From 90e234baa3d751d974b9d3cb70af118f5c6def8c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Tue, 8 Sep 2015 15:56:46 -0700
Subject: [PATCH] Import libselinux and fix setexeccon() bug

setexeccon() was broken in a way that broke systemd-nspawn. Backport
fec839cf17ba3e9cc9fc5e4382b00c61aee91c80 from upstream to fix that.
---
 .../sys-libs/libselinux/ChangeLog             | 648 ++++++++++++++++++
 .../sys-libs/libselinux/Manifest              |  35 +
 ...005-use-ruby-include-with-rubylibver.patch |  12 +
 .../0006-build-related-fixes-bug-500674.patch |  67 ++
 .../files/0007-fix-setexeccon-on-exec.patch   | 103 +++
 .../sys-libs/libselinux/libselinux-2.4.ebuild | 143 ++++
 .../libselinux/libselinux-9999.ebuild         | 153 +++++
 .../sys-libs/libselinux/metadata.xml          |  13 +
 8 files changed, 1174 insertions(+)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/ChangeLog
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0005-use-ruby-include-with-rubylibver.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0006-build-related-fixes-bug-500674.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0007-fix-setexeccon-on-exec.patch
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-2.4.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild
 create mode 100644 sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml

diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/ChangeLog b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/ChangeLog
new file mode 100644
index 0000000000..87e582fa09
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/ChangeLog
@@ -0,0 +1,648 @@
+# ChangeLog for sys-libs/libselinux
+# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/libselinux/ChangeLog,v 1.144 2015/06/09 15:35:39 swift Exp $
+
+*libselinux-9999 (09 Jun 2015)
+
+  09 Jun 2015; Sven Vermeulen <swift@gentoo.org> +libselinux-9999.ebuild:
+  Adding libselinux-9999 to better support upstream integrations
+
+  10 May 2015; Jason Zaman <perfinion@gentoo.org> libselinux-2.4.ebuild:
+  stabilize selinux 2.4 userland
+
+  18 Apr 2015; Jason Zaman <perfinion@gentoo.org> -libselinux-2.3-r1.ebuild,
+  -libselinux-2.4_rc6.ebuild, -libselinux-2.4_rc7.ebuild:
+  Drop old RCs
+
+  08 Apr 2015; Michał Górny <mgorny@gentoo.org> libselinux-2.2.2-r5.ebuild,
+  libselinux-2.3-r1.ebuild, libselinux-2.3-r2.ebuild, libselinux-2.4.ebuild,
+  libselinux-2.4_rc6.ebuild, libselinux-2.4_rc7.ebuild:
+  Drop old Python implementations
+
+  04 Mar 2015; Sven Vermeulen <swift@gentoo.org> libselinux-2.4.ebuild:
+  Fix build failure on x32 (bug #541618)
+
+*libselinux-2.4 (04 Feb 2015)
+
+  04 Feb 2015; Jason Zaman <perfinion@gentoo.org> +libselinux-2.4.ebuild:
+  Version bump
+
+  26 Jan 2015; Agostino Sarubbo <ago@gentoo.org> libselinux-2.3-r2.ebuild:
+  Stable for x86, wrt bug #535682
+
+  22 Jan 2015; Agostino Sarubbo <ago@gentoo.org> libselinux-2.3-r2.ebuild:
+  Stable for amd64, wrt bug #535682
+
+*libselinux-2.4_rc7 (06 Dec 2014)
+
+  06 Dec 2014; Jason Zaman <perfinion@gentoo.org> +libselinux-2.4_rc7.ebuild,
+  -libselinux-2.4_rc2.ebuild, -libselinux-2.4_rc5.ebuild:
+  version bump and ebuild clean up, drop old RC
+
+*libselinux-2.3-r2 (04 Dec 2014)
+
+  04 Dec 2014; Jason Zaman <perfinion@gentoo.org> +libselinux-2.3-r2.ebuild,
+  libselinux-2.4_rc6.ebuild:
+  Call python_optimize, bug 531638
+
+*libselinux-2.4_rc6 (14 Nov 2014)
+
+  14 Nov 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.4_rc6.ebuild:
+  Bump to rc6, add python3_4 to PYTHON_COMPAT (fixes bug 529176); rc6 also fixes
+  unconfined issue when USE=-unconfined is set
+
+*libselinux-2.4_rc5 (29 Oct 2014)
+
+  29 Oct 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.4_rc5.ebuild,
+  -libselinux-2.4_rc4.ebuild:
+  Bump to 2.4_rc5
+
+*libselinux-2.4_rc4 (07 Oct 2014)
+
+  07 Oct 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.4_rc4.ebuild:
+  Bump to 2.4-rc4
+
+*libselinux-2.4_rc2 (21 Sep 2014)
+
+  21 Sep 2014; Sven Vermeulen <swift@gentoo.org>
+  +files/0005-use-ruby-include-with-rubylibver.patch,
+  +files/0006-build-related-fixes-bug-500674.patch, +libselinux-2.4_rc2.ebuild,
+  libselinux-2.3-r1.ebuild:
+  Noved to github; also add in masked 2.4 series
+
+  16 Sep 2014; Brian Dolbec <dolsen@gentoo.org> libselinux-2.3-r1.ebuild:
+  Add python-3.4 target, needed for dep of portage. Tested and 
+  confirmed working by perfinion.
+
+  05 Aug 2014; Sven Vermeulen <swift@gentoo.org> -libselinux-2.2.2-r4.ebuild,
+  -libselinux-2.3.ebuild, -libselinux-2.3_rc1-r1.ebuild,
+  -libselinux-2.3_rc1.ebuild:
+  Remove obsoleted ebuilds
+
+  30 Jul 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.3-r1.ebuild:
+  Fix bug #514194 - Stabilization of SELinux userspace 2.3
+
+  14 Jul 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.2-r5.ebuild:
+  Stabilize (fix segfault with setfiles)
+
+  09 Jul 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.2-r5.ebuild:
+  Fix bug #516608 - Backport pcre version fix from libselinux-2.3
+
+*libselinux-2.3-r1 (09 Jul 2014)
+
+  09 Jul 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.3-r1.ebuild:
+  Fix bug #516608 (segfault with setfiles)
+
+  18 Jun 2014; Michał Górny <mgorny@gentoo.org> libselinux-2.3.ebuild:
+  Update dependencies to require guaranteed EAPI=5 or multilib ebuilds, bug
+  #513718.
+
+  07 Jun 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.3.ebuild:
+  Update libpcre and libsepol deps to include MULTILIB_USEDEP
+
+  10 May 2014; Sven Vermeulen <swift@gentoo.org>
+  -files/libselinux-2.1.9-mountsys.patch,
+  -files/libselinux-2.1.9-support_ruby19.patch,
+  -files/libselinux-2.1.12-mountsys.patch:
+  Removing unused patches in files dir
+
+  10 May 2014; Sven Vermeulen <swift@gentoo.org> -libselinux-2.1.13-r1.ebuild,
+  -libselinux-2.1.13-r2.ebuild, -libselinux-2.1.13-r3.ebuild,
+  -libselinux-2.1.13-r4.ebuild, -libselinux-2.2-r1.ebuild,
+  -libselinux-2.2.1-r1.ebuild, -libselinux-2.2.2-r1.ebuild,
+  -libselinux-2.2.2-r2.ebuild:
+  Spring cleanup
+
+*libselinux-2.3 (09 May 2014)
+
+  09 May 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.3.ebuild:
+  Bump to 2.3
+
+  30 Apr 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.2-r5.ebuild:
+  Fix bug #509004 by stabilizing r5 (enable ruby bindings)
+
+*libselinux-2.2.2-r5 (29 Apr 2014)
+*libselinux-2.3_rc1-r1 (29 Apr 2014)
+
+  29 Apr 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2.2-r5.ebuild,
+  +libselinux-2.3_rc1-r1.ebuild:
+  Add USE=ruby support, now without ruby-ng eclass calls, fixes bug #509004
+
+*libselinux-2.3_rc1 (28 Apr 2014)
+
+  28 Apr 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.3_rc1.ebuild:
+  2.3-rc1 release
+
+  21 Apr 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.2-r4.ebuild:
+  Stabilize 2.2.2-r4
+
+  23 Mar 2014; Sven Vermeulen <swift@gentoo.org> -libselinux-2.2.2-r3.ebuild,
+  -files/libselinux-2.2.2-build.patch:
+  Dropping incorrect builds
+
+*libselinux-2.2.2-r4 (23 Mar 2014)
+
+  23 Mar 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2.2-r4.ebuild:
+  Fix bug #504832 - audit2why.so failures due to dynamic linking
+
+*libselinux-2.2.2-r3 (08 Mar 2014)
+
+  08 Mar 2014; Mike Frysinger <vapier@gentoo.org>
+  +files/libselinux-2.2.2-build.patch, +libselinux-2.2.2-r3.ebuild:
+  Clean up linking behavior #500674 by SpanKY.
+
+  04 Mar 2014; Samuli Suominen <ssuominen@gentoo.org>
+  libselinux-2.2.2-r2.ebuild:
+  Fix installation of python site-packages w/ multilib-strict by passing LIBDIR
+  to "make install" phase wrt #502954
+
+*libselinux-2.2.2-r2 (04 Mar 2014)
+
+  04 Mar 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2.2-r2.ebuild:
+  Fix bug #502544 - Honor multilib dir in pkgconfig file
+
+*libselinux-2.2.2-r1 (02 Feb 2014)
+
+  02 Feb 2014; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2.2-r1.ebuild:
+  Fix bug #480960 (multilib support). Drop ruby eclass as it messes with
+  defaults and I do not understand it. Bump to 2.2.2 release
+
+  02 Feb 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.1-r1.ebuild:
+  Support python 3.3, see bug 499604
+
+  02 Feb 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2.1-r1.ebuild:
+  Stabilize for amd64 and x86
+
+  20 Jan 2014; Sven Vermeulen <swift@gentoo.org> libselinux-2.2-r1.ebuild:
+  Stabilize for x86 and amd64
+
+  23 Dec 2013; Sven Vermeulen <swift@gentoo.org> -libselinux-2.1.12.ebuild,
+  -libselinux-2.1.12-r1.ebuild, -libselinux-2.1.12-r2.ebuild,
+  -libselinux-2.1.12-r3.ebuild:
+  Cleaning old version
+
+*libselinux-2.2.1-r1 (10 Dec 2013)
+
+  10 Dec 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2.1-r1.ebuild:
+  Adding 2.2.1 release
+
+*libselinux-2.2-r1 (04 Nov 2013)
+
+  04 Nov 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.2-r1.ebuild:
+  New libselinux release
+
+  27 Oct 2013; Sven Vermeulen <swift@gentoo.org> libselinux-2.1.13-r4.ebuild:
+  Fix bug 488102 - Only call ruby-ng pkg_setup if USE=ruby is set
+
+  05 Sep 2013; Michał Górny <mgorny@gentoo.org> libselinux-2.1.13-r4.ebuild:
+  Clean up PYTHON_COMPAT from old implementations.
+
+  20 Aug 2013; Sven Vermeulen <swift@gentoo.org> libselinux-2.1.13-r4.ebuild:
+  Stabilize, the issue with file_contexts.local is important to get in stable
+
+  10 Aug 2013; Sven Vermeulen <swift@gentoo.org> libselinux-2.1.13-r4.ebuild:
+  Create (parent) directories for local file
+
+*libselinux-2.1.13-r4 (28 Jul 2013)
+
+  28 Jul 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.1.13-r4.ebuild:
+  Migrate to python-r1, fix bug #473502
+
+  07 Jul 2013; Sven Vermeulen <swift@gentoo.org> -libselinux-2.1.9.ebuild,
+  -libselinux-2.1.9-r1.ebuild, -libselinux-2.1.9-r2.ebuild,
+  -libselinux-2.1.9-r3.ebuild:
+  Summer cleaning
+
+*libselinux-2.1.13-r3 (23 Jun 2013)
+
+  23 Jun 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.1.13-r3.ebuild:
+  Fix bug 473714 (add libpthread in Libs)
+
+  16 Jun 2013; Sven Vermeulen <swift@gentoo.org> libselinux-2.1.13-r2.ebuild:
+  Stabilization
+
+*libselinux-2.1.13-r2 (25 Apr 2013)
+
+  25 Apr 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.1.13-r1.ebuild,
+  +libselinux-2.1.13-r2.ebuild:
+  Fix bug #467258 - add selinux_current_policy_path
+
+*libselinux-2.1.13-r1 (25 Apr 2013)
+
+  25 Apr 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.1.13-r1.ebuild:
+  New upstream release
+
+  16 Apr 2013; Sven Vermeulen <swift@gentoo.org> libselinux-2.1.12-r3.ebuild:
+  Stabilize libselinux-2.1.12-r3
+
+*libselinux-2.1.12-r3 (29 Mar 2013)
+
+  29 Mar 2013; Sven Vermeulen <swift@gentoo.org> +libselinux-2.1.12-r3.ebuild:
+  Fix error return codes (bug #462626) and Python3 failure if built with swig-1
+  (bug #463410)
+
+  30 Dec 2012; Sven Vermeulen libselinux-2.1.12-r2.ebuild:
+  Stabilize
+
+*libselinux-2.1.12-r2 (03 Dec 2012)
+
+  03 Dec 2012; <swift@gentoo.org> +libselinux-2.1.12-r2.ebuild:
+  Fix bugs #444372 and #443928
+
+  17 Nov 2012; <swift@gentoo.org> libselinux-2.1.12-r1.ebuild:
+  Stabilize
+
+  17 Nov 2012; <swift@gentoo.org> libselinux-2.1.9-r3.ebuild:
+  Stabilize
+
+*libselinux-2.1.12-r1 (29 Oct 2012)
+
+  29 Oct 2012; <swift@gentoo.org> +libselinux-2.1.12-r1.ebuild:
+  Adding support for static-libs and RDEPEND on libpcre[static-libs] when
+  needed. See bug #436752. Also updates patching method and adds
+  Requires.private towards libpcre.
+
+  13 Oct 2012; <swift@gentoo.org> libselinux-2.1.12.ebuild:
+  Supporting user-provided patches using epatch_user
+
+*libselinux-2.1.12 (09 Oct 2012)
+*libselinux-2.1.9-r3 (09 Oct 2012)
+
+  09 Oct 2012; <swift@gentoo.org> +libselinux-2.1.9-r3.ebuild,
+  +files/libselinux-2.1.9-support_ruby19.patch, +libselinux-2.1.12.ebuild,
+  +files/libselinux-2.1.12-mountsys.patch:
+  Introducing upstream version and fix for ruby19
+
+  06 Oct 2012; <swift@gentoo.org> libselinux-2.1.9-r2.ebuild:
+  Stabilize
+
+  03 Oct 2012; Mike Frysinger <vapier@gentoo.org> libselinux-2.1.9-r2.ebuild:
+  Fix /usr/lib handling in utils subdir too.
+
+*libselinux-2.1.9-r2 (08 Sep 2012)
+
+  08 Sep 2012; <swift@gentoo.org> +libselinux-2.1.9-r2.ebuild:
+  Fix bugs #429456 and #417303
+
+  06 Aug 2012; Patrick Lauer <patrick@gentoo.org> libselinux-2.1.9-r1.ebuild:
+  Restricting python ABIs that don't work
+
+  10 Jul 2012; <swift@gentoo.org> libselinux-2.1.9-r1.ebuild:
+  Stabilization
+
+  26 Jun 2012; Mike Gilbert <floppym@gentoo.org> libselinux-2.1.9-r1.ebuild,
+  libselinux-2.1.9.ebuild:
+  Restrict pypy per Arfrever.
+
+  13 May 2012; <swift@gentoo.org> -libselinux-2.1.0.ebuild:
+  Removing obsoleted ebuild
+
+*libselinux-2.1.9-r1 (13 May 2012)
+
+  13 May 2012; <swift@gentoo.org> +libselinux-2.1.9-r1.ebuild,
+  +files/libselinux-2.1.9-mountsys.patch:
+  Mount /sys before trying to mount /sys/fs/selinux from within the policy load
+  functions, bug #414779
+
+  29 Apr 2012; <swift@gentoo.org> libselinux-2.1.9.ebuild:
+  Stabilization
+
+*libselinux-2.1.9 (31 Mar 2012)
+
+  31 Mar 2012; <swift@gentoo.org> +libselinux-2.1.9.ebuild:
+  Bump to version 2.1.9
+
+  12 Nov 2011; <swift@gentoo.org> -libselinux-2.0.94.ebuild,
+  -libselinux-2.0.98.ebuild:
+  Remove deprecated ebuilds
+
+  23 Oct 2011; <swift@gentoo.org> libselinux-2.1.0.ebuild:
+  Stabilization (tracker #384231)
+
+  12 Aug 2011; Anthony G. Basile <blueness@gentoo.org>
+  -libselinux-2.0.71.ebuild, -libselinux-2.0.85.ebuild,
+  -files/libselinux-2.0.85-headers.patch, -files/compat.py:
+  Removed deprecated versions
+
+*libselinux-2.1.0 (03 Aug 2011)
+
+  03 Aug 2011; Anthony G. Basile <blueness@gentoo.org>
+  +libselinux-2.1.0.ebuild:
+  Bump to 20110727 SELinux userspace release
+
+*libselinux-2.0.98 (15 Jul 2011)
+
+  15 Jul 2011; Anthony G. Basile <blueness@gentoo.org>
+  +libselinux-2.0.98.ebuild:
+  Bump to 2.0.98 - proxy for SwifT
+
+  28 May 2011; Anthony G. Basile <blueness@gentoo.org>
+  libselinux-2.0.94.ebuild:
+  Stable amd64 x86
+
+  13 Feb 2011; Anthony G. Basile <blueness@gentoo.org> metadata.xml:
+  Updated metadata.xml to reflect new selinux herd.
+
+  06 Feb 2011; Arfrever Frehtes Taifersar Arahesis <arfrever@gentoo.org>
+  libselinux-2.0.94.ebuild:
+  Add "python" USE flag.
+
+  05 Feb 2011; Arfrever Frehtes Taifersar Arahesis <arfrever@gentoo.org>
+  libselinux-2.0.94.ebuild:
+  Set SUPPORT_PYTHON_ABIS (bug #353763). Respect AR and CC.
+
+*libselinux-2.0.94 (05 Feb 2011)
+
+  05 Feb 2011; Anthony G. Basile <blueness@gentoo.org>
+  +libselinux-2.0.94.ebuild:
+  New upstream release.
+
+  29 Sep 2010; Mike Frysinger <vapier@gentoo.org> libselinux-2.0.85.ebuild,
+  +files/libselinux-2.0.85-headers.patch:
+  Fix by Chris Richards for building with glibc-2.12 #338302.
+
+  16 Apr 2010; Arfrever Frehtes Taifersar Arahesis <arfrever@gentoo.org>
+  libselinux-2.0.71.ebuild, libselinux-2.0.85.ebuild:
+  Delete calls to deprecated python_version().
+
+  02 Aug 2009; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-2.0.71.ebuild, libselinux-2.0.85.ebuild:
+  Add python_need_rebuild.
+
+*libselinux-2.0.85 (02 Aug 2009)
+
+  02 Aug 2009; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-2.0.85.ebuild:
+  New upstream release.
+
+  18 Jul 2009; Chris PeBenito <pebenito@gentoo.org>
+  -libselinux-1.34.14.ebuild, libselinux-2.0.71.ebuild:
+  Mark stable. Remove old ebuilds.
+
+*libselinux-2.0.71 (03 Oct 2008)
+
+  03 Oct 2008; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-2.0.71.ebuild:
+  Initial commit of 2.0 libselinux.
+
+  29 May 2008; Ali Polatel <hawking@gentoo.org> libselinux-1.34.14.ebuild:
+  python_mod_optimize is ROOT aware. Fixed python_mod_cleanup.
+
+  13 May 2008; Chris PeBenito <pebenito@gentoo.org>
+  -libselinux-1.28-r1.ebuild, -libselinux-1.30.ebuild,
+  -libselinux-1.34.0.ebuild, -libselinux-1.34.13.ebuild,
+  libselinux-1.34.14.ebuild:
+  Mark 1.34.14 stable, clear old ebuilds.
+
+  11 May 2008; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-1.34.0.ebuild, libselinux-1.34.13.ebuild,
+  libselinux-1.34.14.ebuild:
+  Fix bug #221501.
+
+*libselinux-1.34.14 (29 Jan 2008)
+
+  29 Jan 2008; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-1.34.14.ebuild:
+  New upstream bugfix release.
+
+*libselinux-1.34.13 (18 Oct 2007)
+
+  18 Oct 2007; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-1.34.13.ebuild:
+  New upstream release.
+
+  04 Jun 2007; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-1.34.0.ebuild:
+  Mark stable.
+
+  16 Feb 2007; Stephen Bennett <spb@gentoo.org> libselinux-1.34.0.ebuild:
+  Add missing swig depend. Bug #167007
+
+*libselinux-1.34.0 (15 Feb 2007)
+
+  15 Feb 2007; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-1.34.0.ebuild:
+  New upstream release.
+
+  23 Oct 2006; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-1.30.29.ebuild:
+  Fix depend for glibc
+
+  09 Oct 2006; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-1.30.29.ebuild:
+  Stable to make repoman happy.
+
+*libselinux-1.30.29 (05 Oct 2006)
+
+  05 Oct 2006; Chris PeBenito <pebenito@gentoo.org>
+  +libselinux-1.30.29.ebuild:
+  Add SVN snapshot.
+
+  31 Jul 2006; Chris PeBenito <pebenito@gentoo.org> libselinux-1.30.ebuild:
+  Mark stable, long overdue.
+
+  07 Apr 2006; Chris PeBenito <pebenito@gentoo.org> libselinux-1.30.ebuild:
+  Split python wrapper compile into a separate emake to ensure the main
+  library is built before trying to build the wrapper. Fixes bug #129074.
+
+  22 Mar 2006; Chris PeBenito <pebenito@gentoo.org> -libselinux-1.24.ebuild,
+  -libselinux-1.28.ebuild, libselinux-1.28-r1.ebuild:
+  Mark 1.28-r1 stable, clean out old ebuilds.
+
+*libselinux-1.30 (18 Mar 2006)
+
+  18 Mar 2006; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.30.ebuild:
+  New upstream release.
+
+  22 Feb 2006; Stephen Bennett <spb@gentoo.org> libselinux-1.28.ebuild:
+  Alpha stable
+
+*libselinux-1.28-r1 (20 Feb 2006)
+
+  20 Feb 2006; Chris PeBenito <pebenito@gentoo.org> +files/compat.py,
+  +libselinux-1.28-r1.ebuild:
+  Add python-selinux compatability aliases to swig wrapper.
+
+  19 Feb 2006; Joshua Kinard <kumba@gentoo.org> libselinux-1.28.ebuild:
+  Marked stable on mips.
+
+  09 Feb 2006; Chris PeBenito <pebenito@gentoo.org> libselinux-1.28.ebuild:
+  Move python_version out of global scope.
+
+  29 Jan 2006; Chris PeBenito <pebenito@gentoo.org> libselinux-1.28.ebuild:
+  Add python version handling to fix #120829, and add -fPIC to LDFLAGS to
+  hopefully fix #119271.
+
+  17 Jan 2006; Chris PeBenito <pebenito@gentoo.org> libselinux-1.28.ebuild:
+  Mark stable, x86, amd64, ppc, sparc.
+
+  14 Jan 2006; Stephen Bennett <spb@gentoo.org> libselinux-1.28.ebuild:
+  Added ~alpha
+
+  15 Dec 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.28.ebuild:
+  Tighten up versioning to try to prevent mismatch problems as seen in #112348.
+
+*libselinux-1.28 (09 Dec 2005)
+
+  09 Dec 2005; Chris PeBenito <pebenito@gentoo.org>
+  -files/libselinux-1.22.diff, -libselinux-1.22-r1.ebuild,
+  +libselinux-1.28.ebuild:
+  New upstream release.
+
+  09 Sep 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.24.ebuild:
+  Mark stable.
+
+*libselinux-1.24 (25 Jun 2005)
+
+  25 Jun 2005; Chris PeBenito <pebenito@gentoo.org> -libselinux-1.20.ebuild,
+  -libselinux-1.22.ebuild, +libselinux-1.24.ebuild:
+  New upstream release.
+
+  13 May 2005; Chris PeBenito <pebenito@gentoo.org>
+  libselinux-1.22-r1.ebuild:
+  Mark stable.
+
+  10 May 2005; Stephen Bennett <spb@gentoo.org> libselinux-1.22.ebuild:
+  mips stable
+
+*libselinux-1.22-r1 (08 May 2005)
+
+  08 May 2005; Chris PeBenito <pebenito@gentoo.org>
+  +files/libselinux-1.22.diff, +libselinux-1.22-r1.ebuild:
+  A couple fixes, including one for bug #91921.
+
+  01 May 2005; Stephen Bennett <spb@gentoo.org> libselinux-1.22.ebuild:
+  Mark ~mips.
+
+  01 May 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.22.ebuild:
+  Mark stable.
+
+*libselinux-1.22 (13 Mar 2005)
+
+  13 Mar 2005; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.22.ebuild:
+  New upstream release.
+
+  13 Feb 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.20.ebuild:
+  Mark stable.
+
+*libselinux-1.20 (07 Jan 2005)
+
+  07 Jan 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.18.ebuild,
+  +libselinux-1.20.ebuild:
+  New upstream release.  Mark 1.18 stable.
+
+  03 Jan 2005; Chris PeBenito <pebenito@gentoo.org> libselinux-1.16.ebuild,
+  libselinux-1.18.ebuild:
+  Switch to libc virtual for DEP since uclibc now has xattr support.
+
+*libselinux-1.18 (14 Nov 2004)
+
+  14 Nov 2004; Chris PeBenito <pebenito@gentoo.org>
+  +files/selinuxconfig.c.diff, +libselinux-1.18.ebuild:
+  New upstream release.
+
+*libselinux-1.16 (07 Sep 2004)
+
+  07 Sep 2004; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.16.ebuild:
+  New upstream release.
+
+*libselinux-1.14 (02 Jul 2004)
+
+  02 Jul 2004; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.14.ebuild:
+  New upstream version.
+
+  11 Jun 2004; Chris PeBenito <pebenito@gentoo.org> -libselinux-1.10.ebuild,
+  libselinux-1.12.ebuild:
+  Mark stable
+
+*libselinux-1.12 (14 May 2004)
+
+  14 May 2004; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.12.ebuild:
+  New upstream release.
+
+*libselinux-1.10 (17 Apr 2004)
+
+  17 Apr 2004; Chris PeBenito <pebenito@gentoo.org> +libselinux-1.10.ebuild:
+  New upstream version.
+
+  08 Apr 2004; Chris PeBenito <pebenito@gentoo.org> libselinux-1.8.ebuild:
+  Mark stable for 2004.1
+
+*libselinux-1.8 (12 Mar 2004)
+
+  12 Mar 2004; Chris PeBenito <pebenito@gentoo.org> libselinux-1.8.ebuild:
+  New upstream release.
+
+*libselinux-1.6 (24 Feb 2004)
+
+  24 Feb 2004; Chris PeBenito <pebenito@gentoo.org> libselinux-1.6.ebuild:
+  New upstream release.
+
+  16 Dec 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.4.ebuild:
+  Mark stable.
+
+*libselinux-1.4 (06 Dec 2003)
+
+  06 Dec 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.4.ebuild:
+  New upstream version.
+
+  29 Oct 2003; Joshua Brindle <method@gentoo.org> libselinux-1.2-r2.ebuild:
+  added sparc
+
+*libselinux-1.2-r2 (20 Oct 2003)
+
+  20 Oct 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.2-r2.ebuild,
+  files/libselinux-1.2-attr.diff:
+  Compile against sys-apps/attr only if linux-headers are older than 2.4.20.
+
+*libselinux-1.2-r1 (07 Oct 2003)
+
+  07 Oct 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.2-r1.ebuild,
+  files/libselinux-1.2-gentoo.diff:
+  Move libraries to /lib, to fix problems with having a separate /usr during
+  booting.
+
+*libselinux-1.2 (03 Oct 2003)
+
+  03 Oct 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.2.ebuild,
+  files/libselinux-1.2-const.diff:
+  New upstream version.
+
+  22 Sep 2003; <paul@gentoo.org> metadata.xml:
+  Fix metadata.xml
+
+  21 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.1-r1.ebuild:
+  Add a dep for portage. The newer versions have labelling support for the old
+  API.
+
+  18 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.1-r1.ebuild,
+  metadata.xml:
+  Fix license, this is public-domain, not GPL-2. Use package description in RPM
+  spec file as metadata.xml long description.
+
+  15 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.0.ebuild,
+  libselinux-1.1-r1.ebuild, files/libselinux-1.0-gentoo.diff:
+  Mark stable
+
+*libselinux-1.1-r1 (14 Aug 2003)
+
+  14 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.1-r1.ebuild,
+  libselinux-1.1.ebuild, files/libselinux-1.1-linkfix.diff:
+  Add fix for a random linking problem that causes libselinux to work
+  incorrectly.
+
+*libselinux-1.1 (14 Aug 2003)
+
+  14 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.1.ebuild,
+  files/libselinux-1.1-gentoo.diff:
+  New upstream version
+
+  04 Aug 2003; Chris PeBenito <pebenito@gentoo.org>
+  files/libselinux-1.0-gentoo.diff:
+  Add on a NSA nullbyte patch to the gentoo patch
+
+*libselinux-1.0 (03 Aug 2003)
+
+  03 Aug 2003; Chris PeBenito <pebenito@gentoo.org> libselinux-1.0.ebuild,
+  metadata.xml, files/libselinux-1.0-gentoo.diff:
+  Initial commit
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
new file mode 100644
index 0000000000..f94eecc04f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/Manifest
@@ -0,0 +1,35 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+AUX 0005-use-ruby-include-with-rubylibver.patch 634 SHA256 ca87111f9eb48b45b7271f4863ad4fbae99b64fd28a457cb15920250b0ded834 SHA512 6755c06e39a924dacc8cd21e8b56138938b55a54e76baddd2243bb4ec2cb99a92ca9d825f2f789ea84e87b1d795334a6b936e627d45b097ff724f00eb566c118 WHIRLPOOL 76a35b23454c941c32efdb2ed87a3fa3b044929d24acdcec53ab36f7d300bc94d6d8165a7b55483cc26ad21b4415aa47cb1540c07c498d3eeef2717f60a8ec3c
+AUX 0006-build-related-fixes-bug-500674.patch 2846 SHA256 68084a13ed0366c279e37c6ce24703d0ddcbc46b2b4b88bb8af286b77df4212d SHA512 7eff094adfc4d276e72705735b3f73b2b8a4f78be153db749939cbf6c8df2246cf45d4eda0041696642ae22d3e1715f1fdc8b6351c13eb6003e48043fa38200b WHIRLPOOL dc2b99d5345e21f18de44dc56cb7996c5b567c932e4d3a2e6808a21233f582868333cc0d7c0eb2299b8d71a0cd46d2c0e88bfc6d351211b6374762b7863d72f6
+DIST libselinux-2.2.2.tar.gz 171013 SHA256 30ab363416806da907b86b97f1d31c252473e3200358bb1570f563c8312b5a3e SHA512 1270cba11ec0795a2cea3706ac5547655d0e65dcd2141932000526f3d0c781b6ae114051b2bb53950b8ef207a318335329280b9fc9fd81796e8e4a27cf6ae841 WHIRLPOOL a444e44225ced35b126bbd2e8924aaf5c9f4da7abb9663d20a32b97babe750245c22d75e2238de0958b73295cf582b8aec39e23312886b96417120c600ed37dc
+DIST libselinux-2.3.tar.gz 171254 SHA256 0b1e0b43ecd84a812713d09564019b08e7c205d89072b5cbcd07b052cd8e77b2 SHA512 8cfcd20ab0b43ffbb32389e0498b21e43cde643dcdf471a2354f1ca557f11641d250871ed5e71b9dde4c5f47ac1048746fe514f8f6cfad668fa179ed5136e802 WHIRLPOOL e975a391559aca3f8b251d2aa484cf8e344d09caa43ff56dd929e75a0ad195cf8d9a88b950679f589f4deb74aea0d22be4e7ad00b11eacc080288df0b5ac7ccb
+DIST libselinux-2.4.tar.gz 165931 SHA256 46043091f4c5ba4f43e8d3715f30d665a2d571c9126c1f03945c9ea4ed380f7b SHA512 f7c7ceabcc6ca7bb5cb24fd04b8ea4771af7e509a11ce601fb50d52bd14b291ab6136b7f5193912d02b61b132a2fdd1666f229478598d0b20b99bdea0f5e69d6 WHIRLPOOL d1499818fc885c3bd07785d41466b4ea4bcf56fafe8cbc9bd1a517fe0d2d528b10911fa6df08756ca63aebc411fd69c7f01283685c8a858a81301e203dfd3ec2
+DIST patchbundle-libselinux-2.2.2-r5.tar.gz 2304 SHA256 ad77f499c05ec3b5707cb9db518a891dd9c84ccb77db07e686c87e5799e1802c SHA512 a01db39a7aade27b0127dd0e2f3185587ff4d913b7b1be7beac36dc2d3e1007de5e6bae8a11bc84567385420fff064ba54892d8e113c8fd54ad3c598dde7648d WHIRLPOOL 5886d9de6fcf073d54ca5e0eac3f8b4754c44382e7044debb223f94ecc81ea0e26b7638037eef17eb6f8ce4cc5046a4bb9f93b9b7767480908ee5b2ced0413ac
+DIST patchbundle-libselinux-4.tar.gz 2631 SHA256 91bf43c84ce3d3178c8d21fdcf97380a635fa2465d1611fe4e0e3838a586c78c SHA512 bd2f9762f095e3dbc67e77ee04968cb8e87d460fdf10feff91cb1ce6027e19a660bb57617887e44608d39720e8f95500c451c4b284d58c0a756a04b08fa305c2 WHIRLPOOL 07a6a69d33c46c443907aae2ae4f3646a0360565e28d0a50cbcf81f8b5d8c259812d3e086841fc21c2a8104ce9863fc6c9c1d32e28ea08ebc7baf2d45af3509f
+EBUILD libselinux-2.2.2-r5.ebuild 2525 SHA256 1dd1041a0d3a310b8f9e37996dd8fbcc81f7ebdcde9b2ff6e073f88238493224 SHA512 02044a7244c47a9f36be9b8572f9ac0e992f1e0c68d8a658e2ccaa9d3b6c2d88d63ddae9071517cf011ab572a476847363670728f0a8b2cfd7d259ce95904242 WHIRLPOOL 27e0e4b5955bbd3b5bb217d8013f61fea766531205d9d2d5af431835bf623d0b0d8cb1360a0f7dd55f0cd2c8a2f0451878d1e3c76c9df8d80c12aa3867bbada3
+EBUILD libselinux-2.3-r2.ebuild 3970 SHA256 967b3f19eee57afc9c5202f391c3ce56b0e02da7e3fe71661a16adfe5bf27d88 SHA512 105767af31686286fdd19dc26a5695c593fa6607b947beff211b4953420afdd7fbca08832bff2a3d27826a1f0c84c4e6c9b0ca2b2a071b590bdc906d63d816bf WHIRLPOOL e50c5e10d69e0ac964572bb2798b6cc8bfa21f84faa2737680798cb38717250ee8eb3b099db8a2bbfadfbb8bdf089af691bcbabc459348cd1df09bde0de987f1
+EBUILD libselinux-2.4.ebuild 4022 SHA256 08ee10428e7e67ec7163257f01d3fe84960c78ee3bca780ae51ee15b66ecb588 SHA512 9cd6749ed3e4048dc3df8cfd8d2a434b7ffdd8587966df5c1a601582afbce400d1a3e8d5d9af835f81e09b75c9b706550da68019ceb5e9b6afdd1fe77e0ef43c WHIRLPOOL ecc28319c32c64b22c7b2168be6ca542a9d272b4061562b6d00b4cbf9202468a674f6e2c5763afe47504434b7d6c284e859bac53fe0a77662564516e9f2d6b8d
+EBUILD libselinux-9999.ebuild 4309 SHA256 cf461b2942bd4fddca4c089cd7a6429380b6427820caf9ed1a6ae146a02a31b1 SHA512 99f32876ad848d56e1cdc248583f57cf296689a89cae727e86d03b81dfef83a168f568d10db77d17bd0b9a28c2383d914bf7d6c6a829c83a033bd0f939810c09 WHIRLPOOL cd97fb9b7e3140f226b92bedd49795d462de43bc27ecac934798634d95df17481177fbd2924e2f18be8a407e8cb07c93afe9b06972088b5c49f3549b2f532aed
+MISC ChangeLog 21667 SHA256 3c8ecd29df3b5dd6b0b751dde592c1be7ad4d3c58fc6abc4ff5ddf1fa0dff484 SHA512 d9599d12aa78d4b97f74d989132b5def6d3ad3f34792457795bea1b3bdc1a06f0532cafb3d932339dbf7576fa68bd2422af1e5f5cccb36f74d0ca09dfc6145e1 WHIRLPOOL e5901ad1fbcf84db8c915e51d56da7f72d3703410113e82cddaf08979bf79a4886a5618cfa922a1f564ad2fb14694e6f46a97b3519a31e33d983f84e2ca414fe
+MISC metadata.xml 493 SHA256 dca22a8d4937b58859c409d8844957d119d7b67626ad6fb78710cf8f0eb8d746 SHA512 9791ff1b9f5a01451a2e2e2f2abbb21d27e44dfd2663b081e0c06c61172043997cd65ac891da74e9ae90d48ddb06ec41ab69146e584d1eb1d627d84a1b1af58a WHIRLPOOL c458ad5c3943f92d09bd5df029fda4ef436ac34c1d2f2f3597c88de41d9d09c6182c602ca4d0f138cf9ae13b41b6a53ac06a6846fe3356b02be8c881bd6e9f2c
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0
+
+iQJ8BAEBCgBmBQJVfyvsXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
+ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ0QUU0N0I4NzFERUI0MTJFN0EyODE0NUFF
+OTQwMkE3OUIwMzUyOUEyAAoJEOlAKnmwNSmiTJEP/Ro3thaEYBwVvkTWO/GQZwQv
+NxRB9/Jz/8GvK8AYILnWt/k9UyMaVN115t3p/ul/GqJi9qCIgESUXi8BQk9ZZTdi
+Kbhp4Kc6+c37p0UIQFqndI46cY9pmt3kPgiRqTLGnIik4+pZIi16Q8wt/uFEn+xH
+KT7YSEGnY48m6BK+I3zkUCmS7Gm9jPIEMPzHlhes+nTapwPlk62RJWEbfrS6eLXY
+xiXzQvSw/yquULiAL3av4BGgWg7VeZGgXSfpbWa5IOhKUokqDBMGZUH9ymd0OV6M
++wZmE0l+6ojBtCj0Ke8HnYQqpwKNaudukSYJerqnr4Lh/MpVUHkaajH3hUavjWij
+F3JifJ1E3VgA6ay1Q44XSo7bcMgwCy4/Su/cKSr+AdBJaLiwMLpcVat1R+1ih95A
+W3UeHUXQ40BrHXPUgFNDzpkYh4VONk/m+GSy6b4tPRyJuMDB0HnfE3FoiXPjBzf5
+dNKznyYV6LZ8hV7ziS4toC2hPS4uEsQZS6ImHfySKOCvuvynf/+r3BtBktIWHI6D
+jccEpWNwsDGx95JWtqGfQ3+IB3MLeALbsFH2AY2n/HjYiJrUXrgAbz9R/IfFArrn
+tIaoSI6RDcnHuO8qrjmJstUgwEUBrZ/LNZgrEbQdM7pZkcow8rhctLx/+LCzv0xw
+GLNreFQ1lB4iUUTR4ko1
+=rhsU
+-----END PGP SIGNATURE-----
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0005-use-ruby-include-with-rubylibver.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0005-use-ruby-include-with-rubylibver.patch
new file mode 100644
index 0000000000..0fc84141a3
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0005-use-ruby-include-with-rubylibver.patch
@@ -0,0 +1,12 @@
+diff -uNr libselinux-2.2.2.orig/src/Makefile libselinux-2.2.2/src/Makefile
+--- libselinux-2.2.2.orig/src/Makefile	2013-11-06 20:56:30.000000000 +0100
++++ libselinux-2.2.2/src/Makefile	2013-11-25 21:02:05.327561766 +0100
+@@ -16,7 +16,7 @@
+ PYLIBDIR ?= $(LIBDIR)/$(PYLIBVER)
+ RUBYLIBVER ?= $(shell $(RUBY) -e 'print RUBY_VERSION.split(".")[0..1].join(".")')
+ RUBYPLATFORM ?= $(shell $(RUBY) -e 'print RUBY_PLATFORM')
+-RUBYINC ?= $(shell pkg-config --cflags ruby)
++RUBYINC ?= $(shell pkg-config --cflags ruby-$(RUBYLIBVER))
+ RUBYINSTALL ?= $(LIBDIR)/ruby/site_ruby/$(RUBYLIBVER)/$(RUBYPLATFORM)
+ LIBBASE ?= $(shell basename $(LIBDIR))
+ 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0006-build-related-fixes-bug-500674.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0006-build-related-fixes-bug-500674.patch
new file mode 100644
index 0000000000..cec91b1282
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0006-build-related-fixes-bug-500674.patch
@@ -0,0 +1,67 @@
+https://bugs.gentoo.org/500674
+
+random fixes:
+ - make sure PCRE_CFLAGS get used
+ - use PCRE_LIBS via pkg-config
+ - move LDFLAGS to before objects, not after
+ - do not hardcode -L$(LIBDIR) (let the toolchain handle it)
+ - do not hardcode -I$(INCLUDEDIR) (let the toolchain handle it)
+
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -75,7 +75,7 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
+           -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
+           -Werror -Wno-aggregate-return -Wno-redundant-decls
+ 
+-override CFLAGS += -I../include -I$(INCLUDEDIR) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $(EMFLAGS)
++override CFLAGS += -I../include $(PCRE_CFLAGS) -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 $(EMFLAGS)
+ 
+ SWIG_CFLAGS += -Wno-error -Wno-unused-variable -Wno-unused-but-set-variable -Wno-unused-parameter \
+ 		-Wno-shadow -Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
+@@ -104,17 +104,17 @@ $(SWIGRUBYLOBJ): $(SWIGRUBYCOUT)
+ 	$(CC) $(CFLAGS) $(SWIG_CFLAGS) $(RUBYINC) -fPIC -DSHARED -c -o $@ $<
+ 
+ $(SWIGSO): $(SWIGLOBJ)
+-	$(CC) $(CFLAGS) -shared -o $@ $< -L. -lselinux $(LDFLAGS) -L$(LIBDIR)
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $< -L. -lselinux
+ 
+ $(SWIGRUBYSO): $(SWIGRUBYLOBJ)
+-	$(CC) $(CFLAGS) -shared -o $@ $^ -L. -lselinux $(LDFLAGS) -L$(LIBDIR)
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux
+ 
+ $(LIBA): $(OBJS)
+ 	$(AR) rcs $@ $^
+ 	$(RANLIB) $@
+ 
+ $(LIBSO): $(LOBJS)
+-	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -ldl $(PCRE_LIBS) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+ 	ln -sf $@ $(TARGET) 
+ 
+ $(LIBPC): $(LIBPC).in ../VERSION
+@@ -127,7 +127,7 @@ $(AUDIT2WHYLOBJ): audit2why.c
+ 	$(CC) $(filter-out -Werror, $(CFLAGS)) $(PYINC) -fPIC -DSHARED -c -o $@ $<
+ 
+ $(AUDIT2WHYSO): $(AUDIT2WHYLOBJ)
+-	$(CC) $(CFLAGS) -shared -o $@ $^ -L. $(LDFLAGS) -lselinux $(LIBDIR)/libsepol.a -L$(LIBDIR)
++	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -L. -lselinux $(LIBDIR)/libsepol.a
+ 
+ %.o:  %.c policy.h
+ 	$(CC) $(CFLAGS) $(TLSFLAGS) -c -o $@ $<
+--- a/utils/Makefile
++++ b/utils/Makefile
+@@ -24,11 +24,12 @@ CFLAGS ?= -O -Wall -W -Wundef -Wformat-y2k -Wformat-security -Winit-self -Wmissi
+           -fipa-pure-const -Wno-suggest-attribute=pure -Wno-suggest-attribute=const \
+           -Werror -Wno-aggregate-return -Wno-redundant-decls
+ override CFLAGS += -I../include -D_GNU_SOURCE $(EMFLAGS)
+-LDLIBS += -L../src -lselinux -L$(LIBDIR)
++LDLIBS += -L../src -lselinux
+ 
+ TARGETS=$(patsubst %.c,%,$(wildcard *.c))
+ 
+-sefcontext_compile: LDLIBS += -lpcre
++sefcontext_compile: CFLAGS += $(PCRE_CFLAGS)
++sefcontext_compile: LDLIBS += $(PCRE_LIBS)
+ 
+ ifeq ($(DISABLE_AVC),y)
+ 	UNUSED_TARGETS+=compute_av compute_create compute_member compute_relabel
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0007-fix-setexeccon-on-exec.patch b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0007-fix-setexeccon-on-exec.patch
new file mode 100644
index 0000000000..141a3d0cdb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/files/0007-fix-setexeccon-on-exec.patch
@@ -0,0 +1,103 @@
+diff -ur libselinux-2.4.orig/src/procattr.c libselinux-2.4/src/procattr.c
+--- libselinux-2.4.orig/src/procattr.c	2015-02-02 06:38:10.000000000 -0800
++++ libselinux-2.4/src/procattr.c	2015-09-08 15:38:39.152239654 -0700
+@@ -11,8 +11,6 @@
+ 
+ #define UNSET (char *) -1
+ 
+-static __thread pid_t cpid;
+-static __thread pid_t tid;
+ static __thread char *prev_current = UNSET;
+ static __thread char * prev_exec = UNSET;
+ static __thread char * prev_fscreate = UNSET;
+@@ -24,15 +22,6 @@
+ static int destructor_key_initialized = 0;
+ static __thread char destructor_initialized;
+ 
+-extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
+-extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
+-
+-static int __selinux_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
+-{
+-  return __register_atfork (prepare, parent, child,
+-                            &__dso_handle == NULL ? NULL : __dso_handle);
+-}
+-
+ static pid_t gettid(void)
+ {
+ 	return syscall(__NR_gettid);
+@@ -52,14 +41,6 @@
+ 		free(prev_sockcreate);
+ }
+ 
+-static void free_procattr(void)
+-{
+-	procattr_thread_destructor(NULL);
+-	tid = 0;
+-	cpid = getpid();
+-	prev_current = prev_exec = prev_fscreate = prev_keycreate = prev_sockcreate = UNSET;
+-}
+-
+ void __attribute__((destructor)) procattr_destructor(void);
+ 
+ void hidden __attribute__((destructor)) procattr_destructor(void)
+@@ -79,7 +60,6 @@
+ static void init_procattr(void)
+ {
+ 	if (__selinux_key_create(&destructor_key, procattr_thread_destructor) == 0) {
+-		__selinux_atfork(NULL, NULL, free_procattr);
+ 		destructor_key_initialized = 1;
+ 	}
+ }
+@@ -88,21 +68,26 @@
+ {
+ 	int fd, rc;
+ 	char *path;
+-
+-	if (cpid != getpid())
+-		free_procattr();
++	pid_t tid;
+ 
+ 	if (pid > 0)
+ 		rc = asprintf(&path, "/proc/%d/attr/%s", pid, attr);
+ 	else {
+-		if (!tid)
+-			tid = gettid();
++		rc = asprintf(&path, "/proc/thread-self/attr/%s", attr);
++		if (rc < 0)
++			return -1;
++		fd = open(path, flags | O_CLOEXEC);
++		if (fd >= 0 || errno != ENOENT)
++			goto out;
++		free(path);
++		tid = gettid();
+ 		rc = asprintf(&path, "/proc/self/task/%d/attr/%s", tid, attr);
+ 	}
+ 	if (rc < 0)
+ 		return -1;
+ 
+ 	fd = open(path, flags | O_CLOEXEC);
++out:
+ 	free(path);
+ 	return fd;
+ }
+@@ -120,9 +105,6 @@
+ 	__selinux_once(once, init_procattr);
+ 	init_thread_destructor();
+ 
+-	if (cpid != getpid())
+-		free_procattr();
+-
+ 	switch (attr[0]) {
+ 		case 'c':
+ 			prev_context = prev_current;
+@@ -220,9 +202,6 @@
+ 	__selinux_once(once, init_procattr);
+ 	init_thread_destructor();
+ 
+-	if (cpid != getpid())
+-		free_procattr();
+-
+ 	switch (attr[0]) {
+ 		case 'c':
+ 			prev_context = &prev_current;
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-2.4.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-2.4.ebuild
new file mode 100644
index 0000000000..b82ff115a9
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-2.4.ebuild
@@ -0,0 +1,143 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/libselinux/libselinux-2.4.ebuild,v 1.4 2015/05/10 09:01:52 perfinion Exp $
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 python3_3 python3_4 )
+USE_RUBY="ruby19 ruby20"
+
+# No, I am not calling ruby-ng
+inherit multilib python-r1 toolchain-funcs eutils multilib-minimal
+
+MY_P="${P//_/-}"
+SEPOL_VER="${PV}"
+
+DESCRIPTION="SELinux userland library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20150202/${MY_P}.tar.gz"
+
+LICENSE="public-domain"
+SLOT="0"
+KEYWORDS="amd64 x86"
+
+IUSE="python ruby static-libs ruby_targets_ruby19 ruby_targets_ruby20"
+
+RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
+	>=dev-libs/libpcre-8.33-r1[static-libs?,${MULTILIB_USEDEP}]
+	python? ( ${PYTHON_DEPS} )
+	ruby? (
+		ruby_targets_ruby19? ( dev-lang/ruby:1.9 )
+		ruby_targets_ruby20? ( dev-lang/ruby:2.0 )
+	)"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	python? ( >=dev-lang/swig-2.0.9 )"
+
+S="${WORKDIR}/${MY_P}"
+
+src_prepare() {
+	epatch "${FILESDIR}/0005-use-ruby-include-with-rubylibver.patch"
+	epatch "${FILESDIR}/0006-build-related-fixes-bug-500674.patch"
+    epatch "${FILESDIR}/0007-fix-setexeccon-on-exec.patch"
+
+	epatch_user
+
+	multilib_copy_sources
+}
+
+multilib_src_compile() {
+	tc-export PKG_CONFIG RANLIB
+	local PCRE_CFLAGS=$(${PKG_CONFIG} libpcre --cflags)
+	local PCRE_LIBS=$(${PKG_CONFIG} libpcre --libs)
+	export PCRE_{CFLAGS,LIBS}
+
+	emake \
+		AR="$(tc-getAR)" \
+		CC="$(tc-getCC)" \
+		LIBDIR="\$(PREFIX)/$(get_libdir)" \
+		SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+		LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
+		all
+
+	if multilib_is_native_abi && use python; then
+		building() {
+			python_export PYTHON_INCLUDEDIR PYTHON_LIBPATH
+			emake \
+				CC="$(tc-getCC)" \
+				PYINC="-I${PYTHON_INCLUDEDIR}" \
+				PYTHONLIBDIR="${PYTHON_LIBPATH}" \
+				PYPREFIX="${EPYTHON##*/}" \
+				LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+				LIBDIR="\$(PREFIX)/$(get_libdir)" \
+				SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+				pywrap
+		}
+		python_foreach_impl building
+	fi
+
+	if multilib_is_native_abi && use ruby; then
+		building() {
+			einfo "Calling rubywrap for ${1}"
+			# Clean up .lo file to force rebuild
+			test -f src/selinuxswig_ruby_wrap.lo && rm src/selinuxswig_ruby_wrap.lo
+			emake \
+				CC="$(tc-getCC)" \
+				RUBY=${1} \
+				RUBYINSTALL=$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]') \
+				LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+				LIBDIR="\$(PREFIX)/$(get_libdir)" \
+				SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+				rubywrap
+		}
+		for RUBYTARGET in ${USE_RUBY}; do
+			use ruby_targets_${RUBYTARGET} || continue
+
+			building ${RUBYTARGET}
+		done
+	fi
+}
+
+multilib_src_install() {
+	LIBDIR="\$(PREFIX)/$(get_libdir)" SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+		emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi && use python; then
+		installation() {
+			LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" install-pywrap
+			python_optimize # bug 531638
+		}
+		python_foreach_impl installation
+	fi
+
+	if multilib_is_native_abi && use ruby; then
+		installation() {
+			einfo "Calling install-rubywrap for ${1}"
+			# Forcing (re)build here as otherwise the resulting SO file is used for all ruby versions
+			rm src/selinuxswig_ruby_wrap.lo
+			LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" \
+				RUBY=${1} \
+				RUBYINSTALL="${D}/$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]')" \
+				install-rubywrap
+		}
+		for RUBYTARGET in ${USE_RUBY}; do
+			use ruby_targets_${RUBYTARGET} || continue
+
+			installation ${RUBYTARGET}
+		done
+	fi
+
+	use static-libs || rm "${D}"/usr/lib*/*.a
+}
+
+pkg_postinst() {
+	# Fix bug 473502
+	for POLTYPE in ${POLICY_TYPES};
+	do
+		mkdir -p /etc/selinux/${POLTYPE}/contexts/files
+		touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local
+		# Fix bug 516608
+		for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
+			sefcontext_compile /etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE};
+		done
+	done
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild
new file mode 100644
index 0000000000..af5cb56c76
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/libselinux-9999.ebuild
@@ -0,0 +1,153 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/libselinux/libselinux-9999.ebuild,v 1.1 2015/06/09 15:35:39 swift Exp $
+
+EAPI="5"
+PYTHON_COMPAT=( python2_7 python3_3 python3_4 )
+USE_RUBY="ruby19 ruby20"
+
+# No, I am not calling ruby-ng
+inherit multilib python-r1 toolchain-funcs eutils multilib-minimal
+
+MY_P="${P//_/-}"
+SEPOL_VER="${PV}"
+MY_RELEASEDATE="20150202"
+
+DESCRIPTION="SELinux userland library"
+HOMEPAGE="https://github.com/SELinuxProject/selinux/wiki"
+
+if [[ ${PV} == 9999 ]] ; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/SELinuxProject/selinux.git"
+	S="${WORKDIR}/${MY_P}/${PN}"
+else
+	SRC_URI="https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/${MY_RELEASEDATE}/${MY_P}.tar.gz"
+	KEYWORDS="~amd64 ~x86"
+	S="${WORKDIR}/${MY_P}"
+fi
+
+LICENSE="public-domain"
+SLOT="0"
+
+IUSE="python ruby static-libs ruby_targets_ruby19 ruby_targets_ruby20"
+
+RDEPEND=">=sys-libs/libsepol-${SEPOL_VER}[${MULTILIB_USEDEP}]
+	>=dev-libs/libpcre-8.33-r1[static-libs?,${MULTILIB_USEDEP}]
+	python? ( ${PYTHON_DEPS} )
+	ruby? (
+		ruby_targets_ruby19? ( dev-lang/ruby:1.9 )
+		ruby_targets_ruby20? ( dev-lang/ruby:2.0 )
+	)"
+DEPEND="${RDEPEND}
+	virtual/pkgconfig
+	python? ( >=dev-lang/swig-2.0.9 )"
+
+src_prepare() {
+	if [[ ${PV} != 9999 ]] ; then
+		# If needed for live builds, place them in /etc/portage/patches
+		epatch "${FILESDIR}/0005-use-ruby-include-with-rubylibver.patch"
+		epatch "${FILESDIR}/0006-build-related-fixes-bug-500674.patch"
+	    epatch "${FILESDIR}/0007-fix-setexeccon-on-exec.patch"
+	fi
+
+	epatch_user
+
+	multilib_copy_sources
+}
+
+multilib_src_compile() {
+	tc-export PKG_CONFIG RANLIB
+	local PCRE_CFLAGS=$(${PKG_CONFIG} libpcre --cflags)
+	local PCRE_LIBS=$(${PKG_CONFIG} libpcre --libs)
+	export PCRE_{CFLAGS,LIBS}
+
+	emake \
+		AR="$(tc-getAR)" \
+		CC="$(tc-getCC)" \
+		LIBDIR="\$(PREFIX)/$(get_libdir)" \
+		SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+		LDFLAGS="-fPIC ${LDFLAGS} -pthread" \
+		all
+
+	if multilib_is_native_abi && use python; then
+		building() {
+			python_export PYTHON_INCLUDEDIR PYTHON_LIBPATH
+			emake \
+				CC="$(tc-getCC)" \
+				PYINC="-I${PYTHON_INCLUDEDIR}" \
+				PYTHONLIBDIR="${PYTHON_LIBPATH}" \
+				PYPREFIX="${EPYTHON##*/}" \
+				LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+				LIBDIR="\$(PREFIX)/$(get_libdir)" \
+				SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+				pywrap
+		}
+		python_foreach_impl building
+	fi
+
+	if multilib_is_native_abi && use ruby; then
+		building() {
+			einfo "Calling rubywrap for ${1}"
+			# Clean up .lo file to force rebuild
+			test -f src/selinuxswig_ruby_wrap.lo && rm src/selinuxswig_ruby_wrap.lo
+			emake \
+				CC="$(tc-getCC)" \
+				RUBY=${1} \
+				RUBYINSTALL=$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]') \
+				LDFLAGS="-fPIC ${LDFLAGS} -lpthread" \
+				LIBDIR="\$(PREFIX)/$(get_libdir)" \
+				SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+				rubywrap
+		}
+		for RUBYTARGET in ${USE_RUBY}; do
+			use ruby_targets_${RUBYTARGET} || continue
+
+			building ${RUBYTARGET}
+		done
+	fi
+}
+
+multilib_src_install() {
+	LIBDIR="\$(PREFIX)/$(get_libdir)" SHLIBDIR="\$(DESTDIR)/$(get_libdir)" \
+		emake DESTDIR="${D}" install
+
+	if multilib_is_native_abi && use python; then
+		installation() {
+			LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" install-pywrap
+			python_optimize # bug 531638
+		}
+		python_foreach_impl installation
+	fi
+
+	if multilib_is_native_abi && use ruby; then
+		installation() {
+			einfo "Calling install-rubywrap for ${1}"
+			# Forcing (re)build here as otherwise the resulting SO file is used for all ruby versions
+			rm src/selinuxswig_ruby_wrap.lo
+			LIBDIR="\$(PREFIX)/$(get_libdir)" emake DESTDIR="${D}" \
+				RUBY=${1} \
+				RUBYINSTALL="${D}/$(${1} -e 'print RbConfig::CONFIG["vendorarchdir"]')" \
+				install-rubywrap
+		}
+		for RUBYTARGET in ${USE_RUBY}; do
+			use ruby_targets_${RUBYTARGET} || continue
+
+			installation ${RUBYTARGET}
+		done
+	fi
+
+	use static-libs || rm "${D}"/usr/lib*/*.a
+}
+
+pkg_postinst() {
+	# Fix bug 473502
+	for POLTYPE in ${POLICY_TYPES};
+	do
+		mkdir -p /etc/selinux/${POLTYPE}/contexts/files
+		touch /etc/selinux/${POLTYPE}/contexts/files/file_contexts.local
+		# Fix bug 516608
+		for EXPRFILE in file_contexts file_contexts.homedirs file_contexts.local ; do
+			sefcontext_compile /etc/selinux/${POLTYPE}/contexts/files/${EXPRFILE};
+		done
+	done
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml
new file mode 100644
index 0000000000..3794d1d83f
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-libs/libselinux/metadata.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<herd>selinux</herd>
+	<longdescription>
+		Libselinux provides an API for SELinux applications to get and set
+		process and file security contexts and to obtain security policy
+		decisions.  Required for any applications that use the SELinux API.
+	</longdescription>
+	<upstream>
+		<remote-id type="github">SELinuxProject/selinux</remote-id>
+	</upstream>
+</pkgmetadata>