From: Petr Lautrbach <lautrbach@redhat.com>
To: git-commits@fedoraproject.org
Subject: [rpms/libselinux] rawhide: SELinux userspace 3.11 release
Date: Wed, 01 Jul 2026 19:36:26 GMT
Message-ID: <178293458652.1.5830165486301475632.rpms-libselinux-41d874fcf881@fedoraproject.org>

A new commit has been pushed.

Repo   : rpms/libselinux
Branch : rawhide
Commit : 41d874fcf8813b7531ab920c23e1bb050503fce9
Author : Petr Lautrbach <lautrbach@redhat.com>
Date   : 2026-07-01T21:36:01+02:00
Stats  : +409/-276 in 5 file(s)
URL    : https://src.fedoraproject.org/rpms/libselinux/c/41d874fcf8813b7531ab920c23e1bb050503fce9?branch=rawhide

Log:
SELinux userspace 3.11 release

---
diff --git a/.gitignore b/.gitignore
index 2dc4d9d..2243b75 100644
--- a/.gitignore
+++ b/.gitignore
@@ -248,3 +248,5 @@ libselinux-2.0.96.tgz
 /libselinux-3.10-rc2.tar.gz.asc
 /libselinux-3.10.tar.gz
 /libselinux-3.10.tar.gz.asc
+/libselinux-3.11.tar.gz
+/libselinux-3.11.tar.gz.asc

diff --git a/0001-Use-SHA-2-instead-of-SHA-1.patch b/0001-Use-SHA-2-instead-of-SHA-1.patch
index 7ae78c2..3473914 100644
--- a/0001-Use-SHA-2-instead-of-SHA-1.patch
+++ b/0001-Use-SHA-2-instead-of-SHA-1.patch
@@ -1,4 +1,4 @@
-From 4780b755bb1171f5aa4cd7545535839d451a2070 Mon Sep 17 00:00:00 2001
+From cbaf1040c655bd544eedca3b8e070720dfc3b2be Mon Sep 17 00:00:00 2001
 From: Petr Lautrbach <plautrba@redhat.com>
 Date: Fri, 30 Jul 2021 14:14:37 +0200
 Subject: [PATCH] Use SHA-2 instead of SHA-1
@@ -13,28 +13,28 @@ The use of SHA-1 in RHEL9 is deprecated
  libselinux/man/man3/selinux_restorecon.3      |  18 +-
  .../man/man3/selinux_restorecon_xattr.3       |   2 +-
  libselinux/src/Makefile                       |   2 +-
- libselinux/src/label_file.c                   |  40 +--
- libselinux/src/label_internal.h               |  10 +-
- libselinux/src/label_support.c                |  10 +-
- libselinux/src/selinux_restorecon.c           |  24 +-
- libselinux/src/sha1.c                         | 223 -------------
- libselinux/src/sha1.h                         |  85 -----
+ libselinux/src/label_file.c                   |  46 +--
+ libselinux/src/label_internal.h               |  18 +-
+ libselinux/src/label_support.c                |  17 +-
+ libselinux/src/selinux_restorecon.c           |  48 ++-
+ libselinux/src/sha1.c                         | 284 -----------------
+ libselinux/src/sha1.h                         |  68 ----
  libselinux/src/sha256.c                       | 294 ++++++++++++++++++
  libselinux/src/sha256.h                       |  89 ++++++
  libselinux/utils/selabel_digest.c             |  26 +-
  .../selabel_get_digests_all_partial_matches.c |  28 +-
- 17 files changed, 471 insertions(+), 396 deletions(-)
+ 17 files changed, 501 insertions(+), 455 deletions(-)
  delete mode 100644 libselinux/src/sha1.c
  delete mode 100644 libselinux/src/sha1.h
  create mode 100644 libselinux/src/sha256.c
  create mode 100644 libselinux/src/sha256.h
 
 diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
-index ce189a3ae2fe..ce77d32dfed1 100644
+index 05e1fd569980..0e683ff2ad3c 100644
 --- a/libselinux/include/selinux/label.h
 +++ b/libselinux/include/selinux/label.h
-@@ -120,13 +120,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
- 					 const char *key, const char **aliases, int type);
+@@ -123,13 +123,13 @@ extern int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con,
+ 					 int type);
  
  /**
 - * selabel_digest - Retrieve the SHA1 digest and the list of specfiles used to
@@ -51,7 +51,7 @@ index ce189a3ae2fe..ce77d32dfed1 100644
   * @num_specfiles: number of specfiles in the list.
   *
 diff --git a/libselinux/include/selinux/restorecon.h b/libselinux/include/selinux/restorecon.h
-index 5be6542c2a91..210f65fdb709 100644
+index 6680589ec659..c8356de9ebeb 100644
 --- a/libselinux/include/selinux/restorecon.h
 +++ b/libselinux/include/selinux/restorecon.h
 @@ -43,8 +43,8 @@ extern int selinux_restorecon_parallel(const char *pathname,
@@ -63,7 +63,7 @@ index 5be6542c2a91..210f65fdb709 100644
 + * Force the checking of labels even if the stored SHA256 digest
 + * matches the specfiles SHA256 digest (requires CAP_SYS_ADMIN).
   */
- #define SELINUX_RESTORECON_IGNORE_DIGEST		0x00001
+ #define SELINUX_RESTORECON_IGNORE_DIGEST 0x00001
  /*
 diff --git a/libselinux/man/man3/selabel_digest.3 b/libselinux/man/man3/selabel_digest.3
 index 56a008f00df0..5f7c42533d0e 100644
@@ -97,7 +97,7 @@ index 0e03e1be111e..14ab888d2e03 100644
  .BR selabel_digest (3)
  .
 diff --git a/libselinux/man/man3/selinux_restorecon.3 b/libselinux/man/man3/selinux_restorecon.3
-index 218aaf6d2ae5..5f6d4b386429 100644
+index 9bcd3d42bb45..3f283c4f4273 100644
 --- a/libselinux/man/man3/selinux_restorecon.3
 +++ b/libselinux/man/man3/selinux_restorecon.3
 @@ -36,7 +36,7 @@ If this is a directory and the
@@ -138,7 +138,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
  extended attribute as described in the
  .B NOTES
  section.
-@@ -179,12 +179,12 @@ for fetching the ignored (skipped) error count after
+@@ -179,7 +179,7 @@ for fetching the ignored (skipped) error count after
  or
  .BR selinux_restorecon_parallel (3)
  completes with success. In case any errors were skipped during the file tree
@@ -146,6 +146,9 @@ index 218aaf6d2ae5..5f6d4b386429 100644
 +walk, the specfile entries SHA256 digest will not have been written to the
  .IR security.sehash
  extended attribute.
+ .sp
+@@ -197,7 +197,7 @@ Use this option when relabeling untrusted directories that might
+ contain hard links to files owned by others.
  .RE
  .sp
 -The behavior regarding the checking and updating of the SHA1 digest described
@@ -153,7 +156,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
  above is the default behavior. It is possible to change this by first calling
  .BR selabel_open (3)
  and not enabling the
-@@ -247,7 +247,7 @@ To improve performance when relabeling file systems recursively (e.g. the
+@@ -260,7 +260,7 @@ To improve performance when relabeling file systems recursively (e.g. the
  .B SELINUX_RESTORECON_RECURSE
  flag is set)
  .BR selinux_restorecon ()
@@ -162,7 +165,7 @@ index 218aaf6d2ae5..5f6d4b386429 100644
  .BR selabel_get_digests_all_partial_matches (3)
  to an extended attribute named
  .IR security.sehash
-@@ -269,7 +269,7 @@ Should any of the specfile entries have changed, then when
+@@ -282,7 +282,7 @@ Should any of the specfile entries have changed, then when
  .BR selinux_restorecon ()
  is run again with the
  .B SELINUX_RESTORECON_RECURSE
@@ -185,7 +188,7 @@ index c56326814b94..098c840fc59b 100644
  .BR selabel_open (3)
  must be called specifying the required
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
-index 41cfbdca490c..658a4c3d80e0 100644
+index 9ecdbd4d0af8..fde55cd681c2 100644
 --- a/libselinux/src/Makefile
 +++ b/libselinux/src/Makefile
 @@ -130,7 +130,7 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \
@@ -198,10 +201,10 @@ index 41cfbdca490c..658a4c3d80e0 100644
  endif
  
 diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
-index 189a5ed26eb7..312bb584d6b4 100644
+index 0c0499eb0365..938a0e2a5fb3 100644
 --- a/libselinux/src/label_file.c
 +++ b/libselinux/src/label_file.c
-@@ -1780,7 +1780,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
+@@ -2244,7 +2244,7 @@ static struct lookup_result *lookup_common(struct selabel_handle *rec,
  
  /*
   * Returns true if the digest of all partial matched contexts is the same as
@@ -210,7 +213,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
   * digest will always be returned. The caller must free any returned digests.
   */
  static bool get_digests_all_partial_matches(struct selabel_handle *rec,
-@@ -1789,39 +1789,39 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
+@@ -2253,40 +2253,40 @@ static bool get_digests_all_partial_matches(struct selabel_handle *rec,
  					    uint8_t **xattr_digest,
  					    size_t *digest_len)
  {
@@ -220,13 +223,17 @@ index 189a5ed26eb7..312bb584d6b4 100644
 -				     read_digest, SHA1_HASH_SIZE
 +				     read_digest, SHA256_HASH_SIZE
  #ifdef __APPLE__
- 				     , 0, 0
+ 				     ,
+ 				     0, 0
  #endif /* __APPLE __ */
- 				    );
+-	);
 -	uint8_t hash_digest[SHA1_HASH_SIZE];
+-	bool status =
+-		selabel_hash_all_partial_matches(rec, pathname, hash_digest);
++				    );
 +	uint8_t hash_digest[SHA256_HASH_SIZE];
- 	bool status = selabel_hash_all_partial_matches(rec, pathname,
- 						       hash_digest);
++	bool status = selabel_hash_all_partial_matches(rec, pathname,
++						       hash_digest);
  
  	*xattr_digest = NULL;
  	*calculated_digest = NULL;
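Review bot: In the `get_digests_all_partial_matches()` part of the refreshed patch, the closing `);` and the `bool status = selabel_hash_all_partial_matches(...)` declaration are removed in the 3.11 source's layout and re-added in the older layout, which is a formatting-only change. Limiting this hunk to the `SHA1_HASH_SIZE` to `SHA256_HASH_SIZE` substitutions would keep the downstream patch smaller and reduce conflicts on the next rebase.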
@@ -255,13 +262,13 @@ index 189a5ed26eb7..312bb584d6b4 100644
  	}
  
 -	if (status && read_size == SHA1_HASH_SIZE &&
--		memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
+-	    memcmp(read_digest, hash_digest, SHA1_HASH_SIZE) == 0)
 +	if (status && read_size == SHA256_HASH_SIZE &&
 +		memcmp(read_digest, hash_digest, SHA256_HASH_SIZE) == 0)
  		return true;
  
  	return false;
-@@ -1840,22 +1840,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec, const char *key
+@@ -2307,22 +2307,22 @@ static bool hash_all_partial_matches(struct selabel_handle *rec,
  		return false;
  	}
  
@@ -271,9 +278,9 @@ index 189a5ed26eb7..312bb584d6b4 100644
 +	Sha256Initialise(&context);
  
  	for (const struct lookup_result *m = matches; m; m = m->next) {
- 		const char* regex_str = m->regex_str;
+ 		const char *regex_str = m->regex_str;
  		uint8_t file_kind = m->file_kind;
- 		const char* ctx_raw = m->lr->ctx_raw;
+ 		const char *ctx_raw = m->lr->ctx_raw;
  
 -		Sha1Update(&context, regex_str, strlen(regex_str) + 1);
 -		Sha1Update(&context, &file_kind, sizeof(file_kind));
@@ -293,7 +300,7 @@ index 189a5ed26eb7..312bb584d6b4 100644
  	free_lookup_result(matches);
  	return true;
 diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
-index 743dbf9472cf..4180df92f405 100644
+index 4ff39d96f9f5..dd426a824cab 100644
 --- a/libselinux/src/label_internal.h
 +++ b/libselinux/src/label_internal.h
 @@ -13,7 +13,7 @@
@@ -305,7 +312,7 @@ index 743dbf9472cf..4180df92f405 100644
  
  #if defined(ANDROID) || defined(__APPLE__)
  // Android and Mac do not have fgets_unlocked()
-@@ -47,15 +47,15 @@ int selabel_service_init(struct selabel_handle *rec,
+@@ -41,19 +41,19 @@ int selabel_service_init(struct selabel_handle *rec,
   */
  
  /*
@@ -319,12 +326,20 @@ index 743dbf9472cf..4180df92f405 100644
 +#define DIGEST_SPECFILE_SIZE SHA256_HASH_SIZE
  #define DIGEST_FILES_MAX 8
  struct selabel_digest {
--	unsigned char *digest;	/* SHA1 digest of specfiles */
+-	unsigned char *digest; /* SHA1 digest of specfiles */
+-	unsigned char *hashbuf; /* buffer to hold specfiles */
+-	size_t hashbuf_size; /* buffer size */
+-	size_t specfile_cnt; /* how many specfiles processed */
+-	char **specfile_list; /* and their names */
 +	unsigned char *digest;	/* SHA256 digest of specfiles */
- 	unsigned char *hashbuf;	/* buffer to hold specfiles */
- 	size_t hashbuf_size;	/* buffer size */
- 	size_t specfile_cnt;	/* how many specfiles processed */
-@@ -111,7 +111,7 @@ struct selabel_handle {
++	unsigned char *hashbuf;	/* buffer to hold specfiles */
++	size_t hashbuf_size;	/* buffer size */
++	size_t specfile_cnt;	/* how many specfiles processed */
++	char **specfile_list;	/* and their names */
+ };
+ 
+ extern int digest_add_specfile(struct selabel_digest *digest, FILE *fp,
+@@ -101,7 +101,7 @@ struct selabel_handle {
  	 */
  	char *spec_file;
  
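Review bot: In `struct selabel_digest`, only the comment on `digest` changes from SHA1 to SHA256, yet the refreshed patch also rewrites `hashbuf`, `hashbuf_size`, `specfile_cnt` and `specfile_list` purely to change the comment alignment. Leave those four fields as context and change only the `digest` line, keeping the source's current spacing.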
@@ -334,33 +349,37 @@ index 743dbf9472cf..4180df92f405 100644
  };
  
 diff --git a/libselinux/src/label_support.c b/libselinux/src/label_support.c
-index 978ba828c159..daba26941ae7 100644
+index cc5c279e88fa..aea5ed19b45a 100644
 --- a/libselinux/src/label_support.c
 +++ b/libselinux/src/label_support.c
-@@ -120,7 +120,7 @@ int  read_spec_entries(char *line_buf, size_t nread, const char **errbuf, int nu
+@@ -131,28 +131,27 @@ int read_spec_entries(char *line_buf, size_t nread, const char **errbuf,
  /* Once all the specfiles are in the hash_buf, generate the hash. */
- void  digest_gen_hash(struct selabel_digest *digest)
+ void digest_gen_hash(struct selabel_digest *digest)
  {
 -	Sha1Context context;
 +	Sha256Context context;
  	size_t remaining_size;
  	const unsigned char *ptr;
+-	const uint32_t chunkSize = UINT32_MAX >> 3;
  
-@@ -128,19 +128,19 @@ void  digest_gen_hash(struct selabel_digest *digest)
+ 	/* If SELABEL_OPT_DIGEST not set then just return */
  	if (!digest)
  		return;
  
 -	Sha1Initialise(&context);
 +	Sha256Initialise(&context);
  
- 	/* Process in blocks of UINT32_MAX bytes */
+ 	/* Process in blocks of chunkSize bytes */
  	remaining_size = digest->hashbuf_size;
  	ptr = digest->hashbuf;
- 	while (remaining_size > UINT32_MAX) {
--		Sha1Update(&context, ptr, UINT32_MAX);
+-	while (remaining_size > chunkSize) {
+-		Sha1Update(&context, ptr, chunkSize);
+-		remaining_size -= chunkSize;
+-		ptr += chunkSize;
++	while (remaining_size > UINT32_MAX) {
 +		Sha256Update(&context, ptr, UINT32_MAX);
- 		remaining_size -= UINT32_MAX;
- 		ptr += UINT32_MAX;
++		remaining_size -= UINT32_MAX;
++		ptr += UINT32_MAX;
  	}
 -	Sha1Update(&context, ptr, remaining_size);
 +	Sha256Update(&context, ptr, remaining_size);
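Review bot: In `digest_gen_hash()`, the refreshed patch deletes `const uint32_t chunkSize = UINT32_MAX >> 3;` and loops on `UINT32_MAX` again, while the unchanged comment above the loop still reads "Process in blocks of chunkSize bytes". The comment then names a variable that no longer exists, and the smaller per-call bound that the 3.11 source passes to `Sha1Update()` is dropped without explanation. Unless `Sha256Update()` (in sha256.c, not shown in this hunk) is known to accept a full `UINT32_MAX`-byte buffer, keep `chunkSize` and change only the call to `Sha256Update(&context, ptr, chunkSize);`; otherwise adjust the comment to match the code.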
@@ -371,19 +390,19 @@ index 978ba828c159..daba26941ae7 100644
  	digest->hashbuf = NULL;
  }
 diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
-index bc6ed935a4ad..93bd7779249b 100644
+index b34d8e60bb5b..d48d5a83ed6e 100644
 --- a/libselinux/src/selinux_restorecon.c
 +++ b/libselinux/src/selinux_restorecon.c
-@@ -37,7 +37,7 @@
+@@ -38,7 +38,7 @@
  #include "callbacks.h"
  #include "selinux_internal.h"
  #include "label_file.h"
 -#include "sha1.h"
 +#include "sha256.h"
  
- #define STAR_COUNT 1024
- 
-@@ -306,7 +306,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
+ static struct selabel_handle *fc_sehandle = NULL;
+ static bool selabel_no_digest;
+@@ -360,7 +360,7 @@ static uint64_t exclude_non_seclabel_mounts(void)
  static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  			   bool delete_all)
  {
@@ -392,7 +411,7 @@ index bc6ed935a4ad..93bd7779249b 100644
  	size_t i, digest_len = 0;
  	int rc;
  	enum digest_result digest_result;
-@@ -330,15 +330,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -385,15 +385,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	}
  
  	/* Convert entry to a hex encoded string. */
@@ -411,7 +430,7 @@ index bc6ed935a4ad..93bd7779249b 100644
  
  	digest_result = match ? MATCH : NOMATCH;
  
-@@ -358,7 +358,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -414,7 +414,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	/* Now add entries to link list. */
  	new_entry = malloc(sizeof(struct dir_xattr));
  	if (!new_entry) {
@@ -420,7 +439,7 @@ index bc6ed935a4ad..93bd7779249b 100644
  		goto oom;
  	}
  	new_entry->next = NULL;
-@@ -366,15 +366,15 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+@@ -422,11 +422,17 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
  	new_entry->directory = strdup(directory);
  	if (!new_entry->directory) {
  		free(new_entry);
@@ -429,49 +448,112 @@ index bc6ed935a4ad..93bd7779249b 100644
  		goto oom;
  	}
  
--	new_entry->digest = strdup(sha1_buf);
+-	new_entry->digest = sha1_buf;
 +	new_entry->digest = strdup(sha256_buf);
- 	if (!new_entry->digest) {
- 		free(new_entry->directory);
- 		free(new_entry);
--		free(sha1_buf);
++	if (!new_entry->digest) {
++		free(new_entry->directory);
++		free(new_entry);
 +		free(sha256_buf);
- 		goto oom;
- 	}
++		goto oom;
++	}
  
-@@ -388,7 +388,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 	new_entry->result = digest_result;
+ 
+@@ -437,7 +443,7 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ 		dir_xattr_last->next = new_entry;
  		dir_xattr_last = new_entry;
  	}
- 
--	free(sha1_buf);
+-
 +	free(sha256_buf);
  	return 0;
  
  oom:
-@@ -778,7 +778,7 @@ err:
+@@ -891,6 +897,11 @@ err:
+ 	goto out1;
+ }
+ 
++struct dir_hash_node {
++	char *path;
++	uint8_t digest[SHA256_HASH_SIZE];
++	struct dir_hash_node *next;
++};
+ /*
+  * Returns true if the digest of all partial matched contexts is the same as
+  * the one saved by setxattr. Otherwise returns false and sets @have_digest
+@@ -898,7 +909,7 @@ err:
+  * relabeling this directory.
+  */
+ static bool check_context_match_for_dir(const char *pathname,
+-					uint8_t digest_out[SHA1_HASH_SIZE],
++					uint8_t digest_out[SHA256_HASH_SIZE],
+ 					bool *have_digest)
+ {
+ 	bool status;
+@@ -918,8 +929,8 @@ static bool check_context_match_for_dir(const char *pathname,
  
- struct dir_hash_node {
- 	char *path;
+ 	/* Save digest of all matched contexts for the current directory. */
+ 	if (calculated_digest) {
+-		assert(digest_len == SHA1_HASH_SIZE);
+-		memcpy(digest_out, calculated_digest, SHA1_HASH_SIZE);
++		assert(digest_len == SHA256_HASH_SIZE);
++		memcpy(digest_out, calculated_digest, SHA256_HASH_SIZE);
+ 		*have_digest = true;
+ 	}
+ 
+@@ -934,7 +945,7 @@ struct walk_level {
+ 	dev_t dev;
+ 	ino_t ino;
+ 	size_t pathlen;
 -	uint8_t digest[SHA1_HASH_SIZE];
 +	uint8_t digest[SHA256_HASH_SIZE];
- 	struct dir_hash_node *next;
+ 	bool write_digest;
  };
- /*
-@@ -1284,7 +1284,7 @@ static int selinux_restorecon_common(const char *pathname_orig,
- 			if (setxattr(current->path,
- 			    RESTORECON_PARTIAL_MATCH_DIGEST,
- 			    current->digest,
--			    SHA1_HASH_SIZE, 0) < 0) {
-+			    SHA256_HASH_SIZE, 0) < 0) {
+ 
+@@ -1227,7 +1238,7 @@ static int walk_next(struct rest_state *state, int *ent_fd, int *rd_fd,
+ 			    !state->skipped_errors &&
+ 			    fsetxattr(dirfd(top->dirp),
+ 				      RESTORECON_PARTIAL_MATCH_DIGEST,
+-				      top->digest, SHA1_HASH_SIZE, 0) < 0) {
++				      top->digest, SHA256_HASH_SIZE, 0) < 0) {
  				selinux_log(SELINUX_ERROR,
- 					    "setxattr failed: %s: %m\n",
- 					    current->path);
+ 					    "Could not set digest on %s: %m\n",
+ 					    state->pathbuf);
+@@ -1398,7 +1409,7 @@ static void *selinux_restorecon_thread(void *arg)
+ 				continue;
+ 			}
+ 
+-			uint8_t digest[SHA1_HASH_SIZE];
++			uint8_t digest[SHA256_HASH_SIZE];
+ 			bool have_digest = false;
+ 
+ 			if (descend && state->setrestorecondigest &&
+@@ -1430,7 +1441,7 @@ static void *selinux_restorecon_thread(void *arg)
+ 						&state->stack[state->depth - 1];
+ 
+ 					memcpy(wl->digest, digest,
+-					       SHA1_HASH_SIZE);
++					       SHA256_HASH_SIZE);
+ 					wl->write_digest = true;
+ 				}
+ 			}
+@@ -1768,6 +1779,11 @@ static int selinux_restorecon_common(const char *pathname_orig,
+ 	if (state.saved_errno)
+ 		goto out;
+ 
++	/*
++	 * Note: Digest writing now happens in walk_pop() during traversal,
++	 * not at the end. This FTS-based code is obsolete.
++	 */
++
+ 	skipped_errors = state.skipped_errors;
+ 
+ out:
 diff --git a/libselinux/src/sha1.c b/libselinux/src/sha1.c
 deleted file mode 100644
-index 452b0cc2ad5a..000000000000
+index 279625ee177f..000000000000
 --- a/libselinux/src/sha1.c
 +++ /dev/null
-@@ -1,223 +0,0 @@
+@@ -1,284 +0,0 @@
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  LibSha1
 -//
@@ -506,10 +588,9 @@ index 452b0cc2ad5a..000000000000
 -//  TYPES
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -
--typedef union
--{
--    uint8_t     c [64];
--    uint32_t    l [16];
+-typedef union {
+-	uint8_t c[64];
+-	uint32_t l[16];
 -} CHAR64LONG16;
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -519,79 +600,157 @@ index 452b0cc2ad5a..000000000000
 -#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
 -
 -// blk0() and blk() perform the initial expand.
--#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
--    |(rol(block->l[i],8)&0x00FF00FF))
+-#define blk0(i)                                              \
+-	(block->l[i] = (rol(block->l[i], 24) & 0xFF00FF00) | \
+-		       (rol(block->l[i], 8) & 0x00FF00FF))
 -
--#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
--    ^block->l[(i+2)&15]^block->l[i&15],1))
+-#define blk(i)                                                          \
+-	(block->l[i & 15] =                                             \
+-		 rol(block->l[(i + 13) & 15] ^ block->l[(i + 8) & 15] ^ \
+-			     block->l[(i + 2) & 15] ^ block->l[i & 15], \
+-		     1))
 -
 -// (R0+R1), R2, R3, R4 are the different operations used in SHA1
--#define R0(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk0(i)+ 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R1(v,w,x,y,z,i)  do { z += ((w&(x^y))^y)     + blk(i) + 0x5A827999 + rol(v,5); w=rol(w,30); } while (0)
--#define R2(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0x6ED9EBA1 + rol(v,5); w=rol(w,30); } while (0)
--#define R3(v,w,x,y,z,i)  do { z += (((w|x)&y)|(w&x)) + blk(i) + 0x8F1BBCDC + rol(v,5); w=rol(w,30); } while (0)
--#define R4(v,w,x,y,z,i)  do { z += (w^x^y)           + blk(i) + 0xCA62C1D6 + rol(v,5); w=rol(w,30); } while (0)
--
+-#define R0(v, w, x, y, z, i)                                                 \
+-	do {                                                                 \
+-		z += ((w & (x ^ y)) ^ y) + blk0(i) + 0x5A827999 + rol(v, 5); \
+-		w = rol(w, 30);                                              \
+-	} while (0)
+-#define R1(v, w, x, y, z, i)                                                \
+-	do {                                                                \
+-		z += ((w & (x ^ y)) ^ y) + blk(i) + 0x5A827999 + rol(v, 5); \
+-		w = rol(w, 30);                                             \
+-	} while (0)
+-#define R2(v, w, x, y, z, i)                                        \
+-	do {                                                        \
+-		z += (w ^ x ^ y) + blk(i) + 0x6ED9EBA1 + rol(v, 5); \
+-		w = rol(w, 30);                                     \
+-	} while (0)
+-#define R3(v, w, x, y, z, i)                                           \
+-	do {                                                           \
+-		z += (((w | x) & y) | (w & x)) + blk(i) + 0x8F1BBCDC + \
+-		     rol(v, 5);                                        \
+-		w = rol(w, 30);                                        \
+-	} while (0)
+-#define R4(v, w, x, y, z, i)                                        \
+-	do {                                                        \
+-		z += (w ^ x ^ y) + blk(i) + 0xCA62C1D6 + rol(v, 5); \
+-		w = rol(w, 30);                                     \
+-	} while (0)
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  TransformFunction
 -//
 -//  Hash a single 512-bit block. This is the core of the algorithm
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--ignore_unsigned_overflow_
--static
--void
--    TransformFunction
--    (
--        uint32_t            state[5],
--        const uint8_t       buffer[64]
--    )
+-ignore_unsigned_overflow_ static void
+-TransformFunction(uint32_t state[5], const uint8_t buffer[64])
 -{
--    uint32_t            a;
--    uint32_t            b;
--    uint32_t            c;
--    uint32_t            d;
--    uint32_t            e;
--    CHAR64LONG16        workspace;
--    CHAR64LONG16*       block = &workspace;
+-	uint32_t a;
+-	uint32_t b;
+-	uint32_t c;
+-	uint32_t d;
+-	uint32_t e;
+-	CHAR64LONG16 workspace;
+-	CHAR64LONG16 *block = &workspace;
 -
--    memcpy(block, buffer, 64);
+-	memcpy(block, buffer, 64);
 -
--    // Copy context->state[] to working vars
--    a = state[0];
--    b = state[1];
--    c = state[2];
--    d = state[3];
--    e = state[4];
+-	// Copy context->state[] to working vars
+-	a = state[0];
+-	b = state[1];
+-	c = state[2];
+-	d = state[3];
+-	e = state[4];
 -
--    // 4 rounds of 20 operations each. Loop unrolled.
--    R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
--    R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
--    R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
--    R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
--    R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
--    R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
--    R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
--    R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
--    R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
--    R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
--    R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
--    R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
--    R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
--    R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
--    R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
--    R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
--    R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
--    R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
--    R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
--    R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+-	// 4 rounds of 20 operations each. Loop unrolled.
+-	R0(a, b, c, d, e, 0);
+-	R0(e, a, b, c, d, 1);
+-	R0(d, e, a, b, c, 2);
+-	R0(c, d, e, a, b, 3);
+-	R0(b, c, d, e, a, 4);
+-	R0(a, b, c, d, e, 5);
+-	R0(e, a, b, c, d, 6);
+-	R0(d, e, a, b, c, 7);
+-	R0(c, d, e, a, b, 8);
+-	R0(b, c, d, e, a, 9);
+-	R0(a, b, c, d, e, 10);
+-	R0(e, a, b, c, d, 11);
+-	R0(d, e, a, b, c, 12);
+-	R0(c, d, e, a, b, 13);
+-	R0(b, c, d, e, a, 14);
+-	R0(a, b, c, d, e, 15);
+-	R1(e, a, b, c, d, 16);
+-	R1(d, e, a, b, c, 17);
+-	R1(c, d, e, a, b, 18);
+-	R1(b, c, d, e, a, 19);
+-	R2(a, b, c, d, e, 20);
+-	R2(e, a, b, c, d, 21);
+-	R2(d, e, a, b, c, 22);
+-	R2(c, d, e, a, b, 23);
+-	R2(b, c, d, e, a, 24);
+-	R2(a, b, c, d, e, 25);
+-	R2(e, a, b, c, d, 26);
+-	R2(d, e, a, b, c, 27);
+-	R2(c, d, e, a, b, 28);
+-	R2(b, c, d, e, a, 29);
+-	R2(a, b, c, d, e, 30);
+-	R2(e, a, b, c, d, 31);
+-	R2(d, e, a, b, c, 32);
+-	R2(c, d, e, a, b, 33);
+-	R2(b, c, d, e, a, 34);
+-	R2(a, b, c, d, e, 35);
+-	R2(e, a, b, c, d, 36);
+-	R2(d, e, a, b, c, 37);
+-	R2(c, d, e, a, b, 38);
+-	R2(b, c, d, e, a, 39);
+-	R3(a, b, c, d, e, 40);
+-	R3(e, a, b, c, d, 41);
+-	R3(d, e, a, b, c, 42);
+-	R3(c, d, e, a, b, 43);
+-	R3(b, c, d, e, a, 44);
+-	R3(a, b, c, d, e, 45);
+-	R3(e, a, b, c, d, 46);
+-	R3(d, e, a, b, c, 47);
+-	R3(c, d, e, a, b, 48);
+-	R3(b, c, d, e, a, 49);
+-	R3(a, b, c, d, e, 50);
+-	R3(e, a, b, c, d, 51);
+-	R3(d, e, a, b, c, 52);
+-	R3(c, d, e, a, b, 53);
+-	R3(b, c, d, e, a, 54);
+-	R3(a, b, c, d, e, 55);
+-	R3(e, a, b, c, d, 56);
+-	R3(d, e, a, b, c, 57);
+-	R3(c, d, e, a, b, 58);
+-	R3(b, c, d, e, a, 59);
+-	R4(a, b, c, d, e, 60);
+-	R4(e, a, b, c, d, 61);
+-	R4(d, e, a, b, c, 62);
+-	R4(c, d, e, a, b, 63);
+-	R4(b, c, d, e, a, 64);
+-	R4(a, b, c, d, e, 65);
+-	R4(e, a, b, c, d, 66);
+-	R4(d, e, a, b, c, 67);
+-	R4(c, d, e, a, b, 68);
+-	R4(b, c, d, e, a, 69);
+-	R4(a, b, c, d, e, 70);
+-	R4(e, a, b, c, d, 71);
+-	R4(d, e, a, b, c, 72);
+-	R4(c, d, e, a, b, 73);
+-	R4(b, c, d, e, a, 74);
+-	R4(a, b, c, d, e, 75);
+-	R4(e, a, b, c, d, 76);
+-	R4(d, e, a, b, c, 77);
+-	R4(c, d, e, a, b, 78);
+-	R4(b, c, d, e, a, 79);
 -
--    // Add the working vars back into context.state[]
--    state[0] += a;
--    state[1] += b;
--    state[2] += c;
--    state[3] += d;
--    state[4] += e;
+-	// Add the working vars back into context.state[]
+-	state[0] += a;
+-	state[1] += b;
+-	state[2] += c;
+-	state[3] += d;
+-	state[4] += e;
 -}
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -603,20 +762,16 @@ index 452b0cc2ad5a..000000000000
 -//
 -//  Initialises an SHA1 Context. Use this to initialise/reset a context.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Initialise
--    (
--        Sha1Context*                Context
--    )
+-void Sha1Initialise(Sha1Context *Context)
 -{
--    // SHA1 initialization constants
--    Context->State[0] = 0x67452301;
--    Context->State[1] = 0xEFCDAB89;
--    Context->State[2] = 0x98BADCFE;
--    Context->State[3] = 0x10325476;
--    Context->State[4] = 0xC3D2E1F0;
--    Context->Count[0] = 0;
--    Context->Count[1] = 0;
+-	// SHA1 initialization constants
+-	Context->State[0] = 0x67452301;
+-	Context->State[1] = 0xEFCDAB89;
+-	Context->State[2] = 0x98BADCFE;
+-	Context->State[3] = 0x10325476;
+-	Context->State[4] = 0xC3D2E1F0;
+-	Context->Count[0] = 0;
+-	Context->Count[1] = 0;
 -}
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -625,41 +780,32 @@ index 452b0cc2ad5a..000000000000
 -//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 -//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Update
--    (
--        Sha1Context*        Context,
--        const void*         Buffer,
--        uint32_t            BufferSize
--    )
+-void Sha1Update(Sha1Context *Context, const void *Buffer, uint32_t BufferSize)
 -{
--    uint32_t    i;
--    uint32_t    j;
+-	uint32_t i;
+-	uint32_t j;
 -
--    j = (Context->Count[0] >> 3) & 63;
--    if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3))
--    {
--        Context->Count[1]++;
--    }
+-	j = (Context->Count[0] >> 3) & 63;
+-	if ((Context->Count[0] += BufferSize << 3) < (BufferSize << 3)) {
+-		Context->Count[1]++;
+-	}
 -
--    Context->Count[1] += (BufferSize >> 29);
--    if ((j + BufferSize) > 63)
--    {
--        i = 64 - j;
--        memcpy(&Context->Buffer[j], Buffer, i);
--        TransformFunction(Context->State, Context->Buffer);
--        for (; i + 63 < BufferSize; i += 64)
--        {
--            TransformFunction(Context->State, (const uint8_t*)Buffer + i);
--        }
--        j = 0;
--    }
--    else
--    {
--        i = 0;
--    }
+-	Context->Count[1] += (BufferSize >> 29);
+-	if ((j + BufferSize) > 63) {
+-		i = 64 - j;
+-		memcpy(&Context->Buffer[j], Buffer, i);
+-		TransformFunction(Context->State, Context->Buffer);
+-		for (; i + 63 < BufferSize; i += 64) {
+-			TransformFunction(Context->State,
+-					  (const uint8_t *)Buffer + i);
+-		}
+-		j = 0;
+-	} else {
+-		i = 0;
+-	}
 -
--    memcpy(&Context->Buffer[j], &((const uint8_t*)Buffer)[i], BufferSize - i);
+-	memcpy(&Context->Buffer[j], &((const uint8_t *)Buffer)[i],
+-	       BufferSize - i);
 -}
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -668,39 +814,36 @@ index 452b0cc2ad5a..000000000000
 -//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 -//  calling this, Sha1Initialised must be used to reuse the context.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void 
--    Sha1Finalise
--    (
--        Sha1Context*                Context,
--        SHA1_HASH*                  Digest
--    )
+-void Sha1Finalise(Sha1Context *Context, SHA1_HASH *Digest)
 -{
--    uint32_t    i;
--    uint8_t     finalcount[8];
+-	uint32_t i;
+-	uint8_t finalcount[8];
 -
--    for (i = 0; i < 8; i++)
--    {
--        finalcount[i] = (unsigned char)((Context->Count[(i >= 4 ? 0 : 1)]
--         >> ((3-(i & 3)) * 8) ) & 255);  // Endian independent
--    }
--    Sha1Update(Context, (const uint8_t*)"\x80", 1);
--    while ((Context->Count[0] & 504) != 448)
--    {
--        Sha1Update(Context, (const uint8_t*)"\0", 1);
--    }
+-	for (i = 0; i < 8; i++) {
+-		finalcount[i] =
+-			(unsigned char)((Context->Count[(i >= 4 ? 0 : 1)] >>
+-					 ((3 - (i & 3)) * 8)) &
+-					255); // Endian independent
+-	}
+-	Sha1Update(Context, (const uint8_t *)"\x80", 1);
+-	while ((Context->Count[0] & 504) != 448) {
+-		Sha1Update(Context, (const uint8_t *)"\0", 1);
+-	}
 -
--    Sha1Update(Context, finalcount, 8);  // Should cause a Sha1TransformFunction()
--    for (i = 0; i < SHA1_HASH_SIZE; i++)
--    {
--        Digest->bytes[i] = (uint8_t)((Context->State[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
--    }
+-	Sha1Update(Context, finalcount,
+-		   8); // Should cause a Sha1TransformFunction()
+-	for (i = 0; i < SHA1_HASH_SIZE; i++) {
+-		Digest->bytes[i] = (uint8_t)((Context->State[i >> 2] >>
+-					      ((3 - (i & 3)) * 8)) &
+-					     255);
+-	}
 -}
 diff --git a/libselinux/src/sha1.h b/libselinux/src/sha1.h
 deleted file mode 100644
-index f83a6e7ed7ba..000000000000
+index fbf4d65538fb..000000000000
 --- a/libselinux/src/sha1.h
 +++ /dev/null
-@@ -1,85 +0,0 @@
+@@ -1,68 +0,0 @@
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  LibSha1
 -//
@@ -728,18 +871,16 @@ index f83a6e7ed7ba..000000000000
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -
 -// Sha1Context - This must be initialised using Sha1Initialised. Do not modify the contents of this structure directly.
--typedef struct
--{
--    uint32_t        State[5];
--    uint32_t        Count[2];
--    uint8_t         Buffer[64];
+-typedef struct {
+-	uint32_t State[5];
+-	uint32_t Count[2];
+-	uint8_t Buffer[64];
 -} Sha1Context;
 -
--#define SHA1_HASH_SIZE           ( 160 / 8 )
+-#define SHA1_HASH_SIZE (160 / 8)
 -
--typedef struct
--{
--    uint8_t      bytes [SHA1_HASH_SIZE];
+-typedef struct {
+-	uint8_t bytes[SHA1_HASH_SIZE];
 -} SHA1_HASH;
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
@@ -751,11 +892,7 @@ index f83a6e7ed7ba..000000000000
 -//
 -//  Initialises an SHA1 Context. Use this to initialise/reset a context.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Initialise
--    (
--        Sha1Context*                Context
--    );
+-void Sha1Initialise(Sha1Context *Context);
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  Sha1Update
@@ -763,13 +900,7 @@ index f83a6e7ed7ba..000000000000
 -//  Adds data to the SHA1 context. This will process the data and update the internal state of the context. Keep on
 -//  calling this function until all the data has been added. Then call Sha1Finalise to calculate the hash.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Update
--    (
--        Sha1Context*        Context,
--        const void*         Buffer,
--        uint32_t            BufferSize
--    );
+-void Sha1Update(Sha1Context *Context, const void *Buffer, uint32_t BufferSize);
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -//  Sha1Finalise
@@ -777,12 +908,7 @@ index f83a6e7ed7ba..000000000000
 -//  Performs the final calculation of the hash and returns the digest (20 byte buffer containing 160bit hash). After
 -//  calling this, Sha1Initialised must be used to reuse the context.
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
--void
--    Sha1Finalise
--    (
--        Sha1Context*                Context,
--        SHA1_HASH*                  Digest
--    );
+-void Sha1Finalise(Sha1Context *Context, SHA1_HASH *Digest);
 -
 -///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 -#endif //_sha1_h_
@@ -1182,13 +1308,13 @@ index 000000000000..406ed869cd82
 +        SHA256_HASH*        Digest          // [in]
 +    );
 diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c
-index 47aad21ff1fb..8bcd44a1dc73 100644
+index 2c395db6f84f..77c1b1131e31 100644
 --- a/libselinux/utils/selabel_digest.c
 +++ b/libselinux/utils/selabel_digest.c
-@@ -13,8 +13,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+@@ -13,8 +13,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
  		"Where:\n\t"
  		"-b  The backend - \"file\", \"media\", \"x\", \"db\" or "
- 			"\"prop\"\n\t"
+ 		"\"prop\"\n\t"
 -		"-v  Run \"cat <specfile_list> | openssl dgst -sha1 -hex\"\n\t"
 -		"    on the list of specfiles to compare the SHA1 digests.\n\t"
 +		"-v  Run \"cat <specfile_list> | openssl dgst -sha256 -hex\"\n\t"
@@ -1196,7 +1322,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
  		"-B  Use base specfiles only (valid for \"-b file\" only).\n\t"
  		"-i  Do not request a digest.\n\t"
  		"-f  Optional file containing the specs (defaults to\n\t"
-@@ -61,12 +61,12 @@ int main(int argc, char **argv)
+@@ -63,12 +63,12 @@ int main(int argc, char **argv)
  	int rc, opt, validate = 0;
  	char *baseonly = NULL, *file = NULL, *digest = (char *)1;
  	char **specfiles = NULL;
@@ -1210,17 +1336,17 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
 +	char *sha256_buf = NULL;
  
  	struct selabel_handle *hnd;
- 	struct selinux_opt selabel_option[] = {
-@@ -136,7 +136,7 @@ int main(int argc, char **argv)
+ 	struct selinux_opt selabel_option[] = { { SELABEL_OPT_PATH, file },
+@@ -138,7 +138,7 @@ int main(int argc, char **argv)
  		return -1;
  	}
  
 -	rc = selabel_digest(hnd, &sha1_digest, &digest_len, &specfiles,
 +	rc = selabel_digest(hnd, &sha256_digest, &digest_len, &specfiles,
- 							    &num_specfiles);
+ 			    &num_specfiles);
  
  	if (rc) {
-@@ -151,19 +151,19 @@ int main(int argc, char **argv)
+@@ -153,19 +153,19 @@ int main(int argc, char **argv)
  		goto err;
  	}
  
@@ -1229,7 +1355,7 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
 +	sha256_buf = malloc(digest_len * 2 + 1);
 +	if (!sha256_buf) {
  		fprintf(stderr, "Could not malloc buffer ERROR: %s\n",
- 						    strerror(errno));
+ 			strerror(errno));
  		rc = -1;
  		goto err;
  	}
@@ -1245,15 +1371,16 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
  	printf("calculated using the following specfile(s):\n");
  
  	if (specfiles) {
-@@ -198,19 +198,19 @@ int main(int argc, char **argv)
- 		}
+@@ -204,7 +204,7 @@ int main(int argc, char **argv)
  
  		if (validate) {
--			ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha1 -hex");
-+			ret = snprintf(cmd_ptr, cmd_rem, "| /usr/bin/openssl dgst -sha256 -hex");
+ 			ret = snprintf(cmd_ptr, cmd_rem,
+-				       "| /usr/bin/openssl dgst -sha1 -hex");
++				       "| /usr/bin/openssl dgst -sha256 -hex");
  			if (ret < 0 || (size_t)ret >= cmd_rem) {
- 				fprintf(stderr, "Could not format validate command\n");
- 				rc = -1;
+ 				fprintf(stderr,
+ 					"Could not format validate command\n");
+@@ -212,12 +212,12 @@ int main(int argc, char **argv)
  				goto err;
  			}
  
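Review bot: the digest algorithm handed to openssl for the -v validation is a string literal in this snprintf call and a second literal in the usage text ("openssl dgst -sha256 -hex"), both separate from the length that selabel_digest reports in digest_len, so a later algorithm change has to update each copy by hand. A single macro for the openssl digest flag, used in both strings, would keep the validation command and the help text from drifting apart; the existing `ret < 0 || (size_t)ret >= cmd_rem` check already covers the longer literal.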
@@ -1269,10 +1396,10 @@ index 47aad21ff1fb..8bcd44a1dc73 100644
  	return rc;
  }
 diff --git a/libselinux/utils/selabel_get_digests_all_partial_matches.c b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-index e2733b4195ff..98e533dc2692 100644
+index 0552ef0f58df..649e8b7aa0a2 100644
 --- a/libselinux/utils/selabel_get_digests_all_partial_matches.c
 +++ b/libselinux/utils/selabel_get_digests_all_partial_matches.c
-@@ -16,8 +16,8 @@ static __attribute__ ((__noreturn__)) void usage(const char *progname)
+@@ -16,8 +16,8 @@ static __attribute__((__noreturn__)) void usage(const char *progname)
  		"-v  Validate file_contxts entries against loaded policy.\n\t"
  		"-r  Recursively descend directories.\n\t"
  		"-f  Optional file_contexts file (defaults to current policy).\n\t"
@@ -1282,8 +1409,8 @@ index e2733b4195ff..98e533dc2692 100644
 +		"This will check the directory selinux.sehash SHA256 digest for "
  		"<path> against\na newly generated digest based on the "
  		"file_context entries for that node\n(using the regx, mode "
- 		"and path entries).\n", progname);
-@@ -35,7 +35,7 @@ int main(int argc, char **argv)
+ 		"and path entries).\n",
+@@ -36,7 +36,7 @@ int main(int argc, char **argv)
  	char *paths[2] = { NULL, NULL };
  	uint8_t *xattr_digest = NULL;
  	uint8_t *calculated_digest = NULL;
@@ -1292,17 +1419,18 @@ index e2733b4195ff..98e533dc2692 100644
  
  	struct selabel_handle *hnd;
  	struct selinux_opt selabel_option[] = {
-@@ -104,27 +104,27 @@ int main(int argc, char **argv)
- 							 &xattr_digest,
- 							 &digest_len);
+@@ -101,8 +101,8 @@ int main(int argc, char **argv)
+ 				hnd, ftsent->fts_path, &calculated_digest,
+ 				&xattr_digest, &digest_len);
  
 -			sha1_buf = calloc(1, digest_len * 2 + 1);
 -			if (!sha1_buf) {
 +			sha256_buf = calloc(1, digest_len * 2 + 1);
 +			if (!sha256_buf) {
- 				fprintf(stderr, "Could not calloc buffer ERROR: %s\n",
- 					    strerror(errno));
- 				return -1;
+ 				fprintf(stderr,
+ 					"Could not calloc buffer ERROR: %s\n",
+ 					strerror(errno));
+@@ -110,19 +110,19 @@ int main(int argc, char **argv)
  			}
  
  			if (status) { /* They match */
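Review bot: the calloc failure branch for sha256_buf leaves the function directly (the `return -1;` context line in the previous version of this hunk) rather than going through the cleanup label further down, which is where xattr_digest and calculated_digest are freed. Since the patch already rewrites this branch, it could free the two digests before returning, or set an error status and jump to cleanup; the effect is limited to a leak on an exit path of a utility, so this is a tidiness point rather than a blocker.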
@@ -1326,7 +1454,7 @@ index e2733b4195ff..98e533dc2692 100644
  					       ftsent->fts_path);
  					printf("as file_context entry is \"<<none>>\"\n");
  					goto cleanup;
-@@ -134,25 +134,25 @@ int main(int argc, char **argv)
+@@ -132,25 +132,25 @@ int main(int argc, char **argv)
  				       ftsent->fts_path);
  
  				for (i = 0; i < digest_len; i++)
@@ -1349,7 +1477,7 @@ index e2733b4195ff..98e533dc2692 100644
 +					printf("%s\n", sha256_buf);
  				}
  			}
- 			cleanup:
+ cleanup:
  			free(xattr_digest);
  			free(calculated_digest);
 -			free(sha1_buf);
@@ -1358,5 +1486,5 @@ index e2733b4195ff..98e533dc2692 100644
  		}
  		default:
 -- 
-2.47.0
+2.54.0
 

diff --git a/changelog b/changelog
index 56a9008..55ef0fd 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,9 @@
+* Wed Jul 01 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.11-1
+- SELinux userspace 3.11 release
+
+* Wed Jun 03 2026 Python Maint <python-maint@redhat.com> - 3.10-2
+- Rebuilt for Python 3.15
+
 * Mon Feb 02 2026 Petr Lautrbach <lautrbach@redhat.com> - 3.10-1
 - SELinux userspace 3.10 release
 

diff --git a/libselinux.spec b/libselinux.spec
index 5ec26dd..4e0f72f 100644
--- a/libselinux.spec
+++ b/libselinux.spec
@@ -1,29 +1,29 @@
 %define ruby_inc %(pkg-config --cflags ruby)
-%define libsepolver 3.10-1
+%define libsepolver 3.11-1
 
 Summary: SELinux library and simple utilities
 Name: libselinux
-Version: 3.10
-Release: 2%{?dist}
+Version: 3.11
+Release: 1%{?dist}
 License: LicenseRef-Fedora-Public-Domain
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz
 Source1: https://github.com/SELinuxProject/selinux/releases/download/%{version}/libselinux-%{version}.tar.gz.asc
-Source2: https://github.com/perfinion.gpg
+Source2: https://github.com/bachradsusi.gpg
 Source3: selinuxconlist.8
 Source4: selinuxdefcon.8
 
 Url: https://github.com/SELinuxProject/selinux/wiki
 # $ git clone https://github.com/fedora-selinux/selinux.git
 # $ cd selinux
-# $ git format-patch -N 3.10 -- libselinux
+# $ git format-patch -N 3.11 -- libselinux
 # $ i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 # Patch list start
 Patch0001: 0001-Use-SHA-2-instead-of-SHA-1.patch
 # Patch list end
 BuildRequires: gcc make
 BuildRequires: ruby-devel ruby libsepol-static >= %{libsepolver} swig pcre2-devel
-BuildRequires: python3 python3-devel python3-setuptools python3-pip
+BuildRequires: python3 python3-devel python3-setuptools python3-pip python3-build
 BuildRequires: (python3-wheel if python3-setuptools < 71)
 BuildRequires: systemd
 BuildRequires: gnupg2
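Review bot: Source2 switches the release-verification keyring from https://github.com/perfinion.gpg to https://github.com/bachradsusi.gpg, but neither the commit log nor the new 3.11-1 changelog entry records that the signer changed, and the key is identified only by a per-account URL rather than by fingerprint. Suggest adding the expected key fingerprint as a spec comment next to Source2 and mentioning the key change in the changelog; also worth confirming that bachradsusi.gpg is already tracked in the repository, since no keyring file is among the five files changed here and `sources` lists only the tarball and its .asc. The added python3-build BuildRequires is likewise unexplained in the log.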
@@ -221,7 +221,4 @@ rm -f %{buildroot}%{_mandir}/man8/togglesebool*
 %{ruby_vendorarchdir}/selinux.so
 
 %changelog
-* Wed Jun 03 2026 Python Maint <python-maint@redhat.com> - 3.10-2
-- Rebuilt for Python 3.15
-
 %autochangelog

diff --git a/sources b/sources
index 557820a..f772a29 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (libselinux-3.10.tar.gz) = 5783f737675eb94e0bdff082013589e5bddfa0669a357df185eb89f4f88cec8b90779e86c4b17b58f5c248175da0208c80cc2642046e348c7384dd799f1ba4c1
-SHA512 (libselinux-3.10.tar.gz.asc) = 6e0a18eb77b810eb7cbf756dcd82f57fa71d7c8d066ea99f754760d9e61db8f22e776c729a7387b01638249dacc270da7a5eb6a7ed38377ba858bebcd090cce6
+SHA512 (libselinux-3.11.tar.gz) = 49eb0b180b77b4b61505117ecd98ab9fdd79a36801b6d2216813ea370a02ba4f58a0f87a18e92a2d4eeffc11d9df67e4692d2d8f5d3ee77a2abd3f606196aaad
+SHA512 (libselinux-3.11.tar.gz.asc) = fa950a332a353dfbb7959b785956076d0547b6cf5387ecbaeeb11f8171a4fc3679772707364dee4bf8db76232eb2ea6a8f0280674a8351dcf98074892c3100de
