Move /selinux to /sys/fs/selinux

Add selinuxexeccon
Add realpath to matchpathcon to handle matchpathcon * type queries.

libselinux-rhat.patch

@@ -1,3 +1,33 @@
+diff --git a/libselinux/man/man8/selinuxexeccon.8 b/libselinux/man/man8/selinuxexeccon.8
+new file mode 100644
+index 0000000..6482d74
+--- /dev/null
++++ b/libselinux/man/man8/selinuxexeccon.8
+@@ -0,0 +1,24 @@
++.TH "selinuxexeccon" "1" "14 May 2011" "dwalsh@redhat.com" "SELinux Command Line documentation"
++.SH "NAME"
++selinuxexeccon \- report SELinux context used for this executable
++
++.SH "SYNOPSIS"
++.B selinuxexeccon command [ fromcon] o
++
++.SH "DESCRIPTION"
++.B selinuxexeccon
++reports the SELinux process context for the specified command from the specified context or the current context.
++
++.SH EXAMPLE
++# selinuxexeccon /usr/bin/passwd 
++staff_u:staff_r:passwd_t:s0-s0:c0.c1023
++
++.br
++# selinuxexeccon /usr/sbin/sendmail system_u:system_r:httpd_t:s0
++system_u:system_r:system_mail_t:s0
++
++.SH AUTHOR	
++This manual page was written by Dan Walsh <dwalsh@redhat.com>.
++
++.SH "SEE ALSO"
++secon(8)
 diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
 index bf665ab..ccd08ae 100644
 --- a/libselinux/src/Makefile
@@ -174,6 +204,204 @@ index b245364..7c47222 100644
  	va_start(ap, fmt);
  	rc = vfprintf(stderr, fmt, ap);
  	va_end(ap);
+diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
+index b3c8c47..018c787 100644
+--- a/libselinux/src/enabled.c
++++ b/libselinux/src/enabled.c
+@@ -11,10 +11,6 @@
+ 
+ int is_selinux_enabled(void)
+ {
+-	char *buf=NULL;
+-	FILE *fp;
+-	ssize_t num;
+-	size_t len;
+ 	int enabled = 0;
+ 	security_context_t con;
+ 
+@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
+ 				enabled = 0;
+ 			freecon(con);
+ 		}
+-		return enabled;
+         }
+ 
+-	/* Drop back to detecting it the long way. */
+-	fp = fopen("/proc/filesystems", "r");
+-	if (!fp)
+-		return -1;
+-
+-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+-	while ((num = getline(&buf, &len, fp)) != -1) {
+-		if (strstr(buf, "selinuxfs")) {
+-			enabled = 1;
+-			break;
+-		}
+-	}
+-
+-	if (num < 0)
+-		goto out;
+-
+-	/* Since an selinux file system is available, we consider
+-	 * selinux enabled. If getcon_raw fails, selinux is still
+-	 * enabled. We only consider it disabled if no policy is loaded. */
+-	if (getcon_raw(&con) == 0) {
+-		if (!strcmp(con, "kernel"))
+-			enabled = 0;
+-		freecon(con);
+-	}
+-
+-      out:
+-	free(buf);
+-	fclose(fp);
+ 	return enabled;
+ }
+ 
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index a948920..dd03559 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -7,6 +7,7 @@
+ #include <stdio.h>
+ #include <stdio_ext.h>
+ #include <dlfcn.h>
++#include <sys/statvfs.h>
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
+@@ -20,12 +21,41 @@ char *selinux_mnt = NULL;
+ int selinux_page_size = 0;
+ int obj_class_compat = 1;
+ 
++/* Verify the mount point for selinux file system has a selinuxfs. 
++   If the file system:
++   * Exist, 
++   * Is mounted with an selinux file system, 
++   * The file system is read/write
++   * then set this as the default file system.
++*/
++static int verify_selinuxmnt(char *mnt) 
++{
++	struct statfs sfbuf;
++	int rc;
++
++	do {
++		rc = statfs(mnt, &sfbuf);
++	} while (rc < 0 && errno == EINTR);
++	if (rc == 0) {
++		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
++			struct statvfs vfsbuf;
++			rc = statvfs(mnt, &vfsbuf);
++			if (rc == 0) {
++				if (!(vfsbuf.f_flag & ST_RDONLY)) {
++					set_selinuxmnt(mnt);
++				}
++				return 0;
++			}
++		}
++	} 
++
++	return -1;
++}
++
+ static void init_selinuxmnt(void)
+ {
+ 	char *buf=NULL, *p;
+ 	FILE *fp=NULL;
+-	struct statfs sfbuf;
+-	int rc;
+ 	size_t len;
+ 	ssize_t num;
+ 	int exists = 0;
+@@ -33,17 +63,9 @@ static void init_selinuxmnt(void)
+ 	if (selinux_mnt)
+ 		return;
+ 
+-	/* We check to see if the preferred mount point for selinux file
+-	 * system has a selinuxfs. */
+-	do {
+-		rc = statfs(SELINUXMNT, &sfbuf);
+-	} while (rc < 0 && errno == EINTR);
+-	if (rc == 0) {
+-		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+-			selinux_mnt = strdup(SELINUXMNT);
+-			return;
+-		}
+-	} 
++	if (verify_selinuxmnt(SELINUXMNT) == 0) return;
++
++	if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
+ 
+ 	/* Drop back to detecting it the long way. */
+ 	fp = fopen("/proc/filesystems", "r");
+@@ -52,7 +74,7 @@ static void init_selinuxmnt(void)
+ 
+ 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 	while ((num = getline(&buf, &len, fp)) != -1) {
+-		if (strstr(buf, "selinuxfs")) {
++		if (strstr(buf, SELINUXFS)) {
+ 			exists = 1;
+ 			break;
+ 		}
+@@ -79,7 +101,7 @@ static void init_selinuxmnt(void)
+ 		tmp = strchr(p, ' ');
+ 		if (!tmp)
+ 			goto out;
+-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
++		if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
+ 			*tmp = '\0';
+ 			break;
+ 		}
+@@ -87,7 +109,7 @@ static void init_selinuxmnt(void)
+ 
+ 	/* If we found something, dup it */
+ 	if (num > 0)
+-		selinux_mnt = strdup(p);
++		verify_selinuxmnt(p);
+ 
+       out:
+ 	free(buf);
+diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
+index 83d2143..0961912 100644
+--- a/libselinux/src/load_policy.c
++++ b/libselinux/src/load_policy.c
+@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
+ 	 * Check for the existence of SELinux via selinuxfs, and 
+ 	 * mount it if present for use in the calls below.  
+ 	 */
+-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
++	char *mntpoint = NULL;
++	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
++		mntpoint = SELINUXMNT;
++	} else { 
++		/* check old mountpoint */
++		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
++			mntpoint = OLDSELINUXMNT;
++		}
++	} 
++
++	if (! mntpoint ) {
+ 		if (errno == ENODEV) {
+ 			/*
+ 			 * SELinux was disabled in the kernel, either
+@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce)
+                 
+ 		goto noload;
+ 	}
+-	set_selinuxmnt(SELINUXMNT);
++	set_selinuxmnt(mntpoint);
+ 
+ 	/*
+ 	 * Note:  The following code depends on having selinuxfs 
+@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
+ 		rc = security_disable();
+ 		if (rc == 0) {
+ 			/* Successfully disabled, so umount selinuxfs too. */
+-			umount(SELINUXMNT);
++			umount(selinux_mnt);
+ 			fini_selinuxmnt();
+ 		}
+ 		/*
 diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
 index 5fd8fe4..da5cab9 100644
 --- a/libselinux/src/matchpathcon.c
@@ -195,6 +423,27 @@ index 5fd8fe4..da5cab9 100644
  	va_end(ap);
  }
  
+diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
+index 10e8712..bf270b5 100644
+--- a/libselinux/src/policy.h
++++ b/libselinux/src/policy.h
+@@ -9,11 +9,15 @@
+ /* Initial length guess for getting contexts. */
+ #define INITCONTEXTLEN 255
+ 
++/* selinux file system type */
++#define SELINUXFS "selinuxfs"
++
+ /* selinuxfs magic number */
+ #define SELINUX_MAGIC 0xf97cff8c
+ 
+ /* Preferred selinux mount location */
+-#define SELINUXMNT "/selinux"
++#define SELINUXMNT "/sys/fs/selinux"
++#define OLDSELINUXMNT "/selinux"
+ 
+ /* selinuxfs mount point */
+ extern char *selinux_mnt;
 diff --git a/libselinux/src/selinux.py b/libselinux/src/selinux.py
 index fd63a4f..248048a 100644
 --- a/libselinux/src/selinux.py
@@ -1375,3 +1624,199 @@ index e0884f6..b131d2e 100644
    SWIG_Python_SetConstant(d, "SELINUX_AVD_FLAGS_PERMISSIVE",SWIG_From_int((int)(0x0001)));
    SWIG_Python_SetConstant(d, "SELINUX_CB_LOG",SWIG_From_int((int)(0)));
    SWIG_Python_SetConstant(d, "SELINUX_CB_AUDIT",SWIG_From_int((int)(1)));
+diff --git a/libselinux/utils/matchpathcon.c b/libselinux/utils/matchpathcon.c
+index 4453a88..f1fe506 100644
+--- a/libselinux/utils/matchpathcon.c
++++ b/libselinux/utils/matchpathcon.c
+@@ -8,6 +8,49 @@
+ #include <sys/stat.h>
+ #include <sys/errno.h>
+ #include <selinux/selinux.h>
++#include <limits.h>
++#include <stdlib.h>
++
++
++static int symlink_realpath(char *name, char *path)
++{
++	char *p = NULL, *file_sep;
++	char *tmp_path = strdupa(name);
++	size_t len = 0;
++
++	if (!tmp_path) {
++		fprintf(stderr, "strdupa on %s failed:  %s\n", name,
++			strerror(errno));
++		return -1;
++	}
++	file_sep = strrchr(tmp_path, '/');
++	if (file_sep == tmp_path) {
++		file_sep++;
++		p = strcpy(path, "");
++	} else if (file_sep) {
++		*file_sep = 0;
++		file_sep++;
++		p = realpath(tmp_path, path);
++	} else {
++		file_sep = tmp_path;
++		p = realpath("./", path);
++	}
++	if (p)
++		len = strlen(p);
++	if (!p || len + strlen(file_sep) + 2 > PATH_MAX) {
++		fprintf(stderr, "symlink_realpath(%s) failed %s\n", name,
++			strerror(errno));
++		return -1;
++	}
++	p += len;
++	/* ensure trailing slash of directory name */
++	if (len == 0 || *(p - 1) != '/') {
++		*p = '/';
++		p++;
++	}
++	strcpy(p, file_sep);
++	return 0;
++}
+ 
+ void usage(const char *progname)
+ {
+@@ -103,49 +146,66 @@ int main(int argc, char **argv)
+ 		}
+ 	}
+ 	for (i = optind; i < argc; i++) {
++		char lnkpath[PATH_MAX + 1];
+ 		int mode = 0;
+ 		struct stat buf;
++		char *newpath = NULL;
++		char *path;
+ 		int len = strlen(argv[i]);
+ 		if (len > 1  && argv[i][len - 1 ] == '/') {
+ 			argv[i][len - 1 ] = '\0';
+ 		}
+ 
+-		if (lstat(argv[i], &buf) == 0)
++		if (lstat(argv[i], &buf) == 0) {
+ 			mode = buf.st_mode;
++		}
++		
++		path = argv[i];
++		if (S_ISLNK(mode)) {
++			int rc = symlink_realpath(argv[i], lnkpath);
++			if (rc >= 0) {
++				path = lnkpath;
++			}
++		} else {
++			if ((newpath = realpath(argv[i], NULL))) {
++				path = newpath;
++			}
++		}
+ 
+ 		if (verify) {
+ 			if (quiet) {
+-				if (selinux_file_context_verify(argv[i], mode))
++				if (selinux_file_context_verify(path, mode))
+ 					continue;
+ 				else
+ 					exit(1);
+ 			}
+-			if (selinux_file_context_verify(argv[i], mode)) {
+-				printf("%s verified.\n", argv[i]);
++			if (selinux_file_context_verify(path, mode)) {
++				printf("%s verified.\n", path);
+ 			} else {
+ 				security_context_t con;
+ 				int rc;
+ 				error = 1;
+ 				if (notrans)
+-					rc = lgetfilecon_raw(argv[i], &con);
++					rc = lgetfilecon_raw(path, &con);
+ 				else
+-					rc = lgetfilecon(argv[i], &con);
++					rc = lgetfilecon(path, &con);
+ 
+ 				if (rc >= 0) {
+ 					printf("%s has context %s, should be ",
+ 					       argv[i], con);
+-					printmatchpathcon(argv[i], 0, mode);
++					printmatchpathcon(path, 0, mode);
+ 					freecon(con);
+ 				} else {
+ 					printf
+ 					    ("actual context unknown: %s, should be ",
+ 					     strerror(errno));
+-					printmatchpathcon(argv[i], 0, mode);
++					printmatchpathcon(path, 0, mode);
+ 				}
+ 			}
+ 		} else {
+-			error |= printmatchpathcon(argv[i], header, mode);
++			error |= printmatchpathcon(path, header, mode);
+ 		}
++		free(newpath); newpath = NULL;
+ 	}
+ 	matchpathcon_fini();
+ 	return error;
+diff --git a/libselinux/utils/selinuxexeccon.c b/libselinux/utils/selinuxexeccon.c
+new file mode 100644
+index 0000000..c55fde9
+--- /dev/null
++++ b/libselinux/utils/selinuxexeccon.c
+@@ -0,0 +1,60 @@
++#include <unistd.h>
++#include <sys/types.h>
++#include <fcntl.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <errno.h>
++#include <string.h>
++#include <ctype.h>
++#include <selinux/flask.h>
++#include <selinux/selinux.h>
++
++void usage(char *name, char *detail, int rc)
++{
++	fprintf(stderr, "usage:  %s command [ fromcon ]\n", name);
++	if (detail)
++		fprintf(stderr, "%s:  %s\n", name, detail);
++	exit(rc);
++}
++
++static security_context_t get_selinux_proc_context(const char *command, security_context_t execcon) {
++	security_context_t fcon = NULL, newcon = NULL;
++
++	int ret = getfilecon(command, &fcon);
++	if (ret < 0) goto err;
++	ret = security_compute_create(execcon, fcon, SECCLASS_PROCESS, &newcon);
++	if (ret < 0) goto err;
++
++err:
++	freecon(fcon);
++	return newcon;
++}
++
++int main(int argc, char **argv)
++{
++	int ret = -1;
++	security_context_t proccon = NULL, con = NULL;
++	if (argc < 2 || argc > 3)
++		usage(argv[0], "Invalid number of arguments", -1);
++
++	if (argc == 2) {
++		if (getcon(&con) < 0) {
++			perror(argv[0]);
++			return -1;
++		}
++	} else {
++		con = strdup(argv[2]);
++	}
++
++	proccon = get_selinux_proc_context(argv[1], con);
++	if (proccon) {
++		printf("%s\n", proccon);
++		ret = 0;
++	} else {
++		perror(argv[0]);
++	}
++
++	free(proccon);
++	free(con);
++	return ret;
++}

libselinux.spec

@@ -7,7 +7,7 @@
 Summary: SELinux library and simple utilities
 Name: libselinux
 Version: 2.0.102
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain
 Group: System Environment/Libraries
 Source: http://www.nsa.gov/research/selinux/%{name}-%{version}.tgz
@@ -198,6 +198,7 @@ exit 0
 %{_sbindir}/matchpathcon
 %{_sbindir}/selinuxconlist
 %{_sbindir}/selinuxdefcon
+%{_sbindir}/selinuxexeccon
 %{_sbindir}/selinuxenabled
 %{_sbindir}/setenforce
 %{_sbindir}/togglesebool
@@ -236,6 +237,11 @@ exit 0
 %{ruby_sitearch}/selinux.so
 
 %changelog
+* Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-5
+- Move /selinux to /sys/fs/selinux
+- Add selinuxexeccon
+- Add realpath to matchpathcon to handle matchpathcon * type queries.
+
 * Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.0.102-4
 - Update for latest libsepol