diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 39498563..2985f6f7 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -413,6 +413,11 @@ extern int matchpathcon_init_prefix(const char *path, const char *prefix);
 /* Free the memory allocated by matchpathcon_init. */
 extern void matchpathcon_fini(void);
+/* Resolve all of the symlinks and relative portions of a pathname, but NOT
+ * the final component (same a realpath() unless the final component is a
+ * symlink. Resolved path must be a path of size PATH_MAX + 1 */
+extern int realpath_not_final(const char *name, char *resolved_path);
+
 /* Match the specified pathname and mode against the file contexts
 configuration and set *con to refer to the resulting context.
 'mode' can be 0 to disable mode matching.
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 5914afa7..c396add3 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -344,7 +344,7 @@ void matchpathcon_fini(void)
 * determine a real path component of the first portion. We then have to
 * copy the last part back on to get the final real path. Wheww.
 */
-static int symlink_realpath(const char *name, char *resolved_path)
+int realpath_not_final(const char *name, char *resolved_path)
 {
 char *last_component;
 char *tmp_path, *p;
@@ -406,7 +406,7 @@ int matchpathcon(const char *path, mode_t mode, security_context_t * con)
 return -1;
 if (S_ISLNK(mode)) {
- if (!symlink_realpath(path, stackpath))
+ if (!realpath_not_final(path, stackpath))
 path = stackpath;
 } else {
 p = realpath(path, stackpath);
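Review bot: The new public declaration of `realpath_not_final` exposes an output buffer with no size parameter, so the comment is the only place the required size is stated. A caller that passes fewer than PATH_MAX + 1 bytes risks an out-of-bounds write that the function cannot detect. The comment also has a typo and an unclosed parenthesis, and it omits the return value, which the call in matchpathcon() treats as 0 on success. I would reword it to `/* Resolve all symlinks and relative portions of a pathname except the final component (same as realpath() unless the final component is a symlink). resolved_path must point to a buffer of at least PATH_MAX + 1 bytes. Returns 0 on success. */`. The failure value is not visible in this diff, so confirm it before documenting it.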
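Review bot: Dropping `static` in the matchpathcon.c hunk puts the generic, un-prefixed name `realpath_not_final` into the library's global symbol namespace, where it can collide with a symbol from the application or another library. The other exported functions visible in this diff carry a `matchpathcon` prefix, so a prefixed name (for example `selinux_realpath_not_final`, offered only as a suggestion) would be more consistent. The function body starts at `{` and continues outside the hunk, so it is not visible whether `name` and `resolved_path` are checked for NULL before use. That was a private concern while matchpathcon() was the only caller, but it is worth confirming now that arbitrary callers can reach the function.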