diff --git a/cfg/selinux.cfg b/cfg/selinux.cfg
new file mode 100644
index 000000000000..cf084d8bfeff
--- /dev/null
+++ b/cfg/selinux.cfg
@@ -0,0 +1,3621 @@
+<?xml version="1.0"?>
+<def format="2">
+  <!-- <selinux/restorecon.h> -->
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon.3.html -->
+  <!-- int selinux_restorecon(const char *pathname, unsigned int restorecon_flags); -->
+  <function name="selinux_restorecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int selinux_restorecon_parallel(const char *pathname, unsigned int restorecon_flags, size_t nthreads); -->
+  <function name="selinux_restorecon_parallel">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <define name="SELINUX_RESTORECON_IGNORE_DIGEST" value="0x00001"/>
+  <define name="SELINUX_RESTORECON_NOCHANGE" value="0x00002"/>
+  <define name="SELINUX_RESTORECON_SET_SPECFILE_CTX" value="0x00004"/>
+  <define name="SELINUX_RESTORECON_RECURSE" value="0x00008"/>
+  <define name="SELINUX_RESTORECON_VERBOSE" value="0x00010"/>
+  <define name="SELINUX_RESTORECON_PROGRESS" value="0x00020"/>
+  <define name="SELINUX_RESTORECON_REALPATH" value="0x00040"/>
+  <define name="SELINUX_RESTORECON_XDEV" value="0x00080"/>
+  <define name="SELINUX_RESTORECON_ADD_ASSOC" value="0x00100"/>
+  <define name="SELINUX_RESTORECON_ABORT_ON_ERROR" value="0x00200"/>
+  <define name="SELINUX_RESTORECON_SYSLOG_CHANGES" value="0x00400"/>
+  <define name="SELINUX_RESTORECON_LOG_MATCHES" value="0x00800"/>
+  <define name="SELINUX_RESTORECON_IGNORE_NOENTRY" value="0x01000"/>
+  <define name="SELINUX_RESTORECON_IGNORE_MOUNTS" value="0x02000"/>
+  <define name="SELINUX_RESTORECON_MASS_RELABEL" value="0x04000"/>
+  <define name="SELINUX_RESTORECON_SKIP_DIGEST" value="0x08000"/>
+  <define name="SELINUX_RESTORECON_CONFLICT_ERROR" value="0x10000"/>
+  <define name="SELINUX_RESTORECON_COUNT_ERRORS" value="0x20000"/>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_set_sehandle.3.html -->
+  <!-- void selinux_restorecon_set_sehandle(struct selabel_handle *hndl); -->
+  <function name="selinux_restorecon_set_sehandle">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_default_handle.3.html -->
+  <!-- struct selabel_handle *selinux_restorecon_default_handle(void); -->
+  <function name="selinux_restorecon_default_handle">
+    <returnValue type="struct selabel_handle *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_set_exclude_list.3.html -->
+  <!-- void selinux_restorecon_set_exclude_list(const char **exclude_list); -->
+  <function name="selinux_restorecon_set_exclude_list">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_set_alt_rootpath.3.html -->
+  <!-- int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath); -->
+  <function name="selinux_restorecon_set_alt_rootpath">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_get_skipped_errors.3.html -->
+  <!-- long unsigned selinux_restorecon_get_skipped_errors(void); -->
+  <function name="selinux_restorecon_get_skipped_errors">
+    <returnValue type="unsigned long"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_restorecon_xattr.3.html -->
+  <!-- int selinux_restorecon_xattr(const char *pathname, unsigned int xattr_flags, struct dir_xattr ***xattr_list); -->
+  <function name="selinux_restorecon_xattr">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <define name="SELINUX_RESTORECON_XATTR_RECURSE" value="0x0001"/>
+  <define name="SELINUX_RESTORECON_XATTR_DELETE_NONMATCH_DIGESTS" value="0x0002"/>
+  <define name="SELINUX_RESTORECON_XATTR_DELETE_ALL_DIGESTS" value="0x0004"/>
+  <define name="SELINUX_RESTORECON_XATTR_IGNORE_MOUNTS" value="0x0008"/>
+  <!-- <selinux/get_default_type.h> -->
+  <!-- https://man7.org/linux/man-pages/man3/selinux_binary_policy_path.3.html -->
+  <!-- const char *selinux_default_type_path(void); -->
+  <function name="selinux_default_type_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/get_ordered_context_list.3.html -->
+  <!-- int get_default_type(const char *role, char **type); -->
+  <function name="get_default_type">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">get_default_type</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- <selinux/label.h> -->
+  <!-- https://man7.org/linux/man-pages/man3/selabel_open.3.html -->
+  <podtype name="selabel_handle"/>
+  <!-- struct selabel_handle *selabel_open(unsigned int backend, const struct selinux_opt *opts, unsigned nopts); -->
+  <function name="selabel_open">
+    <returnValue type="struct selabel_handle *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:5</valid>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <minsize type="argvalue" arg="3"/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <define name="SELABEL_CTX_FILE" value="0"/>
+  <define name="SELABEL_CTX_MEDIA" value="1"/>
+  <define name="SELABEL_CTX_X" value="2"/>
+  <define name="SELABEL_CTX_DB" value="3"/>
+  <define name="SELABEL_CTX_ANDROID_PROP" value="4"/>
+  <define name="SELABEL_CTX_ANDROID_SERVICE" value="5"/>
+  <define name="SELABEL_OPT_UNUSED" value="0"/>
+  <define name="SELABEL_OPT_VALIDATE" value="1"/>
+  <define name="SELABEL_OPT_BASEONLY" value="2"/>
+  <define name="SELABEL_OPT_PATH" value="3"/>
+  <define name="SELABEL_OPT_SUBSET" value="4"/>
+  <define name="SELABEL_OPT_DIGEST" value="5"/>
+  <define name="SELABEL_NOPT" value="6"/>
+  <!-- void selabel_close(struct selabel_handle *handle); -->
+  <function name="selabel_close">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+  </function>
+  <resource>
+    <alloc init="true">selabel_open</alloc>
+    <dealloc>selabel_close</dealloc>
+  </resource>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_lookup.3.html -->
+  <!-- int selabel_lookup(struct selabel_handle *handle, char **con, const char *key, int type); -->
+  <function name="selabel_lookup">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selabel_lookup</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int selabel_lookup_raw(struct selabel_handle *handle, char **con, const char *key, int type); -->
+  <function name="selabel_lookup_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selabel_lookup_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_partial_match.3.html -->
+  <!-- bool selabel_partial_match(struct selabel_handle *handle, const char *key); -->
+  <function name="selabel_lookup_raw">
+    <returnValue type="bool"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_get_digests_all_partial_matches.3.html -->
+  <!-- bool selabel_get_digests_all_partial_matches(struct selabel_handle *rec, const char *key, uint8_t **calculated_digest, uint8_t **xattr_digest, size_t *digest_len); -->
+  <function name="selabel_get_digests_all_partial_matches">
+    <returnValue type="bool"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="5" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">selabel_get_digests_all_partial_matches</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <memory>
+    <alloc init="true" arg="4">selabel_get_digests_all_partial_matches</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- bool selabel_hash_all_partial_matches(struct selabel_handle *rec, const char *key, uint8_t* digest); -->
+  <function name="selabel_hash_all_partial_matches">
+    <returnValue type="bool"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_lookup_best_match.3.html -->
+  <!-- int selabel_lookup_best_match(struct selabel_handle *rec, char **con, const char *key, const char **aliases, int type); -->
+  <function name="selabel_lookup_best_match">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+    </arg>
+    <arg nr="5" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selabel_lookup_best_match</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int selabel_lookup_best_match_raw(struct selabel_handle *rec, char **con, const char *key, const char **aliases, int type); -->
+  <function name="selabel_lookup_best_match_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+    </arg>
+    <arg nr="5" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selabel_lookup_best_match_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_digest.3.html -->
+  <!-- int selabel_digest(struct selabel_handle *rec, unsigned char **digest, size_t *digest_len, char ***specfiles, size_t *num_specfiles); -->
+  <function name="selabel_digest">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="5" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- enum selabel_cmp_result selabel_cmp(const struct selabel_handle *h1, const struct selabel_handle *h2); -->
+  <function name="selabel_cmp">
+    <returnValue type="enum selabel_cmp_result"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selabel_stats.3.html -->
+  <!-- void selabel_stats(struct selabel_handle *handle); -->
+  <function name="selabel_stats">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man5/selabel_x.5.html -->
+  <define name="SELABEL_X_PROP" value="1"/>
+  <define name="SELABEL_X_EXT" value="2"/>
+  <define name="SELABEL_X_CLIENT" value="3"/>
+  <define name="SELABEL_X_EVENT" value="4"/>
+  <define name="SELABEL_X_SELN" value="5"/>
+  <define name="SELABEL_X_POLYPROP" value="6"/>
+  <define name="SELABEL_X_POLYSELN" value="7"/>
+  <!-- https://man7.org/linux/man-pages/man5/selabel_db.5.html -->
+  <define name="SELABEL_DB_DATABASE" value="1"/>
+  <define name="SELABEL_DB_SCHEMA" value="2"/>
+  <define name="SELABEL_DB_TABLE" value="3"/>
+  <define name="SELABEL_DB_COLUMN" value="4"/>
+  <define name="SELABEL_DB_SEQUENCE" value="5"/>
+  <define name="SELABEL_DB_VIEW" value="6"/>
+  <define name="SELABEL_DB_PROCEDURE" value="7"/>
+  <define name="SELABEL_DB_BLOB" value="8"/>
+  <define name="SELABEL_DB_TUPLE" value="9"/>
+  <define name="SELABEL_DB_LANGUAGE" value="10"/>
+  <define name="SELABEL_DB_EXCEPTION" value="11"/>
+  <define name="SELABEL_DB_DATATYPE" value="12"/>
+  <!-- <selinux/context.h>
+  <!-- https://man7.org/linux/man-pages/man3/context_new.3.html -->
+  <podtype name="context_t"/>
+  <!-- context_t context_new(const char *str); -->
+  <function name="context_new">
+    <returnValue type="context_new"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- const char *context_str(context_t con); -->
+  <function name="context_str">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- void context_free(context_t con); -->
+  <function name="context_free">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true">context_new</alloc>
+    <dealloc>context_free</dealloc>
+  </memory>
+  <!-- const char *context_type_get(context_t con); -->
+  <function name="context_type_get">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- const char *context_range_get(context_t con); -->
+  <function name="context_range_get">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- const char *context_role_get(context_t con); -->
+  <function name="context_role_get">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- const char *context_user_get(context_t con); -->
+  <function name="context_user_get">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- int context_type_set(context_t con, const char *type); -->
+  <function name="context_type_set">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="inout">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int context_range_set(context_t con, const char *type); -->
+  <function name="context_range_set">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="inout">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int context_role_set(context_t con, const char *type); -->
+  <function name="context_role_set">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="inout">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int context_user_set(context_t con, const char *type); -->
+  <function name="context_user_set">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="inout">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- <selinux/get_context_list.h> -->
+  <define name="SELINUX_DEFAULTUSER" value="&quot;user_u&quot;"/>
+  <!-- https://man7.org/linux/man-pages/man3/get_ordered_context_list.3.html -->
+  <!-- int get_ordered_context_list(const char *user, const char *fromcon, char *** list); -->
+  <function name="get_ordered_context_list">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">get_ordered_context_list</alloc>
+    <dealloc>freeconary</dealloc>
+  </memory>
+  <!-- int get_ordered_context_list_with_level(const char *user, const char *level, const char *fromcon, char *** list); -->
+  <function name="get_ordered_context_list_with_level">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">get_ordered_context_list_with_level</alloc>
+    <dealloc>freeconary</dealloc>
+  </memory>
+  <!-- int get_default_context(const char *user, const char *fromcon, char ** newcon); -->
+  <function name="get_default_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">get_default_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int get_default_context_with_level(const char *user, const char *level, const char *fromcon, char ** newcon); -->
+  <function name="get_default_context_with_level">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">get_default_context_with_level</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int get_default_context_with_role(const char *user, const char *role, const char *fromcon, char ** newcon); -->
+  <function name="get_default_context_with_role">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">get_default_context_with_role</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int get_default_context_with_rolelevel(const char *user, const char *role, const char *level, const char *fromcon, char ** newcon); -->
+  <function name="get_default_context_with_rolelevel">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="5" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="5">get_default_context_with_rolelevel</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int query_user_context(char ** list, char ** newcon); -->
+  <function name="query_user_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">query_user_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int manual_user_enter_context(const char *user, char ** newcon); -->
+  <function name="manual_user_enter_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">manual_user_enter_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- <selinux/avc.h> -->
+  <podtype name="security_id"/>
+  <define name="SECSID_WILD" value="NULL"/>
+  <define name="AVC_OPT_UNUSED" value="0"/>
+  <define name="AVC_OPT_SETENFORCE" value="1"/>
+  <define name="AVC_CALLBACK_GRANT" value="1"/>
+  <define name="AVC_CALLBACK_TRY_REVOKE" value="2"/>
+  <define name="AVC_CALLBACK_REVOKE" value="4"/>
+  <define name="AVC_CALLBACK_RESET" value="8"/>
+  <define name="AVC_CALLBACK_AUDITALLOW_ENABLE" value="16"/>
+  <define name="AVC_CALLBACK_AUDITALLOW_DISABLE" value="32"/>
+  <define name="AVC_CALLBACK_AUDITDENY_ENABLE" value="64"/>
+  <define name="AVC_CALLBACK_AUDITDENY_DISABLE" value="128"/>
+  <define name="AVC_CACHE_STATS" value="1"/>
+  <!-- https://man7.org/linux/man-pages/man3/avc_context_to_sid.3.html -->
+  <!-- int avc_sid_to_context(security_id_t sid, char ** ctx); -->
+  <function name="avc_sid_to_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">avc_sid_to_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int avc_sid_to_context_raw(security_id_t sid, char ** ctx); -->
+  <function name="avc_sid_to_context_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">avc_sid_to_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int avc_context_to_sid(const char * ctx, security_id_t * sid); -->
+  <function name="avc_context_to_sid">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- int avc_context_to_sid_raw(const char * ctx, security_id_t * sid); -->
+  <function name="avc_context_to_sid_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- int avc_get_initial_sid(const char *name, security_id_t * sid); -->
+  <function name="avc_get_initial_sid">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- int sidget(security_id_t sid); -->
+  <function name="sidget">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int sidput(security_id_t sid); -->
+  <function name="sidput">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_init.3.html -->
+  <!-- int avc_init(const char *msgprefix, const struct avc_memory_callback *mem_callbacks, const struct avc_log_callback *log_callbacks, const struct avc_thread_callback *thread_callbacks,
+  const struct avc_lock_callback *lock_callbacks) -->
+  <function name="avc_init">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_open.3.html -->
+  <!-- int avc_open(struct selinux_opt *opts, unsigned nopts); -->
+  <function name="avc_open">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <minsize type="argvalue" arg="2"/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void avc_cleanup(void); -->
+  <function name="avc_cleanup">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- int avc_reset(void); -->
+  <function name="avc_reset">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- void avc_destroy(void); -->
+  <function name="avc_destroy">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_has_perm.3.html -->
+  <!-- int avc_has_perm_noaudit(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested, struct avc_entry_ref *aeref, struct av_decision *avd); -->
+  <function name="avc_has_perm_noaudit">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="6" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int avc_has_perm(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested, struct avc_entry_ref *aeref, void *auditdata); -->
+  <function name="avc_has_perm">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="6" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void avc_audit(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested, struct av_decision *avd, int result, void *auditdata); -->
+  <function name="avc_audit">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="6" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="7" direction="inout">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_compute_create.3.html -->
+  <!-- int avc_compute_create(security_id_t ssid, security_id_t tsid, security_class_t tclass, security_id_t * newsid); -->
+  <function name="avc_compute_create">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- int avc_compute_member(security_id_t ssid, security_id_t tsid, security_class_t tclass, security_id_t * newsid); -->
+  <function name="avc_compute_member">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_add_callback.3.html -->
+  <!-- int avc_add_callback(int (*callback) (uint32_t event, security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t perms, access_vector_t * out_retained), uint32_t events, security_id_t ssid, security_id_t tsid, security_class_t tclass,
+  access_vector_t perms); -->
+  <function name="avc_add_callback">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="6" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_cache_stats.3.html -->
+  <!-- void avc_cache_stats(struct avc_cache_stats *stats); -->
+  <function name="avc_cache_stats">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void avc_av_stats(void); -->
+  <function name="avc_av_stats">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- void avc_sid_stats(void); -->
+  <function name="avc_sid_stats">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/avc_netlink_loop.3.html -->
+  <!-- int avc_netlink_open(int blocking); -->
+  <function name="avc_netlink_open">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <valid>0,1</valid>
+    </arg>
+  </function>
+  <!-- void avc_netlink_loop(void); -->
+  <function name="avc_netlink_loop">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- void avc_netlink_close(void); -->
+  <function name="avc_netlink_close">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- int avc_netlink_acquire_fd(void); -->
+  <function name="avc_netlink_acquire_fd">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- void avc_netlink_release_fd(void); -->
+  <function name="avc_netlink_release_fd">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- int avc_netlink_check_nb(void); -->
+  <function name="avc_netlink_check_nb">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_status_open.3.html -->
+  <!-- int selinux_status_open(int fallback); -->
+  <function name="selinux_status_open">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <valid>0,1</valid>
+    </arg>
+  </function>
+  <!-- void selinux_status_close(void); -->
+  <function name="selinux_status_close">
+    <noreturn>false</noreturn>
+  </function>
+  <!-- TODO: somehow model hidden resource
+  <resource>
+    <alloc init="true">selinux_status_open</alloc>
+    <dealloc>selinux_status_close</dealloc>
+  </resource> -->
+  <!-- int selinux_status_updated(void); -->
+  <function name="selinux_status_updated">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int selinux_status_getenforce(void); -->
+  <function name="selinux_status_getenforce">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int selinux_status_policyload(void); -->
+  <function name="selinux_status_policyload">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int selinux_status_deny_unknown(void); -->
+  <function name="selinux_status_deny_unknown">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- <selinux/selinux.h> -->
+  <podtype name="security_context_t"/>
+  <podtype name="access_vector_t"/>
+  <podtype name="security_class_t"/>
+  <podtype name="av_decision"/>
+  <podtype name="selinux_opt"/>
+  <podtype name="selinux_callback"/>
+  <podtype name="SELboolean"/>
+  <podtype name="security_class_mapping"/>
+  <define name="SELINUX_AVD_FLAGS_PERMISSIVE" value="0x0001"/>
+  <define name="SELINUX_CB_LOG" value="0"/>
+  <define name="SELINUX_CB_AUDIT" value="1"/>
+  <define name="SELINUX_CB_VALIDATE" value="2"/>
+  <define name="SELINUX_CB_SETENFORCE" value="3"/>
+  <define name="SELINUX_CB_POLICYLOAD" value="4"/>
+  <define name="SELINUX_ERROR" value="0"/>
+  <define name="SELINUX_WARNING" value="1"/>
+  <define name="SELINUX_INFO" value="2"/>
+  <define name="SELINUX_AVC" value="3"/>
+  <define name="SELINUX_POLICYLOAD" value="4"/>
+  <define name="SELINUX_SETENFORCE" value="5"/>
+  <define name="SELINUX_TRANS_DIR" value="&quot;/var/run/setrans&quot;"/>
+  <define name="MATCHPATHCON_BASEONLY" value="1"/>
+  <define name="MATCHPATHCON_NOTRANS" value="2"/>
+  <define name="MATCHPATHCON_VALIDATE" value="4"/>
+  <!-- https://man7.org/linux/man-pages/man3/is_selinux_enabled.3.html -->
+  <!-- int is_selinux_enabled(void); -->
+  <function name="is_selinux_enabled">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int is_selinux_mls_enabled(void); -->
+  <function name="is_selinux_mls_enabled">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/getcon.3.html -->
+  <!-- void freecon(char * con); -->
+  <function name="freecon">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- void freeconary(char ** con); -->
+  <function name="freeconary">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- int getcon(char ** con); -->
+  <function name="getcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getcon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getcon_raw(char ** con); -->
+  <function name="getcon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getcon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getprevcon(char ** con); -->
+  <function name="getprevcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getprevcon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getprevcon_raw(char ** con); -->
+  <function name="getprevcon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getprevcon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getexeccon(char ** con); -->
+  <function name="getexeccon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getexeccon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getexeccon_raw(char ** con); -->
+  <function name="getexeccon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getexeccon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getpidcon(pid_t pid, char ** con); -->
+  <function name="getpidcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpidcon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getpidcon_raw(pid_t pid, char ** con); -->
+  <function name="getpidcon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpidcon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getpidprevcon(pid_t pid, char ** con); -->
+  <function name="getpidprevcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpidprevcon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getpidprevcon_raw(pid_t pid, char ** con); -->
+  <function name="getpidprevcon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpidprevcon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int setcon(const char * con); -->
+  <function name="setcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setcon_raw(const char * con); -->
+  <function name="setcon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setexeccon(const char * con); -->
+  <function name="setexeccon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setexeccon_raw(const char * con); -->
+  <function name="setexeccon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setexecfilecon(const char *filename, const char *fallback_type); -->
+  <function name="setexecfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int getfscreatecon(char ** con); -->
+  <function name="getfscreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getfscreatecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getfscreatecon_raw(char ** con); -->
+  <function name="getfscreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getfscreatecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int setfscreatecon(const char * con); -->
+  <function name="setfscreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setfscreatecon_raw(const char * con); -->
+  <function name="setfscreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int getkeycreatecon(char ** con); -->
+  <function name="getkeycreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getkeycreatecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getkeycreatecon_raw(char ** con); -->
+  <function name="getkeycreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getkeycreatecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int setkeycreatecon(const char * con); -->
+  <function name="setkeycreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setkeycreatecon_raw(const char * con); -->
+  <function name="setkeycreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int getsockcreatecon(char ** con); -->
+  <function name="getsockcreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getsockcreatecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getsockcreatecon_raw(char ** con); -->
+  <function name="getsockcreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">getsockcreatecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int setsockcreatecon(const char * con); -->
+  <function name="setsockcreatecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setsockcreatecon_raw(const char * con); -->
+  <function name="setsockcreatecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int getpeercon(int fd, char ** con); -->
+  <function name="getpeercon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpeercon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getpeercon_raw(int fd, char ** con); -->
+  <function name="getpeercon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getpeercon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/getfilecon.3.html -->
+  <!-- int getfilecon(const char *path, char ** con); -->
+  <function name="getfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getfilecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int getfilecon_raw(const char *path, char ** con); -->
+  <function name="getfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getfilecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int lgetfilecon(const char *path, char ** con); -->
+  <function name="lgetfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">lgetfilecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int lgetfilecon_raw(const char *path, char ** con); -->
+  <function name="lgetfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">lgetfilecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int fgetfilecon(int fd, char ** con); -->
+  <function name="fgetfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">fgetfilecon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int fgetfilecon_raw(int fd, char ** con); -->
+  <function name="fgetfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">fgetfilecon_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/setfilecon.3.html -->
+  <!-- int setfilecon(const char *path, const char * con); -->
+  <function name="setfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int setfilecon_raw(const char *path, const char * con); -->
+  <function name="setfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int lsetfilecon(const char *path, const char * con); -->
+  <function name="lsetfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int lsetfilecon_raw(const char *path, const char * con); -->
+  <function name="lsetfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int fsetfilecon(int fd, const char * con); -->
+  <function name="fsetfilecon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int fsetfilecon_raw(int fd, const char * con); -->
+  <function name="fsetfilecon_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <valid>0:</valid>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- union selinux_callback selinux_get_callback(int type); -->
+  <function name="selinux_get_callback">
+    <returnValue type="union selinux_callback"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:4</valid>
+    </arg>
+  </function>
+  <!-- void selinux_set_callback(int type, union selinux_callback cb); -->
+  <function name="selinux_set_callback">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:4</valid>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_compute_av.3.html -->
+  <!-- int security_compute_av(const char * scon, const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -->
+  <function name="security_compute_av">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="out">
+    </arg>
+  </function>
+  <!-- int security_compute_av_raw(const char * scon, const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -->
+  <function name="security_compute_av_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="out">
+    </arg>
+  </function>
+  <!-- int security_compute_av_flags(const char * scon, const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -->
+  <function name="security_compute_av_flags">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="out">
+    </arg>
+  </function>
+  <!-- int security_compute_av_flags_raw(const char * scon, const char * tcon, security_class_t tclass, access_vector_t requested, struct av_decision *avd); -->
+  <function name="security_compute_av_flags_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="5" direction="out">
+    </arg>
+  </function>
+  <!-- int security_compute_create(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_create">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_create</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_create_raw(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_create_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_create_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_create_name(const char * scon, const char * tcon, security_class_t tclass, const char *objname, char ** newcon); -->
+  <function name="security_compute_create_name">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="5" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="5">security_compute_create_name</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_create_name_raw(const char * scon, const char * tcon, security_class_t tclass, const char *objname, char ** newcon); -->
+  <function name="security_compute_create_name_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="5" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="5">security_compute_create_name_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_relabel(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_relabel">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_relabel</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_relabel_raw(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_relabel_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_relabel</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_member(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_member">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_member</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_member_raw(const char * scon, const char * tcon, security_class_t tclass, char ** newcon); -->
+  <function name="security_compute_member_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="4">security_compute_member_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_compute_user(const char * scon, const char *username, char *** con); -->
+  <function name="security_compute_user">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">security_compute_user</alloc>
+    <dealloc>freeconary</dealloc>
+  </memory>
+  <!-- int security_compute_user_raw(const char * scon, const char *username, char *** con); -->
+  <function name="security_compute_user_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">security_compute_user_raw</alloc>
+    <dealloc>freeconary</dealloc>
+  </memory>
+  <!-- int security_validatetrans(const char *scon, const char *tcon, security_class_t tclass, const char *newcon); -->
+  <function name="security_validatetrans">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_validatetrans_raw(const char *scon, const char *tcon, security_class_t tclass, const char *newcon); -->
+  <function name="security_validatetrans_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int selinux_check_access(const char * scon, const char * tcon, const char *tclass, const char *perm, void *auditdata); -->
+  <function name="selinux_check_access">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="4" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="5" direction="in">
+      <not-uninit/>
+    </arg>
+  </function>
+  <!-- int selinux_check_passwd_access(access_vector_t requested) -->
+  <function name="selinux_check_passwd_access">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int checkPasswdAccess(access_vector_t requested) -->
+  <function name="checkPasswdAccess">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int security_get_initial_context(const char *name, char ** con); -->
+  <function name="security_get_initial_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">security_get_initial_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_get_initial_context_raw(const char *name, char ** con); -->
+  <function name="security_get_initial_context_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">security_get_initial_context_raw</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/security_load_policy.3.html -->
+  <!-- int security_load_policy(const void *data, size_t len); -->
+  <function name="security_load_policy">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <minsize type="argvalue" arg="2"/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- int selinux_mkload_policy(int preservebools); -->
+  <function name="selinux_mkload_policy">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0,1</valid>
+    </arg>
+  </function>
+  <!-- int selinux_init_load_policy(int *enforce); -->
+  <function name="selinux_init_load_policy">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_load_booleans.3.html -->
+  <!-- int security_set_boolean_list(size_t boolcnt, SELboolean * boollist, int permanent); -->
+  <function name="security_set_boolean_list">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <minsize type="argvalue" arg="1"/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0</valid>
+    </arg>
+  </function>
+  <!-- int security_get_boolean_names(char ***names, int *len); -->
+  <function name="security_get_boolean_names">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">security_get_boolean_names</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- int security_get_boolean_pending(const char *name); -->
+  <function name="security_get_boolean_pending">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_get_boolean_active(const char *name); -->
+  <function name="security_get_boolean_active">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_set_boolean(const char *name, int value); -->
+  <function name="security_set_boolean">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <valid>0,1</valid>
+    </arg>
+  </function>
+  <!-- int security_commit_booleans(void); -->
+  <function name="security_commit_booleans">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int security_load_booleans(char *path) -->
+  <function name="security_load_booleans">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_check_context.3.html -->
+  <!-- int security_check_context(const char * con); -->
+  <function name="security_check_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_check_context_raw(const char * con); -->
+  <function name="security_check_context_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_canonicalize_context(const char * con, char ** canoncon); -->
+  <function name="security_canonicalize_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">security_canonicalize_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int security_canonicalize_context_raw(const char * con, char ** canoncon); -->
+  <function name="security_canonicalize_context_raw">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">security_canonicalize_context</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/security_getenforce.3.html -->
+  <!-- int security_getenforce(void); -->
+  <function name="security_getenforce">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int security_setenforce(int value); -->
+  <function name="security_setenforce">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <valid>0,1</valid>
+    </arg>
+  </function>
+  <!-- int security_reject_unknown(void); -->
+  <function name="security_reject_unknown">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int security_deny_unknown(void); -->
+  <function name="security_deny_unknown">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int security_get_checkreqprot(void); -->
+  <function name="security_get_checkreqprot">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_disable.3.html -->
+  <!-- int security_disable(void); -->
+  <function name="security_disable">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <warn severity="warning">Disabling SELinux at runtime is deprecated and may not be supported on modern Linux kernels.</warn>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_policyvers.3.html -->
+  <!-- int security_policyvers(void); -->
+  <function name="security_policyvers">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_set_mapping.3.html -->
+  <!-- int selinux_set_mapping(const struct security_class_mapping *map); -->
+  <function name="selinux_set_mapping">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/security_class_to_string.3.html -->
+  <!-- security_class_t mode_to_security_class(mode_t mode); -->
+  <function name="mode_to_security_class">
+    <returnValue type="security_class_t"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- security_class_t string_to_security_class(const char *name); -->
+  <function name="string_to_security_class">
+    <returnValue type="security_class_t"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- const char *security_class_to_string(security_class_t cls); -->
+  <function name="security_class_to_string">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- const char *security_av_perm_to_string(security_class_t tclass, access_vector_t perm); -->
+  <function name="security_av_perm_to_string">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- access_vector_t string_to_av_perm(security_class_t tclass, const char *name); -->
+  <function name="string_to_av_perm">
+    <returnValue type="access_vector_t"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int security_av_string(security_class_t tclass, access_vector_t av, char **result); -->
+  <function name="security_av_string">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">security_av_string</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- void print_access_vector(security_class_t tclass, access_vector_t av); -->
+  <function name="print_access_vector">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void selinux_flush_class_cache(void); -->
+  <function name="selinux_flush_class_cache">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/set_matchpathcon_flags.3.html -->
+  <!-- void set_matchpathcon_printf(void (*f) (const char *fmt, ...)); -->
+  <function name="set_matchpathcon_printf">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void set_matchpathcon_invalidcon(int (*f) (const char *path, unsigned lineno, char *context)); -->
+  <function name="set_matchpathcon_invalidcon">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- void set_matchpathcon_flags(unsigned int flags); -->
+  <function name="set_matchpathcon_flags">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+      <valid>0:7</valid>
+    </arg>
+  </function>
+  <!-- void set_matchpathcon_canoncon(int (*f) (const char *path, unsigned lineno, char **context)); -->
+  <function name="set_matchpathcon_canoncon">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/matchpathcon.3.html -->
+  <!-- int matchpathcon_init(const char *path) -->
+  <function name="matchpathcon_init">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- int matchpathcon_init_prefix(const char *path, const char *prefix); -->
+  <function name="matchpathcon_init_prefix">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- void matchpathcon_fini(void) -->
+  <function name="matchpathcon_fini">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- int realpath_not_final(const char *name, char *resolved_path); -->
+  <function name="realpath_not_final">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+      <minsize type="value" value="4097" baseType="char"/>
+    </arg>
+  </function>
+  <!-- int matchpathcon(const char *path, mode_t mode, char ** con) -->
+  <function name="matchpathcon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">matchpathcon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- int matchpathcon_index(const char *path, mode_t mode, char ** con) -->
+  <function name="matchpathcon_index">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">matchpathcon_index</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/matchpathcon_checkmatches.3.html -->
+  <!-- int matchpathcon_filespec_add(ino_t ino, int specind, const char *file); -->
+  <function name="matchpathcon_filespec_add">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+    <arg nr="3" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- void matchpathcon_filespec_destroy(void); -->
+  <function name="matchpathcon_filespec_destroy">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- void matchpathcon_filespec_eval(void); -->
+  <function name="matchpathcon_filespec_eval">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- void matchpathcon_checkmatches(char *str); -->
+  <function name="matchpathcon_checkmatches">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <!-- unused parameter -->
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/matchmediacon.3.html -->
+  <!-- int matchmediacon(const char *media, char ** con); -->
+  <function name="matchmediacon">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-uninit/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">matchmediacon</alloc>
+    <dealloc>freecon</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_getenforcemode.3.html -->
+  <!-- int selinux_getenforcemode(int *enforce); -->
+  <function name="selinux_getenforcemode">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_boolean_sub.3.html -->
+  <!-- char *selinux_boolean_sub(const char *boolean_name); -->
+  <function name="selinux_boolean_sub">
+    <returnValue type="char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-uninit/>
+      <not-null/>
+      <strz/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true">selinux_boolean_sub</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_getpolicytype.3.html -->
+  <!-- int selinux_getpolicytype(char **policytype); -->
+  <function name="selinux_getpolicytype">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="1">selinux_getpolicytype</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_policy_root.3.html -->
+  <!-- const char *selinux_policy_root(void); -->
+  <function name="selinux_policy_root">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- int selinux_set_policy_root(const char *rootpath); -->
+  <function name="selinux_set_policy_root">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_binary_policy_path.3.html -->
+  <!-- const char *selinux_current_policy_path(void); -->
+  <function name="selinux_current_policy_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_binary_policy_path(void); -->
+  <function name="selinux_binary_policy_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_failsafe_context_path(void); -->
+  <function name="selinux_failsafe_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_removable_context_path(void); -->
+  <function name="selinux_removable_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_default_context_path(void); -->
+  <function name="selinux_default_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_user_contexts_path(void); -->
+  <function name="selinux_user_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_file_context_path(void); -->
+  <function name="selinux_file_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_file_context_homedir_path(void); -->
+  <function name="selinux_file_context_homedir_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_file_context_local_path(void); -->
+  <function name="selinux_file_context_local_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_file_context_subs_path(void); -->
+  <function name="selinux_file_context_subs_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_file_context_subs_dist_path(void); -->
+  <function name="selinux_file_context_subs_dist_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_homedir_context_path(void); -->
+  <function name="selinux_homedir_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_media_context_path(void); -->
+  <function name="selinux_media_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_virtual_domain_context_path(void); -->
+  <function name="selinux_virtual_domain_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_virtual_image_context_path(void); -->
+  <function name="selinux_virtual_image_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_lxc_contexts_path(void); -->
+  <function name="selinux_lxc_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_x_context_path(void); -->
+  <function name="selinux_x_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_sepgsql_context_path(void); -->
+  <function name="selinux_sepgsql_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_openrc_contexts_path(void); -->
+  <function name="selinux_openrc_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_openssh_contexts_path(void); -->
+  <function name="selinux_openssh_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_snapperd_contexts_path(void); -->
+  <function name="selinux_snapperd_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_systemd_contexts_path(void); -->
+  <function name="selinux_systemd_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_contexts_path(void); -->
+  <function name="selinux_contexts_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_securetty_types_path(void); -->
+  <function name="selinux_securetty_types_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_booleans_subs_path(void); -->
+  <function name="selinux_booleans_subs_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_booleans_path(void); -->
+  <function name="selinux_booleans_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_customizable_types_path(void); -->
+  <function name="selinux_customizable_types_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_users_path(void); -->
+  <function name="selinux_users_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_usersconf_path(void); -->
+  <function name="selinux_usersconf_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_translations_path(void); -->
+  <function name="selinux_translations_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_colors_path(void); -->
+  <function name="selinux_colors_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_netfilter_context_path(void); -->
+  <function name="selinux_netfilter_context_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- const char *selinux_path(void); -->
+  <function name="selinux_path">
+    <returnValue type="const char *"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_check_securetty_context.3.html -->
+  <!-- int selinux_check_securetty_context(const char * tty_context); -->
+  <function name="selinux_check_securetty_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/init_selinuxmnt.3.html -->
+  <!-- void set_selinuxmnt(const char *mnt); -->
+  <function name="set_selinuxmnt">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- void fini_selinuxmnt(void); -->
+  <function name="fini_selinuxmnt">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+  </function>
+  <!-- int selinuxfs_exists(void); -->
+  <function name="selinuxfs_exists">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/is_context_customizable.3.html -->
+  <!-- int is_context_customizable(const char * scontext); -->
+  <function name="is_context_customizable">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_raw_context_to_color.3.html -->
+  <!-- int selinux_raw_context_to_color(const char * raw, char **color_str); -->
+  <function name="selinux_raw_context_to_color">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selinux_raw_context_to_color</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- int selinux_trans_to_raw_context(const char * trans, char ** rawp); -->
+  <function name="selinux_trans_to_raw_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selinux_trans_to_raw_context</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- int selinux_raw_to_trans_context(const char * raw, char ** transp); -->
+  <function name="selinux_raw_to_trans_context">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">selinux_raw_to_trans_context</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/getseuserbyname.3.html -->
+  <!-- int getseuserbyname(const char *linuxuser, char **seuser, char **level); -->
+  <function name="getseuserbyname">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="2">getseuserbyname</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <memory>
+    <alloc init="true" arg="3">getseuserbyname</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- int getseuser(const char *username, const char *service, char **r_seuser, char **r_level); -->
+  <function name="getseuser">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="3" direction="out">
+      <not-null/>
+    </arg>
+    <arg nr="4" direction="out">
+      <not-null/>
+    </arg>
+  </function>
+  <memory>
+    <alloc init="true" arg="3">getseuser</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <memory>
+    <alloc init="true" arg="4">getseuser</alloc>
+    <dealloc>free</dealloc>
+  </memory>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_file_context_cmp.3.html -->
+  <!-- int selinux_file_context_cmp(const char * a, const char * b); -->
+  <function name="selinux_file_context_cmp">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_file_context_verify.3.html -->
+  <!-- int selinux_file_context_verify(const char *path, mode_t mode); -->
+  <function name="selinux_file_context_verify">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+    <arg nr="2" direction="in">
+      <not-uninit/>
+      <not-bool/>
+    </arg>
+  </function>
+  <!-- https://man7.org/linux/man-pages/man3/selinux_lsetfilecon_default.3.html -->
+  <!-- int selinux_lsetfilecon_default(const char *path); -->
+  <function name="selinux_lsetfilecon_default">
+    <returnValue type="int"/>
+    <noreturn>false</noreturn>
+    <use-retval/>
+    <leak-ignore/>
+    <arg nr="1" direction="in">
+      <not-null/>
+      <not-uninit/>
+      <strz/>
+    </arg>
+  </function>
+  <!-- void selinux_reset_config(void); -->
+  <function name="selinux_reset_config">
+    <returnValue type="void"/>
+    <noreturn>false</noreturn>
+    <leak-ignore/>
+    <warn severity="warning">This function is not thread safe. Be very sure that no other threads are calling into libselinux when this is called.</warn>
+  </function>
+</def>
diff --git a/test/CMakeLists.txt b/test/CMakeLists.txt
index a92ef8ed166d..6e72c8eb7c18 100644
--- a/test/CMakeLists.txt
+++ b/test/CMakeLists.txt
@@ -154,6 +154,7 @@ if (BUILD_TESTS)
         add_cfg(posix.c)
         add_cfg(python.c)
         add_cfg(qt.cpp)
+        add_cfg(selinux.c)
         add_cfg(sqlite3.c)
         add_cfg(std.c)
         add_cfg(std.cpp)
diff --git a/test/cfg/runtests.sh b/test/cfg/runtests.sh
index 7169886eb709..e26d1ece2e8d 100755
--- a/test/cfg/runtests.sh
+++ b/test/cfg/runtests.sh
@@ -447,6 +447,30 @@ function cppunit_fn {
     fi
 }
 
+# selinux.c
+function selinux_fn {
+    if [ $HAS_PKG_CONFIG -eq 1 ]; then
+        SELINUXCONFIG=$(get_pkg_config_cflags selinux)
+        if [ -n "$SELINUXCONFIG" ]; then
+            # TODO: get rid of the error enabling/disabling?
+            set +e
+            echo -e "#include <selinux/restorecon.h>" | ${CC} "${CC_OPT[@]}" ${SELINUXCONFIG} -x c -
+            SELINUXCONFIG_RETURNCODE=$?
+            set -e
+            if [ $SELINUXCONFIG_RETURNCODE -ne 0 ]; then
+                echo "selinux not completely present or not working, skipping syntax check with ${CC}."
+                exit_if_strict
+            else
+                echo "selinux found and working, checking syntax with ${CC} now."
+                ${CC} "${CC_OPT[@]}" ${SELINUXCONFIG} "${DIR}"selinux.c
+            fi
+        else
+            echo "selinux not present, skipping syntax check with ${CC}."
+            exit_if_strict
+        fi
+    fi
+}
+
 function check_file {
     f=$(basename "$1")
     lib="${f%%.*}"
@@ -527,6 +551,10 @@ function check_file {
             qt_fn
             "${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
             ;;
+        selinux.c)
+            selinux_fn
+            "${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
+            ;;
         sqlite3.c)
             sqlite3_fn
             "${CPPCHECK}" "${CPPCHECK_OPT[@]}" --library="$lib" "${DIR}""$f"
diff --git a/test/cfg/selinux.c b/test/cfg/selinux.c
new file mode 100644
index 000000000000..8f4a89587e95
--- /dev/null
+++ b/test/cfg/selinux.c
@@ -0,0 +1,305 @@
+
+// Test library configuration for selinux.cfg
+//
+// Usage:
+// $ cppcheck --check-library --library=selinux --enable=style,information --inconclusive --error-exitcode=1 --disable=missingInclude --inline-suppr test/cfg/selinux.c
+// =>
+// No warnings about bad library configuration, unmatched suppressions, etc. exitcode=0
+//
+
+#include <stdio.h>
+
+#include <selinux/restorecon.h>
+#include <selinux/get_default_type.h>
+#include <selinux/label.h>
+#include <selinux/context.h>
+#include <selinux/get_context_list.h>
+#include <selinux/avc.h>
+
+void restorecon(void)
+{
+    // cppcheck-suppress [ignoredReturnValue, nullPointer, invalidFunctionArgBool]
+    selinux_restorecon(NULL, true);
+
+    selinux_restorecon_set_sehandle(NULL);
+
+    // cppcheck-suppress ignoredReturnValue
+    selinux_restorecon_default_handle();
+
+    // cppcheck-suppress [ignoredReturnValue, nullPointer]
+    selinux_restorecon_set_alt_rootpath(NULL);
+
+    // cppcheck-suppress nullPointer
+    selinux_restorecon_set_exclude_list(NULL);
+
+    // cppcheck-suppress ignoredReturnValue
+    selinux_restorecon_get_skipped_errors();
+
+    struct dir_xattr **arg3;
+    // cppcheck-suppress [ignoredReturnValue, nullPointer, invalidFunctionArgBool, uninitvar]
+    selinux_restorecon_xattr(NULL, true, &arg3);
+}
+
+void get_default_type_fail(void)
+{
+    // cppcheck-suppress ignoredReturnValue
+    selinux_default_type_path();
+
+    char *type1;
+    // FIXME: report ignoredReturnValue
+    // cppcheck-suppress [nullPointer]
+    get_default_type(NULL, &type1);
+
+    char **type2;
+    // FIXME: report ignoredReturnValue
+    // cppcheck-suppress [uninitvar]
+    get_default_type("object_r", type2);
+
+    // cppcheck-suppress memleak
+}
+
+void get_default_type_success(void)
+{
+    char *type = NULL;
+    int err = get_default_type("object_r", &type);
+    if (err != 0)
+        return;
+    free(type);
+}
+
+void selabel_fail1(void)
+{
+    // FIXME: do not report constVariablePointer
+    // cppcheck-suppress [unreadVariable, constVariablePointer]
+    struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 1);
+
+    // cppcheck-suppress resourceLeak
+}
+
+void selabel_fail2(void)
+{
+    // FIXME: do not report constVariablePointer
+    // cppcheck-suppress constVariablePointer
+    struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+    char *ctx;
+    selabel_lookup(hnd, &ctx, "/", 0);
+
+    selabel_close(hnd);
+
+    // cppcheck-suppress memleak
+}
+
+void selabel_success(void)
+{
+    // FIXME: do not report constVariablePointer
+    // cppcheck-suppress constVariablePointer
+    struct selabel_handle *hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+    char *ctx;
+    selabel_lookup(hnd, &ctx, "/", 0);
+
+    freecon(ctx);
+
+    (void)selabel_cmp(hnd, hnd);
+
+    selabel_stats(hnd);
+
+    selabel_close(hnd);
+}
+
+void context_fail1(void)
+{
+    // cppcheck-suppress [unreadVariable, nullPointer]
+    context_t con = context_new(NULL);
+
+    // cppcheck-suppress memleak
+}
+
+void context_fail2(void)
+{
+    // cppcheck-suppress unreadVariable
+    context_t con = context_new("kernel");
+
+    // cppcheck-suppress memleak
+}
+
+void context_success(void)
+{
+    context_t con = context_new("system_u:system_r:kernel_t:s0");
+
+    printf("%s: %s %s %s %s\n", context_str(con),
+           context_type_get(con), context_range_get(con),
+           context_role_get(con), context_user_get(con));
+
+    (void)context_type_set(con, "init_t");
+
+    context_free(con);
+}
+
+void get_ordered_context_list_fail1(void)
+{
+    char **ret;
+    // cppcheck-suppress nullPointer
+    get_ordered_context_list(NULL, NULL, &ret);
+
+    // cppcheck-suppress memleak
+}
+
+void get_ordered_context_list_fail2(void)
+{
+    char **ret;
+    get_ordered_context_list("root", NULL, &ret);
+
+    // cppcheck-suppress mismatchAllocDealloc
+    freecon((void*)ret);
+}
+
+void get_ordered_context_list_success1(void)
+{
+    char **ret;
+    get_ordered_context_list("root", NULL, &ret);
+    freeconary(ret);
+}
+
+void get_default_context_with_rolelevel_fail1(void)
+{
+    char *ctx;
+    // cppcheck-suppress nullPointer
+    get_default_context_with_rolelevel("root", NULL, "s0", "system_u:system_r:init_t:s0", &ctx);
+
+    // cppcheck-suppress memleak
+}
+
+void get_default_context_with_rolelevel_fail2(void)
+{
+    char *ctx;
+    get_default_context_with_rolelevel("root", "sysadm_r", NULL, NULL, &ctx);
+
+    // cppcheck-suppress mismatchAllocDealloc
+    freeconary((void*)ctx);
+}
+
+void get_default_context_with_rolelevel_success1(void)
+{
+    char *ctx;
+    get_default_context_with_rolelevel("root", "sysadm_r", NULL, NULL, &ctx);
+    freecon(ctx);
+}
+
+void selinux_status_fail1(void)
+{
+    // cppcheck-suppress [invalidFunctionArg, ignoredReturnValue]
+    selinux_status_open(-1);
+    // TODO: report leak
+}
+
+void selinux_status_success1(void)
+{
+    (void)selinux_status_open(0);
+    (void)selinux_status_updated();
+    selinux_status_close();
+}
+
+void realpath_not_final_fail1(void)
+{
+    char buf[64];
+    // cppcheck-suppress bufferAccessOutOfBounds
+    (void)realpath_not_final("/root", buf);
+}
+
+void realpath_not_final_success1(void)
+{
+#define PATH_MAX 4096
+    char buf[PATH_MAX + 1];
+    // cppcheck-suppress ignoredReturnValue
+    realpath_not_final("/root", buf);
+}
+
+void selinux_getpolicytype_fail1(void)
+{
+    // cppcheck-suppress nullPointer
+    selinux_getpolicytype(NULL);
+}
+
+void selinux_getpolicytype_fail2(void)
+{
+    char *type;
+    (void)selinux_getpolicytype(&type);
+
+    // cppcheck-suppress memleak
+}
+
+void selinux_check_access_fail1(void)
+{
+    const char *msg = "Hello World!";
+    // cppcheck-suppress [ignoredReturnValue, nullPointer]
+    selinux_check_access("foo", "bar", NULL, "baz", msg);
+}
+
+void selinux_check_access_success1(void)
+{
+    (void)selinux_check_access("kernel", "init", "file", "write", NULL);
+}
+
+void selinux_trans_to_raw_context_fail1(void)
+{
+    // FIXME: report ignoredReturnValue
+    // cppcheck-suppress nullPointer
+    selinux_trans_to_raw_context("kernel", NULL);
+}
+
+void selinux_trans_to_raw_context_fail2(void)
+{
+    char *ctx;
+    // FIXME: report ignoredReturnValue
+    selinux_trans_to_raw_context("kernel", &ctx);
+
+    // cppcheck-suppress memleak
+}
+
+void selinux_trans_to_raw_context_success1(void)
+{
+    char *ctx;
+    (void)selinux_trans_to_raw_context("kernel", &ctx);
+    free(ctx);
+}
+
+void getseuserbyname_fail1(void)
+{
+    char *seuser, *level;
+    // cppcheck-suppress nullPointer
+    getseuserbyname(NULL, &seuser, &level);
+    free(seuser);
+
+    // cppcheck-suppress memleak
+}
+
+void getseuserbyname_fail2(void)
+{
+    char *seuser, *level;
+    getseuserbyname("root", &seuser, &level);
+    free(level);
+
+    // FIXME: report memleak
+}
+
+void getseuserbyname_success1(void)
+{
+    char *seuser, *level;
+    getseuserbyname("root", &seuser, &level);
+    free(seuser);
+    free(level);
+}
+
+void danger1(void)
+{
+    // cppcheck-suppress selinux_reset_configCalled
+    selinux_reset_config();
+}
+
+void danger2(void)
+{
+    // cppcheck-suppress [security_disableCalled, ignoredReturnValue]
+    security_disable();
+}