Anonymous committed 255e729

Import libsepol 2.1.0 (Release 2011-07-27).

Files changed (174)

+utils/chkcon
+		  GNU LESSER GENERAL PUBLIC LICENSE
+		       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+     51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+		  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+  
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+			    NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+           How to Apply These Terms to Your New Libraries
+
+  If you develop a new library, and you want it to be of the greatest
+possible use to the public, we recommend making it free software that
+everyone can redistribute and change.  You can do so by permitting
+redistribution under these terms (or, alternatively, under the terms of the
+ordinary General Public License).
+
+  To apply these terms, attach the following notices to the library.  It is
+safest to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the library's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This library is free software; you can redistribute it and/or
+    modify it under the terms of the GNU Lesser General Public
+    License as published by the Free Software Foundation; either
+    version 2.1 of the License, or (at your option) any later version.
+
+    This library is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+    Lesser General Public License for more details.
+
+    You should have received a copy of the GNU Lesser General Public
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+
+Also add information on how to contact you by electronic and paper mail.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the library, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the
+  library `Frob' (a library for tweaking knobs) written by James Random Hacker.
+
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice
+
+That's all there is to it!
+
+
+2.1.0 2011-07-27
+	* Release, minor version bump
+
+2.0.46 2011-07-25
+	* Add role attribute support by Harry Ciao
+
+2.0.45 2011-05-02
+	* Warn if filename_trans rules are dropped by Steve Lawrence.
+
+2.0.44 2011-04-13
+	* Fixes for new role_transition class field by Eric Paris.
+	* Add libsepol support for filename_trans rules by Eric Paris.
+
+2.0.43 2011-04-11
+	* Add new class field in role_transition by Harry Ciao.
+
+2.0.42 2010-12-16
+	* Fix compliation under GCC 4.6 by Justin Mattock
+
+2.0.41 2009-11-18
+	* Fixed typo in error message from Manoj Srivastava.
+
+2.0.40 2009-10-29
+	* Add pkgconfig file from Eamon Walsh.
+
+2.0.39 2009-10-14
+	* Add support for building Xen policies from Paul Nuzzi.
+
+2.0.38 2009-09-01
+	* Check last offset in the module package against the file size.
+	Reported by Manoj Srivastava for bug filed by Max Kellermann.
+
+2.0.37 2009-07-07
+	* Add method to check disable dontaudit flag from Christopher Pardy.
+
+2.0.36 2009-03-25
+	* Fix boolean state smashing from Joshua Brindle.
+
+2.0.35 2009-02-19
+        * Fix alias field in module format, caused by boundary format change
+          from Caleb Case.
+
+2.0.34 2008-10-09
+	* Add bounds support from KaiGai Kohei.
+	* Fix invalid aliases bug from Joshua Brindle.
+
+2.0.33 2008-09-29
+	* Revert patch that removed expand_rule.
+
+2.0.32 2008-07-07
+	* Allow require then declare in the source policy from Joshua Brindle.
+
+2.0.31 2008-06-13
+	* Fix mls_semantic_level_expand() to handle a user require w/o MLS information from Stephen Smalley.
+
+2.0.30 2008-06-06
+	* Fix endianness bug in the handling of network node addresses from Stephen Smalley.
+	  Only affects big endian platforms.
+	  Bug reported by John Weeks of Sun upon policy mismatch between x86 and sparc.
+
+2.0.29 2008-05-27
+	* Merge user and role mapping support from Joshua Brindle.
+
+2.0.28 2008-05-05
+	* Fix mls_level_convert() to gracefully handle an empty user declaration/require from Stephen Smalley.
+
+2.0.27 2008-04-18
+	* Belatedly merge test for policy downgrade from Todd Miller.
+
+2.0.26 2008-03-24
+	* Add permissive domain support from Eric Paris.
+
+2.0.25 2008-03-04
+	* Drop unused ->buffer field from struct policy_file.
+
+2.0.24 2008-03-04
+	* Add policy_file_init() initalizer for struct policy_file and use it, from Todd C. Miller.
+
+2.0.23 2008-02-28
+	* Accept "Flask" as an alternate identifier string in kernel policies from Stephen Smalley.
+
+2.0.22 2008-02-28
+	* Add support for open_perms policy capability from Eric Paris.
+
+2.0.21 2008-02-20
+	* Fix invalid memory allocation in policydb_index_others() from Jason Tang.
+
+2.0.20 2008-02-04
+	* Port of Yuichi Nakamura's tune avtab to reduce memory usage patch from the kernel avtab to libsepol from Stephen Smalley.
+
+2.0.19 2008-02-02
+	* Add support for consuming avrule_blocks during expansion to reduce
+	  peak memory usage from Joshua Brindle.
+
+2.0.18 2008-01-02
+	* Added support for policy capabilities from Todd Miller.
+
+2.0.17 2007-12-21
+	* Prevent generation of policy.18 with MLS enabled from Todd Miller.
+
+2.0.16 2007-12-07
+	* print module magic number in hex on mismatch, from Todd Miller.
+
+2.0.15 2007-11-29
+	* clarify and reduce neverallow error reporting from Stephen Smalley.
+
+2.0.14 2007-11-05
+	* Reject self aliasing at link time from Stephen Smalley.
+
+2.0.13 2007-11-05
+	* Allow handle_unknown in base to be overridden by semanage.conf from Stephen Smalley.
+
+2.0.12 2007-10-11
+	* Fixed bug in require checking from Stephen Smalley.
+	* Added user hierarchy checking from Todd Miller.	
+
+2.0.11 2007-09-24
+	* Pass CFLAGS to CC even on link command, per Dennis Gilmore.
+
+2.0.10 2007-09-18
+	* Merged support for the handle_unknown policydb flag from Eric Paris.
+
+2.0.9 2007-08-29
+	* Moved next_entry and put_entry out-of-line to reduce code size from Ulrich Drepper.
+
+2.0.8 2007-08-28
+	* Fixed module_package_read_offsets bug introduced by the prior patch.
+
+2.0.7 2007-08-23
+	* Eliminate unaligned accesses from policy reading code from Stephen Smalley.
+
+2.0.6 2007-08-16
+	* Allow dontaudits to be turned off during policy expansion from
+	  Joshua Brindle.
+
+2.0.5 2007-08-01
+	* Fix sepol_context_clone to handle a NULL context correctly.
+          This happens for e.g. semanage_fcontext_set_con(sh, fcontext, NULL)
+	  to set the file context entry to "<<none>>".
+
+2.0.4 2007-06-20
+	* Merged error handling patch from Eamon Walsh.
+
+2.0.3 2007-04-13
+	* Merged add boolmap argument to expand_module_avrules() from Chris PeBenito.
+
+2.0.2 2007-03-30
+	* Merged fix from Karl to remap booleans at expand time to 
+	  avoid holes in the symbol table.
+
+2.0.1 2007-02-06
+	* Merged libsepol segfault fix from Stephen Smalley for when
+	  sensitivities are required but not present in the base.
+	
+2.0.0 2007-02-01
+	* Merged patch to add errcodes.h to libsepol by Karl MacMillan.
+	
+1.16.0 2007-01-18
+	* Updated version for stable branch.
+
+1.15.3 2006-11-27
+	* Merged patch to compile wit -fPIC instead of -fpic from
+	  Manoj Srivastava to prevent hitting the global offest table
+	  limit. Patch changed to include libselinux and libsemanage in
+	  addition to libselinux.
+1.15.2 2006-10-31
+	* Merged fix from Karl MacMillan for a segfault when linking
+	  non-MLS modules with users in them.
+
+1.15.1 2006-10-24
+	* Merged fix for version comparison that was preventing range
+	  transition rules from being written for a version 5 base policy
+	  from Darrel Goeddel.
+
+1.14 2006-10-17
+	* Updated version for release.
+
+1.12.28 2006-09-28
+	* Build libsepol's static object files with -fpic
+
+1.12.27 2006-09-28
+	* Merged mls user and range_transition support in modules
+	  from Darrel Goeddel
+
+1.12.26 2006-09-05
+	* Merged range transition enhancements and user format changes
+	  Darrel Goeddel
+
+1.12.25 2006-08-24
+	* Merged conditionally expand neverallows patch from Jeremy Mowery.
+	* Merged refactor expander patch from Jeremy Mowery.
+
+1.12.24 2006-08-03
+	* Merged libsepol unit tests from Joshua Brindle.
+
+1.12.23 2006-08-03
+	* Merged symtab datum patch from Karl MacMillan.
+
+1.12.22 2006-08-03
+	* Merged netfilter contexts support from Chris PeBenito.
+
+1.12.21 2006-07-28
+	* Merged helpful hierarchy check errors patch from Joshua Brindle.
+
+1.12.20 2006-07-25
+	* Merged semodule_deps patch from Karl MacMillan.
+	  This adds source module names to the avrule decls.
+
+1.12.19 2006-06-29
+	* Lindent.
+
+1.12.18 2006-06-26
+	* Merged optionals in base take 2 patch set from Joshua Brindle.
+
+1.12.17 2006-05-30
+	* Revert 1.12.16.
+
+1.12.16 2006-05-30
+	* Merged cleaner fix for bool_ids overflow from Karl MacMillan,
+	  replacing the prior patch.
+
+1.12.15 2006-05-30
+	* Merged fixes for several memory leaks in the error paths during
+	  policy read from Serge Hallyn.
+
+1.12.14 2006-05-25
+	* Fixed bool_ids overflow bug in cond_node_find and cond_copy_list,
+	  based on bug report and suggested fix by Cedric Roux.
+
+1.12.13 2006-05-24
+	* Merged sens_copy_callback, check_role_hierarchy_callback,
+	  and node_from_record fixes from Serge Hallyn.
+
+1.12.12 2006-05-22
+	* Added sepol_policydb_compat_net() interface for testing whether
+	  a policy requires the compatibility support for network checks
+	  to be enabled in the kernel.
+
+1.12.11 2006-05-17
+	* Merged patch to initialize sym_val_to_name arrays from Kevin Carr.
+	  Reworked to use calloc in the first place, and converted some other
+	  malloc/memset pairs to calloc calls.
+
+1.12.10 2006-05-08
+	* Merged patch to revert role/user decl upgrade from Karl MacMillan.
+
+1.12.9 2006-05-08
+	* Dropped tests from all Makefile target.
+
+1.12.8 2006-05-05
+	* Merged fix warnings patch from Karl MacMillan.
+
+1.12.7 2006-05-05
+	* Merged libsepol test framework patch from Karl MacMillan.
+
+1.12.6 2006-04-28
+	* Fixed cond_normalize to traverse the entire cond list at link time.
+
+1.12.5 2006-04-03
+	* Merged fix for leak of optional package sections from Ivan Gyurdiev.
+
+1.12.4 2006-03-29
+	* Generalize test for bitmap overflow in ebitmap_set_bit.
+
+1.12.3 2006-03-27
+	* Fixed attr_convert_callback and expand_convert_type_set
+	  typemap bug.
+
+1.12.2 2006-03-24
+	* Fixed avrule_block_write num_decls endian bug.
+
+1.12.1 2006-03-20
+	* Fixed sepol_module_package_write buffer overflow bug.
+
+1.12 2006-03-14
+	* Updated version for release.
+
+1.11.20 2006-03-08
+	* Merged cond_evaluate_expr fix from Serge Hallyn (IBM).
+	* Fixed bug in copy_avrule_list reported by Ivan Gyurdiev.
+
+1.11.19 2006-02-21
+	* Merged sepol_policydb_mls_enabled interface and error handling
+	  changes from Ivan Gyurdiev.
+	
+1.11.18 2006-02-16
+	* Merged node_expand_addr bugfix and node_compare* change from
+	  Ivan Gyurdiev.
+
+1.11.17 2006-02-15
+	* Merged nodes, ports: always prepend patch from Ivan Gyurdiev.
+	* Merged bug fix patch from Ivan Gyurdiev.
+
+1.11.16 2006-02-14
+	* Added a defined flag to level_datum_t for use by checkpolicy.
+
+1.11.15 2006-02-14
+	* Merged nodecon support patch from Ivan Gyurdiev.
+	* Merged cleanups patch from Ivan Gyurdiev.	
+
+1.11.14 2006-02-13
+	* Merged optionals in base patch from Joshua Brindle.
+	
+1.11.13 2006-02-07
+	* Merged seuser/user_extra support patch from Joshua Brindle.
+	* Merged fix patch from Ivan Gyurdiev.
+
+1.11.12 2006-02-02
+	* Merged clone record on set_con patch from Ivan Gyurdiev.	
+
+1.11.11 2006-02-01
+	* Merged assertion copying bugfix from Joshua Brindle.
+	* Merged sepol_av_to_string patch from Joshua Brindle.
+
+1.11.10 2006-01-30
+	* Merged cond_expr mapping and package section count bug fixes
+	  from Joshua Brindle.
+	* Merged improve port/fcontext API patch from Ivan Gyurdiev.	
+	* Merged fixes for overflow bugs on 64-bit from Ivan Gyurdiev.
+
+1.11.9 2006-01-12
+	* Merged size_t -> unsigned int patch from Ivan Gyurdiev.
+
+1.11.8 2006-01-09
+	* Merged 2nd const in APIs patch from Ivan Gyurdiev.
+
+1.11.7 2006-01-06
+	* Merged const in APIs patch from Ivan Gyurdiev.
+	* Merged compare2 function patch from Ivan Gyurdiev.
+
+1.11.6 2006-01-06
+	* Fixed hierarchy checker to only check allow rules.
+
+1.11.5 2006-01-05
+	* Merged further fixes from Russell Coker, specifically:
+	  - av_to_string overflow checking
+	  - sepol_context_to_string error handling
+	  - hierarchy checking memory leak fixes and optimizations
+	  - avrule_block_read variable initialization
+	* Marked deprecated code in genbools and genusers.
+
+1.11.4 2006-01-05
+	* Merged bugfix for sepol_port_modify from Russell Coker.
+
+1.11.3 2006-01-05
+	* Fixed bug in sepol_iface_modify error path noted by Ivan Gyurdiev.
+	* Merged port ordering patch from Ivan Gyurdiev.
+
+1.11.2 2006-01-04
+	* Merged patch series from Ivan Gyurdiev.
+	  This includes patches to:
+	  - support ordering of records in compare function
+	  - enable port interfaces
+	  - add interfaces for context validity and range checks
+	  - add include guards
+
+1.11.1 2005-12-16
+	* Fixed mls_range_cpy bug.
+
+1.10 2005-12-07
+	* Updated version for release.
+
+1.9.42 2005-12-05
+	* Dropped handle from user_del_role interface.	
+
+1.9.41 2005-11-28
+	* Merged remove defrole from sepol patch from Ivan Gyurdiev.
+
+1.9.40 2005-11-15
+	* Merged module function and map file cleanup from Ivan Gyurdiev.
+	* Merged MLS and genusers cleanups from Ivan Gyurdiev.
+
+1.9.39 2005-11-09
+	Prepare for removal of booleans* and *.users files.
+	* Cleaned up sepol_genbools to not regenerate the image if
+	  there were no changes in the boolean values, including the
+	  degenerate case where there are no booleans or booleans.local
+	  files.
+	* Cleaned up sepol_genusers to not warn on missing local.users.
+	
+1.9.38 2005-11-08
+	* Removed sepol_port_* from libsepol.map, as the port interfaces
+	  are not yet stable.
+
+1.9.37 2005-11-04
+	* Merged context destroy cleanup patch from Ivan Gyurdiev.
+
+1.9.36 2005-11-03
+	* Merged context_to_string interface change patch from Ivan Gyurdiev.
+
+1.9.35 2005-11-01
+	* Added src/dso.h and src/*_internal.h.
+	  Added hidden_def for exported symbols used within libsepol.
+	  Added hidden for symbols that should not be exported by
+	  the wildcards in libsepol.map.
+
+1.9.34 2005-10-31
+	* Merged record interface, record bugfix, and set_roles patches 
+	  from Ivan Gyurdiev.
+
+1.9.33 2005-10-27
+	* Merged count specification change from Ivan Gyurdiev.	
+
+1.9.32 2005-10-26
+	* Added further checking and error reporting to 
+	  sepol_module_package_read and _info.
+
+1.9.31 2005-10-26
+	* Merged sepol handle passing, DEBUG conversion, and memory leak
+	  fix patches from Ivan Gyurdiev.
+
+1.9.30 2005-10-25
+	* Removed processing of system.users from sepol_genusers and
+	  dropped delusers logic.
+
+1.9.29 2005-10-25
+	* Removed policydb_destroy from error path of policydb_read,
+	  since create/init/destroy/free of policydb is handled by the
+	  caller now.
+	* Fixed sepol_module_package_read to handle a failed policydb_read
+	  properly.
+
+1.9.28 2005-10-25
+	* Merged query/exists and count patches from Ivan Gyurdiev.
+
+1.9.27 2005-10-25
+	* Merged fix for pruned types in expand code from Joshua Brindle.
+	* Merged new module package format code from Joshua Brindle.
+
+1.9.26 2005-10-24
+	* Merged context interface cleanup, record conversion code, 
+	  key passing, and bug fix patches from Ivan Gyurdiev.               
+
+1.9.25 2005-10-21
+	* Merged users cleanup patch from Ivan Gyurdiev.
+
+1.9.24 2005-10-21
+	* Merged user record memory leak fix from Ivan Gyurdiev.
+	* Merged reorganize users patch from Ivan Gyurdiev.
+
+1.9.23 2005-10-19
+	* Added check flag to expand_module() to control assertion
+	  and hierarchy checking on expansion.
+
+1.9.22 2005-10-19
+	* Reworked check_assertions() and hierarchy_check_constraints()
+	  to take handles and use callback-based error reporting.
+	* Changed expand_module() to call check_assertions() and 
+	  hierarchy_check_constraints() prior to returning the expanded
+	  policy.
+
+1.9.21 2005-10-18
+	* Changed sepol_module_package_set_file_contexts to copy the
+	  file contexts data since it is internally managed.
+
+1.9.20 2005-10-18
+	* Added sepol_policy_file_set_handle interface to associate
+	  a handle with a policy file.
+	* Added handle argument to policydb_from_image/to_image.
+	* Added sepol_module_package_set_file_contexts interface.
+	* Dropped sepol_module_package_create_file interface.
+	* Reworked policydb_read/write, policydb_from_image/to_image, 
+	  and sepol_module_package_read/write to use callback-based error
+	  reporting system rather than DEBUG.  
+
+1.9.19 2005-10-17
+	* Reworked link_packages, link_modules, and expand_module to use
+	callback-based error reporting system rather than error buffering.
+
+1.9.18 2005-10-14
+	* Merged conditional expression mapping fix in the module linking
+	code from Joshua Brindle.
+
+1.9.17 2005-10-13
+	* Hid sepol_module_package type definition, and added get interfaces.
+
+1.9.16 2005-10-13
+	* Merged new callback-based error reporting system from Ivan
+	Gyurdiev.
+
+1.9.15 2005-10-13
+	* Merged support for require blocks inside conditionals from
+	Joshua Brindle (Tresys).
+
+1.9.14 2005-10-07
+	* Fixed use of policydb_from_image/to_image to ensure proper
+	init of policydb.
+
+1.9.13 2005-10-07
+	* Isolated policydb internal headers under <sepol/policydb/*.h>.
+	These headers should only be used by users of the static libsepol.
+	Created new <sepol/policydb.h> with new public types and interfaces
+	for shared libsepol.
+	Created new <sepol/module.h> with public types and interfaces moved
+	or wrapped from old module.h, link.h, and expand.h, adjusted for
+	new public types for policydb and policy_file.
+	Added public interfaces to libsepol.map.
+	Some implementation changes visible to users of the static libsepol:
+	1) policydb_read no longer calls policydb_init.
+	Caller must do so first.
+	2) policydb_init no longer takes policy_type argument.
+	Caller must set policy_type separately.
+	3) expand_module automatically enables the global branch.  
+	Caller no longer needs to do so.
+	4) policydb_write uses the policy_type and policyvers from the 
+	policydb itself, and sepol_set_policyvers() has been removed.
+	
+1.9.12 2005-10-06
+	* Merged function renaming and static cleanup from Ivan Gyurdiev.
+
+1.9.11 2005-10-05
+	* Merged bug fix for check_assertions handling of no assertions
+	from Joshua Brindle (Tresys).
+	
+1.9.10 2005-10-04
+	* Merged iterate patch from Ivan Gyurdiev.
+
+1.9.9 2005-10-03
+	* Merged MLS in modules patch from Joshua Brindle (Tresys).
+
+1.9.8 2005-09-30
+	* Merged pointer typedef elimination patch from Ivan Gyurdiev.
+	* Merged user list function, new mls functions, and bugfix patch
+	  from Ivan Gyurdiev.
+
+1.9.7 2005-09-28
+	* Merged sepol_get_num_roles fix from Karl MacMillan (Tresys).
+
+1.9.6 2005-09-23
+	* Merged bug fix patches from Joshua Brindle (Tresys).
+
+1.9.5 2005-09-21
+	* Merged boolean record and memory leak fix patches from Ivan
+	Gyurdiev.
+
+1.9.4 2005-09-19
+	* Merged interface record patch from Ivan Gyurdiev.
+
+1.9.3 2005-09-14
+	* Merged fix for sepol_enable/disable_debug from Ivan
+	Gyurdiev.
+
+1.9.2 2005-09-14
+	* Merged stddef.h patch and debug conversion patch from 
+	Ivan Gyurdiev.
+
+1.9.1 2005-09-09
+	* Fixed expand_avtab and expand_cond_av_list to keep separate
+	entries with identical keys but different enabled flags.
+
+1.8 2005-09-06
+	* Updated version for release.
+
+1.7.24 2005-08-31
+	* Fixed symtab_insert return value for duplicate declarations.
+
+1.7.23 2005-08-31
+	* Merged fix for memory error in policy_module_destroy from
+	Jason Tang (Tresys).
+
+1.7.22 2005-08-26
+	* Merged fix for memory leak in sepol_context_to_sid from
+	Jason Tang (Tresys).
+
+1.7.21 2005-08-25
+	* Merged fixes for resource leaks on error paths and
+	  change to scope_destroy from Joshua Brindle (Tresys).
+
+1.7.20 2005-08-23
+	* Merged more fixes for resource leaks on error paths 
+	  from Serge Hallyn (IBM).  Bugs found by Coverity. 
+
+1.7.19 2005-08-19
+	* Changed to treat all type conflicts as fatal errors.
+
+1.7.18 2005-08-18
+	* Merged several error handling fixes from 
+	  Serge Hallyn (IBM).  Bugs found by Coverity.	
+
+1.7.17 2005-08-15
+	* Fixed further memory leaks found by valgrind.
+
+1.7.16 2005-08-15
+	* Fixed several memory leaks found by valgrind.
+
+1.7.15 2005-08-12
+	* Fixed empty list test in cond_write_av_list.  Bug found by
+	  Coverity, reported by Serge Hallyn (IBM).
+	* Merged patch to policydb_write to check errors 
+	  when writing the type->attribute reverse map from
+	  Serge Hallyn (IBM).  Bug found by Coverity.
+	* Fixed policydb_destroy to properly handle NULL type_attr_map
+	  or attr_type_map.
+
+1.7.14 2005-08-12
+	* Fixed use of uninitialized data by expand_avtab_node by
+	  clearing type_val_to_struct in policydb_index_others.
+
+1.7.13 2005-08-11
+	* Improved memory use by SELinux by both reducing the avtab 
+	  node size and reducing the number of avtab nodes (by not
+	  expanding attributes in TE rules when possible).  Added
+	  expand_avtab and expand_cond_av_list functions for use by
+	  assertion checker, hierarchy checker, compatibility code,
+	  and dispol.  Added new inline ebitmap operators and converted
+	  existing users of ebitmaps to the new operators for greater 
+	  efficiency.
+	  Note:  The binary policy format version has been incremented to 
+	  version 20 as a result of these changes.
+
+1.7.12 2005-08-10
+	* Fixed bug in constraint_node_clone handling of name sets.
+
+1.7.11 2005-08-08
+	* Fix range_trans_clone to map the type values properly.
+
+1.7.10 2005-08-02
+	* Merged patch to move module read/write code from libsemanage
+	  to libsepol from Jason Tang (Tresys).
+
+1.7.9 2005-08-02
+	* Enabled further compiler warning flags and fixed them.
+
+1.7.8 2005-08-02
+	* Merged user, context, port records patch from Ivan Gyurdiev.
+	* Merged key extract function patch from Ivan Gyurdiev.
+
+1.7.7 2005-07-27
+	* Merged mls_context_to_sid bugfix from Ivan Gyurdiev.
+
+1.7.6 2005-07-26
+	* Merged context reorganization, memory leak fixes, 
+	  port and interface loading, replacements for genusers and
+	  genbools, debug traceback, and bugfix patches from Ivan Gyurdiev.
+	* Merged uninitialized variable bugfix from Dan Walsh.
+
+1.7.5 2005-07-18
+	* Merged debug support, policydb conversion functions from Ivan Gyurdiev (Red Hat).
+	* Removed genpolbools and genpolusers utilities.
+
+1.7.4 2005-07-18
+	* Merged hierarchy check fix from Joshua Brindle (Tresys).
+
+1.7.3 2005-07-13
+	* Merged header file cleanup and memory leak fix from Ivan Gyurdiev (Red Hat).
+
+1.7.2 2005-07-11
+	* Merged genbools debugging message cleanup from Red Hat.
+
+1.7.1 2005-07-06
+	* Merged loadable module support from Tresys Technology.
+
+1.6 2005-06-20
+	* Updated version for release.
+
+1.5.10 2005-05-19
+	* License changed to LGPL v2.1, see COPYING.
+
+1.5.9 2005-05-16
+	* Added sepol_genbools_policydb and sepol_genusers_policydb for
+	  audit2why.
+
+1.5.8 2005-05-13
+	* Added sepol_ prefix to Flask types to avoid 
+	  namespace collision with libselinux.
+
+1.5.7 2005-05-13
+	* Added sepol_compute_av_reason() for audit2why.
+
+1.5.6 2005-04-25
+	* Fixed bug in role hierarchy checker.
+
+1.5.5 2005-04-13
+	* Merged hierarchical type/role patch from Tresys Technology.
+	* Merged MLS fixes from Darrel Goeddel of TCS.
+
+1.5.4 2005-04-13
+	* Changed sepol_genusers to not delete users by default,
+	and added a sepol_set_delusers function to enable deletion.
+	Also, removed special case handling of system_u and user_u.
+	
+1.5.3 2005-03-29
+	* Merged booleans.local patch from Dan Walsh.
+
+1.5.2 2005-03-16
+	* Added man page for sepol_check_context.
+
+1.5.1 2005-03-15
+	* Added man page for sepol_genusers function.
+	* Merged man pages for genpolusers and chkcon from Manoj Srivastava.
+
+1.4 2005-03-09
+	* Updated version for release.
+
+1.3.8 2005-03-08
+	* Cleaned up error handling in sepol_genusers and sepol_genbools.
+
+1.3.7 2005-02-28
+	* Merged sepol_debug and fclose patch from Dan Walsh.
+
+1.3.6 2005-02-22
+	* Changed sepol_genusers to also use getline and correctly handle
+	  EOL.
+
+1.3.5 2005-02-17
+	* Merged range_transition support from Darrel Goeddel (TCS).
+
+1.3.4 2005-02-16
+	* Added sepol_genusers function.
+
+1.3.3 2005-02-14
+	* Merged endianness and compute_av patches from Darrel Goeddel (TCS).
+
+1.3.2 2005-02-09
+	* Changed relabel Makefile target to use restorecon.
+
+1.3.1 2005-01-26
+	* Merged enhanced MLS support from Darrel Goeddel (TCS).
+
+1.2.1 2005-01-19
+	* Merged build fix patch from Manoj Srivastava.
+
+1.2 2004-10-07
+	* MLS build fixes.
+	* Added sepol_set_policydb_from_file and sepol_check_context for setfiles.
+
+1.0 2004-08-19
+	* Initial public release.
+
+0.4 2004-08-13
+	* Merged patch from Dan Walsh to ignore case on booleans.
+	* Changed sepol_genbools* to preserve the original policy version.
+	* Replaced exported global variables with set functions. 
+	* Moved genpolbools utility from checkpolicy to libsepol.
+	* Added man pages for sepol_genbools* and genpolbools.
+
+0.3 2004-08-10
+	* Added ChangeLog, COPYING, spec file.
+	* Added sepol_genbools_array() for load_policy.
+	* Created libsepol.map to limit exported symbols in shared library. 
+
+0.2 2004-08-09
+	* Exported other functions for checkpolicy and friends.
+	* Renamed service and sidtab functions to avoid libselinux conflict.
+	* Removed original code from checkpolicy, which now uses libsepol.
+	* Code cleanup:  kill legacy references to kernel types/functions.
+
+0.1 2004-08-06
+	* Moved checkpolicy core logic into a library.
+	* Exported sepol_genbools() for load_policy.
+all: 
+	$(MAKE) -C src 
+	$(MAKE) -C utils
+
+install: 
+	$(MAKE) -C include install
+	$(MAKE) -C src install
+	$(MAKE) -C utils install
+	$(MAKE) -C man install
+
+relabel:
+	$(MAKE) -C src relabel
+
+clean:
+	$(MAKE) -C src clean
+	$(MAKE) -C utils clean
+	$(MAKE) -C tests clean
+
+indent:
+	$(MAKE) -C src $@
+	$(MAKE) -C include $@
+	$(MAKE) -C utils $@
+
+test:
+	$(MAKE) -C tests test
+
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+INCDIR ?= $(PREFIX)/include/sepol
+
+install:
+	test -d $(INCDIR) || install -m 755 -d $(INCDIR)
+	test -d $(INCDIR)/policydb || install -m 755 -d $(INCDIR)/policydb
+	install -m 644 $(wildcard sepol/*.h) $(INCDIR)
+	install -m 644 $(wildcard sepol/policydb/*.h) $(INCDIR)/policydb
+
+indent:
+	../../scripts/Lindent $(wildcard sepol/*.h)
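Review bot: the `indent` target of the include Makefile runs Lindent only over `$(wildcard sepol/*.h)`, while the `install` target just above it also ships `sepol/policydb/*.h`, so the policydb headers are never reindented; add `$(wildcard sepol/policydb/*.h)` to the Lindent line unless the omission is deliberate. None of the targets in either Makefile (`all`, `install`, `relabel`, `clean`, `indent`, `test`) is declared `.PHONY`, so a stray file with one of those names would silently turn the target into a no-op.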

include/sepol/boolean_record.h

+#ifndef _SEPOL_BOOLEAN_RECORD_H_
+#define _SEPOL_BOOLEAN_RECORD_H_
+
+#include <stddef.h>
+#include <sepol/handle.h>
+
+struct sepol_bool;
+struct sepol_bool_key;
+typedef struct sepol_bool sepol_bool_t;
+typedef struct sepol_bool_key sepol_bool_key_t;
+
+/* Key */
+extern int sepol_bool_key_create(sepol_handle_t * handle,
+				 const char *name, sepol_bool_key_t ** key);
+
+extern void sepol_bool_key_unpack(const sepol_bool_key_t * key,
+				  const char **name);
+
+extern int sepol_bool_key_extract(sepol_handle_t * handle,
+				  const sepol_bool_t * boolean,
+				  sepol_bool_key_t ** key_ptr);
+
+extern void sepol_bool_key_free(sepol_bool_key_t * key);
+
+extern int sepol_bool_compare(const sepol_bool_t * boolean,
+			      const sepol_bool_key_t * key);
+
+extern int sepol_bool_compare2(const sepol_bool_t * boolean,
+			       const sepol_bool_t * boolean2);
+
+/* Name */
+extern const char *sepol_bool_get_name(const sepol_bool_t * boolean);
+
+extern int sepol_bool_set_name(sepol_handle_t * handle,
+			       sepol_bool_t * boolean, const char *name);
+
+/* Value */
+extern int sepol_bool_get_value(const sepol_bool_t * boolean);
+
+extern void sepol_bool_set_value(sepol_bool_t * boolean, int value);
+
+/* Create/Clone/Destroy */
+extern int sepol_bool_create(sepol_handle_t * handle, sepol_bool_t ** bool_ptr);
+
+extern int sepol_bool_clone(sepol_handle_t * handle,
+			    const sepol_bool_t * boolean,
+			    sepol_bool_t ** bool_ptr);
+
+extern void sepol_bool_free(sepol_bool_t * boolean);
+
+#endif
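Review bot: `sepol_bool_compare()` and `sepol_bool_compare2()` are declared without any comment on what their `int` result means (ordering as in strcmp, or only equal/not equal), and `sepol_bool_set_value()` accepts any `int` without stating which values are valid for a boolean. A one-line comment on each would let callers use them without reading the implementation.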

include/sepol/booleans.h

+#ifndef _SEPOL_BOOLEANS_H_
+#define _SEPOL_BOOLEANS_H_
+
+#include <stddef.h>
+#include <sepol/policydb.h>
+#include <sepol/boolean_record.h>
+#include <sepol/handle.h>
+
+/*--------------compatibility--------------*/
+
+/* Given an existing binary policy (starting at 'data', with length 'len')
+   and a boolean configuration file named by 'boolpath', rewrite the binary
+   policy for the boolean settings in the boolean configuration file.
+   The binary policy is rewritten in place in memory.
+   Returns 0 upon success, or -1 otherwise. */
+extern int sepol_genbools(void *data, size_t len, char *boolpath);
+
+/* Given an existing binary policy (starting at 'data', with length 'len')
+   and boolean settings specified by the parallel arrays ('names', 'values')
+   with 'nel' elements, rewrite the binary policy for the boolean settings.
+   The binary policy is rewritten in place in memory.
+   Returns 0 upon success or -1 otherwise. */
+extern int sepol_genbools_array(void *data, size_t len,
+				char **names, int *values, int nel);
+/*---------------end compatbility------------*/
+
+/* Set the specified boolean */
+extern int sepol_bool_set(sepol_handle_t * handle,
+			  sepol_policydb_t * policydb,
+			  const sepol_bool_key_t * key,
+			  const sepol_bool_t * data);
+
+/* Return the number of booleans */
+extern int sepol_bool_count(sepol_handle_t * handle,
+			    const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if the specified boolean exists */
+extern int sepol_bool_exists(sepol_handle_t * handle,
+			     const sepol_policydb_t * policydb,
+			     const sepol_bool_key_t * key, int *response);
+
+/* Query a boolean - returns the boolean, or NULL if not found */
+extern int sepol_bool_query(sepol_handle_t * handle,
+			    const sepol_policydb_t * p,
+			    const sepol_bool_key_t * key,
+			    sepol_bool_t ** response);
+
+/* Iterate the booleans
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_bool_iterate(sepol_handle_t * handle,
+			      const sepol_policydb_t * policydb,
+			      int (*fn) (const sepol_bool_t * boolean,
+					 void *fn_arg), void *arg);
+
+#endif
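Review bot: the comment on `sepol_bool_query()` says it "returns the boolean, or NULL if not found", but the function returns `int` and the record comes back through `response`. Reword it to state the return codes, that `*response` is what becomes NULL when the key is absent, and whether the caller must release the record with `sepol_bool_free()`. In the compatibility block, `boolpath` and `names` are non-const `char *` / `char **` although the comments describe them as inputs, and the closing marker misspells "compatibility".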

include/sepol/context.h

+#ifndef _SEPOL_CONTEXT_H_
+#define _SEPOL_CONTEXT_H_
+
+#include <sepol/context_record.h>
+#include <sepol/policydb.h>
+#include <sepol/handle.h>
+
+/* -- Deprecated -- */
+
+extern int sepol_check_context(const char *context);
+
+/* -- End deprecated -- */
+
+extern int sepol_context_check(sepol_handle_t * handle,
+			       const sepol_policydb_t * policydb,
+			       const sepol_context_t * context);
+
+extern int sepol_mls_contains(sepol_handle_t * handle,
+			      const sepol_policydb_t * policydb,
+			      const char *mls1,
+			      const char *mls2, int *response);
+
+extern int sepol_mls_check(sepol_handle_t * handle,
+			   const sepol_policydb_t * policydb, const char *mls);
+#endif
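Review bot: `sepol_mls_contains()` takes `mls1` and `mls2` with no comment saying which range is tested for containing the other or what values `*response` takes. Swapping the arguments inverts an MLS containment decision, so document the direction at the declaration. The deprecated `sepol_check_context()` is marked only by a comment; a deprecated attribute under the same `__GNUC__` guard used in debug.h would let the compiler flag remaining callers.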

include/sepol/context_record.h

+#ifndef _SEPOL_CONTEXT_RECORD_H_
+#define _SEPOL_CONTEXT_RECORD_H_
+
+#include <sepol/handle.h>
+
+struct sepol_context;
+typedef struct sepol_context sepol_context_t;
+
+/* We don't need a key, because the context is never stored
+ * in a data collection by itself */
+
+/* User */
+extern const char *sepol_context_get_user(const sepol_context_t * con);
+
+extern int sepol_context_set_user(sepol_handle_t * handle,
+				  sepol_context_t * con, const char *user);
+
+/* Role */
+extern const char *sepol_context_get_role(const sepol_context_t * con);
+
+extern int sepol_context_set_role(sepol_handle_t * handle,
+				  sepol_context_t * con, const char *role);
+
+/* Type */
+extern const char *sepol_context_get_type(const sepol_context_t * con);
+
+extern int sepol_context_set_type(sepol_handle_t * handle,
+				  sepol_context_t * con, const char *type);
+
+/* MLS */
+extern const char *sepol_context_get_mls(const sepol_context_t * con);
+
+extern int sepol_context_set_mls(sepol_handle_t * handle,
+				 sepol_context_t * con, const char *mls_range);
+
+/* Create/Clone/Destroy */
+extern int sepol_context_create(sepol_handle_t * handle,
+				sepol_context_t ** con_ptr);
+
+extern int sepol_context_clone(sepol_handle_t * handle,
+			       const sepol_context_t * con,
+			       sepol_context_t ** con_ptr);
+
+extern void sepol_context_free(sepol_context_t * con);
+
+/* Parse to/from string */
+extern int sepol_context_from_string(sepol_handle_t * handle,
+				     const char *str, sepol_context_t ** con);
+
+extern int sepol_context_to_string(sepol_handle_t * handle,
+				   const sepol_context_t * con, char **str_ptr);
+
+#endif
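Review bot: `sepol_context_to_string()` returns its result through `char **str_ptr` without saying who owns the string or how the caller releases it. Likewise `sepol_context_from_string()` does not say what `*con` holds when parsing fails. Add a line on ownership and on the failure state of the out parameter to the "Parse to/from string" group.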

include/sepol/debug.h

+#ifndef _SEPOL_DEBUG_H_
+#define _SEPOL_DEBUG_H_
+
+#include <sepol/handle.h>
+
+/* Deprecated */
+extern void sepol_debug(int on);
+/* End deprecated */
+
+#define SEPOL_MSG_ERR  1
+#define SEPOL_MSG_WARN 2
+#define SEPOL_MSG_INFO 3
+
+extern int sepol_msg_get_level(sepol_handle_t * handle);
+
+extern const char *sepol_msg_get_channel(sepol_handle_t * handle);
+
+extern const char *sepol_msg_get_fname(sepol_handle_t * handle);
+
+/* Set the messaging callback. 
+ * By the default, the callback will print
+ * the message on standard output, in a 
+ * particular format. Passing NULL here
+ * indicates that messaging should be suppressed */
+extern void sepol_msg_set_callback(sepol_handle_t * handle,
+#ifdef __GNUC__
+				   __attribute__ ((format(printf, 3, 4)))
+#endif
+				   void (*msg_callback) (void *varg,
+							 sepol_handle_t *
+							 handle,
+							 const char *fmt, ...),
+				   void *msg_callback_arg);
+#endif
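Review bot: the `format(printf, 3, 4)` attribute in `sepol_msg_set_callback()` sits inside the parameter list, ahead of the function-pointer parameter and under `#ifdef __GNUC__`, which makes it easy to misread as applying to `sepol_msg_set_callback` itself. A named typedef for the callback type that carries the attribute would be clearer and reusable. The comment should also state that `fmt` is a printf-style format that the callback expands with the `...` arguments, and "By the default" should read "By default".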

include/sepol/errcodes.h

+/* Author: Karl MacMillan <kmacmillan@mentalrootkit.com> */
+
+#ifndef __sepol_errno_h__
+#define __sepol_errno_h__
+
+#include <errno.h>
+
+#define SEPOL_OK             0
+
+/* These first error codes are defined for compatibility with
+ * previous version of libsepol. In the future, custome error
+ * codes that don't map to system error codes should be defined
+ * outside of the range of system error codes.
+ */
+#define SEPOL_ERR            -1
+#define SEPOL_ENOTSUP        -2  /* feature not supported in module language */
+#define SEPOL_EREQ           -3  /* requirements not met */
+
+/* Error codes that map to system error codes */
+#define SEPOL_ENOMEM         -ENOMEM
+#define SEPOL_ERANGE         -ERANGE
+#define SEPOL_EEXIST         -EEXIST
+#define SEPOL_ENOENT         -ENOENT
+
+#endif
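Review bot: `SEPOL_ENOTSUP` is defined as -2 and `SEPOL_ENOENT` as `-ENOENT`, which is also -2 on Linux, so a caller cannot tell "feature not supported in module language" from "no such entry". `SEPOL_ERR` (-1) and `SEPOL_EREQ` (-3) likewise fall on `-EPERM` and `-ESRCH`. The comment gives the compatibility reason, but it should name the overlap explicitly so callers do not switch on these values as if they were distinct. The guard `__sepol_errno_h__` matches neither the file name errcodes.h nor the `_SEPOL_*_H_` pattern of the other headers, and "custome" is a typo.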

include/sepol/handle.h

+#ifndef _SEPOL_HANDLE_H_
+#define _SEPOL_HANDLE_H_
+
+struct sepol_handle;
+typedef struct sepol_handle sepol_handle_t;
+
+/* Create and return a sepol handle. */
+sepol_handle_t *sepol_handle_create(void);
+
+/* Get whether or not dontaudits will be disabled, same values as
+ * specified by set_disable_dontaudit. This value reflects the state
+ * your system will be set to upon commit, not necessarily its
+ * current state.*/
+int sepol_get_disable_dontaudit(sepol_handle_t * sh);
+
+/* Set whether or not to disable dontaudits, 0 is default and does 
+ * not disable dontaudits, 1 disables them */
+void sepol_set_disable_dontaudit(sepol_handle_t * sh, int disable_dontaudit);
+
+/* Set whether module_expand() should consume the base policy passed in.
+ * This should reduce the amount of memory required to expand the policy. */
+void sepol_set_expand_consume_base(sepol_handle_t * sh, int consume_base);
+
+/* Destroy a sepol handle. */
+void sepol_handle_destroy(sepol_handle_t *);
+
+#endif
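Review bot: `sepol_handle_create()` is documented only as "Create and return a sepol handle", with no statement of what it returns on failure. Say what the failure value is so callers know to check it before passing the handle to the other functions. The comment on `sepol_set_expand_consume_base()` refers to `module_expand()`, whereas the ChangeLog in this commit names the function `expand_module()`. The declarations here also omit the `extern` used in the other headers shown.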

include/sepol/iface_record.h

+#ifndef _SEPOL_IFACE_RECORD_H_
+#define _SEPOL_IFACE_RECORD_H_
+
+#include <sepol/handle.h>
+#include <sepol/context_record.h>
+
+struct sepol_iface;
+struct sepol_iface_key;
+typedef struct sepol_iface sepol_iface_t;
+typedef struct sepol_iface_key sepol_iface_key_t;
+
+/* Key */
+extern int sepol_iface_compare(const sepol_iface_t * iface,
+			       const sepol_iface_key_t * key);
+
+extern int sepol_iface_compare2(const sepol_iface_t * iface,
+				const sepol_iface_t * iface2);
+
+extern void sepol_iface_key_unpack(const sepol_iface_key_t * key,
+				   const char **name);
+
+extern int sepol_iface_key_create(sepol_handle_t * handle,
+				  const char *name,
+				  sepol_iface_key_t ** key_ptr);
+
+extern int sepol_iface_key_extract(sepol_handle_t * handle,
+				   const sepol_iface_t * iface,
+				   sepol_iface_key_t ** key_ptr);
+
+extern void sepol_iface_key_free(sepol_iface_key_t * key);
+
+/* Name */
+extern const char *sepol_iface_get_name(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_name(sepol_handle_t * handle,
+				sepol_iface_t * iface, const char *name);
+
+/* Context */
+extern sepol_context_t *sepol_iface_get_ifcon(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_ifcon(sepol_handle_t * handle,
+				 sepol_iface_t * iface, sepol_context_t * con);
+
+extern sepol_context_t *sepol_iface_get_msgcon(const sepol_iface_t * iface);
+
+extern int sepol_iface_set_msgcon(sepol_handle_t * handle,
+				  sepol_iface_t * iface, sepol_context_t * con);
+
+/* Create/Clone/Destroy */
+extern int sepol_iface_create(sepol_handle_t * handle,
+			      sepol_iface_t ** iface_ptr);
+
+extern int sepol_iface_clone(sepol_handle_t * handle,
+			     const sepol_iface_t * iface,
+			     sepol_iface_t ** iface_ptr);
+
+extern void sepol_iface_free(sepol_iface_t * iface);
+
+#endif
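Review bot: `sepol_iface_get_ifcon()` and `sepol_iface_get_msgcon()` take a `const sepol_iface_t *` but return a non-const `sepol_context_t *`. If that pointer refers to the interface's own context, a caller can modify a record it only holds as const. Return `const sepol_context_t *`, or document that a copy is returned. `sepol_iface_set_ifcon()` and `sepol_iface_set_msgcon()` take a non-const `con` without saying whether it is cloned or ownership passes to the interface, which decides whether the caller may still free it.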

include/sepol/interfaces.h

+#ifndef __SEPOL_INTERFACES_H_
+#define __SEPOL_INTERFACES_H_
+
+#include <sepol/policydb.h>
+#include <sepol/iface_record.h>
+#include <sepol/handle.h>
+
+/* Return the number of interfaces */
+extern int sepol_iface_count(sepol_handle_t * handle,
+			     const sepol_policydb_t * policydb,
+			     unsigned int *response);
+
+/* Check if an interface exists */
+extern int sepol_iface_exists(sepol_handle_t * handle,
+			      const sepol_policydb_t * policydb,
+			      const sepol_iface_key_t * key, int *response);
+
+/* Query an interface - returns the interface, 
+ * or NULL if not found */
+extern int sepol_iface_query(sepol_handle_t * handle,
+			     const sepol_policydb_t * policydb,
+			     const sepol_iface_key_t * key,
+			     sepol_iface_t ** response);
+
+/* Modify an interface, or add it, if the key
+ * is not found */
+extern int sepol_iface_modify(sepol_handle_t * handle,
+			      sepol_policydb_t * policydb,
+			      const sepol_iface_key_t * key,
+			      const sepol_iface_t * data);
+
+/* Iterate the interfaces
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_iface_iterate(sepol_handle_t * handle,
+			       const sepol_policydb_t * policydb,
+			       int (*fn) (const sepol_iface_t * iface,
+					  void *fn_arg), void *arg);
+
+#endif
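Review bot: the include guard `__SEPOL_INTERFACES_H_` starts with two underscores, unlike the `_SEPOL_*_H_` guards in the sibling headers; align it with them. The -1/1/0 contract for the `sepol_iface_iterate()` handler is spelled out, but not what `sepol_iface_iterate()` itself returns when the handler stops early with 1 as opposed to failing with -1.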

include/sepol/module.h

+#ifndef _SEPOL_MODULE_H_
+#define _SEPOL_MODULE_H_
+
+#include <stddef.h>
+#include <stdio.h>
+#include <stdint.h>
+
+#include <sepol/handle.h>
+#include <sepol/policydb.h>
+
+struct sepol_module_package;
+typedef struct sepol_module_package sepol_module_package_t;
+
+/* Module package public interfaces. */
+
+extern int sepol_module_package_create(sepol_module_package_t ** p);
+
+extern void sepol_module_package_free(sepol_module_package_t * p);
+
+extern char *sepol_module_package_get_file_contexts(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_file_contexts_len(sepol_module_package_t
+							 * p);
+
+extern int sepol_module_package_set_file_contexts(sepol_module_package_t * p,
+						  char *data, size_t len);
+
+extern char *sepol_module_package_get_seusers(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_seusers_len(sepol_module_package_t * p);
+
+extern int sepol_module_package_set_seusers(sepol_module_package_t * p,
+					    char *data, size_t len);
+
+extern char *sepol_module_package_get_user_extra(sepol_module_package_t * p);
+
+extern size_t sepol_module_package_get_user_extra_len(sepol_module_package_t *
+						      p);
+
+extern int sepol_module_package_set_user_extra(sepol_module_package_t * p,
+					       char *data, size_t len);
+
+extern char *sepol_module_package_get_netfilter_contexts(sepol_module_package_t
+							 * p);
+
+extern size_t
+sepol_module_package_get_netfilter_contexts_len(sepol_module_package_t * p);
+
+extern int sepol_module_package_set_netfilter_contexts(sepol_module_package_t *
+						       p, char *data,
+						       size_t len);
+
+extern sepol_policydb_t *sepol_module_package_get_policy(sepol_module_package_t
+							 * p);
+
+extern int sepol_link_packages(sepol_handle_t * handle,
+			       sepol_module_package_t * base,
+			       sepol_module_package_t ** modules,
+			       int num_modules, int verbose);
+
+extern int sepol_module_package_read(sepol_module_package_t * mod,
+				     struct sepol_policy_file *file,
+				     int verbose);
+
+extern int sepol_module_package_info(struct sepol_policy_file *file,
+				     int *type, char **name, char **version);
+
+extern int sepol_module_package_write(sepol_module_package_t * p,
+				      struct sepol_policy_file *file);
+
+/* Module linking/expanding public interfaces. */
+
+extern int sepol_link_modules(sepol_handle_t * handle,
+			      sepol_policydb_t * base,
+			      sepol_policydb_t ** modules,
+			      size_t len, int verbose);
+
+extern int sepol_expand_module(sepol_handle_t * handle,
+			       sepol_policydb_t * base,
+			       sepol_policydb_t * out, int verbose, int check);
+
+#endif
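
Review bot: sepol_link_packages() takes the module count as int num_modules while sepol_link_modules() takes size_t len for the same kind of array. A signed count lets a negative value through the prototype, so use size_t in both, or document that num_modules must be >= 0 and is rejected otherwise. The sepol_module_package_set_*() functions also take char *data rather than const char *data, with no note on whether the buffer is copied. The getters return a bare char * with a separate _len call. State whether that data is NUL-terminated and who owns it, since callers will otherwise treat it as a C string.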

include/sepol/node_record.h

+#ifndef _SEPOL_NODE_RECORD_H_
+#define _SEPOL_NODE_RECORD_H_
+
+#include <stddef.h>
+#include <sepol/context_record.h>
+#include <sepol/handle.h>
+
+struct sepol_node;
+struct sepol_node_key;
+typedef struct sepol_node sepol_node_t;
+typedef struct sepol_node_key sepol_node_key_t;
+
+#define SEPOL_PROTO_IP4 0
+#define SEPOL_PROTO_IP6 1
+
+/* Key */
+extern int sepol_node_compare(const sepol_node_t * node,
+			      const sepol_node_key_t * key);
+
+extern int sepol_node_compare2(const sepol_node_t * node,
+			       const sepol_node_t * node2);
+
+extern int sepol_node_key_create(sepol_handle_t * handle,
+				 const char *addr,
+				 const char *mask,
+				 int proto, sepol_node_key_t ** key_ptr);
+
+extern void sepol_node_key_unpack(const sepol_node_key_t * key,
+				  const char **addr,
+				  const char **mask, int *proto);
+
+extern int sepol_node_key_extract(sepol_handle_t * handle,
+				  const sepol_node_t * node,
+				  sepol_node_key_t ** key_ptr);
+
+extern void sepol_node_key_free(sepol_node_key_t * key);
+
+/* Address */
+extern int sepol_node_get_addr(sepol_handle_t * handle,
+			       const sepol_node_t * node, char **addr);
+
+extern int sepol_node_get_addr_bytes(sepol_handle_t * handle,
+				     const sepol_node_t * node,
+				     char **addr, size_t * addr_sz);
+
+extern int sepol_node_set_addr(sepol_handle_t * handle,
+			       sepol_node_t * node,
+			       int proto, const char *addr);
+
+extern int sepol_node_set_addr_bytes(sepol_handle_t * handle,
+				     sepol_node_t * node,
+				     const char *addr, size_t addr_sz);
+
+/* Netmask */
+extern int sepol_node_get_mask(sepol_handle_t * handle,
+			       const sepol_node_t * node, char **mask);
+
+extern int sepol_node_get_mask_bytes(sepol_handle_t * handle,
+				     const sepol_node_t * node,
+				     char **mask, size_t * mask_sz);
+
+extern int sepol_node_set_mask(sepol_handle_t * handle,
+			       sepol_node_t * node,
+			       int proto, const char *mask);
+
+extern int sepol_node_set_mask_bytes(sepol_handle_t * handle,
+				     sepol_node_t * node,
+				     const char *mask, size_t mask_sz);
+
+/* Protocol */
+extern int sepol_node_get_proto(const sepol_node_t * node);
+
+extern void sepol_node_set_proto(sepol_node_t * node, int proto);
+
+extern const char *sepol_node_get_proto_str(int proto);
+
+/* Context */
+extern sepol_context_t *sepol_node_get_con(const sepol_node_t * node);
+
+extern int sepol_node_set_con(sepol_handle_t * handle,
+			      sepol_node_t * node, sepol_context_t * con);
+
+/* Create/Clone/Destroy */
+extern int sepol_node_create(sepol_handle_t * handle, sepol_node_t ** node_ptr);
+
+extern int sepol_node_clone(sepol_handle_t * handle,
+			    const sepol_node_t * node,
+			    sepol_node_t ** node_ptr);
+
+extern void sepol_node_free(sepol_node_t * node);
+
+#endif
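
Review bot: sepol_node_set_addr_bytes() and sepol_node_set_mask_bytes() accept const char *addr with a caller-supplied size_t addr_sz but no proto argument, and the header does not say which sizes are accepted or how the size relates to SEPOL_PROTO_IP4 / SEPOL_PROTO_IP6. Document the valid lengths and the error returned for any other value, so a reviewer of the implementation knows what bound it must enforce before copying. The getters that fill char **addr / char **mask should also say that the caller frees the result. Raw address bytes would read more clearly as unsigned char or uint8_t than as char.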

include/sepol/nodes.h

+#ifndef _SEPOL_NODES_H_
+#define _SEPOL_NODES_H_
+
+#include <sepol/handle.h>
+#include <sepol/policydb.h>
+#include <sepol/node_record.h>
+
+/* Return the number of nodes */
+extern int sepol_node_count(sepol_handle_t * handle,
+			    const sepol_policydb_t * p, unsigned int *response);
+
+/* Check if a node exists */
+extern int sepol_node_exists(sepol_handle_t * handle,
+			     const sepol_policydb_t * policydb,
+			     const sepol_node_key_t * key, int *response);
+
+/* Query a node - returns the node, or NULL if not found */
+extern int sepol_node_query(sepol_handle_t * handle,
+			    const sepol_policydb_t * policydb,
+			    const sepol_node_key_t * key,
+			    sepol_node_t ** response);
+
+/* Modify a node, or add it, if the key is not found */
+extern int sepol_node_modify(sepol_handle_t * handle,
+			     sepol_policydb_t * policydb,
+			     const sepol_node_key_t * key,
+			     const sepol_node_t * data);
+
+/* Iterate the nodes 
+ * The handler may return:
+ * -1 to signal an error condition,
+ * 1 to signal successful exit
+ * 0 to signal continue */
+
+extern int sepol_node_iterate(sepol_handle_t * handle,
+			      const sepol_policydb_t * policydb,
+			      int (*fn) (const sepol_node_t * node,
+					 void *fn_arg), void *arg);
+
+#endif
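
Review bot: the comment on sepol_node_query() says it "returns the node, or NULL if not found", but the function returns int and delivers the node through sepol_node_t **response. Reword it to say what the int return means, that *response is set to NULL on a miss, and whether the caller must release a hit with sepol_node_free(). The same wording appears on sepol_iface_query() in interfaces.h. Minor: sepol_node_count() names the policydb parameter p where every other prototype in this file uses policydb.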

include/sepol/policydb.h

+#ifndef _SEPOL_POLICYDB_H_
+#define _SEPOL_POLICYDB_H_
+
+#include <stddef.h>
+#include <stdio.h>
+
+#include <sepol/handle.h>
+
+struct sepol_policy_file;
+typedef struct sepol_policy_file sepol_policy_file_t;
+
+struct sepol_policydb;
+typedef struct sepol_policydb sepol_policydb_t;
+
+/* Policy file public interfaces. */
+
+/* Create and free memory associated with a policy file. */
+extern int sepol_policy_file_create(sepol_policy_file_t ** pf);
+extern void sepol_policy_file_free(sepol_policy_file_t * pf);
+
+/*
+ * Set the policy file to represent a binary policy memory image.
+ * Subsequent operations using the policy file will read and write
+ * the image located at the specified address with the specified length.
+ * If 'len' is 0, then merely compute the necessary length upon  
+ * subsequent policydb write operations in order to determine the
+ * necessary buffer size to allocate.
+ */
+extern void sepol_policy_file_set_mem(sepol_policy_file_t * pf,
+				      char *data, size_t len);
+
+/*
+ * Get the size of the buffer needed to store a policydb write
+ * previously done on this policy file.
+ */
+extern int sepol_policy_file_get_len(sepol_policy_file_t * pf, size_t * len);
+
+/*
+ * Set the policy file to represent a FILE.
+ * Subsequent operations using the policy file will read and write
+ * to the FILE.
+ */
+extern void sepol_policy_file_set_fp(sepol_policy_file_t * pf, FILE * fp);
+
+/*
+ * Associate a handle with a policy file, for use in
+ * error reporting from subsequent calls that take the
+ * policy file as an argument.
+ */
+extern void sepol_policy_file_set_handle(sepol_policy_file_t * pf,
+					 sepol_handle_t * handle);
+
+/* Policydb public interfaces. */
+
+/* Create and free memory associated with a policydb. */
+extern int sepol_policydb_create(sepol_policydb_t ** p);
+extern void sepol_policydb_free(sepol_policydb_t * p);
+
+/* Legal types of policies that the policydb can represent. */
+#define SEPOL_POLICY_KERN	0
+#define SEPOL_POLICY_BASE	1
+#define SEPOL_POLICY_MOD	2
+
+/*
+ * Range of policy versions for the kernel policy type supported
+ * by this library.
+ */
+extern int sepol_policy_kern_vers_min(void);
+extern int sepol_policy_kern_vers_max(void);
+
+/*
+ * Set the policy type as specified, and automatically initialize the
+ * policy version accordingly to the maximum version supported for the
+ * policy type.  
+ * Returns -1 if the policy type is not legal.
+ */
+extern int sepol_policydb_set_typevers(sepol_policydb_t * p, unsigned int type);
+
+/*
+ * Set the policy version to a different value.
+ * Returns -1 if the policy version is not in the supported range for
+ * the (previously set) policy type.
+ */
+extern int sepol_policydb_set_vers(sepol_policydb_t * p, unsigned int vers);
+
+/* Set how to handle unknown class/perms. */
+#define SEPOL_DENY_UNKNOWN	    0
+#define SEPOL_REJECT_UNKNOWN	    2
+#define SEPOL_ALLOW_UNKNOWN	    4
+extern int sepol_policydb_set_handle_unknown(sepol_policydb_t * p,
+					     unsigned int handle_unknown);
+
+/* 
+ * Read a policydb from a policy file.
+ * This automatically sets the type and version based on the 
+ * image contents.
+ */
+extern int sepol_policydb_read(sepol_policydb_t * p, sepol_policy_file_t * pf);
+
+/*
+ * Write a policydb to a policy file.
+ * The generated image will be in the binary format corresponding 
+ * to the policy version associated with the policydb.
+ */
+extern int sepol_policydb_write(sepol_policydb_t * p, sepol_policy_file_t * pf);
+
+/*
+ * Extract a policydb from a binary policy memory image.  
+ * This is equivalent to sepol_policydb_read with a policy file
+ * set to refer to memory.
+ */
+extern int sepol_policydb_from_image(sepol_handle_t * handle,
+				     void *data, size_t len,
+				     sepol_policydb_t * p);
+
+/*
+ * Generate a binary policy memory image from a policydb.  
+ * This is equivalent to sepol_policydb_write with a policy file
+ * set to refer to memory, but internally handles computing the 
+ * necessary length and allocating an appropriately sized memory
+ * buffer for the caller.  
+ */
+extern int sepol_policydb_to_image(sepol_handle_t * handle,
+				   sepol_policydb_t * p,
+				   void **newdata, size_t * newlen);
+
+/* 
+ * Check whether the policydb has MLS enabled.
+ */
+extern int sepol_policydb_mls_enabled(const sepol_policydb_t * p);
+
+/*
+ * Check whether the compatibility mode for SELinux network
+ * checks should be enabled when using this policy.
+ */
+extern int sepol_policydb_compat_net(const sepol_policydb_t * p);
+
+#endif
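
Review bot: sepol_policydb_to_image() hands back an allocated buffer through void **newdata, but the comment does not say how the caller releases it, and sepol_policydb_from_image() takes a non-const void *data without saying whether the image must stay valid for the lifetime of p. Both functions sit on the boundary where a binary policy image enters or leaves the library, so spell out the buffer ownership and lifetime here. The SEPOL_*_UNKNOWN values are 0, 2 and 4, and sepol_policydb_set_handle_unknown() takes a plain unsigned int. The comment should state that any other value is rejected and what is returned in that case.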

include/sepol/policydb/avrule_block.h

+/* Authors: Jason Tang <jtang@tresys.com>
+ *
+ * Copyright (C) 2005 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your op