diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
index e9e6e09181dc..07e4bf1373f8 100644
--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -359,7 +359,7 @@ jobs:
- name: Install missing software on ubuntu 22.04 (cfg)
if: matrix.os == 'ubuntu-22.04'
run: |
- sudo apt-get install libcairo2-dev libcurl4-openssl-dev liblua5.3-dev libssl-dev libsqlite3-dev libcppunit-dev libsigc++-2.0-dev libgtk-3-dev libboost-all-dev libwxgtk3.0-gtk3-dev xmlstarlet qtbase5-dev
+ sudo apt-get install libcairo2-dev libcurl4-openssl-dev liblua5.3-dev libssl-dev libsqlite3-dev libcppunit-dev libsigc++-2.0-dev libgtk-3-dev libboost-all-dev libselinux-dev libwxgtk3.0-gtk3-dev xmlstarlet qtbase5-dev
# coreutils contains "nproc"
- name: Install missing software on macos
diff --git a/cfg/selinux.cfg b/cfg/selinux.cfg
new file mode 100644
index 000000000000..ec99b98d1840
--- /dev/null
+++ b/cfg/selinux.cfg
@@ -0,0 +1,3621 @@
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ get_default_type
+ free
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ 0:5
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ selabel_open
+ selabel_close
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ selabel_lookup
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ selabel_lookup_raw
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ selabel_get_digests_all_partial_matches
+ free
+
+
+ selabel_get_digests_all_partial_matches
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ selabel_lookup_best_match
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ selabel_lookup_best_match_raw
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ context_new
+ context_free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_ordered_context_list
+ freeconary
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_ordered_context_list_with_level
+ freeconary
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_default_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_default_context_with_level
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_default_context_with_role
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ get_default_context_with_rolelevel
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ query_user_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ manual_user_enter_context
+ freecon
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ avc_sid_to_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ avc_sid_to_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+ 0,1
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+ 0,1
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getcon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getcon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getprevcon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getprevcon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getexeccon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getexeccon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ getpidcon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ getpidcon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ getpidprevcon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ getpidprevcon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getfscreatecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getfscreatecon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getkeycreatecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getkeycreatecon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getsockcreatecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+ getsockcreatecon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ 0:
+
+
+
+
+
+
+ getpeercon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+ 0:
+
+
+
+
+
+
+ getpeercon_raw
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ getfilecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ getfilecon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ lgetfilecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ lgetfilecon_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+ 0:
+
+
+
+
+
+
+ fgetfilecon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+ 0:
+
+
+
+
+
+
+ fgetfilecon_raw
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+ 0:
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+ 0:
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ 0:4
+
+
+
+
+
+ false
+
+
+
+
+ 0:4
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_create
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_create_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_create_name
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_create_name_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_relabel
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_relabel
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_member
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_member_raw
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_user
+ freeconary
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_compute_user_raw
+ freeconary
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ security_get_initial_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ security_get_initial_context_raw
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ 0,1
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 0
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ security_get_boolean_names
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ 0,1
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ security_canonicalize_context
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ security_canonicalize_context
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+ 0,1
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+ Disabling SELinux at runtime is deprecated and may not be supported on modern Linux kernels.
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ security_av_string
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+ 0:7
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ matchpathcon
+ freecon
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ matchpathcon_index
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ matchmediacon
+ freecon
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+ selinux_boolean_sub
+ free
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ selinux_getpolicytype
+ free
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ selinux_raw_context_to_color
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ selinux_trans_to_raw_context
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+ selinux_raw_to_trans_context
+ free
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getseuserbyname
+ free
+
+
+ getseuserbyname
+ free
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ getseuser
+ free
+
+
+ getseuser
+ free
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+
+
+
+
+
+
+
+
+
+
+ false
+
+ This function is not thread safe. Be very sure that no other threads are calling into libselinux when this is called.
+
+
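Review bot: Three allocator entries look copy-pasted from their non-raw siblings, so the `_raw` variants would get no leak or mismatched-deallocation tracking. The text before `freecon` reads `avc_sid_to_context` in two consecutive blocks, `security_compute_relabel` in two, and `security_canonicalize_context` in two, while every neighbouring pair follows the `X` / `X_raw` pattern (`getcon` / `getcon_raw`, `security_compute_member` / `security_compute_member_raw`). The markup is not visible in this rendering, so this is inferred from the text nodes alone. If it holds, the second entry of each pair should name `avc_sid_to_context_raw`, `security_compute_relabel_raw` and `security_canonicalize_context_raw`. A leak case for one of these in test/cfg/selinux.c would catch a regression.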
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index a92ef8ed166d..6e72c8eb7c18 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -154,6 +154,7 @@ if (BUILD_TESTS)
add_cfg(posix.c)
add_cfg(python.c)
add_cfg(qt.cpp)
+ add_cfg(selinux.c)
add_cfg(sqlite3.c)
add_cfg(std.c)
add_cfg(std.cpp)
diff --git a/test/cfg/runtests.sh b/test/cfg/runtests.sh
index 7169886eb709..e26d1ece2e8d 100755
--- a/test/cfg/runtests.sh
+++ b/test/cfg/runtests.sh
@@ -447,6 +447,30 @@ function cppunit_fn {
fi
}
+# selinux.c
+function selinux_fn {
+ if [ $HAS_PKG_CONFIG -eq 1 ]; then
+ SELINUXCONFIG=$(get_pkg_config_cflags selinux)
+ if [ -n "$SELINUXCONFIG" ]; then
+ # TODO: get rid of the error enabling/disabling?
+ set +e
+ echo -e "#include " | ${CC} "${CC_OPT[@]}" ${SELINUXCONFIG} -x c -
+ SELINUXCONFIG_RETURNCODE=$?
+ set -e
+ if [ $SELINUXCONFIG_RETURNCODE -ne 0 ]; then
+ echo "selinux not completely present or not working, skipping syntax check with ${CC}."
+ exit_if_strict
+ else
+ echo "selinux found and working, checking syntax with ${CC} now."
+ ${CC} "${CC_OPT[@]}" ${SELINUXCONFIG} "${DIR}"selinux.c
+ fi
+ else
+ echo "selinux not present, skipping syntax check with ${CC}."
+ exit_if_strict
+ fi
+ fi
+}
+
function check_file {
f=$(basename "$1")
lib="${f%%.*}"
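Review bot: When `HAS_PKG_CONFIG` is not 1, `selinux_fn` returns without a message and without calling `exit_if_strict`, unlike the two other skip branches in the function, so a strict run passes without the compiler ever checking selinux.c. An `else` on the outer `if` with `echo "pkg-config not present, skipping syntax check with ${CC}."` followed by `exit_if_strict` would make the skip visible and enforceable. The other `*_fn` helpers may share this shape, but their bodies are outside the hunk. For the TODO, testing the probe pipeline directly with `if ! … ; then` removes the `set +e` / `set -e` toggling, because a command tested by `if` does not trigger errexit.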
@@ -527,6 +551,10 @@ function check_file {
qt_fn
"${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
;;
+ selinux.c)
+ selinux_fn
+ "${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
+ ;;
sqlite3.c)
sqlite3_fn
"${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
diff --git a/test/cfg/selinux.c b/test/cfg/selinux.c
new file mode 100644
index 000000000000..8f4a89587e95
--- /dev/null
+++ b/test/cfg/selinux.c
@@ -0,0 +1,305 @@
+
+// Test library configuration for selinux.cfg
+//
+// Usage:
+// $ cppcheck --check-library --library=selinux --enable=style,information --inconclusive --error-exitcode=1 --disable=missingInclude --inline-suppr test/cfg/selinux.c
+// =>
+// No warnings about bad library configuration, unmatched suppressions, etc. exitcode=0
+//
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+void restorecon(void)
+{
+ // cppcheck-suppress [ignoredReturnValue, nullPointer, invalidFunctionArgBool]
+ selinux_restorecon(NULL, true);
+
+ selinux_restorecon_set_sehandle(NULL);
+
+ // cppcheck-suppress ignoredReturnValue
+ selinux_restorecon_default_handle();
+
+ // cppcheck-suppress [ignoredReturnValue, nullPointer]
+ selinux_restorecon_set_alt_rootpath(NULL);
+
+ // cppcheck-suppress nullPointer
+ selinux_restorecon_set_exclude_list(NULL);
+
+ // cppcheck-suppress ignoredReturnValue
+ selinux_restorecon_get_skipped_errors();
+
+ struct dir_xattr **arg3;
+ // cppcheck-suppress [ignoredReturnValue, nullPointer, invalidFunctionArgBool, uninitvar]
+ selinux_restorecon_xattr(NULL, true, &arg3);
+}
+
+void get_default_type_fail(void)
+{
+ // cppcheck-suppress ignoredReturnValue
+ selinux_default_type_path();
+
+ char *type1;
+ // FIXME: report ignoredReturnValue
+ // cppcheck-suppress [nullPointer]
+ get_default_type(NULL, &type1);
+
+ char **type2;
+ // FIXME: report ignoredReturnValue
+ // cppcheck-suppress [uninitvar]
+ get_default_type("object_r", type2);
+
+ // cppcheck-suppress memleak
+}
+
+void get_default_type_success(void)
+{
+ char *type = NULL;
+ int err = get_default_type("object_r", &type);
+ if (err != 0)
+ return;
+ free(type);
+}
+
+void selabel_fail1(void)
+{
+ // FIXME: do not report constVariablePointer
+ // cppcheck-suppress [unreadVariable, constVariablePointer]
+ struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 1);
+
+ // cppcheck-suppress resourceLeak
+}
+
+void selabel_fail2(void)
+{
+ // FIXME: do not report constVariablePointer
+ // cppcheck-suppress constVariablePointer
+ struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+ char *ctx;
+ selabel_lookup(hnd, &ctx, "/", 0);
+
+ selabel_close(hnd);
+
+ // cppcheck-suppress memleak
+}
+
+void selabel_success(void)
+{
+ // FIXME: do not report constVariablePointer
+ // cppcheck-suppress constVariablePointer
+ struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+ char *ctx;
+ selabel_lookup(hnd, &ctx, "/", 0);
+
+ freecon(ctx);
+
+ (void)selabel_cmp(hnd, hnd);
+
+ selabel_stats(hnd);
+
+ selabel_close(hnd);
+}
+
+void context_fail1(void)
+{
+ // cppcheck-suppress [unreadVariable, nullPointer]
+ context_t con = context_new(NULL);
+
+ // cppcheck-suppress memleak
+}
+
+void context_fail2(void)
+{
+ // cppcheck-suppress unreadVariable
+ context_t con = context_new("kernel");
+
+ // cppcheck-suppress memleak
+}
+
+void context_success(void)
+{
+ context_t con = context_new("system_u:system_r:kernel_t:s0");
+
+ printf("%s: %s %s %s %s\n", context_str(con),
+ context_type_get(con), context_range_get(con),
+ context_role_get(con), context_user_get(con));
+
+ (void)context_type_set(con, "init_t");
+
+ context_free(con);
+}
+
+void get_ordered_context_list_fail1(void)
+{
+ char **ret;
+ // cppcheck-suppress nullPointer
+ get_ordered_context_list(NULL, NULL, &ret);
+
+ // cppcheck-suppress memleak
+}
+
+void get_ordered_context_list_fail2(void)
+{
+ char **ret;
+ get_ordered_context_list("root", NULL, &ret);
+
+ // cppcheck-suppress mismatchAllocDealloc
+ freecon((void*)ret);
+}
+
+void get_ordered_context_list_success1(void)
+{
+ char **ret;
+ get_ordered_context_list("root", NULL, &ret);
+ freeconary(ret);
+}
+
+void get_default_context_with_rolelevel_fail1(void)
+{
+ char *ctx;
+ // cppcheck-suppress nullPointer
+ get_default_context_with_rolelevel("root", NULL, "s0", "system_u:system_r:init_t:s0", &ctx);
+
+ // cppcheck-suppress memleak
+}
+
+void get_default_context_with_rolelevel_fail2(void)
+{
+ char *ctx;
+ get_default_context_with_rolelevel("root", "sysadm_r", NULL, NULL, &ctx);
+
+ // cppcheck-suppress mismatchAllocDealloc
+ freeconary((void*)ctx);
+}
+
+void get_default_context_with_rolelevel_success1(void)
+{
+ char *ctx;
+ get_default_context_with_rolelevel("root", "sysadm_r", NULL, NULL, &ctx);
+ freecon(ctx);
+}
+
+void selinux_status_fail1(void)
+{
+ // cppcheck-suppress [invalidFunctionArg, ignoredReturnValue]
+ selinux_status_open(-1);
+ // TODO: report leak
+}
+
+void selinux_status_success1(void)
+{
+ (void)selinux_status_open(0);
+ (void)selinux_status_updated();
+ selinux_status_close();
+}
+
+void realpath_not_final_fail1(void)
+{
+ char buf[64];
+ // cppcheck-suppress bufferAccessOutOfBounds
+ (void)realpath_not_final("/root", buf);
+}
+
+void realpath_not_final_success1(void)
+{
+#define PATH_MAX 4096
+ char buf[PATH_MAX + 1];
+ // cppcheck-suppress ignoredReturnValue
+ realpath_not_final("/root", buf);
+}
+
+void selinux_getpolicytype_fail1(void)
+{
+ // cppcheck-suppress nullPointer
+ selinux_getpolicytype(NULL);
+}
+
+void selinux_getpolicytype_fail2(void)
+{
+ char *type;
+ (void)selinux_getpolicytype(&type);
+
+ // cppcheck-suppress memleak
+}
+
+void selinux_check_access_fail1(void)
+{
+ const char *msg = "Hello World!";
+ // cppcheck-suppress [ignoredReturnValue, nullPointer]
+ selinux_check_access("foo", "bar", NULL, "baz", msg);
+}
+
+void selinux_check_access_success1(void)
+{
+ (void)selinux_check_access("kernel", "init", "file", "write", NULL);
+}
+
+void selinux_trans_to_raw_context_fail1(void)
+{
+ // FIXME: report ignoredReturnValue
+ // cppcheck-suppress nullPointer
+ selinux_trans_to_raw_context("kernel", NULL);
+}
+
+void selinux_trans_to_raw_context_fail2(void)
+{
+ char *ctx;
+ // FIXME: report ignoredReturnValue
+ selinux_trans_to_raw_context("kernel", &ctx);
+
+ // cppcheck-suppress memleak
+}
+
+void selinux_trans_to_raw_context_success1(void)
+{
+ char *ctx;
+ (void)selinux_trans_to_raw_context("kernel", &ctx);
+ free(ctx);
+}
+
+void getseuserbyname_fail1(void)
+{
+ char *seuser, *level;
+ // cppcheck-suppress nullPointer
+ getseuserbyname(NULL, &seuser, &level);
+ free(seuser);
+
+ // cppcheck-suppress memleak
+}
+
+void getseuserbyname_fail2(void)
+{
+ char *seuser, *level;
+ getseuserbyname("root", &seuser, &level);
+ free(level);
+
+ // FIXME: report memleak
+}
+
+void getseuserbyname_success1(void)
+{
+ char *seuser, *level;
+ getseuserbyname("root", &seuser, &level);
+ free(seuser);
+ free(level);
+}
+
+void danger1(void)
+{
+ // cppcheck-suppress selinux_reset_configCalled
+ selinux_reset_config();
+}
+
+void danger2(void)
+{
+ // cppcheck-suppress [security_disableCalled, ignoredReturnValue]
+ security_disable();
+}
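Review bot: Several "success" cases free an uninitialised pointer if the library call fails, which makes them poor models of correct use. `selabel_success`, `get_ordered_context_list_success1`, `get_default_context_with_rolelevel_success1`, `selinux_trans_to_raw_context_success1` and `getseuserbyname_success1` all declare the out-pointer uninitialised and ignore the return value before calling `freecon`/`free`/`freeconary`. `get_default_type_success` already shows the safer shape, so the others could follow it, e.g. `char *ctx = NULL;` and `if (selabel_lookup(hnd, &ctx, "/", 0) == 0) freecon(ctx);`; suppressions may need adjusting afterwards. Separately, the `#define PATH_MAX 4096` inside `realpath_not_final_success1` would be safer wrapped in `#ifndef PATH_MAX`, in case an included header already defines it.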