diff --git a/libsepol/include/sepol/policydb/services.h b/libsepol/include/sepol/policydb/services.h
index e4e8362c..bcde47b8 100644
--- a/libsepol/include/sepol/policydb/services.h
+++ b/libsepol/include/sepol/policydb/services.h
@@ -223,7 +223,7 @@ extern int sepol_fs_use(const char *fstype,	/* IN */
  * fixed labeling behavior like transition SIDs or task SIDs.
  */
 extern int sepol_genfs_sid(const char *fstype,	/* IN */
-			   char *name,	/* IN */
+			   const char *name,	/* IN */
 			   sepol_security_class_t sclass,	/* IN */
 			   sepol_security_id_t * sid);	/* OUT  */
 
diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index c8c510a7..e0bb1988 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -2089,7 +2089,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
 		if (ret < 0) {
 			return ret;
 		} else if (ret == 0) {
-			char *mod_name = cur->branch_list->module_name ?
+			const char *mod_name = cur->branch_list->module_name ?
 			    cur->branch_list->module_name : "BASE";
 			if (req.symbol_type == SYM_CLASSES) {
 				struct find_perm_arg fparg;
@@ -2148,7 +2148,7 @@ static void print_missing_requirements(link_state_t * state,
 				       missing_requirement_t * req)
 {
 	policydb_t *p = state->base;
-	char *mod_name = cur->branch_list->module_name ?
+	const char *mod_name = cur->branch_list->module_name ?
 	    cur->branch_list->module_name : "BASE";
 
 	if (req->symbol_type == SYM_CLASSES) {
@@ -2220,7 +2220,7 @@ static int enable_avrules(link_state_t * state, policydb_t * pol)
 			}
 			decl = block->branch_list;
 			if (state->verbose) {
-				char *mod_name = decl->module_name ?
+				const char *mod_name = decl->module_name ?
 				    decl->module_name : "BASE";
 				INFO(state->handle, "check module %s decl %d\n",
 				     mod_name, decl->decl_id);
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 19fbfea9..f077b931 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -55,7 +55,7 @@
 #include "mls.h"
 
 #define POLICYDB_TARGET_SZ   ARRAY_SIZE(policydb_target_strings)
-char *policydb_target_strings[] = { POLICYDB_STRING, POLICYDB_XEN_STRING };
+const char *policydb_target_strings[] = { POLICYDB_STRING, POLICYDB_XEN_STRING };
 
 /* These need to be updated if SYM_NUM or OCON_NUM changes */
 static struct policydb_compat_info policydb_compat[] = {
diff --git a/libsepol/src/policydb_internal.h b/libsepol/src/policydb_internal.h
index 8a31506e..f7bcdfa3 100644
--- a/libsepol/src/policydb_internal.h
+++ b/libsepol/src/policydb_internal.h
@@ -6,5 +6,5 @@
 
 hidden_proto(sepol_policydb_create)
     hidden_proto(sepol_policydb_free)
-extern char *policydb_target_strings[];
+extern const char *policydb_target_strings[];
 #endif
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index a1a0b98c..d64a8e8d 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -174,7 +174,7 @@ static char **expr_list;
 static int expr_buf_used;
 static int expr_buf_len;
 
-static void cat_expr_buf(char *e_buf, char *string)
+static void cat_expr_buf(char *e_buf, const char *string)
 {
 	int len, new_buf_len;
 	char *p, *new_buf = e_buf;
@@ -209,7 +209,7 @@ static void cat_expr_buf(char *e_buf, char *string)
  * POLICYDB_VERSION_CONSTRAINT_NAMES) just read the e->names list.
  */
 static void get_name_list(constraint_expr_t *e, int type,
-							char *src, char *op, int failed)
+							const char *src, const char *op, int failed)
 {
 	ebitmap_t *types;
 	int rc = 0;
@@ -273,7 +273,7 @@ static void get_name_list(constraint_expr_t *e, int type,
 	return;
 }
 
-static void msgcat(char *src, char *tgt, char *op, int failed)
+static void msgcat(const char *src, const char *tgt, const char *op, int failed)
 {
 	char tmp_buf[128];
 	if (failed)
@@ -303,7 +303,7 @@ static char *get_class_info(sepol_security_class_t tclass,
 	}
 
 	/* Determine statement type */
-	char *statements[] = {
+	const char *statements[] = {
 		"constrain ",			/* 0 */
 		"mlsconstrain ",		/* 1 */
 		"validatetrans ",		/* 2 */
@@ -771,7 +771,7 @@ mls_ops:
 	 * These contain the constraint components that are added to the
 	 * callers reason buffer.
 	 */
-	char *buffers[] = { class_buf, a, "); ", tmp_buf, 0 };
+	const char *buffers[] = { class_buf, a, "); ", tmp_buf, 0 };
 
 	/*
 	 * This will add the constraints to the callers reason buffer (who is
@@ -2085,7 +2085,7 @@ int hidden sepol_get_user_sids(sepol_security_id_t fromsid,
  * fixed labeling behavior like transition SIDs or task SIDs.
  */
 int hidden sepol_genfs_sid(const char *fstype,
-			   char *path,
+			   const char *path,
 			   sepol_security_class_t sclass,
 			   sepol_security_id_t * sid)
 {
diff --git a/libsepol/src/write.c b/libsepol/src/write.c
index 6fe73e6e..2e6541da 100644
--- a/libsepol/src/write.c
+++ b/libsepol/src/write.c
@@ -1880,7 +1880,7 @@ int policydb_write(policydb_t * p, struct policy_file *fp)
 	size_t items, items2, len;
 	struct policydb_compat_info *info;
 	struct policy_data pd;
-	char *policydb_str;
+	const char *policydb_str;
 
 	if (p->unsupported_format)
 		return POLICYDB_UNSUPPORTED;