libselinux: Move everything to /usr.

[people/amarx/ipfire-3.x.git] / libselinux / patches / libselinux-rhat.patch2

diff --git a/libselinux/Makefile b/libselinux/Makefile
index 9feaf94..fd4f0b1 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,3 +1,5 @@
+SUBDIRS = src include utils man
+
 DISABLE_AVC ?= n
 DISABLE_SETRANS ?= n
 DISABLE_RPM ?= n
@@ -19,41 +21,24 @@ ifeq ($(DISABLE_SETRANS),y)
 endif
 export DISABLE_AVC DISABLE_SETRANS DISABLE_RPM DISABLE_BOOL EMFLAGS
 
-all: 
-	$(MAKE) -C src 
-	$(MAKE) -C utils
+all install relabel clean distclean indent:
+	@for subdir in $(SUBDIRS); do \
+		(cd $$subdir && $(MAKE) $@) || exit 1; \
+	done
 
 swigify: all
-	$(MAKE) -C src swigify
+	$(MAKE) -C src swigify $@
 
 pywrap: 
-	$(MAKE) -C src pywrap
+	$(MAKE) -C src pywrap $@
 
 rubywrap: 
-	$(MAKE) -C src rubywrap
-
-install: 
-	$(MAKE) -C include install
-	$(MAKE) -C src install
-	$(MAKE) -C utils install
-	$(MAKE) -C man install
+	$(MAKE) -C src rubywrap $@
 
 install-pywrap: 
-	$(MAKE) -C src install-pywrap 
+	$(MAKE) -C src install-pywrap $@
 
 install-rubywrap: 
-	$(MAKE) -C src install-rubywrap 
-
-relabel: 
-	$(MAKE) -C src relabel
-
-clean distclean:
-	$(MAKE) -C src $@
-	$(MAKE) -C utils clean
-
-indent:
-	$(MAKE) -C src $@
-	$(MAKE) -C utils $@
-	$(MAKE) -C include $@
+	$(MAKE) -C src install-rubywrap $@
 
 test:
diff --git a/libselinux/include/Makefile b/libselinux/include/Makefile
index 09bcea3..dd264d0 100644
--- a/libselinux/include/Makefile
+++ b/libselinux/include/Makefile
@@ -11,3 +11,6 @@ install: all
 indent:
 	../../scripts/Lindent $(wildcard selinux/*.h)
 
+distclean clean:
+	-rm -f selinux/*~
+
diff --git a/libselinux/include/selinux/avc.h b/libselinux/include/selinux/avc.h
index da18e41..87a2b12 100644
--- a/libselinux/include/selinux/avc.h
+++ b/libselinux/include/selinux/avc.h
@@ -130,7 +130,11 @@ struct avc_memory_callback {
 
 struct avc_log_callback {
 	/* log the printf-style format and arguments. */
-	void (*func_log) (const char *fmt, ...);
+	void
+#ifdef __GNUC__
+__attribute__ ((format(printf, 1, 2)))
+#endif
+	(*func_log) (const char *fmt, ...);
 	/* store a string representation of auditdata (corresponding
 	   to the given security class) into msgbuf. */
 	void (*func_audit) (void *auditdata, security_class_t cls,
diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index 1a54307..f6eeb21 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -46,8 +46,10 @@ struct selabel_handle;
 #define SELABEL_OPT_PATH	3
 /* select a subset of the search space as an optimization (file backend) */
 #define SELABEL_OPT_SUBSET	4
+/* like subset, but an array of subsets */
+#define SELABEL_OPT_PREFIXES	5
 /* total number of options */
-#define SELABEL_NOPT		5
+#define SELABEL_NOPT		6
 
 /*
  * Label operations
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 2985f6f..e0b2dd4 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -139,7 +139,10 @@ struct av_decision {
 /* Structure for passing options, used by AVC and label subsystems */
 struct selinux_opt {
 	int type;
-	const char *value;
+	union {
+		const char *value;
+		const char **values;
+	};
 };
 
 /* Callback facilities */
@@ -410,6 +413,11 @@ extern int matchpathcon_init(const char *path);
    regexes that have stems that are prefixes of 'prefix'. */
 extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 
+/* Same as matchpathcon_init, but only load entries with
+ * regexes that have stems that are prefixes of the 'prefixes'
+ * array of entries.  The last entry must be NULL. */
+extern int matchpathcon_init_prefixes(const char *patch, const char **prefixes);
+
 /* Free the memory allocated by matchpathcon_init. */
 extern void matchpathcon_fini(void);
 
@@ -537,7 +545,7 @@ extern int selinux_check_securetty_context(const security_context_t tty_context)
    Normally, this is determined automatically during libselinux 
    initialization, but this is not always possible, e.g. for /sbin/init
    which performs the initial mount of selinuxfs. */
-void set_selinuxmnt(char *mnt);
+void set_selinuxmnt(const char *mnt);
 
 /* Check if selinuxfs exists as a kernel filesystem */
 int selinuxfs_exists(void);
diff --git a/libselinux/man/Makefile b/libselinux/man/Makefile
index a20a5d1..a53c4ad 100644
--- a/libselinux/man/Makefile
+++ b/libselinux/man/Makefile
@@ -13,3 +13,4 @@ install: all
 	install -m 644 man5/*.5 $(MAN5DIR)
 	install -m 644 man8/*.8 $(MAN8DIR)
 
+indent distclean clean:
diff --git a/libselinux/man/man3/matchpathcon.3 b/libselinux/man/man3/matchpathcon.3
index cdbb252..b6814ed 100644
--- a/libselinux/man/man3/matchpathcon.3
+++ b/libselinux/man/man3/matchpathcon.3
@@ -8,7 +8,9 @@ matchpathcon, matchpathcon_index \- get the default SELinux security context for
 
 .BI "int matchpathcon_init(const char *" path ");"
 
-.BI "int matchpathcon_init_prefix(const char *" path ", const char *" subset ");"
+.BI "int matchpathcon_init_prefix(const char *" path ", const char *" prefix ");"
+
+.BI "int matchpathcon_init_prefixes(const char *" path ", const char **" prefixes ");"
 
 .BI "int matchpathcon_fini(void);"
 .sp
@@ -50,6 +52,14 @@ by
 .I prefix.
 
 .sp
+.B matchpathcon_init_prefixes
+is the same as
+.B matchpathcon_init_prefix
+but takes an array of
+.I prefixes
+instead of a single prefix.  The last entry in the array must be NULL.
+
+.sp
 .B matchpathcon_fini
 frees the memory allocated by a prior call to
 .B matchpathcon_init.
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 8674e37..fc5b120 100644
--- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3
@@ -37,8 +37,11 @@ structures of length
 .ta 4n 16n 24n
 .nf
 struct selinux_opt {
-	int	type;
-	const char	*value;
+	int type;
+	union {
+		const char *value;
+		const char **values;
+	};
 };
 .fi
 .ta
@@ -66,6 +69,13 @@ A non-null value for this option enables context validation.  By default,
 is used; a custom validation function can be provided via
 .BR selinux_set_callback (3).
 Note that an invalid context may not be treated as an error unless it is actually encountered during a lookup operation.
+.TP
+.B SELABEL_OPT_SUBSET
+A ":" separates string of path prefixes that tell the system to only loads entries with regular expressions that could match this strings. For example "/dev:/var/run:/tmp".  This option can cause the system to use less memory and work faster, but you should only use paths that begin with a prefix.
+.TP
+.B SELABEL_OPT_PATH
+A string representing an alternate path the the regular expressions.
+.sp
 
 .SH "BACKENDS"
 
@@ -99,4 +109,3 @@ Eamon Walsh <ewalsh@tycho.nsa.gov>
 .BR selabel_stats (3),
 .BR selinux_set_callback (3),
 .BR selinux (8)
-
diff --git a/libselinux/man/man8/selinux.8 b/libselinux/man/man8/selinux.8
index 1fc5b95..9f16f77 100644
--- a/libselinux/man/man8/selinux.8
+++ b/libselinux/man/man8/selinux.8
@@ -12,7 +12,7 @@ enforcement of many kinds of mandatory access control policies,
 including those based on the concepts of Type Enforcement®, Role-
 Based Access Control, and Multi-Level Security.  Background
 information and technical documentation about SELinux can be found at
-http://www.nsa.gov/selinux.
+http://www.nsa.gov/research/selinux.
 
 The
 .I /etc/selinux/config
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 1ddddb0..985842d 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -51,9 +51,29 @@ endif
 GENERATED=$(SWIGCOUT) $(SWIGRUBYCOUT) selinuxswig_python_exception.i
 SRCS= $(filter-out $(UNUSED_SRCS) $(GENERATED) audit2why.c, $(wildcard *.c))
 
+MAX_STACK_SIZE=32768
+
 OBJS= $(patsubst %.c,%.o,$(SRCS))
 LOBJS= $(patsubst %.c,%.lo,$(SRCS))
-CFLAGS ?= -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn -Wmissing-format-attribute
+CFLAGS ?= -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \
+          -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \
+          -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op -Waggregate-return \
+          -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \
+          -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \
+          -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \
+          -Wdisabled-optimization -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat \
+          -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \
+          -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \
+          -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \
+          -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \
+          -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \
+          -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \
+          -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \
+          -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \
+          -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \
+          -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
+          -Werror -Wno-aggregate-return -Wno-redundant-decls
+
 override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $(EMFLAGS)
 RANLIB=ranlib
 
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index 53610e8..f851659 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -20,7 +20,7 @@
 extern void *(*avc_func_malloc) (size_t) hidden;
 extern void (*avc_func_free) (void *)hidden;
 
-extern void (*avc_func_log) (const char *, ...)hidden;
+extern void (*avc_func_log) (const char *, ...) __attribute__((__format__(printf,1,2))) hidden;
 extern void (*avc_func_audit) (void *, security_class_t, char *, size_t)hidden;
 
 extern int avc_using_threads hidden;
diff --git a/libselinux/src/callbacks.c b/libselinux/src/callbacks.c
index b245364..7c47222 100644
--- a/libselinux/src/callbacks.c
+++ b/libselinux/src/callbacks.c
@@ -16,6 +16,7 @@ default_selinux_log(int type __attribute__((unused)), const char *fmt, ...)
 {
 	int rc;
 	va_list ap;
+	if (is_selinux_enabled() == 0) return 0;
 	va_start(ap, fmt);
 	rc = vfprintf(stderr, fmt, ap);
 	va_end(ap);
diff --git a/libselinux/src/get_default_type.c b/libselinux/src/get_default_type.c
index ca3d291..27f2ae5 100644
--- a/libselinux/src/get_default_type.c
+++ b/libselinux/src/get_default_type.c
@@ -27,7 +27,8 @@ int get_default_type(const char *role, char **type)
 static int find_default_type(FILE * fp, const char *role, char **type)
 {
 	char buf[250];
-	char *ptr = "", *end, *t;
+	const char *ptr = "", *end;
+	char *t;
 	size_t len;
 	int found = 0;
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index 00afde7..6d1ef33 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -28,7 +28,7 @@ int obj_class_compat = 1;
    * The file system is read/write
    * then set this as the default file system.
 */
-static int verify_selinuxmnt(char *mnt)
+static int verify_selinuxmnt(const char *mnt)
 {
 	struct statfs sfbuf;
 	int rc;
@@ -139,7 +139,7 @@ void fini_selinuxmnt(void)
 
 hidden_def(fini_selinuxmnt)
 
-void set_selinuxmnt(char *mnt)
+void set_selinuxmnt(const char *mnt)
 {
 	selinux_mnt = strdup(mnt);
 }
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 7bc46cc..82a608c 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -27,6 +27,7 @@
  * Internals, mostly moved over from matchpathcon.c
  */
 
+#define MAX_PREFIX 100
 /* A file security context specification. */
 typedef struct spec {
 	struct selabel_lookup_rec lr;	/* holds contexts for lookup result */
@@ -276,7 +277,7 @@ static int compile_regex(struct saved_data *data, spec_t *spec, char **errbuf)
 
 
 static int process_line(struct selabel_handle *rec,
-			const char *path, const char *prefix,
+			const char *path, const char **prefix_array,
 			char *line_buf, int pass, unsigned lineno)
 {
 	int items, len;
@@ -310,12 +311,24 @@ static int process_line(struct selabel_handle *rec,
 	}
 
 	len = get_stem_from_spec(regex);
-	if (len && prefix && strncmp(prefix, regex, len)) {
-		/* Stem of regex does not match requested prefix, discard. */
-		free(regex);
-		free(type);
-		free(context);
-		return 0;
+	if (len && prefix_array[0]) {
+		int i = 0;
+		int found = 0;
+		while (i < MAX_PREFIX && prefix_array[i]) {
+			if (strncmp(prefix_array[i], regex, len) == 0) {
+				found = 1;
+				break;
+			}
+			i++;
+		}
+
+		if (! found) {
+			/* Stem of regex does not match requested prefix, discard. */
+			free(regex);
+			free(type);
+			free(context);
+			return 0;
+		}
 	}
 
 	if (pass == 1) {
@@ -397,7 +410,8 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 {
 	struct saved_data *data = (struct saved_data *)rec->data;
 	const char *path = NULL;
-	const char *prefix = NULL;
+	const char *static_prefix_array[2] = {NULL, };
+	const char **prefix_array = static_prefix_array;
 	FILE *fp;
 	FILE *localfp = NULL;
 	FILE *homedirfp = NULL;
@@ -418,7 +432,10 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 			path = opts[n].value;
 			break;
 		case SELABEL_OPT_SUBSET:
-			prefix = opts[n].value;
+			static_prefix_array[0] = opts[n].value;
+			break;
+		case SELABEL_OPT_PREFIXES:
+			prefix_array = opts[n].values;
 			break;
 		case SELABEL_OPT_BASEONLY:
 			baseonly = !!opts[n].value;
@@ -481,7 +498,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 		while (getline(&line_buf, &line_len, fp) > 0) {
 			if (data->nspec >= maxnspec)
 				break;
-			status = process_line(rec, path, prefix, line_buf, pass, ++lineno);
+			status = process_line(rec, path, prefix_array, line_buf, pass, ++lineno);
 			if (status)
 				goto finish;
 		}
@@ -497,7 +514,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 			while (getline(&line_buf, &line_len, homedirfp) > 0) {
 				if (data->nspec >= maxnspec)
 					break;
-				status = process_line(rec, homedir_path, prefix, line_buf, pass, ++lineno);
+				status = process_line(rec, homedir_path, prefix_array, line_buf, pass, ++lineno);
 				if (status)
 					goto finish;
 			}
@@ -507,7 +524,7 @@ static int init(struct selabel_handle *rec, struct selinux_opt *opts,
 			while (getline(&line_buf, &line_len, localfp) > 0) {
 				if (data->nspec >= maxnspec)
 					break;
-				status = process_line(rec, local_path, prefix, line_buf, pass, ++lineno);
+				status = process_line(rec, local_path, prefix_array, line_buf, pass, ++lineno);
 				if (status)
 					goto finish;
 			}
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index f569664..10e29b9 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,7 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	char *mntpoint = NULL;
+	const char *mntpoint = NULL;
 	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
 		mntpoint = SELINUXMNT;
 	} else {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 48f7a11..ca87bd2 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
+#include <syslog.h>
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -62,7 +63,7 @@ static void
 {
 	va_list ap;
 	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
+	vsyslog(LOG_ERR, fmt, ap);
 	va_end(ap);
 }
 
@@ -292,6 +293,8 @@ static void matchpathcon_thread_destructor(void __attribute__((unused)) *ptr)
 	matchpathcon_fini();
 }
 
+void __attribute__((destructor)) matchpathcon_lib_destructor(void);
+
 void __attribute__((destructor)) matchpathcon_lib_destructor(void)
 {
 	if (destructor_key_initialized)
@@ -304,7 +307,7 @@ static void matchpathcon_init_once(void)
 		destructor_key_initialized = 1;
 }
 
-int matchpathcon_init_prefix(const char *path, const char *subset)
+int matchpathcon_init_prefixes(const char *path, const char **prefixes)
 {
 	if (!mycanoncon)
 		mycanoncon = default_canoncon;
@@ -312,15 +315,22 @@ int matchpathcon_init_prefix(const char *path, const char *subset)
 	__selinux_once(once, matchpathcon_init_once);
 	__selinux_setspecific(destructor_key, (void *)1);
 
-	options[SELABEL_OPT_SUBSET].type = SELABEL_OPT_SUBSET;
-	options[SELABEL_OPT_SUBSET].value = subset;
+	options[SELABEL_OPT_PREFIXES].type = SELABEL_OPT_PREFIXES;
+	options[SELABEL_OPT_PREFIXES].values = prefixes;
 	options[SELABEL_OPT_PATH].type = SELABEL_OPT_PATH;
 	options[SELABEL_OPT_PATH].value = path;
 
 	hnd = selabel_open(SELABEL_CTX_FILE, options, SELABEL_NOPT);
 	return hnd ? 0 : -1;
 }
+hidden_def(matchpathcon_init_prefixes)
+
+int matchpathcon_init_prefix(const char *path, const char *prefix)
+{
+	const char *prefixes[2] = { prefix, NULL };
 
+	return matchpathcon_init_prefixes(path, prefixes);
+}
 hidden_def(matchpathcon_init_prefix)
 
 int matchpathcon_init(const char *path)
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index f4c33df..f42cb7c 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -246,172 +246,172 @@ static const char *get_path(int idx)
 	return file_paths[idx];
 }
 
-const char *selinux_default_type_path()
+const char *selinux_default_type_path(void)
 {
 	return get_path(DEFAULT_TYPE);
 }
 
 hidden_def(selinux_default_type_path)
 
-const char *selinux_policy_root()
+const char *selinux_policy_root(void)
 {
 	__selinux_once(once, init_selinux_config);
 	return selinux_policyroot;
 }
 
-const char *selinux_path()
+const char *selinux_path(void)
 {
 	return selinux_rootpath;
 }
 
 hidden_def(selinux_path)
 
-const char *selinux_default_context_path()
+const char *selinux_default_context_path(void)
 {
 	return get_path(DEFAULT_CONTEXTS);
 }
 
 hidden_def(selinux_default_context_path)
 
-const char *selinux_securetty_types_path()
+const char *selinux_securetty_types_path(void)
 {
 	return get_path(SECURETTY_TYPES);
 }
 
 hidden_def(selinux_securetty_types_path)
 
-const char *selinux_failsafe_context_path()
+const char *selinux_failsafe_context_path(void)
 {
 	return get_path(FAILSAFE_CONTEXT);
 }
 
 hidden_def(selinux_failsafe_context_path)
 
-const char *selinux_removable_context_path()
+const char *selinux_removable_context_path(void)
 {
 	return get_path(REMOVABLE_CONTEXT);
 }
 
 hidden_def(selinux_removable_context_path)
 
-const char *selinux_binary_policy_path()
+const char *selinux_binary_policy_path(void)
 {
 	return get_path(BINPOLICY);
 }
 
 hidden_def(selinux_binary_policy_path)
 
-const char *selinux_file_context_path()
+const char *selinux_file_context_path(void)
 {
 	return get_path(FILE_CONTEXTS);
 }
 
 hidden_def(selinux_file_context_path)
 
-const char *selinux_homedir_context_path()
+const char *selinux_homedir_context_path(void)
 {
 	return get_path(HOMEDIR_CONTEXTS);
 }
 
 hidden_def(selinux_homedir_context_path)
 
-const char *selinux_media_context_path()
+const char *selinux_media_context_path(void)
 {
 	return get_path(MEDIA_CONTEXTS);
 }
 
 hidden_def(selinux_media_context_path)
 
-const char *selinux_customizable_types_path()
+const char *selinux_customizable_types_path(void)
 {
 	return get_path(CUSTOMIZABLE_TYPES);
 }
 
 hidden_def(selinux_customizable_types_path)
 
-const char *selinux_contexts_path()
+const char *selinux_contexts_path(void)
 {
 	return get_path(CONTEXTS_DIR);
 }
 
-const char *selinux_user_contexts_path()
+const char *selinux_user_contexts_path(void)
 {
 	return get_path(USER_CONTEXTS);
 }
 
 hidden_def(selinux_user_contexts_path)
 
-const char *selinux_booleans_path()
+const char *selinux_booleans_path(void)
 {
 	return get_path(BOOLEANS);
 }
 
 hidden_def(selinux_booleans_path)
 
-const char *selinux_users_path()
+const char *selinux_users_path(void)
 {
 	return get_path(USERS_DIR);
 }
 
 hidden_def(selinux_users_path)
 
-const char *selinux_usersconf_path()
+const char *selinux_usersconf_path(void)
 {
 	return get_path(SEUSERS);
 }
 
 hidden_def(selinux_usersconf_path)
 
-const char *selinux_translations_path()
+const char *selinux_translations_path(void)
 {
 	return get_path(TRANSLATIONS);
 }
 
 hidden_def(selinux_translations_path)
 
-const char *selinux_colors_path()
+const char *selinux_colors_path(void)
 {
 	return get_path(COLORS);
 }
 
 hidden_def(selinux_colors_path)
 
-const char *selinux_netfilter_context_path()
+const char *selinux_netfilter_context_path(void)
 {
 	return get_path(NETFILTER_CONTEXTS);
 }
 
 hidden_def(selinux_netfilter_context_path)
 
-const char *selinux_file_context_homedir_path()
+const char *selinux_file_context_homedir_path(void)
 {
 	return get_path(FILE_CONTEXTS_HOMEDIR);
 }
 
 hidden_def(selinux_file_context_homedir_path)
 
-const char *selinux_file_context_local_path()
+const char *selinux_file_context_local_path(void)
 {
 	return get_path(FILE_CONTEXTS_LOCAL);
 }
 
 hidden_def(selinux_file_context_local_path)
 
-const char *selinux_x_context_path()
+const char *selinux_x_context_path(void)
 {
 	return get_path(X_CONTEXTS);
 }
 
 hidden_def(selinux_x_context_path)
 
-const char *selinux_virtual_domain_context_path()
+const char *selinux_virtual_domain_context_path(void)
 {
 	return get_path(VIRTUAL_DOMAIN);
 }
 
 hidden_def(selinux_virtual_domain_context_path)
 
-const char *selinux_virtual_image_context_path()
+const char *selinux_virtual_image_context_path(void)
 {
 	return get_path(VIRTUAL_IMAGE);
 }
@@ -430,7 +430,7 @@ const char * selinux_file_context_subs_dist_path(void) {
 
 hidden_def(selinux_file_context_subs_dist_path)
 
-const char *selinux_sepgsql_context_path()
+const char *selinux_sepgsql_context_path(void)
 {
 	return get_path(SEPGSQL_CONTEXTS);
 }
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 710396a..9a3fc14 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -80,6 +80,7 @@ hidden_proto(selinux_mkload_policy)
     hidden_proto(selinux_path)
     hidden_proto(selinux_check_passwd_access)
     hidden_proto(selinux_check_securetty_context)
+    hidden_proto(matchpathcon_init_prefixes)
     hidden_proto(matchpathcon_init_prefix)
     hidden_proto(selinux_users_path)
     hidden_proto(selinux_usersconf_path);
diff --git a/libselinux/src/setrans_client.c b/libselinux/src/setrans_client.c
index e074142..9432f49 100644
--- a/libselinux/src/setrans_client.c
+++ b/libselinux/src/setrans_client.c
@@ -253,6 +253,8 @@ static void setrans_thread_destructor(void __attribute__((unused)) *unused)
 	free(prev_r2c_raw);
 }
 
+void __attribute__((destructor)) setrans_lib_destructor(void);
+
 void __attribute__((destructor)) setrans_lib_destructor(void)
 {
 	if (destructor_key_initialized)
diff --git a/libselinux/src/seusers.c b/libselinux/src/seusers.c
index b653cad..5cdf6c0 100644
--- a/libselinux/src/seusers.c
+++ b/libselinux/src/seusers.c
@@ -269,9 +269,10 @@ int getseuser(const char *username, const char *service,
 	size_t lineno = 0;
 	char *rec = NULL;
 	char *path=NULL;
+	FILE *fp = NULL;
 	if (asprintf(&path,"%s/logins/%s", selinux_policy_root(), username) <  0)
 		goto err;
-	FILE *fp = fopen(path, "r");
+	fp = fopen(path, "r");
 	free(path);
 	if (fp == NULL) goto err;
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
diff --git a/libselinux/src/stringrep.c b/libselinux/src/stringrep.c
index f0167e7..176ac34 100644
--- a/libselinux/src/stringrep.c
+++ b/libselinux/src/stringrep.c
@@ -305,28 +305,6 @@ err1:
 	return NULL;
 }
 
-void flush_class_cache(void)
-{
-	struct discover_class_node *cur = discover_class_cache, *prev = NULL;
-	size_t i;
-
-	while (cur != NULL) {
-		free(cur->name);
-
-		for (i=0 ; i<MAXVECTORS ; i++)
-			free(cur->perms[i]);
-
-		free(cur->perms);
-
-		prev = cur;
-		cur = cur->next;
-
-		free(prev);
-	}
-
-	discover_class_cache = NULL;
-}
-
 static security_class_t string_to_security_class_compat(const char *s)
 {
 	unsigned int val;
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 6f5aa52..d76ccfa 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -1,10 +1,28 @@
 # Installation directories.
 PREFIX ?= $(DESTDIR)/usr
 LIBDIR ?= $(PREFIX)/lib
-BINDIR ?= $(PREFIX)/sbin
-_BINDIR ?= $(DESTDIR)/sbin
-
-CFLAGS ?= -Werror -Wall -W
+USRBINDIR ?= $(PREFIX)/sbin
+SBINDIR ?= $(DESTDIR)/sbin
+
+MAX_STACK_SIZE=8192
+CFLAGS ?= -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissing-include-dirs \
+          -Wunused -Wunknown-pragmas -Wstrict-aliasing -Wshadow -Wpointer-arith \
+          -Wbad-function-cast -Wcast-align -Wwrite-strings -Wlogical-op -Waggregate-return \
+          -Wstrict-prototypes -Wold-style-definition -Wmissing-prototypes \
+          -Wmissing-declarations -Wmissing-noreturn -Wmissing-format-attribute \
+          -Wredundant-decls -Wnested-externs -Winline -Winvalid-pch -Wvolatile-register-var \
+          -Wdisabled-optimization -Wbuiltin-macro-redefined -Wmudflap -Wpacked-bitfield-compat \
+          -Wsync-nand -Wattributes -Wcoverage-mismatch -Wmultichar -Wcpp \
+          -Wdeprecated-declarations -Wdiv-by-zero -Wdouble-promotion -Wendif-labels -Wextra \
+          -Wformat-contains-nul -Wformat-extra-args -Wformat-zero-length -Wformat=2 -Wmultichar \
+          -Wnormalized=nfc -Woverflow -Wpointer-to-int-cast -Wpragmas -Wsuggest-attribute=const \
+          -Wsuggest-attribute=noreturn -Wsuggest-attribute=pure -Wtrampolines \
+          -Wno-missing-field-initializers -Wno-sign-compare -Wjump-misses-init \
+          -Wno-format-nonliteral -Wframe-larger-than=$(MAX_STACK_SIZE) -Wp,-D_FORTIFY_SOURCE=2 \
+          -fstack-protector-all --param=ssp-buffer-size=4 -fexceptions \
+          -fasynchronous-unwind-tables -fdiagnostics-show-option -funit-at-a-time \
+          -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
+          -Werror -Wno-aggregate-return -Wno-redundant-decls
 override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
 LDLIBS += -L../src -lselinux -L$(LIBDIR)
 
@@ -17,18 +35,18 @@ endif
 ifeq ($(DISABLE_BOOL),y)
 	UNUSED_TARGETS+=getsebool togglesebool
 endif
-TARGETS:= $(filter-out $(UNUSED_TARGETS) matchpathcon, $(TARGETS))
+TARGETS:= $(filter-out $(UNUSED_TARGETS), $(TARGETS))
 
-all: $(TARGETS) matchpathcon
+all: $(TARGETS)
 
 install: all
-	-mkdir -p $(BINDIR)
-	install -m 755 $(TARGETS) $(BINDIR)
-	-mkdir -p $(_BINDIR)
-	install -m 755 matchpathcon $(_BINDIR)
-	(cd $(BINDIR); 	ln -fs ../../sbin/matchpathcon)
+	-mkdir -p $(USRBINDIR)
+	install -m 755 $(TARGETS) $(USRBINDIR)
+	-mkdir -p $(SBINDIR)
 clean:
-	rm -f $(TARGETS) matchpathcon *.o *~
+	rm -f $(TARGETS) *.o *~
+
+distclean: clean
 
 indent:
 	../../scripts/Lindent $(wildcard *.[ch])
diff --git a/libselinux/utils/avcstat.c b/libselinux/utils/avcstat.c
index 772118a..7239ef2 100644
--- a/libselinux/utils/avcstat.c
+++ b/libselinux/utils/avcstat.c
@@ -43,7 +43,7 @@ static char buf[DEF_BUF_SIZE];
 /* selinuxfs mount point */
 extern char *selinux_mnt;
 
-static void die(const char *msg, ...)
+static __attribute__((__format__(printf,1,2))) void die(const char *msg, ...)
 {
 	va_list args;
 
@@ -118,7 +118,7 @@ int main(int argc, char **argv)
 			exit(0);
 		default:
 			usage();
-			die("unrecognized parameter", i);
+			die("unrecognized parameter '%c'", i);
 		}
 	}
 
diff --git a/libselinux/utils/getconlist.c b/libselinux/utils/getconlist.c
index 4f473e4..94c9bff 100644
--- a/libselinux/utils/getconlist.c
+++ b/libselinux/utils/getconlist.c
@@ -9,7 +9,7 @@
 #include <selinux/selinux.h>
 #include <selinux/get_context_list.h>
 
-void usage(char *name, char *detail, int rc)
+static void usage(const char *name, const char *detail, int rc)
 {
 	fprintf(stderr, "usage:  %s [-l level] user [context]\n", name);
 	if (detail)
diff --git a/libselinux/utils/getdefaultcon.c b/libselinux/utils/getdefaultcon.c
index e6eb98b..049e75c 100644
--- a/libselinux/utils/getdefaultcon.c
+++ b/libselinux/utils/getdefaultcon.c
@@ -9,7 +9,7 @@
 #include <selinux/selinux.h>
 #include <selinux/get_context_list.h>
 
-void usage(char *name, char *detail, int rc)
+static void usage(const char *name, const char *detail, int rc)
 {
 	fprintf(stderr, "usage:  %s [-l level] user fromcon\n", name);
 	if (detail)
diff --git a/libselinux/utils/getsebool.c b/libselinux/utils/getsebool.c
index cab2bb9..3a90449 100644
--- a/libselinux/utils/getsebool.c
+++ b/libselinux/utils/getsebool.c
@@ -6,7 +6,7 @@
 #include <string.h>
 #include <selinux/selinux.h>
 
-void usage(const char *progname)
+static void usage(const char *progname)
 {
 	fprintf(stderr, "usage:  %s -a or %s boolean...\n", progname, progname);
 	exit(1);
diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
index 5f0a4c2..b1adadd 100644
--- a/libselinux/utils/matchpathcon.c
+++ b/libselinux/utils/matchpathcon.c
@@ -13,7 +13,7 @@
 #include <stdlib.h>
 
 
-void usage(const char *progname)
+static void usage(const char *progname)
 {
 	fprintf(stderr,
 		"usage:  %s [-N] [-n] [-f file_contexts] [-p prefix] [-Vq] path...\n",
@@ -21,7 +21,7 @@ void usage(const char *progname)
 	exit(1);
 }
 
-int printmatchpathcon(char *path, int header, int mode)
+static int printmatchpathcon(const char *path, int header, int mode)
 {
 	char *buf;
 	int rc = matchpathcon(path, mode, &buf);
diff --git a/libselinux/utils/selinux_check_securetty_context.c b/libselinux/utils/selinux_check_securetty_context.c
index 95bfb7f..b158eb3 100644
--- a/libselinux/utils/selinux_check_securetty_context.c
+++ b/libselinux/utils/selinux_check_securetty_context.c
@@ -9,7 +9,7 @@
 #include <sys/errno.h>
 #include <selinux/selinux.h>
 
-void usage(const char *progname)
+static void usage(const char *progname)
 {
 	fprintf(stderr, "usage:  %s tty_context...\n", progname);
 	exit(1);
diff --git a/libselinux/utils/selinuxexeccon.c b/libselinux/utils/selinuxexeccon.c
index c55fde9..476f564 100644
--- a/libselinux/utils/selinuxexeccon.c
+++ b/libselinux/utils/selinuxexeccon.c
@@ -9,7 +9,7 @@
 #include <selinux/flask.h>
 #include <selinux/selinux.h>
 
-void usage(char *name, char *detail, int rc)
+static void usage(const char *name, const char *detail, int rc)
 {
 	fprintf(stderr, "usage:  %s command [ fromcon ]\n", name);
 	if (detail)
diff --git a/libselinux/utils/setenforce.c b/libselinux/utils/setenforce.c
index e45b804..df58597 100644
--- a/libselinux/utils/setenforce.c
+++ b/libselinux/utils/setenforce.c
@@ -6,7 +6,7 @@
 #include <strings.h>
 #include <selinux/selinux.h>
 
-void usage(const char *progname)
+static void usage(const char *progname)
 {
 	fprintf(stderr, "usage:  %s [ Enforcing | Permissive | 1 | 0 ]\n",
 		progname);
diff --git a/libselinux/utils/togglesebool.c b/libselinux/utils/togglesebool.c
index 680ed8d..ad0d2a2 100644
--- a/libselinux/utils/togglesebool.c
+++ b/libselinux/utils/togglesebool.c
@@ -10,7 +10,7 @@
 
 /* Attempt to rollback the transaction. No need to check error
    codes since this is rolling back something that blew up. */
-void rollback(int argc, char **argv)
+static void rollback(int argc, char **argv)
 {
 	int i;