 if it is not. To
27e80a6
+determine the policy in use on the system, use
27e80a6
+.BR selinux_getpolicytype (3).
27e80a6
 .
27e80a6
 .SH "SEE ALSO"
27e80a6
 .BR selinux "(8)"
d11c40b
diff --git libselinux-2.5/man/man3/security_disable.3 libselinux-2.5/man/man3/security_disable.3
d11c40b
index c75ce0d..072923c 100644
d11c40b
--- libselinux-2.5/man/man3/security_disable.3
d11c40b
+++ libselinux-2.5/man/man3/security_disable.3
d11c40b
@@ -12,7 +12,7 @@ security_disable \- disable the SELinux kernel code at runtime
d11c40b
 disables the SELinux kernel code, unregisters selinuxfs from
d11c40b
 .IR /proc/filesystems ,
d11c40b
 and then unmounts
d11c40b
-.IR /selinux .
d11c40b
+.IR /sys/fs/selinux .
d11c40b
 .sp
d11c40b
 This function can only be called at runtime and prior to the initial policy
d11c40b
 load. After the initial policy load, the SELinux kernel code cannot be disabled,
27e80a6
diff --git libselinux-2.5/man/man3/selinux_getpolicytype.3 libselinux-2.5/man/man3/selinux_getpolicytype.3
27e80a6
index c947e2c..b219d42 100644
27e80a6
--- libselinux-2.5/man/man3/selinux_getpolicytype.3
27e80a6
+++ libselinux-2.5/man/man3/selinux_getpolicytype.3
27e80a6
@@ -13,7 +13,10 @@ Reads the contents of the
27e80a6
 .I /etc/selinux/config
27e80a6
 file to determine the SELinux policy used on the system, and sets
27e80a6
 .I \%policytype
27e80a6
-accordinly.
27e80a6
+accordingly. Free
27e80a6
+.I \%policytype
27e80a6
+with
27e80a6
+.BR free (3).
27e80a6
 .
27e80a6
 .SH "RETURN VALUE"
27e80a6
 On success, zero is returned.
d11c40b
diff --git libselinux-2.5/man/man3/selinux_status_open.3 libselinux-2.5/man/man3/selinux_status_open.3
d11c40b
index f779dd9..2d44be5 100644
d11c40b
--- libselinux-2.5/man/man3/selinux_status_open.3
d11c40b
+++ libselinux-2.5/man/man3/selinux_status_open.3
d11c40b
@@ -23,7 +23,7 @@ without invocation of system calls
d11c40b
 .SH "DESCRIPTION"
d11c40b
 Linux 2.6.37 or later provides a SELinux kernel status page; being mostly
d11c40b
 placed on
d11c40b
-.I /selinux/status
d11c40b
+.I /sys/fs/selinux/status
d11c40b
 entry. It enables userspace applications to mmap this page with read-only
d11c40b
 mode, then it informs some status without system call invocations.
d11c40b
 .sp
d11c40b
@@ -38,7 +38,7 @@ without system-call invocation or worker thread for monitoring.
d11c40b
 .BR selinux_status_open ()
d11c40b
 tries to
d11c40b
 .BR open (2)
d11c40b
-.I /selinux/status
d11c40b
+.I /sys/fs/selinux/status
d11c40b
 and
d11c40b
 .BR mmap (2)
d11c40b
 it in read-only mode. The file-descriptor and pointer to the page shall
d11c40b
diff --git libselinux-2.5/man/man8/avcstat.8 libselinux-2.5/man/man8/avcstat.8
d11c40b
index 204687d..2c4bce1 100644
d11c40b
--- libselinux-2.5/man/man8/avcstat.8
d11c40b
+++ libselinux-2.5/man/man8/avcstat.8
d11c40b
@@ -25,7 +25,7 @@ Display the cumulative values.
d11c40b
 .TP
d11c40b
 .B \-f
d11c40b
 Specifies the location of the AVC statistics file, defaulting to
d11c40b
-.IR /selinux/avc/cache_stats .
d11c40b
+.IR /sys/fs/selinux/avc/cache_stats .
d11c40b
 .
d11c40b
 .SH AUTHOR
d11c40b
 This manual page was written by Dan Walsh <dwalsh@redhat.com>.
7359ba5
diff --git libselinux-2.5/man/man8/sefcontext_compile.8 libselinux-2.5/man/man8/sefcontext_compile.8
7359ba5
index b77ff3a..4eae173 100644
7359ba5
--- libselinux-2.5/man/man8/sefcontext_compile.8
7359ba5
+++ libselinux-2.5/man/man8/sefcontext_compile.8
7359ba5
@@ -13,14 +13,14 @@ sefcontext_compile \- compile file context regular expression files
7359ba5
 .SH "DESCRIPTION"
7359ba5
 .B sefcontext_compile
7359ba5
 is used to compile file context regular expressions into
7359ba5
-.BR prce (3)
7359ba5
+.BR pcre (3)
7359ba5
 format.
7359ba5
 .sp
7359ba5
 The compiled file is used by libselinux file labeling functions.
7359ba5
 .sp
7359ba5
 By default
7359ba5
 .B sefcontext_compile
7359ba5
-writes the compiled prce file with the
7359ba5
+writes the compiled pcre file with the
7359ba5
 .B .bin
7359ba5
 suffix appended (e.g. \fIinputfile\fB.bin\fR).
7359ba5
 .SH OPTIONS
c28c9a3
diff --git libselinux-2.5/man/man8/selinux.8 libselinux-2.5/man/man8/selinux.8
e58e944
index 6f1034b..c9f188c 100644
c28c9a3
--- libselinux-2.5/man/man8/selinux.8
c28c9a3
+++ libselinux-2.5/man/man8/selinux.8
e58e944
@@ -91,11 +91,13 @@ This manual page was written by Dan Walsh <dwalsh@redhat.com>.
e58e944
 .BR sepolicy (8),
e58e944
 .BR system-config-selinux (8),
e58e944
 .BR togglesebool (8),
e58e944
-.BR restorecon (8),
e58e944
 .BR fixfiles (8),
e58e944
+.BR restorecon (8),
e58e944
 .BR setfiles (8),
e58e944
 .BR semanage (8),
e58e944
-.BR sepolicy(8)
e58e944
+.BR sepolicy(8),
e58e944
+.BR seinfo(8),
e58e944
+.BR sesearch(8)
e58e944
 
e58e944
 Every confined service on the system has a man page in the following format:
e58e944
 .br
fd9d183
diff --git libselinux-2.5/src/Makefile libselinux-2.5/src/Makefile
03c0649
index d0021ae..37d01af 100644
fd9d183
--- libselinux-2.5/src/Makefile
fd9d183
+++ libselinux-2.5/src/Makefile
fd9d183
@@ -5,6 +5,7 @@ PYTHON ?= python
fd9d183
 PYPREFIX ?= $(notdir $(PYTHON))
fd9d183
 RUBY ?= ruby
fd9d183
 RUBYPREFIX ?= $(notdir $(RUBY))
fd9d183
+PKG_CONFIG ?= pkg-config
fd9d183
 
fd9d183
 # Installation directories.
fd9d183
 PREFIX ?= $(DESTDIR)/usr
fd9d183
@@ -12,11 +13,11 @@ LIBDIR ?= $(PREFIX)/lib
fd9d183
 SHLIBDIR ?= $(DESTDIR)/lib
fd9d183
 INCLUDEDIR ?= $(PREFIX)/include
fd9d183
 PYLIBVER ?= $(shell $(PYTHON) -c 'import sys;print("python%d.%d" % sys.version_info[0:2])')
fd9d183
-PYINC ?= $(shell pkg-config --cflags $(PYPREFIX))
fd9d183
+PYINC ?= $(shell $(PKG_CONFIG) --cflags $(PYPREFIX))
fd9d183
 PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
fd9d183
 RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
fd9d183
 RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
fd9d183
-RUBYINC ?= $(shell pkg-config --cflags ruby)
fd9d183
+RUBYINC ?= $(shell $(PKG_CONFIG) --cflags ruby)
fd9d183
 RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
fd9d183
 LIBBASE ?= $(shell basename $(LIBDIR))
fd9d183
 
fd9d183
@@ -48,7 +49,7 @@ ifeq ($(DISABLE_BOOL),y)
fd9d183
 endif
fd9d183
 
fd9d183
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
fd9d183
-SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
fd9d183
+SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(sort $(wildcard *.c)))
fd9d183
 
fd9d183
 MAX_STACK_SIZE=32768
fd9d183
 
03c0649
@@ -155,7 +156,7 @@ install: all
03c0649
 
03c0649
 install-pywrap: pywrap
03c0649
 	test -d $(PYLIBDIR)/site-packages/selinux || install -m 755 -d $(PYLIBDIR)/site-packages/selinux
03c0649
-	install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/selinux/_selinux.so
03c0649
+	install -m 755 $(SWIGSO) $(PYLIBDIR)/site-packages/_selinux.so
03c0649
 	install -m 755 $(AUDIT2WHYSO) $(PYLIBDIR)/site-packages/selinux/audit2why.so
03c0649
 	install -m 644 $(SWIGPYOUT) $(PYLIBDIR)/site-packages/selinux/__init__.py
03c0649
 
fd9d183
diff --git libselinux-2.5/src/audit2why.c libselinux-2.5/src/audit2why.c
fd9d183
index 12745b3..abe1701 100644
fd9d183
--- libselinux-2.5/src/audit2why.c
fd9d183
+++ libselinux-2.5/src/audit2why.c
fd9d183
@@ -343,8 +343,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
fd9d183
 	if (rc < 0)
fd9d183
 		RETURN(BADTCON)
fd9d183
 
fd9d183
-	tclass = string_to_security_class(tclassstr);
fd9d183
-	if (!tclass)
fd9d183
+	rc = sepol_string_to_security_class(tclassstr, &tclass);
fd9d183
+	if (rc < 0)
fd9d183
 		RETURN(BADTCLASS)
fd9d183
 
fd9d183
 	/* Convert the permission list to an AV. */
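Review bot: The old `if (!tclass)` check is dropped in favour of `rc < 0`, which is only equivalent if `sepol_string_to_security_class` never returns 0 while leaving `tclass` unset; that presumably holds, but since `tclass` is declared outside this hunk it is worth confirming that its type (and that of `perm` in the next hunk) is the `sepol_security_class_t`/`sepol_access_vector_t` the new out-parameters expect, otherwise the pointer conversion will at best warn. A short comment such as `/* resolve class/perms against the loaded policy, not the kernel's class map */` above the call would record why the libsepol lookups replaced the libselinux ones. The enclosing `analyze` function begins and ends outside the hunk.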
fd9d183
@@ -365,8 +365,8 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
fd9d183
 		permstr = PyString_AsString( strObj );
fd9d183
 #endif
fd9d183
 		
fd9d183
-		perm = string_to_av_perm(tclass, permstr);
fd9d183
-		if (!perm)
fd9d183
+		rc = sepol_string_to_av_perm(tclass, permstr, &perm);
fd9d183
+		if (rc < 0)
fd9d183
 			RETURN(BADPERM)
fd9d183
 
fd9d183
 		av |= perm;
c28c9a3
diff --git libselinux-2.5/src/avc_sidtab.c libselinux-2.5/src/avc_sidtab.c
e58e944
index 9669264..c775430 100644
c28c9a3
--- libselinux-2.5/src/avc_sidtab.c
c28c9a3
+++ libselinux-2.5/src/avc_sidtab.c
e58e944
@@ -81,6 +81,11 @@ sidtab_context_to_sid(struct sidtab *s,
e58e944
 	int hvalue, rc = 0;
e58e944
 	struct sidtab_node *cur;
e58e944
 
e58e944
+	if (! ctx) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	*sid = NULL;
e58e944
 	hvalue = sidtab_hash(ctx);
e58e944
 
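Review bot: The new NULL guard returns before the `*sid = NULL;` that follows it, so this becomes the one failure path that leaves the caller's `*sid` untouched while the existing code clears it before doing any work; a caller that inspects `*sid` instead of the return value would read whatever the variable previously held. Move the clear ahead of the check: `*sid = NULL; if (!ctx) { errno = EINVAL; return -1; }`. As a point of style, `! ctx` and `errno=EINVAL` differ from the `!selinux_mnt` / `errno = ENOENT` spacing used by the neighbouring files in this series. The enclosing `sidtab_context_to_sid` begins and ends outside the hunk.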
c28c9a3
diff --git libselinux-2.5/src/canonicalize_context.c libselinux-2.5/src/canonicalize_context.c
e58e944
index 7cf3139..364a746 100644
c28c9a3
--- libselinux-2.5/src/canonicalize_context.c
c28c9a3
+++ libselinux-2.5/src/canonicalize_context.c
e58e944
@@ -17,6 +17,11 @@ int security_canonicalize_context_raw(const char * con,
e58e944
 	size_t size;
e58e944
 	int fd, ret;
e58e944
 
e58e944
+	if (! con) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	if (!selinux_mnt) {
e58e944
 		errno = ENOENT;
e58e944
 		return -1;
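Review bot: The added check is written as `if (! con)` with `errno=EINVAL`, whereas the `selinux_mnt` check two lines below in the same function uses `!selinux_mnt` and `errno = ENOENT`; keeping the same spacing (`if (!con) { errno = EINVAL; return -1; }`) avoids two styles in adjacent lines. Note that here the NULL check precedes the `selinux_mnt` check, so a NULL `con` reports EINVAL even when selinuxfs is not mounted; the compute_*.c hunks in this same series order the two checks the other way round, so callers get a different errno for the same bad argument depending on which entry point they hit. The enclosing `security_canonicalize_context_raw` continues outside the hunk.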
c28c9a3
diff --git libselinux-2.5/src/check_context.c libselinux-2.5/src/check_context.c
e58e944
index 52063fa..234749c 100644
c28c9a3
--- libselinux-2.5/src/check_context.c
c28c9a3
+++ libselinux-2.5/src/check_context.c
e58e944
@@ -14,6 +14,11 @@ int security_check_context_raw(const char * con)
e58e944
 	char path[PATH_MAX];
e58e944
 	int fd, ret;
e58e944
 
e58e944
+	if (! con) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	if (!selinux_mnt) {
e58e944
 		errno = ENOENT;
e58e944
 		return -1;
c28c9a3
diff --git libselinux-2.5/src/compute_av.c libselinux-2.5/src/compute_av.c
e58e944
index 937e5c3..35ace7f 100644
c28c9a3
--- libselinux-2.5/src/compute_av.c
c28c9a3
+++ libselinux-2.5/src/compute_av.c
e58e944
@@ -26,6 +26,11 @@ int security_compute_av_flags_raw(const char * scon,
e58e944
 		return -1;
e58e944
 	}
e58e944
 
e58e944
+	if ((! scon) || (! tcon)) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	snprintf(path, sizeof path, "%s/access", selinux_mnt);
e58e944
 	fd = open(path, O_RDWR);
e58e944
 	if (fd < 0)
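Review bot: The NULL check for `scon`/`tcon` is placed after the `selinux_mnt` check that ends just above the hunk, so a NULL context on a system without selinuxfs mounted reports ENOENT rather than EINVAL, while canonicalize_context.c and check_context.c in this same series validate the argument first and report EINVAL; pick one order for all of the `security_*_raw` entry points so the errno a caller sees for a bad argument does not depend on mount state. Moving the argument check to the top of the function (before the `selinux_mnt` test) matches the other two files. The enclosing `security_compute_av_flags_raw` begins and ends outside the hunk.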
c28c9a3
diff --git libselinux-2.5/src/compute_create.c libselinux-2.5/src/compute_create.c
e58e944
index 9559d42..14a65d1 100644
c28c9a3
--- libselinux-2.5/src/compute_create.c
c28c9a3
+++ libselinux-2.5/src/compute_create.c
e58e944
@@ -64,6 +64,11 @@ int security_compute_create_name_raw(const char * scon,
e58e944
 		return -1;
e58e944
 	}
e58e944
 
e58e944
+	if ((! scon) || (! tcon)) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	snprintf(path, sizeof path, "%s/create", selinux_mnt);
e58e944
 	fd = open(path, O_RDWR);
e58e944
 	if (fd < 0)
c28c9a3
diff --git libselinux-2.5/src/compute_member.c libselinux-2.5/src/compute_member.c
e58e944
index 1fc7e41..065d996 100644
c28c9a3
--- libselinux-2.5/src/compute_member.c
c28c9a3
+++ libselinux-2.5/src/compute_member.c
e58e944
@@ -25,6 +25,11 @@ int security_compute_member_raw(const char * scon,
e58e944
 		return -1;
e58e944
 	}
e58e944
 
e58e944
+	if ((! scon) || (! tcon)) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	snprintf(path, sizeof path, "%s/member", selinux_mnt);
e58e944
 	fd = open(path, O_RDWR);
e58e944
 	if (fd < 0)
c28c9a3
diff --git libselinux-2.5/src/compute_relabel.c libselinux-2.5/src/compute_relabel.c
e58e944
index 4615aee..cc77f36 100644
c28c9a3
--- libselinux-2.5/src/compute_relabel.c
c28c9a3
+++ libselinux-2.5/src/compute_relabel.c
e58e944
@@ -25,6 +25,11 @@ int security_compute_relabel_raw(const char * scon,
e58e944
 		return -1;
e58e944
 	}
e58e944
 
e58e944
+	if ((! scon) || (! tcon)) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	snprintf(path, sizeof path, "%s/relabel", selinux_mnt);
e58e944
 	fd = open(path, O_RDWR);
e58e944
 	if (fd < 0)
c28c9a3
diff --git libselinux-2.5/src/compute_user.c libselinux-2.5/src/compute_user.c
e58e944
index b37c5d3..7703c26 100644
c28c9a3
--- libselinux-2.5/src/compute_user.c
c28c9a3
+++ libselinux-2.5/src/compute_user.c
e58e944
@@ -24,6 +24,11 @@ int security_compute_user_raw(const char * scon,
e58e944
 		return -1;
e58e944
 	}
e58e944
 
e58e944
+	if (! scon) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
 	snprintf(path, sizeof path, "%s/user", selinux_mnt);
e58e944
 	fd = open(path, O_RDWR);
e58e944
 	if (fd < 0)
fd9d183
diff --git libselinux-2.5/src/exception.sh libselinux-2.5/src/exception.sh
fd9d183
index b7cff7e..a58bf3f 100755
fd9d183
--- libselinux-2.5/src/exception.sh
fd9d183
+++ libselinux-2.5/src/exception.sh
fd9d183
@@ -15,6 +15,6 @@ echo "
fd9d183
 ;;
fd9d183
 esac
fd9d183
 }
fd9d183
-gcc -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
fd9d183
+${CC:-gcc} -x c -c -I../include - -aux-info temp.aux < ../include/selinux/selinux.h
fd9d183
 for i in `awk '/<stdin>.*extern int/ { print $6 }' temp.aux`; do except $i ; done 
fd9d183
 rm -f -- temp.aux -.o
27e80a6
diff --git libselinux-2.5/src/file_path_suffixes.h libselinux-2.5/src/file_path_suffixes.h
27e80a6
index d1f9b48..95b228b 100644
27e80a6
--- libselinux-2.5/src/file_path_suffixes.h
27e80a6
+++ libselinux-2.5/src/file_path_suffixes.h
27e80a6
@@ -24,6 +24,7 @@ S_(BINPOLICY, "/policy/policy")
27e80a6
     S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
27e80a6
     S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
27e80a6
     S_(OPENSSH_CONTEXTS, "/contexts/openssh_contexts")
27e80a6
+    S_(SNAPPERD_CONTEXTS, "/contexts/snapperd_contexts")
27e80a6
     S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
27e80a6
     S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
27e80a6
     S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
c28c9a3
diff --git libselinux-2.5/src/fsetfilecon.c libselinux-2.5/src/fsetfilecon.c
e58e944
index 52707d0..0cbe12d 100644
c28c9a3
--- libselinux-2.5/src/fsetfilecon.c
c28c9a3
+++ libselinux-2.5/src/fsetfilecon.c
e58e944
@@ -9,8 +9,12 @@
e58e944
 
e58e944
 int fsetfilecon_raw(int fd, const char * context)
e58e944
 {
e58e944
-	int rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1,
e58e944
-			 0);
e58e944
+	int rc;
e58e944
+	if (! context) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+	rc = fsetxattr(fd, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
e58e944
 	if (rc < 0 && errno == ENOTSUP) {
e58e944
 		char * ccontext = NULL;
e58e944
 		int err = errno;
d11c40b
diff --git libselinux-2.5/src/init.c libselinux-2.5/src/init.c
fd9d183
index 3db4de0..3c687a2 100644
d11c40b
--- libselinux-2.5/src/init.c
d11c40b
+++ libselinux-2.5/src/init.c
fd9d183
@@ -11,7 +11,6 @@
fd9d183
 #include <sys/vfs.h>
d11c40b
 #include <stdint.h>
d11c40b
 #include <limits.h>
fd9d183
-#include <sys/mount.h>
d11c40b
 
d11c40b
 #include "dso.h"
d11c40b
 #include "policy.h"
fd9d183
@@ -57,20 +56,15 @@ static int verify_selinuxmnt(const char *mnt)
d11c40b
 
d11c40b
 int selinuxfs_exists(void)
d11c40b
 {
d11c40b
-	int exists = 0, mnt_rc = 0;
fd9d183
+	int exists = 0;
d11c40b
 	FILE *fp = NULL;
d11c40b
 	char *buf = NULL;
d11c40b
 	size_t len;
d11c40b
 	ssize_t num;
d11c40b
 
d11c40b
-	mnt_rc = mount("proc", "/proc", "proc", 0, 0);
fd9d183
-
fd9d183
 	fp = fopen("/proc/filesystems", "r");
fd9d183
-	if (!fp) {
fd9d183
-		exists = 1; /* Fail as if it exists */
fd9d183
-		goto out;
fd9d183
-	}
fd9d183
-
fd9d183
+	if (!fp)
fd9d183
+		return 1; /* Fail as if it exists */
fd9d183
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
fd9d183
 
fd9d183
 	num = getline(&buf, &len, fp);
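Review bot: With the mount("proc", ...) removed, selinuxfs_exists() now silently depends on /proc already being mounted by whoever calls it, and the surviving `return 1; /* Fail as if it exists */` turns an unmounted or unreadable /proc into a positive answer. That precondition should be stated at the top of the function rather than left implicit, e.g. `/* Requires /proc to be mounted; an unreadable /proc/filesystems is treated as "selinuxfs exists". */`. The load_policy.c hunks below unmount /proc under `rc == 0`, which suggests selinux_init_load_policy() is the caller that now owns the mount, but that code is not visible here. The function continues into the next hunk, where the old `out:` cleanup is dropped.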
fd9d183
@@ -84,14 +78,6 @@ int selinuxfs_exists(void)
fd9d183
 
fd9d183
 	free(buf);
fd9d183
 	fclose(fp);
fd9d183
-
fd9d183
-out:
fd9d183
-#ifndef MNT_DETACH
fd9d183
-#define MNT_DETACH 2
fd9d183
-#endif
fd9d183
-	if (mnt_rc == 0)
fd9d183
-		umount2("/proc", MNT_DETACH);
fd9d183
-
fd9d183
 	return exists;
fd9d183
 }
fd9d183
 hidden_def(selinuxfs_exists)
fd9d183
diff --git libselinux-2.5/src/load_policy.c libselinux-2.5/src/load_policy.c
fd9d183
index 21ee58b..4f39fc7 100644
fd9d183
--- libselinux-2.5/src/load_policy.c
fd9d183
+++ libselinux-2.5/src/load_policy.c
fd9d183
@@ -17,6 +17,10 @@
fd9d183
 #include "policy.h"
fd9d183
 #include <limits.h>
fd9d183
 
fd9d183
+#ifndef MNT_DETACH
fd9d183
+#define MNT_DETACH 2
fd9d183
+#endif
fd9d183
+
fd9d183
 int security_load_policy(void *data, size_t len)
fd9d183
 {
fd9d183
 	char path[PATH_MAX];
fd9d183
@@ -348,11 +352,6 @@ int selinux_init_load_policy(int *enforce)
fd9d183
 		fclose(cfg);
fd9d183
 		free(buf);
fd9d183
 	}
fd9d183
-#ifndef MNT_DETACH
fd9d183
-#define MNT_DETACH 2
fd9d183
-#endif
fd9d183
-	if (rc == 0)
fd9d183
-		umount2("/proc", MNT_DETACH);
fd9d183
 
fd9d183
 	/* 
fd9d183
 	 * Determine the final desired mode.
fd9d183
@@ -400,11 +399,17 @@ int selinux_init_load_policy(int *enforce)
fd9d183
 			/* Only emit this error if selinux was not disabled */
fd9d183
 			fprintf(stderr, "Mount failed for selinuxfs on %s:  %s\n", SELINUXMNT, strerror(errno));
fd9d183
 		}
d11c40b
+
fd9d183
+		if (rc == 0)
fd9d183
+			umount2("/proc", MNT_DETACH);
fd9d183
                 
fd9d183
 		goto noload;
fd9d183
 	}
fd9d183
 	set_selinuxmnt(mntpoint);
d11c40b
 
fd9d183
+	if (rc == 0)
fd9d183
+		umount2("/proc", MNT_DETACH);
fd9d183
+
fd9d183
 	/*
fd9d183
 	 * Note:  The following code depends on having selinuxfs 
fd9d183
 	 * already mounted and selinuxmnt set above.
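Review bot: The `if (rc == 0) umount2("/proc", MNT_DETACH);` pair relies on `rc` still holding the result of a mount() call made well above this hunk, and after the relocation that variable now has to survive the whole mode-determination block in between; a reader cannot tell from here that nothing reassigns it. A comment at the first of the two sites would pin that down, e.g. `/* rc is still the return value of the earlier mount("proc", ...); detach /proc only if we mounted it. */`, and it is worth stating that umount2's own return value is intentionally ignored. Moving the single umount2 above the selinuxfs mount would remove the duplication, but only if nothing in that block still needs /proc, which is not visible in this hunk. selinux_init_load_policy's body starts and ends outside the hunk.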
c28c9a3
diff --git libselinux-2.5/src/lsetfilecon.c libselinux-2.5/src/lsetfilecon.c
e58e944
index 1d3b28a..ea6d70b 100644
c28c9a3
--- libselinux-2.5/src/lsetfilecon.c
c28c9a3
+++ libselinux-2.5/src/lsetfilecon.c
e58e944
@@ -9,8 +9,13 @@
e58e944
 
e58e944
 int lsetfilecon_raw(const char *path, const char * context)
e58e944
 {
e58e944
-	int rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
e58e944
-			 0);
e58e944
+	int rc;
e58e944
+	if (! context) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+
e58e944
+	rc = lsetxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
e58e944
 	if (rc < 0 && errno == ENOTSUP) {
e58e944
 		char * ccontext = NULL;
e58e944
 		int err = errno;
c28c9a3
diff --git libselinux-2.5/src/matchpathcon.c libselinux-2.5/src/matchpathcon.c
27e80a6
index 5b495a0..a2f2c3e 100644
c28c9a3
--- libselinux-2.5/src/matchpathcon.c
c28c9a3
+++ libselinux-2.5/src/matchpathcon.c
e58e944
@@ -2,6 +2,7 @@
e58e944
 #include <string.h>
e58e944
 #include <errno.h>
e58e944
 #include <stdio.h>
e58e944
+#include <syslog.h>
e58e944
 #include "selinux_internal.h"
e58e944
 #include "label_internal.h"
e58e944
 #include "callbacks.h"
e58e944
@@ -62,7 +63,7 @@ static void
e58e944
 {
e58e944
 	va_list ap;
e58e944
 	va_start(ap, fmt);
e58e944
-	vfprintf(stderr, fmt, ap);
e58e944
+	vsyslog(LOG_ERR, fmt, ap);
e58e944
 	va_end(ap);
e58e944
 }
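Review bot: Replacing `vfprintf(stderr, fmt, ap)` with `vsyslog(LOG_ERR, fmt, ap)` in the default log callback changes what every caller that never installs its own callback sees: interactive users of the matchpathcon functions lose diagnostics from the terminal, and since no openlog() precedes the call the entries are tagged with the process's default ident and facility. If that is the intended trade-off, document it on the function, e.g. `/* Default log sink is syslog(LOG_ERR); callers that want stderr must register their own SELINUX_CB_LOG callback via selinux_set_callback(). */`. The function's signature is outside the hunk (only `static void` is visible in the hunk header).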
e58e944
 
27e80a6
@@ -470,6 +471,17 @@ int selinux_file_context_verify(const char *path, mode_t mode)
27e80a6
 	char * con = NULL;
27e80a6
 	char * fcontext = NULL;
27e80a6
 	int rc = 0;
27e80a6
+	char stackpath[PATH_MAX + 1];
27e80a6
+	char *p = NULL;
27e80a6
+
27e80a6
+	if (S_ISLNK(mode)) {
27e80a6
+		if (!realpath_not_final(path, stackpath))
27e80a6
+			path = stackpath;
27e80a6
+	} else {
27e80a6
+		p = realpath(path, stackpath);
27e80a6
+		if (p)
27e80a6
+			path = p;
27e80a6
+	}
27e80a6
 
27e80a6
 	rc = lgetfilecon_raw(path, &con);
27e80a6
 	if (rc == -1) {
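Review bot: When realpath() or realpath_not_final() fails, the new code silently falls back to the caller's unresolved `path`, so a dangling or unreadable component still yields a verification result, just for a different name than the canonical one, and errno from the failed resolution is left set until lgetfilecon_raw() overwrites it. That fallback deserves a comment so nobody mistakes it for an oversight, e.g. `/* Canonicalise before comparing; if resolution fails, verify the path as given. */`. The non-symlink branch can also mirror the symlink branch and drop `p`: `if (realpath(path, stackpath)) path = stackpath;`. selinux_file_context_verify starts before the hunk (only its signature is in the hunk header) and continues after it.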
d11c40b
diff --git libselinux-2.5/src/procattr.c libselinux-2.5/src/procattr.c
d11c40b
index 527a0a5..eee4612 100644
d11c40b
--- libselinux-2.5/src/procattr.c
d11c40b
+++ libselinux-2.5/src/procattr.c
d11c40b
@@ -70,9 +70,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
d11c40b
 	char *path;
d11c40b
 	pid_t tid;
d11c40b
 
d11c40b
-	if (pid > 0)
d11c40b
+	if (pid > 0) {
d11c40b
 		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
d11c40b
-	else {
d11c40b
+	} else if (pid == 0) {
d11c40b
 		rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
d11c40b
 		if (rc < 0)
d11c40b
 			return -1;
d11c40b
@@ -82,6 +82,9 @@ static int openattr(pid_t pid, const char *attr, int flags)
d11c40b
 		free(path);
d11c40b
 		tid = gettid();
d11c40b
 		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
d11c40b
+	} else {
d11c40b
+		errno = EINVAL;
d11c40b
+		return -1;
d11c40b
 	}
d11c40b
 	if (rc < 0)
d11c40b
 		return -1;
d11c40b
@@ -303,11 +306,21 @@ static int setprocattrcon(const char * context,
d11c40b
 #define getpidattr_def(fn, attr) \
d11c40b
 	int get##fn##_raw(pid_t pid, char **c)	\
d11c40b
 	{ \
d11c40b
-		return getprocattrcon_raw(c, pid, #attr); \
d11c40b
+		if (pid <= 0) { \
d11c40b
+			errno = EINVAL; \
d11c40b
+			return -1; \
d11c40b
+		} else { \
d11c40b
+			return getprocattrcon_raw(c, pid, #attr); \
d11c40b
+		} \
d11c40b
 	} \
d11c40b
 	int get##fn(pid_t pid, char **c)	\
d11c40b
 	{ \
d11c40b
-		return getprocattrcon(c, pid, #attr); \
d11c40b
+		if (pid <= 0) { \
d11c40b
+			errno = EINVAL; \
d11c40b
+			return -1; \
d11c40b
+		} else { \
d11c40b
+			return getprocattrcon(c, pid, #attr); \
d11c40b
+		} \
d11c40b
 	}
d11c40b
 
d11c40b
 all_selfattr_def(con, current)
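Review bot: In both macro bodies the `else` after `return -1;` is redundant and adds a brace level to an already backslash-continued macro; `if (pid <= 0) { errno = EINVAL; return -1; } return getprocattrcon_raw(c, pid, #attr);` (and the same for the non-raw variant) is shorter and easier to keep in sync. Note that this rejects pid 0 even though openattr() in the earlier hunks maps 0 to /proc/thread-self, so a comment on getpidattr_def stating that the pid-taking getters require a positive pid and that 0 is not an alias for the caller would prevent the two checks from being "reconciled" later; whether a self variant covers that case is not visible here. The openattr() function in the first two procattr.c hunks continues outside them.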
27e80a6
diff --git libselinux-2.5/src/selinux_config.c libselinux-2.5/src/selinux_config.c
27e80a6
index bec5f3b..c519a77 100644
27e80a6
--- libselinux-2.5/src/selinux_config.c
27e80a6
+++ libselinux-2.5/src/selinux_config.c
27e80a6
@@ -50,7 +50,8 @@
27e80a6
 #define BOOLEAN_SUBS      27
27e80a6
 #define OPENSSH_CONTEXTS  28
27e80a6
 #define SYSTEMD_CONTEXTS  29
27e80a6
-#define NEL               30
27e80a6
+#define SNAPPERD_CONTEXTS 30
27e80a6
+#define NEL               31
27e80a6
 
27e80a6
 /* Part of one-time lazy init */
27e80a6
 static pthread_once_t once = PTHREAD_ONCE_INIT;
27e80a6
@@ -499,6 +500,13 @@ const char *selinux_openssh_contexts_path(void)
27e80a6
 
27e80a6
 hidden_def(selinux_openssh_contexts_path)
27e80a6
 
27e80a6
+const char *selinux_snapperd_contexts_path(void)
27e80a6
+{
27e80a6
+    return get_path(SNAPPERD_CONTEXTS);
27e80a6
+}
27e80a6
+
27e80a6
+hidden_def(selinux_snapperd_contexts_path)
27e80a6
+
27e80a6
 const char *selinux_systemd_contexts_path(void)
27e80a6
 {
27e80a6
 	return get_path(SYSTEMD_CONTEXTS);
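Review bot: The new selinux_snapperd_contexts_path() body is indented with four spaces while the neighbouring selinux_systemd_contexts_path() uses a tab, as the context line `	return get_path(SYSTEMD_CONTEXTS);` shows; the new function should use `	return get_path(SNAPPERD_CONTEXTS);` with a tab. Mixed indentation in adjacent one-line functions is the kind of thing a later reformat commit then has to touch.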
27e80a6
diff --git libselinux-2.5/src/selinux_internal.h libselinux-2.5/src/selinux_internal.h
27e80a6
index 46566f6..9b9145c 100644
27e80a6
--- libselinux-2.5/src/selinux_internal.h
27e80a6
+++ libselinux-2.5/src/selinux_internal.h
27e80a6
@@ -84,6 +84,7 @@ hidden_proto(selinux_mkload_policy)
27e80a6
     hidden_proto(selinux_x_context_path)
27e80a6
     hidden_proto(selinux_sepgsql_context_path)
27e80a6
     hidden_proto(selinux_openssh_contexts_path)
27e80a6
+    hidden_proto(selinux_snapperd_contexts_path)
27e80a6
     hidden_proto(selinux_systemd_contexts_path)
27e80a6
     hidden_proto(selinux_path)
27e80a6
     hidden_proto(selinux_check_passwd_access)
c28c9a3
diff --git libselinux-2.5/src/setfilecon.c libselinux-2.5/src/setfilecon.c
e58e944
index d05969c..3f0200e 100644
c28c9a3
--- libselinux-2.5/src/setfilecon.c
c28c9a3
+++ libselinux-2.5/src/setfilecon.c
e58e944
@@ -9,8 +9,12 @@
e58e944
 
e58e944
 int setfilecon_raw(const char *path, const char * context)
e58e944
 {
e58e944
-	int rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1,
e58e944
-			0);
e58e944
+	int rc;
e58e944
+	if (! context) {
e58e944
+		errno=EINVAL;
e58e944
+		return -1;
e58e944
+	}
e58e944
+	rc = setxattr(path, XATTR_NAME_SELINUX, context, strlen(context) + 1, 0);
e58e944
 	if (rc < 0 && errno == ENOTSUP) {
e58e944
 		char * ccontext = NULL;
e58e944
 		int err = errno;
fd9d183
diff --git libselinux-2.5/utils/.gitignore libselinux-2.5/utils/.gitignore
fd9d183
index 060eaab..ed3bf0b 100644
fd9d183
--- libselinux-2.5/utils/.gitignore
fd9d183
+++ libselinux-2.5/utils/.gitignore
fd9d183
@@ -14,7 +14,12 @@ getseuser
fd9d183
 matchpathcon
fd9d183
 policyvers
fd9d183
 sefcontext_compile
fd9d183
+selabel_digest
fd9d183
+selabel_lookup
fd9d183
+selabel_lookup_best_match
fd9d183
+selabel_partial_match
fd9d183
 selinux_check_securetty_context
fd9d183
+selinux_restorecon
fd9d183
 selinuxenabled
fd9d183
 selinuxexeccon
fd9d183
 setenforce