diff --exclude-from=exclude -N -u -r nsalibselinux/ChangeLog libselinux-2.0.70/ChangeLog
--- nsalibselinux/ChangeLog 2008-08-01 06:48:06.000000000 -0400
+++ libselinux-2.0.70/ChangeLog 2008-08-01 06:51:25.000000000 -0400
@@ -1,6 +1,3 @@
-2.0.70 2008-07-30
- * Merge ruby bindings from Dan Walsh.
-
 2.0.69 2008-07-29
 * Handle duplicate file context regexes as a fatal error from Stephen Smalley. This prevents adding them via semanage.
diff --exclude-from=exclude -N -u -r nsalibselinux/VERSION libselinux-2.0.70/VERSION
--- nsalibselinux/VERSION 2008-08-01 06:48:06.000000000 -0400
+++ libselinux-2.0.70/VERSION 2008-08-01 06:51:25.000000000 -0400
@@ -1 +1 @@
-2.0.70
+2.0.69
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxconlist.8 libselinux-2.0.70/man/man8/selinuxconlist.8
--- nsalibselinux/man/man8/selinuxconlist.8 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-2.0.70/man/man8/selinuxconlist.8 2008-08-01 06:51:25.000000000 -0400
@@ -0,0 +1,18 @@
+.TH "selinuxconlist" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxconlist \- list all SELinux context reachable for user
+.SH "SYNOPSIS"
+.B selinuxconlist [-l level] user [context]
+
+.SH "DESCRIPTION"
+.B selinuxconlist
+reports the list of context reachable for user from the current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR
+This manual page was written by Dan Walsh .
+
+.SH "SEE ALSO"
+secon(8), selinuxdefcon(8)
diff --exclude-from=exclude -N -u -r nsalibselinux/man/man8/selinuxdefcon.8 libselinux-2.0.70/man/man8/selinuxdefcon.8
--- nsalibselinux/man/man8/selinuxdefcon.8 1969-12-31 19:00:00.000000000 -0500
+++ libselinux-2.0.70/man/man8/selinuxdefcon.8 2008-08-01 06:51:25.000000000 -0400
@@ -0,0 +1,19 @@
+.TH "selinuxdefcon" "1" "7 May 2008" "dwalsh@redhat.com" "SELinux Command Line documentation"
+.SH "NAME"
+selinuxdefcon \- list default SELinux context for user
+
+.SH "SYNOPSIS"
+.B selinuxdefcon [-l level] user [fromcon]
+
+.SH "DESCRIPTION"
+.B seconlist
+reports the default context for the specified user from current context or specified context
+
+.B \-l level
+mcs/mls level
+
+.SH AUTHOR
+This manual page was written by Dan Walsh .
+
+.SH "SEE ALSO"
+secon(8), selinuxconlist(8)
diff --exclude-from=exclude -N -u -r nsalibselinux/src/callbacks.c libselinux-2.0.70/src/callbacks.c
--- nsalibselinux/src/callbacks.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.70/src/callbacks.c 2008-08-01 06:51:25.000000000 -0400
@@ -16,6 +16,7 @@
 {
 int rc;
 va_list ap;
+ if (is_selinux_enabled() == 0) return 0;
 va_start(ap, fmt);
 rc = vfprintf(stderr, fmt, ap);
 va_end(ap);
diff --exclude-from=exclude -N -u -r nsalibselinux/src/matchpathcon.c libselinux-2.0.70/src/matchpathcon.c
--- nsalibselinux/src/matchpathcon.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.70/src/matchpathcon.c 2008-08-01 06:51:25.000000000 -0400
@@ -2,6 +2,7 @@
 #include
 #include
 #include
+#include
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -57,7 +58,7 @@
 {
 va_list ap;
 va_start(ap, fmt);
- vfprintf(stderr, fmt, ap);
+ vsyslog(LOG_ERR, fmt, ap);
 va_end(ap);
 }
diff --exclude-from=exclude -N -u -r nsalibselinux/src/seusers.c libselinux-2.0.70/src/seusers.c
--- nsalibselinux/src/seusers.c 2008-06-12 23:25:14.000000000 -0400
+++ libselinux-2.0.70/src/seusers.c 2008-08-01 06:53:03.000000000 -0400
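Review bot: The added guard silences every message the default log callback would print once `is_selinux_enabled()` reports 0, regardless of message type, so error-class messages are dropped along with informational ones; if the callback's first parameter is the message type as in the public selinux_set_callback() contract, consider `if (type != SELINUX_ERROR && is_selinux_enabled() == 0) return 0;` so that errors still reach stderr on a disabled system. Returning before `va_start` is fine since no `va_end` pairing is needed. The enclosing function's signature and return statement lie outside the hunk.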
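Review bot: Replacing `vfprintf(stderr, ...)` with `vsyslog(LOG_ERR, fmt, ap)` in the default matchpathcon printf callback moves errors off the terminal: a user running matchpathcon(8) or setfiles by hand no longer sees them, and a process without syslog access loses them entirely. Consider keeping the stderr write next to the syslog call, or leaving the default on stderr and letting programs that want syslog install their own callback via set_matchpathcon_printf(). The `#include` added in the first hunk has its header name stripped by extraction; presumably it is `<syslog.h>` for vsyslog/LOG_ERR — confirm. The enclosing function's signature is outside the hunk.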
@@ -89,6 +89,62 @@
 int require_seusers hidden = 0;
+#include
+#include
+
+static gid_t get_default_gid(const char *name) {
+ struct passwd pwstorage, *pwent = NULL;
+ gid_t gid = -1;
+ /* Allocate space for the getpwnam_r buffer */
+ long rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
+ if (rbuflen <= 0) return -1;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL) return -1;
+
+ int retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
+ if (retval == 0 || pwent != NULL) {
+ gid = pwent->pw_gid;
+ }
+ free(rbuf);
+ return gid;
+}
+
+static int check_group(const char *group, const char *name, const gid_t gid) {
+ int match = 0;
+ int i, ng = 0;
+ gid_t *groups = NULL;
+ struct group gbuf, *grent = NULL;
+
+ long rbuflen = sysconf(_SC_GETGR_R_SIZE_MAX);
+ if (rbuflen <= 0)
+ return 0;
+ char *rbuf = malloc(rbuflen);
+ if (rbuf == NULL)
+ return 0;
+
+ if (getgrnam_r(group, &gbuf, rbuf, rbuflen,
+ &grent) != 0)
+ goto done;
+
+ if (getgrouplist(name, gid, NULL, &ng) < 0) {
+ groups = (gid_t *) malloc(sizeof (gid_t) * ng);
+ if (!groups) goto done;
+ if (getgrouplist(name, gid, groups, &ng) < 0) goto done;
+ }
+
+ for (i = 0; i < ng; i++) {
+ if (grent->gr_gid == groups[i]) {
+ match = 1;
+ goto done;
+ }
+ }
+
+ done:
+ free(groups);
+ free(rbuf);
+ return match;
+}
+
 int getseuserbyname(const char *name, char **r_seuser, char **r_level)
 {
 FILE *cfg = NULL;
@@ -101,9 +157,14 @@
 char *username = NULL;
 char *seuser = NULL;
 char *level = NULL;
+ char *groupseuser = NULL;
+ char *grouplevel = NULL;
 char *defaultseuser = NULL;
 char *defaultlevel = NULL;
+ gid_t gid = get_default_gid(name);
+ if ( gid == (gid_t) -1 ) goto nomatch;
+
 cfg = fopen(selinux_usersconf_path(), "r");
 if (!cfg) goto nomatch;
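Review bot: `get_default_gid` dereferences a NULL `pwent` for any name without a passwd entry: getpwnam_r() returns 0 and stores NULL in `*pwent` when the user is not found, and `retval == 0 || pwent != NULL` then takes the true branch into `pwent->pw_gid`. The condition should be `if (retval == 0 && pwent != NULL) {`. `check_group` has the matching gap — getgrnam_r() returning 0 with `grent == NULL` (a `%group` line naming a group that does not exist) reaches `grent->gr_gid` inside the loop — so its guard should read `if (getgrnam_r(group, &gbuf, rbuf, rbuflen, &grent) != 0 || grent == NULL) goto done;`. Separately, `(gid_t *) malloc(sizeof (gid_t) * ng)` casts the result and multiplies an `int` count; `calloc(ng, sizeof *groups)` does the same job with overflow checking and no cast.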
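Review bot: `if ( gid == (gid_t) -1 ) goto nomatch;` turns a user with no passwd entry into a failed lookup, whereas before this change such a user still received the `__default__` mapping from seusers; if `nomatch` returns an error as its name suggests, that is a behaviour change for accounts that exist only in the policy or are resolved later. Consider dropping the early exit and instead requiring `gid != (gid_t) -1` before the `%group` comparison in the loop below, so an unknown gid only disables group matching. The spacing inside the parentheses also differs from the rest of the file. getseuserbyname continues outside this hunk in both directions.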
@@ -124,31 +185,48 @@
 if (!strcmp(username, name)) break;
- if (!defaultseuser && !strcmp(username, "__default__")) {
- free(username);
- defaultseuser = seuser;
- defaultlevel = level;
+ if (username[0] == '%' &&
+ !groupseuser &&
+ check_group(&username[1], name, gid)) {
+ groupseuser = seuser;
+ grouplevel = level;
 } else {
- free(username);
- free(seuser);
- free(level);
+ if (!defaultseuser &&
+ !strcmp(username, "__default__")) {
+ defaultseuser = seuser;
+ defaultlevel = level;
+ } else {
+ free(seuser);
+ free(level);
+ }
+ }
+ free(username);
+ username = NULL;
 seuser = NULL;
 }
- if (buffer)
- free(buffer);
+ free(buffer);
 fclose(cfg);
 if (seuser) {
 free(username);
 free(defaultseuser);
 free(defaultlevel);
+ free(groupseuser);
+ free(grouplevel);
 *r_seuser = seuser;
 *r_level = level;
 return 0;
 }
+ if (groupseuser) {
+ free(defaultseuser);
+ free(defaultlevel);
+ *r_seuser = groupseuser;
+ *r_level = grouplevel;
+ return 0;
+ }
+
 if (defaultseuser) {
 *r_seuser = defaultseuser;
 *r_level = defaultlevel;
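Review bot: `check_group(&username[1], name, gid)` is evaluated for every `%group` line until one matches, and each call repeats getgrnam_r(), two getgrouplist() calls and two allocations, so the cost of one getseuserbyname() grows with the number of group lines times the user's group count; resolving the user's group list once before the loop and passing it to the per-line check would keep the cost proportional to the file. Stylistically the `} else { if (!defaultseuser && ...) {` nesting reads more directly as `} else if (!defaultseuser && !strcmp(username, "__default__")) {` with the two free() calls in a plain `else`. getseuserbyname starts before this hunk and its `nomatch` path ends after it.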