9 files changed, 1596 insertions, 0 deletions
diff --git a/libsefs/include/Makefile.am b/libsefs/include/Makefile.am
new file mode 100644
index 0000000..6f6c411
--- /dev/null
+++ b/libsefs/include/Makefile.am
@@ -0,0 +1 @@
+SUBDIRS = sefs
diff --git a/libsefs/include/sefs/Makefile.am b/libsefs/include/sefs/Makefile.am
new file mode 100644
index 0000000..f38dc4b
--- /dev/null
+++ b/libsefs/include/sefs/Makefile.am
@@ -0,0 +1,10 @@
+sefsdir = $(includedir)/sefs
+
+sefs_HEADERS = \
+	db.hh \
+	entry.hh \
+	fcfile.hh \
+	fclist.hh \
+	filesystem.hh \
+	query.hh \
+	util.h
diff --git a/libsefs/include/sefs/db.hh b/libsefs/include/sefs/db.hh
new file mode 100644
index 0000000..2355547
--- /dev/null
+++ b/libsefs/include/sefs/db.hh
@@ -0,0 +1,213 @@
+/**
+ *  @file
+ *  Defines the public interface for the database fc list object.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_DB_H
+#define SEFS_DB_H
+
+#include <sefs/fclist.hh>
+#include <sefs/filesystem.hh>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+#include <time.h>
+#include <apol/bst.h>
+#include <apol/vector.h>
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+/**
+ * This class represents a database that maps files to their SELinux
+ * file contexts.
+ */
+class sefs_db:public sefs_fclist
+{
+#ifndef SWIG_FRIENDS
+	// private functions -- do not call these directly from
+	// outside of the library
+	friend int db_create_from_filesystem(sefs_fclist * fclist __attribute__ ((unused)), const sefs_entry * entry, void *arg);
+	friend struct sefs_context_node *db_get_context(sefs_db *, const char *, const char *, const char *,
+							const char *) throw(std::bad_alloc);
+	friend sefs_entry *db_get_entry(sefs_db *, const struct sefs_context_node *, uint32_t, const char *, ino64_t,
+					const char *) throw(std::bad_alloc);
+#endif
+
+      public:
+
+	/**
+	 * Allocate and return a new sefs database initialized with
+	 * entries from the filesystem \a fs.
+	 * @param fs Sefs filesystem from which to create the database.
+	 * @param msg_callback Callback to invoke as errors/warnings are
+	 * generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to the
+	 * callback function.
+	 * @exception std::invalid_argument Filesystem does not exist.
+	 * @exception std::runtime_error Error while reading the
+	 * database.
+	 */
+	 sefs_db(sefs_filesystem * fs, sefs_callback_fn_t msg_callback, void *varg) throw(std::invalid_argument,
+											  std::runtime_error);
+
+	/**
+	 * Allocate and return a new sefs database, loading the
+	 * entries from an existing database stored at \a path.
+	 * @param filename Name of a sefs database from which to load.
+	 * @param msg_callback Callback to invoke as errors/warnings
+	 * are generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to
+	 * the callback function.
+	 * @exception std::invalid_argument Database does not exist.
+	 * @exception std::runtime_error Error while reading the
+	 * database.
+	 */
+	 sefs_db(const char *filename, sefs_callback_fn_t msg_callback, void *varg) throw(std::invalid_argument,
+											  std::runtime_error);
+
+	~sefs_db();
+
+	/**
+	 * Perform a sefs query on this database object, and then
+	 * invoke a callback upon each matching entry.  Entries will
+	 * be returned in alphabetical order by path.
+	 * @param query Query object containing search parameters.  If
+	 * NULL, invoke the callback on all entries.
+	 * @param fn Function to invoke upon matching entries.  This
+	 * function will be called with three parameters: a pointer to
+	 * this database, pointer to a matching entry, and an
+	 * arbitrary data pointer.  It should return a non-negative
+	 * value upon success, negative value upon error and to abort
+	 * the mapping.
+	 * @param data Arbitrary pointer to be passed into \fn as a
+	 * third parameter.
+	 * @return Last value returned by fn() (i.e., >= on success, <
+	 * 0 on failure).  If the database has no entries then
+	 * return 0.
+	 * @exception std::runtime_error Error while reading contexts
+	 * from the database.
+	 * @exception std::invalid_argument One or more query arguments
+	 * is invalid.
+	 */
+	int runQueryMap(sefs_query * query, sefs_fclist_map_fn_t fn, void *data) throw(std::runtime_error, std::invalid_argument);
+
+	/**
+	 * Determine if the contexts stored in this database contain
+	 * MLS fields.
+	 * @return \a true if MLS fields are present, \a false if not
+	 * or undeterminable.
+	 */
+	bool isMLS() const;
+
+	/**
+	 * Write a database to disk, overwriting any existing file.
+	 * The database may then be read by calling the appropriate
+	 * constructor.
+	 * @param filename Name of file to which write.
+	 * @exception std::invalid_argument No filename given.
+	 * @exception std::runtime_error Error while writing the
+	 * database.
+	 */
+	void save(const char *filename) throw(std::invalid_argument, std::runtime_error);
+
+	/**
+	 * Get the creation time of a sefs database.
+	 * @return Creation time of the database, or 0 on error.
+	 */
+	time_t getCTime() const;
+
+	/**
+	 * Determine if the given file is a valid sefs_db.  This
+	 * does not thoroughly load the file, rather just the header
+	 * of the file.
+	 * @param filename Name of file to check.
+	 * @return True if the file appears to be a database, false if not.
+	 */
+	static bool isDB(const char *filename);
+
+      private:
+	/**
+	 * Upgrade an existing version 1 database to version 2.
+	 */
+	void upgradeToDB2() throw(std::runtime_error);
+
+	const struct sefs_context_node *getContextNode(const sefs_entry * entry);
+	sefs_entry *getEntry(const struct sefs_context_node *context, uint32_t objectClass, const char *path, ino64_t inode,
+			     const char *dev) throw(std::bad_alloc);
+	struct sqlite3 *_db;
+	time_t _ctime;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_db sefs_db_t;
+	typedef struct sefs_filesystem sefs_filesystem_t;
+
+/**
+ * Allocate and return a new sefs database from the filesystem \a fs.
+ * @see sefs_db::sefs_db(const sefs_filesystem &fs, sefs_callback_fn_t msg_callback, void *varg)
+ */
+	extern sefs_fclist_t *sefs_db_create_from_filesystem(sefs_filesystem_t * fs, sefs_callback_fn_t msg_callback, void *varg);
+
+/**
+ * Allocate and return a new sefs database, loading the entries from
+ * the saved database \a path.
+ * @see sefs_db::sefs_db(const char *filename, sefs_callback_fn_t msg_callback, void *varg)
+ */
+	extern sefs_fclist_t *sefs_db_create_from_file(const char *path, sefs_callback_fn_t msg_callback, void *varg);
+
+/**
+ * Write a database to disk, overwriting any existing file.
+ * @see sefs_db::save()
+ */
+	extern int sefs_db_save(sefs_db_t * db, const char *filename);
+
+/**
+ * Get the creation time of a sefs database.
+ * @see sefs_db::getCTime()
+ */
+	extern time_t sefs_db_get_ctime(sefs_db_t * db);
+
+/**
+ * Determine if the given file is a valid sefs_db.
+ * @see sefs_db::isDB()
+ */
+	extern bool sefs_db_is_db(const char *filename);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_DB_H */
diff --git a/libsefs/include/sefs/entry.hh b/libsefs/include/sefs/entry.hh
new file mode 100644
index 0000000..34fae73
--- /dev/null
+++ b/libsefs/include/sefs/entry.hh
@@ -0,0 +1,222 @@
+/**
+ *  @file
+ *  Defines the public interface for file context entries.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_ENTRY_H
+#define SEFS_ENTRY_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <sys/types.h>
+#include <apol/context-query.h>
+#include <apol/vector.h>
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+class sefs_fclist;
+struct sefs_context_node;
+
+/**
+ * This class represents an individual entry within a list an fcfile
+ * object.  Note that the entry's contents (even upon a
+ * copy-constructed version of the entry) are always tied to its
+ * fclist, so do not access entries whose fclist has been destroyed.
+ */
+class sefs_entry
+{
+	friend class sefs_db;
+	friend class sefs_fcfile;
+	friend class sefs_filesystem;
+
+      public:
+
+	/**
+	 * Perform a deep copy of an entry object.
+	 */
+	 sefs_entry(const sefs_entry * e);
+
+	~sefs_entry();
+
+	/**
+	 * Get the context from a sefs entry.  If the entry has no
+	 * context (such as being marked <tt>&lt;&lt;none&gt;&gt;</tt>
+	 * in a file_contexts file) then apol_context_get_user() and
+	 * others will return an empty string.
+	 * @return A pointer to the context, or NULL on error.  The
+	 * caller should not modify or destroy the returned context.
+	 */
+	const apol_context_t *context() const;
+
+	/**
+	 * Get the inode number associated with a sefs entry.
+	 * @return Inode number associated with the entry or 0 on
+	 * error.  Entries originating from a file_contexts object
+	 * will have no inode and thus return 0.
+	 */
+	ino64_t inode() const;
+
+	/**
+	 * Get the device name associated with a sefs entry.  For
+	 * example, if /dev/sda5 is mounted as /home, the device name
+	 * for entry "/home/gburdell" will be "/dev/sda5".
+	 * @return Device number associated with the entry or NULL on
+	 * error.  Do not free() this value.  Entries originating from
+	 * a file_contexts object will have no device name and thus
+	 * return NULL.
+	 */
+	const char *dev() const;
+
+	/**
+	 * Get the object class associated with a sefs entry.  The
+	 * returned value will be one of one of QPOL_CLASS_ALL,
+	 * QPOL_CLASS_FILE, etc., as defined in
+	 * <qpol/genfscon_query.h>.  If this returns QPOL_CLASS_ALL
+	 * then the entry is associated with all object classes.
+	 * @return Entry's object class.  Upon error return
+	 * QPOL_CLASS_ALL.
+	 * @see apol_objclass_to_str() to convert the value to a
+	 * string.
+	 */
+	uint32_t objectClass() const;
+
+	/**
+	 * Get the paths associated with a sefs entry.
+	 * @return Path for the entry.If the entry came from a
+	 * file_contexts object the paths will be a regular expression
+	 * rather than literal paths.  Do not free() this pointer.
+	 */
+	const char *path() const;
+
+	/**
+	 * Get the file from which a sefs entry originated.
+	 * This function is only meaningful when entries are returned
+	 * from a query on a modular file context file.
+	 * @return The path of the file (policy package or source
+	 * file) providing the entry or NULL if the entry is not from
+	 * a module.  Do not free() this pointer.
+	 */
+	const char *origin() const;
+
+	/**
+	 * Return a string representation of this entry.  The string
+	 * is suitable for printing to the screen or to a
+	 * file_contexts file.
+	 * @return An allocated string representation.  The caller is
+	 * responsibily for free()ing the string afterwards.
+	 * @exception std::bad_alloc Out of memory.
+	 */
+	char *toString() const throw(std::bad_alloc);
+
+      private:
+	/**
+	 * Create a blank entry.  The entity creating this entry is
+	 * responsible for setting additional values as needed.
+	 * @param fclist List that will contain this entry.  This
+	 * constructor will not add itself to the fclist.
+	 * @param new_context Context node containing the SELinux
+	 * context.
+	 * @param new_objectClass Object class for the entry.
+	 * @param new_path Path to this entry.  The entry will share
+	 * this pointer.
+	 * @param new_origin Name of file_contexts file from which
+	 * this entry originated.  The entry will share this pointer.
+	 * @exception std::bad_alloc Out of memory.
+	 */
+	 sefs_entry(class sefs_fclist * fclist, const struct sefs_context_node *new_context, uint32_t new_objectClass,
+		    const char *new_path, const char *new_origin = NULL);
+
+	// note that entry does not own any of these pointers; they
+	// are shallow copies into the fclist's BST
+	class sefs_fclist *_fclist;
+	const struct sefs_context_node *_context;
+	ino64_t _inode;
+	const char *_dev;
+	uint32_t _objectClass;
+	const char *_path, *_origin;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_entry sefs_entry_t;
+
+/**
+ * Get the context from a sefs entry.
+ * @see sefs_entry::context()
+ */
+	extern const apol_context_t *sefs_entry_get_context(const sefs_entry_t * ent);
+
+/**
+ * Get the inode number associated with a sefs entry.
+ * @see sefs_entry::inode()
+ */
+	extern ino64_t sefs_entry_get_inode(const sefs_entry_t * ent);
+
+/**
+ * Get the device number associated with a sefs entry.
+ * @see sefs_entry::dev()
+ */
+	extern const char *sefs_entry_get_dev(const sefs_entry_t * ent);
+
+/**
+ * Get the object class associated with a sefs entry.
+ * @see sefs_entry::objectClass()
+ */
+	extern uint32_t sefs_entry_get_object_class(const sefs_entry_t * ent);
+
+/**
+ * Get the path associated with a sefs entry.
+ * @see sefs_entry::path()
+ */
+	extern const char *sefs_entry_get_path(const sefs_entry_t * ent);
+
+/**
+ * Get the file from which a sefs entry originated.
+ * @see sefs_entry::origin()
+ */
+	extern const char *sefs_entry_get_origin(const sefs_entry_t * ent);
+
+/**
+ * Return a string representation of this entry.
+ * @see sefs_entry::toString()
+ */
+	extern char *sefs_entry_to_string(const sefs_entry_t * ent);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_ENTRY_H */
diff --git a/libsefs/include/sefs/fcfile.hh b/libsefs/include/sefs/fcfile.hh
new file mode 100644
index 0000000..280a957
--- /dev/null
+++ b/libsefs/include/sefs/fcfile.hh
@@ -0,0 +1,261 @@
+/**
+ *  @file
+ *  Defines the public interface for the file_context set fc list object.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_FCFILE_H
+#define SEFS_FCFILE_H
+
+#include <sefs/fclist.hh>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <stdlib.h>
+
+#include <apol/vector.h>
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+/**
+ * This class represents file contexts entry as read from a file,
+ * typically name file_contexts.
+ */
+class sefs_fcfile:public sefs_fclist
+{
+      public:
+
+	/**
+	 * Allocate and return a new (and empty) sefs file_context set
+	 * structure.
+	 * @param msg_callback Callback to invoke as errors/warnings
+	 * are generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to
+	 * the callback function.
+	 * @exception std::bad_alloc if out of memory
+	 */
+	sefs_fcfile(sefs_callback_fn_t msg_callback, void *varg) throw(std::bad_alloc);
+
+	/**
+	 * Allocate and return a new sefs file_context set structure
+	 * from a single file_contexts file.
+	 * @param file File contexts file to read.
+	 * @param msg_callback Callback to invoke as errors/warnings
+	 * are generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to
+	 * the callback function.
+	 * @exception std::bad_alloc if out of memory
+	 * @exception std::invalid_argument if the vector is NULL
+	 * @exception std::runtime_error if the give file could not be
+	 * read or is the wrong format
+	 */
+	 sefs_fcfile(const char *file, sefs_callback_fn_t msg_callback, void *varg) throw(std::bad_alloc, std::invalid_argument,
+											  std::runtime_error);
+
+	/**
+	 * Allocate and return a new sefs file_context set structure
+	 * from a list of file_context files.
+	 * @param files Vector of file contexts filenames (of type
+	 * char *) to read.
+	 * @param msg_callback Callback to invoke as errors/warnings
+	 * are generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to
+	 * the callback function.
+	 * @exception std::bad_alloc if out of memory
+	 * @exception std::invalid_argument if the vector is NULL
+	 * @exception std::runtime_error if a given file could not
+	 * be read or is the wrong format
+	 */
+	 sefs_fcfile(const apol_vector_t * files, sefs_callback_fn_t msg_callback, void *varg) throw(std::bad_alloc,
+												     std::invalid_argument,
+												     std::runtime_error);
+
+	~sefs_fcfile();
+
+	/**
+	 * Perform a sefs query on this fcfile object, and then invoke
+	 * a callback upon each matching entry.  Mapping occurs in the
+	 * order of entries as given by the file_contexts, and in the
+	 * order that file_contexts were appended (via appendFile())
+	 * to this object.
+	 * @param query Query object containing search parameters.  If
+	 * NULL, invoke the callback on all entries.
+	 * @param fn Function to invoke upon matching entries.  This
+	 * function will be called with three parameters: a pointer to
+	 * this fclist, pointer to a matching entry, and an arbitrary
+	 * data pointer.  It should return a non-negative value upon
+	 * success, negative value upon error and to abort the
+	 * mapping.
+	 * @param data Arbitrary pointer to be passed into \fn as a
+	 * third parameter.
+	 * @return Last value returned by fn() (i.e., >= on success, <
+	 * 0 on failure).  If the fcfile has no entries then return 0.
+	 * @exception std::runtime_error Error while reading contexts
+	 * from the fclist.
+	 * @exception std::invalid_argument One or more query arguments
+	 * is invalid.
+	 */
+	int runQueryMap(sefs_query * query, sefs_fclist_map_fn_t fn, void *data) throw(std::runtime_error, std::invalid_argument);
+
+	/**
+	 * Determine if the contexts in the fcfile contain MLS fields.
+	 * @return \a true if MLS fields are present, \a false if not
+	 * or undeterminable.
+	 */
+	bool isMLS() const;
+
+	/**
+	 * Append a file_contexts file to a sefs file contexts file
+	 * set.  If the fcfile already has a non-MLS file, subsequent
+	 * appends must also be to non-MLS files.  Likewise, if the
+	 * fcfile already has an MLS file the file to be append must
+	 * also be MLS.
+	 * @param file File containing entries to append.
+	 * @return 0 on success or < 0 on failure; if the call fails,
+	 * the fcfile will be unchanged.
+	 * @exception std::bad_alloc if out of memory
+	 * @exception std::invalid_argument if the file name is NULL
+	 * @exception std::runtime_error if a given file could not
+	 * be read or is the wrong format
+	 */
+	int appendFile(const char *file) throw(std::bad_alloc, std::invalid_argument, std::runtime_error);
+
+	/**
+	 * Append a list of file_context files to a sefs file contexts
+	 * file set.  If the fcfile already has a non-MLS file,
+	 * subsequent appends must also be to non-MLS files.
+	 * Likewise, if the fcfile already has an MLS file the file to
+	 * be append must also be MLS.
+	 * @param files Vector of filenames (type char *) to append;
+	 * these files will be appended in the order they appear in
+	 * the vector.
+	 * @return The number of files successfully appended.  If the
+	 * value returned is less than the size of the vector, then
+	 * file at index (returned value) failed.  If append fails for
+	 * any file, the operation stops at that file; it is safe to
+	 * attempt to append the files remaining after the
+	 * unsuccessful file.
+	 * @exception std::bad_alloc if out of memory
+	 * @exception std::invalid_argument if the vector is NULL
+	 * @exception std::runtime_error if a given file could not
+	 * be read or is the wrong format
+	 */
+	size_t appendFileList(const apol_vector_t * files) throw(std::bad_alloc, std::invalid_argument, std::runtime_error);
+
+	/**
+	 * Get a list of all files contributing to the entries in a
+	 * sefs file_contexts set.
+	 * @return Vector of file paths (char *) of all files
+	 * contributing to the set; the caller should not destroy or
+	 * otherwise modify the returned vector.
+	 */
+	const apol_vector_t *fileList() const;
+
+      private:
+
+	/**
+	 * Parse a single line from a file_contexts file (or from any
+	 * other source of file contexts information), and then add
+	 * the resulting sefs_entry into the vector of entries.
+	 * @param origin File from which this line originated.
+	 * @param line File contexts line to parse.
+	 * @param line_regex Compiled regular expression pattern for
+	 * an entire line.
+	 * @param context_regex Compiled regular expression pattern
+	 * for the SELinux portion of a line.
+	 * @exception std::bad_alloc if out of memory
+	 * @exception std::runtime_error if the give file could not be
+	 * read or is the wrong format
+	 */
+	void parse_line(const char *origin, const char *line, regex_t * line_regex, regex_t * context_regex) throw(std::bad_alloc,
+														   std::
+														   runtime_error);
+
+	apol_vector_t *_files, *_entries;
+	bool _mls, _mls_set;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_fcfile sefs_fcfile_t;
+
+/**
+ * Allocate and return a new sefs file_context set structure.
+ * @see sefs_fcfile::sefs_fcfile(sefs_callback_fn_t msg_callback, void *varg)
+ */
+	extern sefs_fclist_t *sefs_fcfile_create(sefs_callback_fn_t msg_callback, void *varg);
+
+/**
+ * Allocate and return a new sefs file_context set structure from a
+ * single file_contexts file.
+ * @see sefs_fcfile::sefs_fcfile(const char *file, sefs_callback_fn_t msg_callback, void *varg)
+ */
+	extern sefs_fclist_t *sefs_fcfile_create_from_file(const char *file, sefs_callback_fn_t msg_callback, void *varg);
+
+/**
+ * Allocate and return a new sefs file_context set structure from a
+ * list of file_context files.
+ * @see sefs_fcfile::sefs_fcfile(const apol_vector_t * files, sefs_callback_fn_t msg_callback, void *varg)
+ */
+	extern sefs_fclist_t *sefs_fcfile_create_from_file_list(const apol_vector_t * files, sefs_callback_fn_t msg_callback,
+								void *varg);
+
+/**
+ * Append a file_contexts file to a sefs file contexts file set.
+ * @return 0 on success or < 0 on failure; if the call fails, the
+ * fcfile will be unchanged.
+ * @see sefs_fcfile::appendFile()
+ */
+	extern int sefs_fcfile_append_file(sefs_fcfile_t * fcfile, const char *file);
+
+/**
+ * Append a list of file_context files to a sefs file contexts file
+ * set.
+ * @see sefs_fcfile::appendFileList()
+ */
+	extern size_t sefs_fcfile_append_file_list(sefs_fcfile_t * fcfile, const apol_vector_t * files);
+
+/**
+ * Get a list of all files contributing to the entries in a sefs
+ * file_contexts set.
+ * @see sefs_fcfile::fileList()
+ */
+	extern const apol_vector_t *sefs_fcfile_get_file_list(const sefs_fcfile_t * fcfile);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_FCFILE_H */
diff --git a/libsefs/include/sefs/fclist.hh b/libsefs/include/sefs/fclist.hh
new file mode 100644
index 0000000..63eeeba
--- /dev/null
+++ b/libsefs/include/sefs/fclist.hh
@@ -0,0 +1,323 @@
+/**
+ *  @file
+ *  Defines the public interface for the file context list abstract
+ *  object.  A user must call a constructor for one of sefs_fcfile_t,
+ *  sefs_db_t, or sefs_filesystem_t to create a sefs_fclist_t object.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_FCLIST_H
+#define SEFS_FCLIST_H
+
+#include <sefs/entry.hh>
+#include <sefs/query.hh>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <selinux/selinux.h>
+#include <stdarg.h>
+
+#ifndef __cplusplus
+#include <stdbool.h>
+#endif
+
+#include <apol/policy.h>
+
+#define SEFS_MSG_ERR  1		       /*!< Message describes a fatal error. */
+#define SEFS_MSG_WARN 2		       /*!< Message is issued as a warning but does not represent a fatal error. */
+#define SEFS_MSG_INFO 3		       /*!< Message is issued for inormational reasons and does not represent an atypical state. */
+
+	struct sefs_fclist;
+
+	typedef void (*sefs_callback_fn_t) (void *varg, const struct sefs_fclist * fclist, int level, const char *fmt,
+					    va_list argp);
+
+/**
+ * Possible types of fclist for use with sefs_fclist_get_data().
+ */
+	typedef enum sefs_fclist_type
+	{
+		SEFS_FCLIST_TYPE_NONE = 0,	/*!< Not an actual type, used for error conditions */
+		SEFS_FCLIST_TYPE_FILESYSTEM,	/*!< get_data returns sefs_filesystem_t, a representation of a file system */
+		SEFS_FCLIST_TYPE_FCFILE,	/*!< get_data returns sefs_fcfile_t, a representation of a collection of file_context files */
+		SEFS_FCLIST_TYPE_DB    /*!< get_data returns sefs_db_t, a representation of a database of file system contexts */
+	} sefs_fclist_type_e;
+
+/**
+ * Invoke a sefs_fclist_t's callback for an error, passing it a format
+ * string and arguments.
+ */
+#define SEFS_ERR(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_ERR, format, __VA_ARGS__)
+
+/**
+ * Invoke a sefs_fclist_t's callback for a warning, passing it a
+ * format string and arguments.
+ */
+#define SEFS_WARN(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_WARN, format, __VA_ARGS__)
+
+/**
+ * Invoke a sefs_fclist's callback for an informational message,
+ * passing it a format string and arguments.
+ */
+#define SEFS_INFO(fclist, format, ...) sefs_fclist_handleMsg(fclist, SEFS_MSG_INFO, format, __VA_ARGS__)
+
+	extern void sefs_fclist_handleMsg(const struct sefs_fclist *fclist, int level, const char *fmt, ...);
+
+	__attribute__ ((format(printf, 3, 4))) void sefs_fclist_handleMsg(const struct sefs_fclist *fclist, int level,
+									  const char *fmt, ...);
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+struct apol_bst;
+struct context_node;
+
+#define SEFS_MAP_FUNC_DEFINED
+
+/**
+ * Function invoked upon each matching file context entry during a query.
+ */
+typedef int (*sefs_fclist_map_fn_t) (sefs_fclist *, const sefs_entry *, void *);
+/**
+ * An abstract class the represents a list of file contexts.  Contexts
+ * may be read from a filesystem, inferred from a file_contexts file,
+ * or read from a database.
+ */
+class sefs_fclist
+{
+#ifndef SWIG_FRIENDS
+	friend void sefs_fclist_handleMsg(const sefs_fclist * fclist, int level, const char *fmt, ...);
+	friend class sefs_entry;
+#endif
+
+      public:
+	 virtual ~sefs_fclist();
+
+	/**
+	 * Perform a sefs query on the given file context list object,
+	 * and then invoke a callback upon each matching entry.
+	 * Mapping occurs in the order of entries as specified by the
+	 * file context list.
+	 * @param query Query object containing search parameters.  If
+	 * NULL, invoke the callback on all entries.
+	 * @param fn Function to invoke upon matching entries.  This
+	 * function will be called with three parameters: a pointer to
+	 * this fclist, pointer to a matching entry, and an arbitrary
+	 * data pointer.  It should return a non-negative value upon
+	 * success, negative value upon error and to abort the
+	 * mapping.  Be aware that the entry may go out of scope upon
+	 * conclusion of runQueryMap(), so \a fn will need to clone
+	 * the entry if it needs it later.
+	 * <p>
+	 * <b>This function must not throw any exceptions.</b> Doing
+	 * so will most likely corrupt fclist's internal state.
+	 * Instead, return a negative value to abort processing.
+	 * @param data Arbitrary pointer to be passed into \a fn as a
+	 * third parameter.
+	 * @return Last value returned by fn() (i.e., >= on success, <
+	 * 0 on failure).  If the fclist has no entries then return 0.
+	 * @exception std::runtime_error Error while reading contexts
+	 * from the fclist.
+	 * @exception std::invalid_argument One or more query arguments
+	 * is invalid.
+	 */
+	virtual int runQueryMap(sefs_query * query, sefs_fclist_map_fn_t fn, void *data) throw(std::runtime_error,
+											       std::invalid_argument) = 0;
+
+	/**
+	 * Perform a sefs query on the given file context list object
+	 * and return a list of matching entries.
+	 * @param query Query object containing search parameters.  If
+	 * NULL, return all contexts.
+	 * @return A newly allocated unsorted vector (of class
+	 * sefs_entry *) containing all entries matching the query.
+	 * Do not modify the returned entries.  Note that the vector
+	 * may be empty.  The caller is responsible for calling
+	 * apol_vector_destroy() on the returned vector.
+	 * @exception std::bad_alloc Out of memory.
+	 * @exception std::runtime_error Error while reading contexts
+	 * from the fclist.
+	 * @exception std::invalid_argument One or more query arguments
+	 * is invalid.
+	 */
+	apol_vector_t *runQuery(sefs_query * query) throw(std::bad_alloc, std::runtime_error, std::invalid_argument);
+
+	/**
+	 * Determine if the contexts in the fclist contain MLS fields.
+	 * @return \a true if MLS fields are present, \a false if not
+	 * or undeterminable.
+	 */
+	virtual bool isMLS() const = 0;
+
+	/**
+	 * Associate a policy with the fclist.  This is needed to
+	 * resolve attributes and MLS ranges in queries.  If a policy
+	 * is already associated, then calling this function removes
+	 * that previous association.
+	 * @param policy Policy to associate with \a fclist.  If NULL,
+	 * remove any policy association. While \a policy is
+	 * associated with \a fclist the caller should not destroy \a
+	 * policy.
+	 * @see sefs_query_set_type()
+	 * @see sefs_query_set_range()
+	 */
+	void associatePolicy(apol_policy_t * new_policy);
+
+	/**
+	 * Return the policy currently associated with this fclist.
+	 * Do not destroy the policy without first unassociating it
+	 * (via call to sefs_fclist::associatePolicy(NULL)).
+	 * @return Currently associated policy, or NULL if none is
+	 * set.
+	 */
+	apol_policy_t *associatePolicy() const;
+
+	/**
+	 * Get the type of fclist object represented by \a fclist.
+	 * @return The type of fclist object or SEFS_FCLIST_TYPE_NONE
+	 * on error.
+	 */
+	sefs_fclist_type_e fclist_type() const;
+
+      protected:
+	 sefs_fclist(sefs_fclist_type_e type, sefs_callback_fn_t callback, void *varg) throw(std::bad_alloc);
+
+	/**
+	 * Given the parts of a context, return a context node (which
+	 * would contain an apol_context_t).  If the context already
+	 * exists, then a pointer to the existing one is returned.
+	 *
+	 * @param user User component of the context.  The string will
+	 * be duplicated.
+	 * @param role Role component of the context.  The string will
+	 * be duplicated.
+	 * @param type Type component of the context.  The string will
+	 * be duplicated.
+	 * @param range Range component of the context.  The string
+	 * will be duplicated, or NULL if no range exists.
+	 *
+	 * @return A context node.  Do not free() it.
+	 */
+	struct sefs_context_node *getContext(const char *user, const char *role, const char *type,
+					     const char *range) throw(std::bad_alloc);
+
+	/**
+	 * Given a SELinux security context, return a context node
+	 * (which would contain an apol_context_t).  If the context
+	 * already exists, then a pointer to the existing one is
+	 * returned.
+	 *
+	 * @param scon Security context from which to obtain a node.
+	 *
+	 * @return A context node.  Do not free() it.
+	 */
+	struct sefs_context_node *getContext(const security_context_t scon) throw(std::bad_alloc);
+
+	apol_policy_t *policy;
+	struct apol_bst *user_tree, *role_tree, *type_tree, *range_tree, *path_tree;
+	struct apol_bst *dev_tree;
+	struct apol_bst *context_tree;
+
+      private:
+
+	/**
+	 * Write a message to the callback stored within a fclist
+	 * error handler.  If the msg_callback field is empty, then
+	 * the default message callback will be used.
+	 * @param level Severity of message, one of SEFS_MSG_*.
+	 * @param fmt Format string to print, using syntax of
+	 * printf(3).
+	 */
+	void handleMsg(int level, const char *fmt, va_list va_args) const;
+
+	sefs_callback_fn_t _callback;
+	void *_varg;
+	sefs_fclist_type_e _fclist_type;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_fclist sefs_fclist_t;
+
+#ifndef SEFS_MAP_FUNC_DEFINED
+	struct sefs_fclist;
+	struct sefs_entry;
+	typedef int (*sefs_fclist_map_fn_t) (struct sefs_fclist *, const struct sefs_entry *, void *);
+#endif
+
+/**
+ * Deallocate all memory associated with the referenced fclist object,
+ * and then set it to NULL.  This function does nothing if the fclist
+ * object is already NULL.
+ * @param Reference to a fclist object to destroy.
+ */
+	extern void sefs_fclist_destroy(sefs_fclist_t ** fclist);
+
+/**
+ * Perform a sefs query on the given file context list object.
+ * @see sefs_fclist::runQueryMap()
+ */
+	extern int sefs_fclist_run_query_map(sefs_fclist_t * fclist, sefs_query_t * query, sefs_fclist_map_fn_t fn, void *data);
+
+/**
+ * Perform a sefs query on the given file context list object.
+ * @see sefs_fclist::runQuery()
+ */
+	extern apol_vector_t *sefs_fclist_run_query(sefs_fclist_t * fclist, sefs_query_t * query);
+
+/**
+ * Determine if the contexts in the fclist contain MLS fields.
+ * @see sefs_fclist::isMLS()
+ */
+	extern bool sefs_fclist_get_is_mls(const sefs_fclist_t * fclist);
+
+/**
+ * Associate a policy with the fclist.
+ * @see sefs_fclist::associatePolicy()
+ * @see sefs_query_set_type()
+ * @see sefs_query_set_range()
+ */
+	extern void sefs_fclist_associate_policy(sefs_fclist_t * fclist, apol_policy_t * policy);
+
+/**
+ * Get the type of fclist object represented by \a fclist.
+ * @see sefs_fclist::fclist_type()
+ */
+	extern sefs_fclist_type_e sefs_fclist_get_fclist_type(const sefs_fclist_t * fclist);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_FCLIST_H */
diff --git a/libsefs/include/sefs/filesystem.hh b/libsefs/include/sefs/filesystem.hh
new file mode 100644
index 0000000..1d2c9ed
--- /dev/null
+++ b/libsefs/include/sefs/filesystem.hh
@@ -0,0 +1,181 @@
+/**
+ *  @file
+ *  Defines the public interface for the filesystem fc list object.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_FILESYSTEM_H
+#define SEFS_FILESYSTEM_H
+
+#include <sefs/fclist.hh>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <apol/vector.h>
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+/**
+ * This class represents the SELinux file contexts on a local on-disk
+ * filesystem.  Be aware that the object will recurse beginning from
+ * the root directory, so if there are circular mounts (e.g., via
+ * something mounted with the 'bind' option) then queries against the
+ * filesystem will never terminate.
+ */
+class sefs_filesystem:public sefs_fclist
+{
+#ifndef SWIG_FRIENDS
+	// private functions -- do not call these directly from
+	// outside of the library
+	friend struct sefs_context_node *filesystem_get_context(sefs_filesystem *, security_context_t) throw(std::bad_alloc);
+	friend sefs_entry *filesystem_get_entry(sefs_filesystem *, const struct sefs_context_node *, uint32_t,
+						const char *, ino64_t, const char *) throw(std::bad_alloc);
+	friend bool filesystem_is_query_match(sefs_filesystem *, const sefs_query *, const char *, const char *,
+					      const struct stat64 *, apol_vector_t *, apol_mls_range_t *) throw(std::runtime_error);
+#endif
+
+      public:
+
+	/**
+	 * Allocate and return a new sefs filesystem structure
+	 * representing the filesystem rooted at directory \a root.
+	 * <b>Be aware that the constructor is not thread-safe.</b>
+	 * @param new_root Directory to use as the root of the
+	 * filesystem.  This object represents this directory and all
+	 * subdirectories, including other mounted filesystems.
+	 * @param msg_callback Callback to invoke as errors/warnings
+	 * are generated.  If NULL, write messages to standard error.
+	 * @param varg Value to be passed as the first parameter to
+	 * the callback function.
+	 * @exception bad_alloc Out of memory.
+	 * @exception invalid_argument Root directory does not exist.
+	 * @exception runtime_error Could not open root directory or
+	 * /etc/mtab.
+	 */
+	 sefs_filesystem(const char *new_root, sefs_callback_fn_t msg_callback, void *varg) throw(std::bad_alloc,
+												  std::invalid_argument,
+												  std::runtime_error);
+
+	~sefs_filesystem();
+
+	/**
+	 * Perform a sefs query on this filesystem object, and then
+	 * invoke a callback upon each matching entry.  Mapping is in
+	 * pre-order (i.e., directories will be mapped prior to files
+	 * and subdirectories they contain.)
+	 * @param query Query object containing search parameters.  If
+	 * NULL, invoke the callback on all entries.
+	 * @param fn Function to invoke upon matching entries.  This
+	 * function will be called with three parameters: a pointer to
+	 * this filesystem, pointer to a matching entry, and an
+	 * arbitrary data pointer.  It should return a non-negative
+	 * value upon success, negative value upon error and to abort
+	 * the mapping.
+	 * @param data Arbitrary pointer to be passed into \fn as a
+	 * third parameter.
+	 * @return Last value returned by fn() (i.e., >= on success, <
+	 * 0 on failure).  If the filesystem has no entries then
+	 * return 0.
+	 * @exception std::runtime_error Error while reading contexts
+	 * from the filesystem.
+	 * @exception std::invalid_argument One or more query arguments
+	 * is invalid.
+	 */
+	int runQueryMap(sefs_query * query, sefs_fclist_map_fn_t fn, void *data) throw(std::runtime_error, std::invalid_argument);
+
+	/**
+	 * Determine if the contexts stored in this filesystem contain
+	 * MLS fields.
+	 * @return \a true if MLS fields are present, \a false if not
+	 * or undeterminable.
+	 */
+	bool isMLS() const;
+
+	/**
+	 * Get the root directory of a sefs filesystem structure.
+	 * @return The root directory of the filesystem or NULL on
+	 * error.  Do not free() this string.
+	 */
+	const char *root() const;
+
+	/**
+	 * Look up the given device number on the currently running
+	 * system, and convert it to its device name.
+	 * @param dev Device number to look up.
+	 * @return Name of the device, or NULL if the device number
+	 * was not found.  Do not free() this pointer.
+	 * @exception std::runtime_error Error while querying system.
+	 */
+	const char *getDevName(const dev_t dev) throw(std::runtime_error);
+
+      private:
+	 apol_vector_t * buildDevMap(void) throw(std::runtime_error);
+	bool isQueryMatch(const sefs_query * query, const char *path, const char *dev, const struct stat64 *sb,
+			  apol_vector_t * type_list, apol_mls_range_t * range) throw(std::runtime_error);
+	sefs_entry *getEntry(const struct sefs_context_node *context, uint32_t objectClass, const char *path, ino64_t ino,
+			     const char *dev_name) throw(std::bad_alloc);
+	char *_root;
+	bool _rw, _mls;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_filesystem sefs_filesystem_t;
+
+/**
+ * Allocate and return a new sefs filesystem structure representing
+ * the filesystem rooted at directory \a root.
+ * @see sefs_filesystem::sefs_filesystem()
+ */
+	extern sefs_filesystem_t *sefs_filesystem_create(const char *root, sefs_callback_fn_t msg_callback, void *varg);
+
+/**
+ * Get the root directory of a sefs filesystem structure.
+ * @see sefs_filesystem::root()
+ */
+	extern const char *sefs_filesystem_get_root(const sefs_filesystem_t * fs);
+
+/**
+ * Look up the given device number on the currently running
+ * system, and convert it to its device name.
+ * @see sefs_filesystem::ged_dev_name()
+ */
+	extern const char *sefs_filesystem_get_dev_name(sefs_filesystem_t * fs, const dev_t dev);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_FILESYSTEM_H */
diff --git a/libsefs/include/sefs/query.hh b/libsefs/include/sefs/query.hh
new file mode 100644
index 0000000..c0e8921
--- /dev/null
+++ b/libsefs/include/sefs/query.hh
@@ -0,0 +1,329 @@
+/**
+ *  @file
+ *  Defines the public interface for file context queries.
+ *
+ *  @author Jeremy A. Mowery jmowery@tresys.com
+ *  @author Jason Tang jtang@tresys.com
+ *
+ *  Copyright (C) 2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_QUERY_H
+#define SEFS_QUERY_H
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#include <sys/types.h>
+#include <regex.h>
+
+#ifndef __cplusplus
+#include <stdbool.h>
+#endif
+
+#include <apol/context-query.h>
+#include <apol/mls-query.h>
+#include <apol/policy-query.h>
+#include <apol/vector.h>
+
+#ifdef __cplusplus
+}
+
+#include <stdexcept>
+
+/**
+ * This class represents a query into a (subclass of) fclist.  Create
+ * a query, fill in all accessors are needed, and then run the query.
+ * All fields must match for an entry to be returned.  Where a fclist
+ * does not support a particular criterion (e.g., inode numbers for
+ * fcfile) that portion of the query is considered to be matching.
+ */
+class sefs_query
+{
+	friend class sefs_db;
+	friend class sefs_fcfile;
+	friend class sefs_filesystem;
+
+      public:
+
+	/**
+	 * Allocate and return a new sefs query structure.  All fields
+	 * are initialized, such that running this blank query results
+	 * in returning all entries within a fclist.
+	 */
+	 sefs_query();
+
+	~sefs_query();
+
+	/**
+	 * Set a sefs query to match only entries with contexts with
+	 * the user \a name.
+	 * @param name Limit query to only contexts with this user, or
+	 * NULL to clear this field.  The string will be duplicated.
+	 * @exception std::bad_alloc Out of memory.
+	 */
+	void user(const char *name) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to match only entries with contexts with
+	 * the role \a name.
+	 * @param name Limit query to only contexts with this role, or
+	 * NULL to clear this field.  The string will be duplicated.
+         * @exception std::bad_alloc Out of memory.
+	 */
+	void role(const char *name) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to match only entries with contexts with
+	 * the type \a name.
+	 * @param name Limit query to only contexts with this type, or
+	 * NULL to clear this field.  The string will be duplicated.
+	 * @param indirect If true and if the fclist queried has
+	 * access to a policy, also match contexts with types in
+	 * attribute \a name or types which are an alias for \a name.
+	 * If a policy is not available, this field is ignored, and
+	 * exact string matching is used instead.  This paramater is
+	 * ignored if \a name is NULL.
+	 * @exception std::bad_alloc Out of memory.
+	 * @see sefs_fclist::associatePolicy() to associate a policy
+	 * with a fclist.
+	 */
+	void type(const char *name, bool indirect) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to match only entries with contexts with a
+	 * range of \a range.  If the fclist is not MLS then \a name
+	 * and \a match will be ignored.
+	 * @param name Limit query to only contexts matching this
+	 * string representing the MLS range, or NULL to clear this
+	 * field.  The string will be duplicated.
+	 * @param match If non-zero and the fclist queried has access
+	 * to a policy, match the range using the specified semantics;
+	 * this should be one of APOL_QUERY_SUB, APOL_QUERY_SUPER, or
+	 * APOL_QUERY_EXACT.  (The range string will be converted
+	 * automatically into an apol_mls_range_t object.)  If a
+	 * policy is not available or \a match is zero, exact string
+	 * matching is used instead.  Note, if a policy is available
+	 * the regex flag is ignored if \a match is non-zero.  This
+	 * parameter is ignored if \a range is NULL.
+	 * @exception std::bad_alloc Out of memory.
+	 * @see sefs_fclist::associatePolicy() to associate a policy
+	 * with a fclist.
+	 */
+	void range(const char *name, int match) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to match only entries with object class \a
+	 * objclass.
+	 *
+	 * <em>Note:</em> If the query is run against a fcfile, then
+	 * entries without explicit object classes (i.e., no explicit
+	 * <tt>--</tt>, <tt>-d</tt>, etc.) will always match
+	 * irrespective of the query's object class field.
+	 *
+	 * @param Numeric identifier for an objclass, one of
+	 * QPOL_CLASS_FILE, QPOL_CLASS_DIR, etc., as defined in
+	 * <qpol/genfscon_query.h>.  Use QPOL_CLASS_ALL to match all
+	 * object classes.
+	 */
+	void objectClass(uint32_t objclass);
+
+	/**
+	 * Set a sefs query to match only entries with object class \a
+	 * name.  The \a name parameter is not affected by regex().
+	 *
+	 * @param name Limit query to only entries with this object
+	 * class, or NULL to clear this field.  The incoming string
+	 * must be legal according to apol_str_to_objclass().
+	 *
+	 * @see objectClass(uint32_t) for note about fcfiles.
+	 */
+	void objectClass(const char *name);
+
+	/**
+	 * Set a sefs query to match only entries with path \a path.
+	 *
+	 * <em>Note:</em> If the query is run against a fcfile, the
+	 * behavior of matching paths is slightly different.  For each
+	 * of fcfile's entries, that entry's regular expression is
+	 * matched against \a path.  This is the reverse for other
+	 * types of fclist, where \a path matches an entry's path if
+	 * \a path is a substring.  (If sefs_query::regex() is set to
+	 * true, \a path is instead treated as a regular expression.)
+	 *
+	 * @param str Limit query to only entries containing this
+	 * path, or NULL to clear this field.  The string will be
+	 * duplicated.
+	 * @exception std::bad_alloc Out of memory.
+	 */
+	void path(const char *str) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to match only entries with a given inode
+	 * number.
+	 * @param ino Limit query to only entries with this inode
+	 * number, or 0 to clear this field.
+	 */
+	void inode(ino64_t ino);
+
+	/**
+	 * Set a sefs query to match only entries with a given device
+	 * name.
+	 * @param str Limit query to only entries with this device
+	 * name, or NULL to clear this string.  The string will be
+	 * duplicated.
+	 * @exception std::bad_alloc Out of memory.
+	 * @see sefs_filesystem::getDevName() to convert between dev_t
+	 * and a name.
+	 */
+	void dev(const char *str) throw(std::bad_alloc);
+
+	/**
+	 * Set a sefs query to use regular expression matching for
+	 * string fields.
+	 * @param r If true then use regular expression matching;
+	 * otherwise use only exact string matching.
+	 */
+	void regex(bool r);
+
+      private:
+	/**
+	 * Compile the regular expressions stored within this query
+	 * object.  It is safe to call this function multiple times.
+	 *
+	 * @exception std::bad_alloc Out of memory.
+	 * @exception std::invalid_argument One or more invalid regular
+	 * expressions is invalid.
+	 */
+	void compile() throw(std::bad_alloc, std::invalid_argument);
+
+	char *_user, *_role, *_type, *_range, *_path, *_dev;
+	uint32_t _objclass;
+	bool _indirect, _regex, _recursive;
+	int _rangeMatch;
+	ino64_t _inode;
+	bool _recompiled;
+	regex_t *_reuser, *_rerole, *_retype, *_rerange, *_repath, *_redev;
+};
+
+extern "C"
+{
+#endif
+
+//we do not want to wrap two copies of everything so have SWIG ignore
+//the compatibility section.
+#ifndef SWIG
+
+	typedef struct sefs_query sefs_query_t;
+
+/**
+ * Allocate and return a new sefs query structure.
+ * @see sefs_query::sefs_query()
+ */
+	extern sefs_query_t *sefs_query_create();
+
+/**
+ * Deallocate all memory associated with the referenced sefs query,
+ * and then set it to NULL.  This function does nothing if the query
+ * is already NULL.
+ * @param query Reference to a sefs query structure to destroy.
+ */
+	extern void sefs_query_destroy(sefs_query_t ** query);
+
+/**
+ * Set a sefs query to match only entries with contexts with the user
+ * \a name.
+ * @see sefs_query::user()
+ */
+	extern int sefs_query_set_user(sefs_query_t * query, const char *name);
+
+/**
+ * Set a sefs query to match only entries with contexts with the role
+ * \a name.
+ * @see sefs_query::role()
+ */
+	extern int sefs_query_set_role(sefs_query_t * query, const char *name);
+
+/**
+ * Set a sefs query to match only entries with contexts with the type
+ * \a name.
+ * @see sefs_query::type()
+ * @see sefs_fclist_associate_policy() to associate a policy with a
+ * fclist.
+ */
+	extern int sefs_query_set_type(sefs_query_t * query, const char *name, bool indirect);
+
+/**
+ * Set a sefs query to match only entries with contexts with a range
+ * of \a range.
+ * @see sefs_query::range()
+ * @see sefs_fclist_associate_policy() to associate a policy with a
+ * fclist.
+ */
+	extern int sefs_query_set_range(sefs_query_t * query, const char *range, int match);
+
+/**
+ * Set a sefs query to match only entries with object class \a
+ * objclass.
+ * @return Always 0.
+ * @see sefs_query::objectClass(uint32_t)
+ */
+	extern int sefs_query_set_object_class(sefs_query_t * query, uint32_t objclass);
+
+/**
+ * Set a sefs query to match only entries with object class \a name.
+ * @return Always 0.
+ * @see sefs_query::objectClass(const char *)
+ */
+	extern int sefs_query_set_object_class_str(sefs_query_t * query, const char *name);
+
+/**
+ * Set a sefs query to match only entries with path \a path.
+ * @see sefs_query::path()
+ */
+	extern int sefs_query_set_path(sefs_query_t * query, const char *path);
+
+/**
+ * Set a sefs query to match only entries with a given inode number.
+ * @return Always 0.
+ * @see sefs_query::inode()
+ */
+	extern int sefs_query_set_inode(sefs_query_t * query, ino64_t inode);
+
+/**
+ * Set a sefs query to match only entries with a given device number.
+ * @see sefs_query::dev()
+ */
+	extern int sefs_query_set_dev(sefs_query_t * query, const char *dev);
+
+/**
+ * Set a sefs query to use regular expression matching for string
+ * fields.
+ * @return Always 0.
+ * @see sefs_query::regex()
+ */
+	extern int sefs_query_set_regex(sefs_query_t * query, bool regex);
+
+#endif				       /* SWIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif				       /* SEFS_QUERY_H */
diff --git a/libsefs/include/sefs/util.h b/libsefs/include/sefs/util.h
new file mode 100644
index 0000000..24480ea
--- /dev/null
+++ b/libsefs/include/sefs/util.h
@@ -0,0 +1,56 @@
+/**
+ * @file
+ *
+ * Miscellaneous, uncategorized functions for libsefs.
+ *
+ * @author Jeremy A. Mowery jmowery@tresys.com
+ * @author Jason Tang  jtang@tresys.com
+ *
+ * Copyright (C) 2006-2007 Tresys Technology, LLC
+ *
+ *  This library is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU Lesser General Public
+ *  License as published by the Free Software Foundation; either
+ *  version 2.1 of the License, or (at your option) any later version.
+ *
+ *  This library is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ *  Lesser General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Lesser General Public
+ *  License along with this library; if not, write to the Free Software
+ *  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ */
+
+#ifndef SEFS_UTIL_H
+#define SEFS_UTIL_H
+
+#ifdef	__cplusplus
+extern "C"
+{
+#endif
+
+/**
+ * Return an immutable string describing this library's version.
+ *
+ * @return String describing this library.
+ */
+	extern const char *libsefs_get_version(void);
+
+/**
+ * Return the name (path + filename) of the file_contexts file for the
+ * currently running SELinux system.  If the system is not running
+ * SELinux then return an empty string ("").
+ *
+ * @return The name of the default file_contexts file (if system is
+ * running SELinux), an empty string (if not SELinux), or NULL upon
+ * error.  The caller must free() the string afterwards.
+ */
+	extern char *sefs_default_file_contexts_get_path(void);
+
+#ifdef	__cplusplus
+}
+#endif
+
+#endif