Message ID | 20200310210854.466-4-william.c.roberts@intel.com (mailing list archive) |
---|---|
State | Accepted |
Series | [v2,1/3] libsepol/dso: drop hidden_proto and hidden_def |

On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
>
> From: William Roberts <william.c.roberts@intel.com>
>
> With the old hidden_def and hidden_proto DSO infrastructure removed,
> correctness of the map file becomes paramount, as it is what filters out
> public API. Because of this, the wild cards should not be used, as it
> lets some functions through that should not be made public API. Thus
> remove the wild cards, and sort the list.
>
> Additionally, verify that nothing changed in external symbols as well:
>
> This was checked by generating an old export map (from master):
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
>
> Then creating a new one for this library after this patch is applied:
> nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
>
> And diffing them:
> diff old.map new.map
>
> Signed-off-by: William Roberts <william.c.roberts@intel.com>

Other than the typo in the subject line,
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

This should fix https://github.com/SELinuxProject/selinux/issues/204

On Wed, Mar 11, 2020 at 2:53 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
> >
> > From: William Roberts <william.c.roberts@intel.com>
> >
> > With the old hidden_def and hidden_proto DSO infrastructure removed,
> > correctness of the map file becomes paramount, as it is what filters out
> > public API. Because of this, the wild cards should not be used, as it
> > lets some functions through that should not be made public API. Thus
> > remove the wild cards, and sort the list.
> >
> > Additionally, verify that nothing changed in external symbols as well:
> >
> > This was checked by generating an old export map (from master):
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> >
> > Then creating a new one for this library after this patch is applied:
> > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> >
> > And diffing them:
> > diff old.map new.map
> >
> > Signed-off-by: William Roberts <william.c.roberts@intel.com>
>
> Other than the typo in the subject line,
> Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
>
> This should fix https://github.com/SELinuxProject/selinux/issues/204

and https://github.com/SELinuxProject/selinux/issues/165

I will fix the subject and add the Fixes: #165 to the commit when I
stage them if that's ok?

On Wed, Mar 11, 2020 at 1:53 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Mar 11, 2020 at 2:53 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Tue, Mar 10, 2020 at 5:09 PM <bill.c.roberts@gmail.com> wrote:
> > >
> > > From: William Roberts <william.c.roberts@intel.com>
> > >
> > > With the old hidden_def and hidden_proto DSO infrastructure removed,
> > > correctness of the map file becomes paramount, as it is what filters out
> > > public API. Because of this, the wild cards should not be used, as it
> > > lets some functions through that should not be made public API. Thus
> > > remove the wild cards, and sort the list.
> > >
> > > Additionally, verify that nothing changed in external symbols as well:
> > >
> > > This was checked by generating an old export map (from master):
> > > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map
> > >
> > > Then creating a new one for this library after this patch is applied:
> > > nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map
> > >
> > > And diffing them:
> > > diff old.map new.map
> > >
> > > Signed-off-by: William Roberts <william.c.roberts@intel.com>
> >
> > Other than the typo in the subject line,
> > Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
> >
> > This should fix https://github.com/SELinuxProject/selinux/issues/204
>
> and https://github.com/SELinuxProject/selinux/issues/165

On Thu, Mar 12, 2020 at 9:59 AM William Roberts <bill.c.roberts@gmail.com> wrote:
>
> I will fix the subject and add the Fixes: #165 to the commit when I
> stage them if that's ok?

Fixes both 165 and 204 IIUC because the real underlying issue for both was the
fact that he was building with LTO and it was doing the wrong thing
with hidden_def/hidden_proto.
Otherwise works for me. You can download the series from patchwork or
via get-lore-mbox
to pick up all the Acks automatically.

On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > I will fix the subject and add the Fixes: #165 to the commit when I
> > stage them if that's ok?
>
> Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> fact that he was building with LTO and it was doing the wrong thing
> with hidden_def/hidden_proto.
> Otherwise works for me. You can download the series from patchwork or
> via get-lore-mbox
> to pick up all the Acks automatically.

I have no idea how to do that, I'll have to spend some time and
familiarize myself with it.
For now I just manually added the acks and did the edits we discussed
and rebased on top
of current master. There was a simple conflict in libsepol/src/services.c.

I have them staged here:
https://github.com/SELinuxProject/selinux/pull/207

And since there were some minor edits before they go in, I'll let them
sit a couple
of days for any last objections. I'll merge Monday March 16 end of workday if all
is silent.

On Thu, Mar 12, 2020 at 10:42 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > stage them if that's ok?
> >
> > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > fact that he was building with LTO and it was doing the wrong thing
> > with hidden_def/hidden_proto.
> > Otherwise works for me. You can download the series from patchwork or
> > via get-lore-mbox
> > to pick up all the Acks automatically.
>
> I have no idea how to do that, I'll have to spend some time and
> familiarize myself with it.

You can simply go to
https://patchwork.kernel.org/project/selinux/list/, click on any patch
in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
copy the address of the "series" button/link in the upper right
corner. Then you just do:

    curl <link> | git am

There is certainly a faster way to do it using the Patchwork CLI, but
I never bothered to set that up :)

> For now I just manually added the acks and did the edits we discussed
> and rebased on top
> of current master. There was a simple conflict in libsepol/src/services.c.
>
> I have them staged here:
> https://github.com/SELinuxProject/selinux/pull/207

The CI failed because libsepol/src/services.c still includes "dso.h"
in the rebased commits. You'll need to fix that first.

>
> And since there were some minor edits before they go in, I'll let them
> sit a couple
> of days for any last objections. I'll merge Monday March 16 end of workday if all
> is silent.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.

On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > >
> > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > stage them if that's ok?
> > >
> > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > fact that he was building with LTO and it was doing the wrong thing
> > > with hidden_def/hidden_proto.
> > > Otherwise works for me. You can download the series from patchwork or
> > > via get-lore-mbox
> > > to pick up all the Acks automatically.
> >
> > I have no idea how to do that, I'll have to spend some time and
> > familiarize myself with it.
>
> You can simply go to
> https://patchwork.kernel.org/project/selinux/list/, click on any patch
> in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> copy the address of the "series" button/link in the upper right
> corner. Then you just do:
>
> curl <link> | git am
>
> There is certainly a faster way to do it using the Patchwork CLI, but
> I never bothered to set that up :)

Thanks, I'll have to try that next time!

>
> > For now I just manually added the acks and did the edits we discussed
> > and rebased on top
> > of current master. There was a simple conflict in libsepol/src/services.c.
> >
> > I have them staged here:
> > https://github.com/SELinuxProject/selinux/pull/207
>
> The CI failed because libsepol/src/services.c still includes "dso.h"
> in the rebased commits. You'll need to fix that first.

I'm sitting here thinking, "I built and ran the tests, how?" Looking
at bash history,
for libselinux, not libsepol!

>
> >
> > And since there were some minor edits before they go in, I'll let them
> > sit a couple
> > of days for any last objections. I'll merge Monday March 16 end of workday if all
> > is silent.
>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>

On Fri, Mar 13, 2020 at 3:23 PM William Roberts <bill.c.roberts@gmail.com> wrote:
> On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > > <stephen.smalley.work@gmail.com> wrote:
> > > >
> > > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > > <bill.c.roberts@gmail.com> wrote:
> > > > >
> > > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > > stage them if that's ok?
> > > >
> > > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > > fact that he was building with LTO and it was doing the wrong thing
> > > > with hidden_def/hidden_proto.
> > > > Otherwise works for me. You can download the series from patchwork or
> > > > via get-lore-mbox
> > > > to pick up all the Acks automatically.
> > >
> > > I have no idea how to do that, I'll have to spend some time and
> > > familiarize myself with it.
> >
> > You can simply go to
> > https://patchwork.kernel.org/project/selinux/list/, click on any patch
> > in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> > copy the address of the "series" button/link in the upper right
> > corner. Then you just do:
> >
> > curl <link> | git am
> >
> > There is certainly a faster way to do it using the Patchwork CLI, but
> > I never bothered to set that up :)
>
> Thanks, I'll have to try that next time!
>
> >
> > > For now I just manually added the acks and did the edits we discussed
> > > and rebased on top
> > > of current master. There was a simple conflict in libsepol/src/services.c.
> > >
> > > I have them staged here:
> > > https://github.com/SELinuxProject/selinux/pull/207
> >
> > The CI failed because libsepol/src/services.c still includes "dso.h"
> > in the rebased commits. You'll need to fix that first.
>
> I'm sitting here thinking, "I built and ran the tests, how?" Looking
> at bash history,
> for libselinux, not libsepol!

No worries, fortunately we have CI to cover our backs :)

Anyway, I just noticed that there is still a typo in the last commit's
title ("libespol").

On Fri, Mar 13, 2020 at 9:41 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Fri, Mar 13, 2020 at 3:23 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> > On Fri, Mar 13, 2020 at 6:03 AM Ondrej Mosnacek <omosnace@redhat.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 10:42 PM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > > > <stephen.smalley.work@gmail.com> wrote:
> > > > >
> > > > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > > > <bill.c.roberts@gmail.com> wrote:
> > > > > >
> > > > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > > > stage them if that's ok?
> > > > >
> > > > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > > > fact that he was building with LTO and it was doing the wrong thing
> > > > > with hidden_def/hidden_proto.
> > > > > Otherwise works for me. You can download the series from patchwork or
> > > > > via get-lore-mbox
> > > > > to pick up all the Acks automatically.
> > > >
> > > > I have no idea how to do that, I'll have to spend some time and
> > > > familiarize myself with it.
> > >
> > > You can simply go to
> > > https://patchwork.kernel.org/project/selinux/list/, click on any patch
> > > in the series (e.g. https://patchwork.kernel.org/patch/11430261/) and
> > > copy the address of the "series" button/link in the upper right
> > > corner. Then you just do:
> > >
> > > curl <link> | git am
> > >
> > > There is certainly a faster way to do it using the Patchwork CLI, but
> > > I never bothered to set that up :)
> >
> > Thanks, I'll have to try that next time!
> >
> > >
> > > > For now I just manually added the acks and did the edits we discussed
> > > > and rebased on top
> > > > of current master. There was a simple conflict in libsepol/src/services.c.
> > > >
> > > > I have them staged here:
> > > > https://github.com/SELinuxProject/selinux/pull/207
> > >
> > > The CI failed because libsepol/src/services.c still includes "dso.h"
> > > in the rebased commits. You'll need to fix that first.
> >
> > I'm sitting here thinking, "I built and ran the tests, how?" Looking
> > at bash history,
> > for libselinux, not libsepol!
>
> No worries, fortunately we have CI to cover our backs :)

Why I love CI, free checking.

>
> Anyway, I just noticed that there is still a typo in the last commit's
> title ("libespol").

Agghhh, kill me now! Updated.

>
> --
> Ondrej Mosnacek <omosnace at redhat dot com>
> Software Engineer, Security Technologies
> Red Hat, Inc.
>

On Thu, Mar 12, 2020 at 5:42 PM William Roberts <bill.c.roberts@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> <stephen.smalley.work@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > <bill.c.roberts@gmail.com> wrote:
> > >
> > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > stage them if that's ok?
> >
> > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > fact that he was building with LTO and it was doing the wrong thing
> > with hidden_def/hidden_proto.
> > Otherwise works for me. You can download the series from patchwork or
> > via get-lore-mbox
> > to pick up all the Acks automatically.
>
> I have no idea how to do that, I'll have to spend some time and
> familiarize myself with it.
> For now I just manually added the acks and did the edits we discussed
> and rebased on top
> of current master. There was a simple conflict in libsepol/src/services.c.
>
> I have them staged here:
> https://github.com/SELinuxProject/selinux/pull/207
>
> And since there were some minor edits before they go in, I'll let them
> sit a couple
> of days for any last objections. I'll merge Monday March 16 end of workday if all
> is silent.

I merged this pull request.

FYI: Looks like I missed a dso.h in cil.c:
https://github.com/SELinuxProject/selinux/blob/master/libsepol/cil/src/cil.c#L53

Doesn't seem to be breaking anything, I'll submit a patch to the mailing list.

On Tue, Mar 17, 2020 at 12:46 PM Stephen Smalley <stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Mar 12, 2020 at 5:42 PM William Roberts
> <bill.c.roberts@gmail.com> wrote:
> >
> > On Thu, Mar 12, 2020 at 3:21 PM Stephen Smalley
> > <stephen.smalley.work@gmail.com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 9:59 AM William Roberts
> > > <bill.c.roberts@gmail.com> wrote:
> > > >
> > > > I will fix the subject and add the Fixes: #165 to the commit when I
> > > > stage them if that's ok?
> > >
> > > Fixes both 165 and 204 IIUC because the real underlying issue for both was the
> > > fact that he was building with LTO and it was doing the wrong thing
> > > with hidden_def/hidden_proto.
> > > Otherwise works for me. You can download the series from patchwork or
> > > via get-lore-mbox
> > > to pick up all the Acks automatically.
> >
> > I have no idea how to do that, I'll have to spend some time and
> > familiarize myself with it.
> > For now I just manually added the acks and did the edits we discussed
> > and rebased on top
> > of current master. There was a simple conflict in libsepol/src/services.c.
> >
> > I have them staged here:
> > https://github.com/SELinuxProject/selinux/pull/207
> >
> > And since there were some minor edits before they go in, I'll let them
> > sit a couple
> > of days for any last objections. I'll merge Monday March 16 end of workday if all
> > is silent.
>
> I merged this pull request.
diff old.map new.map Signed-off-by: William Roberts <william.c.roberts@intel.com> --- libsepol/src/libsepol.map.in | 275 +++++++++++++++++++++++++++++++---- 1 file changed, 245 insertions(+), 30 deletions(-) diff --git a/libsepol/src/libsepol.map.in b/libsepol/src/libsepol.map.in index f4946a79cae7..f08c2a861693 100644 --- a/libsepol/src/libsepol.map.in +++ b/libsepol/src/libsepol.map.in 
@@ -1,39 +1,254 @@ LIBSEPOL_1.0 { - global: - expand_module_avrules; - sepol_module_package_*; sepol_link_modules; sepol_expand_module; sepol_link_packages; - sepol_bool_*; sepol_genbools*; - sepol_context_*; sepol_mls_*; sepol_check_context; - sepol_iface_*; - sepol_port_*; - sepol_ibpkey_*; - sepol_ibendport_*; - sepol_node_*; - sepol_user_*; sepol_genusers; sepol_set_delusers; - sepol_msg_*; sepol_debug; - sepol_handle_*; - sepol_policydb_*; sepol_set_policydb_from_file; - sepol_policy_kern_*; - sepol_policy_file_*; - sepol_get_disable_dontaudit; - sepol_set_disable_dontaudit; - sepol_set_expand_consume_base; - sepol_get_preserve_tunables; sepol_set_preserve_tunables; + global: + cil_add_file; + cil_build_policydb; + cil_compile; + cil_db_destroy; cil_db_init; + cil_filecons_to_string; + cil_selinuxusers_to_string; cil_set_disable_dontaudit; cil_set_disable_neverallow; - cil_set_preserve_tunables; cil_set_handle_unknown; - cil_db_destroy; - cil_add_file; - cil_compile; - cil_build_policydb; - cil_userprefixes_to_string; - cil_selinuxusers_to_string; - cil_filecons_to_string; - cil_set_log_level; cil_set_log_handler; - cil_set_malloc_error_handler; + cil_set_log_level; + cil_set_preserve_tunables; + cil_userprefixes_to_string; + expand_module_avrules; + sepol_bool_clone; + sepol_bool_compare; + sepol_bool_compare2; + sepol_bool_count; + sepol_bool_create; + sepol_bool_exists; + sepol_bool_free; + sepol_bool_get_name; + sepol_bool_get_value; + sepol_bool_iterate; + sepol_bool_key_create; + sepol_bool_key_extract; + sepol_bool_key_free; + sepol_bool_key_unpack; + sepol_bool_query; + sepol_bool_set; + sepol_bool_set_name; + sepol_bool_set_value; + sepol_check_context; + sepol_context_check; + sepol_context_clone; + sepol_context_create; + sepol_context_free; + sepol_context_from_string; + sepol_context_get_mls; + sepol_context_get_role; + sepol_context_get_type; + sepol_context_get_user; + sepol_context_set_mls; + sepol_context_set_role; + sepol_context_set_type; + 
sepol_context_set_user; + sepol_context_to_string; + sepol_debug; + sepol_expand_module; + sepol_genbools; + sepol_genbools_array; + sepol_genusers; + sepol_get_disable_dontaudit; + sepol_get_preserve_tunables; + sepol_handle_create; + sepol_handle_destroy; + sepol_ibendport_alloc_ibdev_name; + sepol_ibendport_clone; + sepol_ibendport_compare; + sepol_ibendport_compare2; + sepol_ibendport_count; + sepol_ibendport_create; + sepol_ibendport_exists; + sepol_ibendport_free; + sepol_ibendport_get_con; + sepol_ibendport_get_ibdev_name; + sepol_ibendport_get_port; + sepol_ibendport_iterate; + sepol_ibendport_key_create; + sepol_ibendport_key_extract; + sepol_ibendport_key_free; + sepol_ibendport_key_unpack; + sepol_ibendport_modify; + sepol_ibendport_query; + sepol_ibendport_set_con; + sepol_ibendport_set_ibdev_name; + sepol_ibendport_set_port; + sepol_ibpkey_clone; + sepol_ibpkey_compare; + sepol_ibpkey_compare2; + sepol_ibpkey_count; + sepol_ibpkey_create; + sepol_ibpkey_exists; + sepol_ibpkey_free; + sepol_ibpkey_get_con; + sepol_ibpkey_get_high; + sepol_ibpkey_get_low; + sepol_ibpkey_get_subnet_prefix; + sepol_ibpkey_get_subnet_prefix_bytes; + sepol_ibpkey_iterate; + sepol_ibpkey_key_create; + sepol_ibpkey_key_extract; + sepol_ibpkey_key_free; + sepol_ibpkey_key_unpack; + sepol_ibpkey_modify; + sepol_ibpkey_query; + sepol_ibpkey_set_con; + sepol_ibpkey_set_pkey; + sepol_ibpkey_set_range; + sepol_ibpkey_set_subnet_prefix; + sepol_ibpkey_set_subnet_prefix_bytes; + sepol_iface_clone; + sepol_iface_compare; + sepol_iface_compare2; + sepol_iface_count; + sepol_iface_create; + sepol_iface_exists; + sepol_iface_free; + sepol_iface_get_ifcon; + sepol_iface_get_msgcon; + sepol_iface_get_name; + sepol_iface_iterate; + sepol_iface_key_create; + sepol_iface_key_extract; + sepol_iface_key_free; + sepol_iface_key_unpack; + sepol_iface_modify; + sepol_iface_query; + sepol_iface_set_ifcon; + sepol_iface_set_msgcon; + sepol_iface_set_name; + sepol_link_modules; + sepol_link_packages; 
+ sepol_mls_check; + sepol_mls_contains; + sepol_module_package_create; + sepol_module_package_free; + sepol_module_package_get_file_contexts; + sepol_module_package_get_file_contexts_len; + sepol_module_package_get_netfilter_contexts; + sepol_module_package_get_netfilter_contexts_len; + sepol_module_package_get_policy; + sepol_module_package_get_seusers; + sepol_module_package_get_seusers_len; + sepol_module_package_get_user_extra; + sepol_module_package_get_user_extra_len; + sepol_module_package_info; + sepol_module_package_read; + sepol_module_package_set_file_contexts; + sepol_module_package_set_netfilter_contexts; + sepol_module_package_set_seusers; + sepol_module_package_set_user_extra; + sepol_module_package_write; + sepol_msg_get_channel; + sepol_msg_get_fname; + sepol_msg_get_level; + sepol_msg_set_callback; + sepol_node_clone; + sepol_node_compare; + sepol_node_compare2; + sepol_node_count; + sepol_node_create; + sepol_node_exists; + sepol_node_free; + sepol_node_get_addr; + sepol_node_get_addr_bytes; + sepol_node_get_con; + sepol_node_get_mask; + sepol_node_get_mask_bytes; + sepol_node_get_proto; + sepol_node_get_proto_str; + sepol_node_iterate; + sepol_node_key_create; + sepol_node_key_extract; + sepol_node_key_free; + sepol_node_key_unpack; + sepol_node_modify; + sepol_node_query; + sepol_node_set_addr; + sepol_node_set_addr_bytes; + sepol_node_set_con; + sepol_node_set_mask; + sepol_node_set_mask_bytes; + sepol_node_set_proto; + sepol_policydb_compat_net; + sepol_policydb_create; + sepol_policydb_free; + sepol_policydb_from_image; + sepol_policydb_mls_enabled; + sepol_policydb_read; + sepol_policydb_set_handle_unknown; + sepol_policydb_set_target_platform; + sepol_policydb_set_typevers; + sepol_policydb_set_vers; + sepol_policydb_to_image; + sepol_policydb_write; + sepol_policy_file_create; + sepol_policy_file_free; + sepol_policy_file_get_len; + sepol_policy_file_set_fp; + sepol_policy_file_set_handle; + sepol_policy_file_set_mem; + 
sepol_policy_kern_vers_max; + sepol_policy_kern_vers_min; + sepol_port_clone; + sepol_port_compare; + sepol_port_compare2; + sepol_port_count; + sepol_port_create; + sepol_port_exists; + sepol_port_free; + sepol_port_get_con; + sepol_port_get_high; + sepol_port_get_low; + sepol_port_get_proto; + sepol_port_get_proto_str; + sepol_port_iterate; + sepol_port_key_create; + sepol_port_key_extract; + sepol_port_key_free; + sepol_port_key_unpack; + sepol_port_modify; + sepol_port_query; + sepol_port_set_con; + sepol_port_set_port; + sepol_port_set_proto; + sepol_port_set_range; + sepol_set_delusers; + sepol_set_disable_dontaudit; + sepol_set_expand_consume_base; + sepol_set_policydb_from_file; + sepol_set_preserve_tunables; + sepol_user_add_role; + sepol_user_clone; + sepol_user_compare; + sepol_user_compare2; + sepol_user_count; + sepol_user_create; + sepol_user_del_role; + sepol_user_exists; + sepol_user_free; + sepol_user_get_mlslevel; + sepol_user_get_mlsrange; + sepol_user_get_name; + sepol_user_get_num_roles; + sepol_user_get_roles; + sepol_user_has_role; + sepol_user_iterate; + sepol_user_key_create; + sepol_user_key_extract; + sepol_user_key_free; + sepol_user_key_unpack; + sepol_user_modify; + sepol_user_query; + sepol_user_set_mlslevel; + sepol_user_set_mlsrange; + sepol_user_set_name; + sepol_user_set_roles; local: *; };
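
Review bot: cil_set_malloc_error_handler is removed from the global: list (last entry of the old cil_* block) and does not reappear anywhere in the new explicit list, while the other literal entries that are removed come back in sorted position. The commit message only mentions dropping wildcards and sorting, so please say in the message why this one entry goes away, or restore it; if the reason is that the library defines no such symbol, that would also explain why the nm comparison shows no difference. A smaller point on the sorting: the new list puts the sepol_policydb_* names before sepol_policy_file_* and sepol_policy_kern_*, which is not byte order ('_' sorts before 'd' in the C locale), so generating the list with LC_ALL=C sort would keep the ordering reproducible when entries are added later.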

From: William Roberts <william.c.roberts@intel.com>

With the old hidden_def and hidden_proto DSO infrastructure removed,
correctness of the map file becomes paramount, as it is what filters out
public API. Because of this, the wild cards should not be used, as it
lets some functions through that should not be made public API. Thus
remove the wild cards, and sort the list.

Additionally, verify that nothing changed in external symbols as well:

This was checked by generating an old export map (from master):
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > old.map

Then creating a new one for this library after this patch is applied:
nm --defined-only -g ./src/libsepol.so | cut -d' ' -f 3-3 | grep -v '^_' > new.map

And diffing them:
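
The concern in the commit message, that a wildcard under global: exports whatever name happens to match, can be checked mechanically. The script below is an added example, not part of the patch or of libsepol: the two map files are constructed samples, and sepol_bool_internal_helper and internal_only_helper are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the libsepol tree): audit a GNU ld version script.
# Assumes the script has no comments and writes labels as "global:"/"local:".

# Print every entry listed under "global:" in version script $1, sorted.
map_globals() {
    sed 's/[{};]/ & /g' "$1" | tr -s ' \t' '\n\n' | awk '
        $0 == "{"             { mode = "global"; next }  # unlabeled entries are global
        $0 == "}"             { mode = ""; next }
        $0 == "global:"       { mode = "global"; next }
        $0 == "local:"        { mode = "local"; next }
        $0 == ";" || $0 == "" { next }
        mode == "global"      { print }
    ' | LC_ALL=C sort -u
}

# Entries that are glob patterns rather than exact symbol names.
map_wildcards() {
    map_globals "$1" | grep '[*?[]' || true
}

# Succeed if name $1 matches any glob pattern listed in file $2.
matches_any() {
    while IFS= read -r pat; do
        case "$1" in $pat) return 0 ;; esac
    done < "$2"
    return 1
}

# Names in list $3 that wildcard map $1 would export but explicit map $2 omits.
wildcard_leaks() {
    _old=$(mktemp) _new=$(mktemp)
    map_globals "$1" > "$_old"
    map_globals "$2" > "$_new"
    while IFS= read -r sym; do
        if matches_any "$sym" "$_old" && ! grep -qxF -- "$sym" "$_new"; then
            printf '%s\n' "$sym"
        fi
    done < "$3"
    rm -f "$_old" "$_new"
}

# Constructed sample input, written into directory $1.
# The two *_helper names are hypothetical non-static functions.
make_samples() {
    cat > "$1/old.map" <<'EOF'
LIBSEPOL_1.0 {
  global:
    sepol_bool_*;
    sepol_check_context;
  local:
    *;
};
EOF
    cat > "$1/new.map" <<'EOF'
LIBSEPOL_1.0 {
  global:
    sepol_bool_count;
    sepol_bool_query;
    sepol_check_context;
  local:
    *;
};
EOF
    printf '%s\n' sepol_bool_count sepol_bool_internal_helper \
        sepol_bool_query sepol_check_context internal_only_helper \
        > "$1/defined.txt"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "wildcards in old.map:"
map_wildcards "$tmp/old.map"
echo "exported only because of a wildcard:"
wildcard_leaks "$tmp/old.map" "$tmp/new.map" "$tmp/defined.txt"
rm -rf "$tmp"
```

On a real tree the candidate list would be the global symbols defined in the library's object files, and an empty result from map_wildcards on the map file makes a simple CI gate.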