diff --git a/backport-libselinux-Close-leaked-FILEs.patch b/backport-libselinux-Close-leaked-FILEs.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9e6fb2d98910784d6578e2125e005e4fad90e929
--- /dev/null
+++ b/backport-libselinux-Close-leaked-FILEs.patch
@@ -0,0 +1,55 @@
+From c1a8da6e4a2b53ea346d4493346cde7c0a5a5f49 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 11 Mar 2022 12:53:30 +0100
+Subject: [PATCH] libselinux: Close leaked FILEs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes:
+label_media.c:94:24: warning: leak of FILE ‘fopen (path_28, "re")’ [CWE-775] [-Wanalyzer-file-leak]
+label_x.c:121:24: warning: leak of FILE ‘fopen (path_28, "re")’ [CWE-775] [-Wanalyzer-file-leak]
+
+Signed-off-by: Petr Lautrbach
+---
+ src/label_media.c | 4 ++--
+ src/label_x.c | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/label_media.c b/src/label_media.c
+index eb27deaf..3137c18e 100644
+--- a/src/label_media.c
++++ b/src/label_media.c
+@@ -95,10 +95,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ if (fstat(fileno(fp), &sb) < 0)
+- return -1;
++ goto finish;
+ if (!S_ISREG(sb.st_mode)) {
+ errno = EINVAL;
+- return -1;
++ goto finish;
+ }
+ rec->spec_file = strdup(path);
+
+diff --git a/src/label_x.c b/src/label_x.c
+index e9fa063f..e6e8d9f6 100644
+--- a/src/label_x.c
++++ b/src/label_x.c
+@@ -122,10 +122,10 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts,
+ __fsetlocking(fp, FSETLOCKING_BYCALLER);
+
+ if (fstat(fileno(fp), &sb) < 0)
+- return -1;
++ goto finish;
+ if (!S_ISREG(sb.st_mode)) {
+ errno = EINVAL;
+- return -1;
++ goto finish;
+ }
+ rec->spec_file = strdup(path);
+
+--
+2.27.0
+
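Review bot: The two `goto finish` jumps in the label_media.c hunk return whatever `status` holds at that point, so they only preserve the -1 result if `status` is initialised to -1 before the fstat check; that initialisation and the `finish:` label are outside the hunk, so it should be confirmed in both files (the label_x.c hunk is identical). If the cleanup at `finish:` calls fclose() and that call fails, it overwrites the `errno = EINVAL` set for the non-regular-file case; saving errno across the cleanup, `int saved_errno = errno; ... errno = saved_errno;`, keeps the error visible to the caller. init() starts and ends outside the hunk.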
diff --git a/backport-libselinux-free-memory-in-error-branch.patch b/backport-libselinux-free-memory-in-error-branch.patch
new file mode 100644
index 0000000000000000000000000000000000000000..38b96bd80f5e32b323560aa11715763ca49e6fa1
--- /dev/null
+++ b/backport-libselinux-free-memory-in-error-branch.patch
@@ -0,0 +1,38 @@
+From 8266fd9401b920bd3552410ebe215069891c373f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Tue, 10 May 2022 19:45:51 +0200
+Subject: [PATCH] libselinux: free memory in error branch
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In case the allocation for the filename fails, free the memory of the context.
+
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ src/selinux_restorecon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index 12b85101..c8db26c2 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -487,11 +487,13 @@ static int filespec_add(ino_t ino, const char *con, const char *file,
+ goto oom_freefl;
+ fl->file = strdup(file);
+ if (!fl->file)
+- goto oom_freefl;
++ goto oom_freeflcon;
+ fl->next = prevfl->next;
+ prevfl->next = fl;
+ return 0;
+
++oom_freeflcon:
++ free(fl->con);
+ oom_freefl:
+ free(fl);
+ oom:
+--
+2.27.0
+
diff --git a/backport-libselinux-free-memory-on-selabel_open-3-failure.patch b/backport-libselinux-free-memory-on-selabel_open-3-failure.patch
new file mode 100644
index 0000000000000000000000000000000000000000..84996bc8509a3bcaf640778a3f609bdc89372473
--- /dev/null
+++ b/backport-libselinux-free-memory-on-selabel_open-3-failure.patch
@@ -0,0 +1,34 @@
+From b9a4d13a300665098f04bf5108929ea54668b1bf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Wed, 13 Apr 2022 17:56:32 +0200
+Subject: [PATCH] libselinux: free memory on selabel_open(3) failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If selabel_open(3) fails, e.g. when a specfile has the wrong file
+permissions, free the memory allocated for digests.
+
+Fixes: e40bbea9 ("libselinux: Add selabel_digest function")
+Acked-by: James Carter
+Signed-off-by: Christian Göttsche
+---
+ src/label.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/label.c b/src/label.c
+index a03192e5..586e5e5e 100644
+--- a/src/label.c
++++ b/src/label.c
+@@ -226,6 +226,8 @@ struct selabel_handle *selabel_open(unsigned int backend,
+ rec->digest = selabel_is_digest_set(opts, nopts, rec->digest);
+
+ if ((*initfuncs[backend])(rec, opts, nopts)) {
++ if (rec->digest)
++ selabel_digest_fini(rec->digest);
+ free(rec->spec_file);
+ free(rec);
+ rec = NULL;
+--
+2.27.0
+
diff --git a/backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch b/backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6016b9e4e6a2e565df1d0df95d2d894e4a812e4a
--- /dev/null
+++ b/backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch
@@ -0,0 +1,36 @@
+From 956bda08f6183078f13b70f6aa27d0529a3ec20a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Tue, 7 Jun 2022 19:00:35 +0200
+Subject: [PATCH] libselinux: restorecon: avoid printing NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The variable `curcon` is NULL in case the file has no current security
+context. Most C standard libraries handle it fine, avoid it nonetheless
+for standard conformance.
+
+Signed-off-by: Christian Göttsche
+Acked-by: Nicolas Iooss
+---
+ src/selinux_restorecon.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index 66e6a4a2..2d24559f 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -744,7 +744,9 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
+ selinux_log(SELINUX_INFO,
+ "%s %s from %s to %s\n",
+ updated ? "Relabeled" : "Would relabel",
+- pathname, curcon, newcon);
++ pathname,
++ curcon ? curcon : "",
++ newcon);
+
+ if (flags->syslog_changes && !flags->nochange) {
+ if (curcon)
+--
+2.27.0
+
diff --git a/backport-libselinux-restorecon-misc-tweaks.patch b/backport-libselinux-restorecon-misc-tweaks.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d2752b43e71c66556fe347156cc42102c70c3812
--- /dev/null
+++ b/backport-libselinux-restorecon-misc-tweaks.patch
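Review bot: Substituting `""` for a NULL `curcon` in the selinux_log call makes the message read `... from  to <ctx>`, which a log consumer cannot tell apart from a genuinely empty label, so the "file had no previous context" case is lost from the audit trail. A distinguishable placeholder keeps that information, e.g. `curcon ? curcon : "<none>",`; the `if (curcon)` check just below already treats the two cases differently for syslog. restorecon_sb starts and ends outside the hunk.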
@@ -0,0 +1,114 @@
+From 657420d67fcca479fa495b09c540b3cecb539e9e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
+Date: Wed, 11 May 2022 20:42:23 +0200
+Subject: [PATCH] libselinux: restorecon: misc tweaks
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+* mark read-only parameters const
+* check for overflow when adding exclude directory
+* use 64 bit integer for file counting
+* avoid implicit conversions
+
+Signed-off-by: Christian Göttsche
+Acked-by: James Carter
+---
+ src/selinux_restorecon.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+diff --git a/src/selinux_restorecon.c b/src/selinux_restorecon.c
+index e6192912..c158ead8 100644
+--- a/src/selinux_restorecon.c
++++ b/src/selinux_restorecon.c
+@@ -44,7 +44,7 @@
+ static struct selabel_handle *fc_sehandle = NULL;
+ static bool selabel_no_digest;
+ static char *rootpath = NULL;
+-static int rootpathlen;
++static size_t rootpathlen;
+
+ /* Information on excluded fs and directories. */
+ struct edir {
+@@ -55,7 +55,7 @@ struct edir {
+ };
+ #define CALLER_EXCLUDED true
+ static bool ignore_mounts;
+-static int exclude_non_seclabel_mounts(void);
++static uint64_t exclude_non_seclabel_mounts(void);
+ static int exclude_count = 0;
+ static struct edir *exclude_lst = NULL;
+ static uint64_t fc_count = 0; /* Number of files processed so far */
+@@ -169,6 +169,12 @@ static int add_exclude(const char *directory, bool who)
+ return -1;
+ }
+
++ if (exclude_count >= INT_MAX - 1) {
++ selinux_log(SELINUX_ERROR, "Too many directory excludes: %d.\n", exclude_count);
++ errno = EOVERFLOW;
++ return -1;
++ }
++
+ tmp_list = realloc(exclude_lst,
+ sizeof(struct edir) * (exclude_count + 1));
+ if (!tmp_list)
+@@ -211,10 +217,10 @@ static int check_excluded(const char *file)
+ return 0;
+ }
+
+-static int file_system_count(char *name)
++static uint64_t file_system_count(const char *name)
+ {
+ struct statvfs statvfs_buf;
+- int nfile = 0;
++ uint64_t nfile = 0;
+
+ memset(&statvfs_buf, 0, sizeof(statvfs_buf));
+ if (!statvfs(name, &statvfs_buf))
+@@ -230,12 +236,13 @@ static int file_system_count(char *name)
+ * that support security labels have the seclabel option, return
+ * approximate total file count.
+ */
+-static int exclude_non_seclabel_mounts(void)
++static uint64_t exclude_non_seclabel_mounts(void)
+ {
+ struct utsname uts;
+ FILE *fp;
+ size_t len;
+- int index = 0, found = 0, nfile = 0;
++ int index = 0, found = 0;
++ uint64_t nfile = 0;
+ char *mount_info[4];
+ char *buf = NULL, *item;
+
+@@ -300,7 +307,8 @@ static int add_xattr_entry(const char *directory, bool delete_nonmatch,
+ {
+ char *sha1_buf = NULL;
+ size_t i, digest_len = 0;
+- int rc, digest_result;
++ int rc;
++ enum digest_result digest_result;
+ bool match;
+ struct dir_xattr *new_entry;
+ uint8_t *xattr_digest = NULL;
+@@ -573,7 +581,7 @@ static void filespec_destroy(void)
+ * Called if SELINUX_RESTORECON_SET_SPECFILE_CTX is not set to check if
+ * the type components differ, updating newtypecon if so.
+ */
+-static int compare_types(char *curcon, char *newcon, char **newtypecon)
++static int compare_types(const char *curcon, const char *newcon, char **newtypecon)
+ {
+ int types_differ = 0;
+ context_t cona;
+@@ -1398,7 +1406,7 @@ void selinux_restorecon_set_exclude_list(const char **exclude_list)
+ /* selinux_restorecon_set_alt_rootpath(3) sets an alternate rootpath. */
+ int selinux_restorecon_set_alt_rootpath(const char *alt_rootpath)
+ {
+- int len;
++ size_t len;
+
+ /* This should be NULL on first use */
+ if (rootpath)
+--
+2.27.0
+
diff --git a/libselinux.spec b/libselinux.spec
index fd737ec6207fb7da08bc8f4778d68347422e6cec..64ebb1580bc9b7e656064fd6379848b1a067c6d5 100644
--- a/libselinux.spec
+++ b/libselinux.spec
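Review bot: The new overflow guard in add_exclude uses `INT_MAX`, which needs `<limits.h>`; none of the hunks shows the include, so confirm the file already has it or the backport will not build. The bound `exclude_count >= INT_MAX - 1` rejects one more entry than the `exclude_count + 1` arithmetic below requires, which is harmless but worth a one-line comment such as `/* keep exclude_count + 1 representable as int */` so the off-by-one is not "fixed" later. Changing `rootpathlen` to `size_t` while `exclude_count` stays `int` means any comparison of `rootpathlen` against signed values elsewhere in the file (outside these hunks) becomes a signed/unsigned comparison; a build with -Wsign-compare would surface those. The bodies of selinux_restorecon_set_alt_rootpath and exclude_non_seclabel_mounts continue outside their hunks.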
@@ -3,12 +3,18 @@
 Name: libselinux
 Version: 3.3
-Release: 1
+Release: 2
 License: Public Domain
 Summary: SELinux library and simple utilities
 Url: https://github.com/SELinuxProject/selinux/wiki
 Source0: https://github.com/SELinuxProject/selinux/releases/download/3.3/libselinux-3.3.tar.gz
+Patch6000: backport-libselinux-Close-leaked-FILEs.patch
+Patch6001: backport-libselinux-free-memory-on-selabel_open-3-failure.patch
+Patch6002: backport-libselinux-restorecon-misc-tweaks.patch
+Patch6003: backport-libselinux-free-memory-in-error-branch.patch
+Patch6004: backport-libselinux-restorecon-avoid-printing-NULL-pointer.patch
+
 Patch9000: do-malloc-trim-after-load-policy.patch
 BuildRequires: gcc python3-devel systemd swig pcre2-devel xz-devel
@@ -128,6 +134,9 @@ mv %{buildroot}%{_sbindir}/getconlist %{buildroot}%{_sbindir}/selinuxconlist
 %{_mandir}/ru/man8/*
 %changelog
+* Sun Oct 9 2022 lujie - 3.3-2
+- backport upstream patches
+
 * Wed Dec 8 2021 lujie - 3.3-1
 - update libselinux-3.1 to libselinux-3.3