[PATCH 10/92] libselinux mountpoint changing patch.

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk44GHYACgkQrlYvE4MpobNUawCfXCtl96DVzQQF3p7EDnlNs6VB
6dkAoOQGQL9w2bVVtlMtS+RH18NYN8zh
=+zb7
-----END PGP SIGNATURE-----

>From 09d0b1c50da8b7f7e897d779c9ce9e8d0c4fc398 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
Date: Tue, 3 May 2011 14:06:12 -0400
Subject: [PATCH 10/92] libselinux mountpoint changing patch.

The Fedora Distribution is looking to standardize kernel subsystem file
systems to be mounted under /sys/fs. They would like us to move /selinux
to /sys/fs/selinux.  This patch changes libselinux in the following
ways:

1.  load_policy will first check if /sys/fs/selinux exists and mount the
selinuxfs at this location, if it does not exists it will fall back to
mounting the file system at /selinux (if it exists).

2.  The init functions of selinux will now check if /sys/fs/selinux is
mounted, if it is and has an SELinuxfs mounted on it, the code will then
check if the selinuxfs is mounted rw, if it is, libselinux will set the
mountpoint, if it is readonly, libselinux will return no mountpoint.  If
/sys/fs/selinux does not exists, the same check will be done for
/selinux and finally for an entry in /proc/mounts.

NOTE:  We added the check for RO, to allow tools like mock to be able to
tell a chroot that SELinux is disabled while enforcing it outside the
chroot.

$ getenforce
Enabled
$ mount --bind /selinux /var/chroot/selinux
$ mount -o remount,ro /var/chroot/selinux
$ chroot /var/chroot
$ getenforce
Disabled

3. In order to make this work, I needed to stop enabled from checking if
/proc/filesystem for entries if selinux_mnt did not exist.  Now enabeled
checks if selinux_mnt has been discovered otherwise it will report
selinux disabled.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 libselinux/src/enabled.c     |   33 -------------------------
 libselinux/src/init.c        |   54 +++++++++++++++++++++++++++++------------
 libselinux/src/load_policy.c |   16 ++++++++++--
 libselinux/src/policy.h      |    6 ++++-
 4 files changed, 56 insertions(+), 53 deletions(-)

diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@
 
 int is_selinux_enabled(void)
 {
-	char *buf=NULL;
-	FILE *fp;
-	ssize_t num;
-	size_t len;
 	int enabled = 0;
 	security_context_t con;
 
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 				enabled = 0;
 			freecon(con);
 		}
-		return enabled;
         }
 
-	/* Drop back to detecting it the long way. */
-	fp = fopen("/proc/filesystems", "r");
-	if (!fp)
-		return -1;
-
-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
-	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
-			enabled = 1;
-			break;
-		}
-	}
-
-	if (num < 0)
-		goto out;
-
-	/* Since an selinux file system is available, we consider
-	 * selinux enabled. If getcon_raw fails, selinux is still
-	 * enabled. We only consider it disabled if no policy is loaded. */
-	if (getcon_raw(&con) == 0) {
-		if (!strcmp(con, "kernel"))
-			enabled = 0;
-		freecon(con);
-	}
-
-      out:
-	free(buf);
-	fclose(fp);
 	return enabled;
 }
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..31f1ea6 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
@@ -20,12 +21,41 @@ char *selinux_mnt = NULL;
 int selinux_page_size = 0;
 int obj_class_compat = 1;
 
+/* Verify the mount point for selinux file system has a selinuxfs.
+   If the file system:
+   * Exist,
+   * Is mounted with an selinux file system,
+   * The file system is read/write
+   * then set this as the default file system.
+*/
+static int verify_selinuxmnt(char *mnt)
+{
+	struct statfs sfbuf;
+	int rc;
+
+	do {
+		rc = statfs(mnt, &sfbuf);
+	} while (rc < 0 && errno == EINTR);
+	if (rc == 0) {
+		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+			struct statvfs vfsbuf;
+			rc = statvfs(mnt, &vfsbuf);
+			if (rc == 0) {
+				if (!(vfsbuf.f_flag & ST_RDONLY)) {
+					set_selinuxmnt(mnt);
+				}
+				return 0;
+			}
+		}
+	}
+
+	return -1;
+}
+
 static void init_selinuxmnt(void)
 {
 	char *buf=NULL, *p;
 	FILE *fp=NULL;
-	struct statfs sfbuf;
-	int rc;
 	size_t len;
 	ssize_t num;
 	int exists = 0;
@@ -33,17 +63,9 @@ static void init_selinuxmnt(void)
 	if (selinux_mnt)
 		return;
 
-	/* We check to see if the preferred mount point for selinux file
-	 * system has a selinuxfs. */
-	do {
-		rc = statfs(SELINUXMNT, &sfbuf);
-	} while (rc < 0 && errno == EINTR);
-	if (rc == 0) {
-		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
-			selinux_mnt = strdup(SELINUXMNT);
-			return;
-		}
-	} 
+	if (verify_selinuxmnt(SELINUXMNT) == 0) return;
+
+	if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
 
 	/* Drop back to detecting it the long way. */
 	fp = fopen("/proc/filesystems", "r");
@@ -52,7 +74,7 @@ static void init_selinuxmnt(void)
 
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
+		if (strstr(buf, SELINUXFS)) {
 			exists = 1;
 			break;
 		}
@@ -79,7 +101,7 @@ static void init_selinuxmnt(void)
 		tmp = strchr(p, ' ');
 		if (!tmp)
 			goto out;
-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+		if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
 			*tmp = '\0';
 			break;
 		}
@@ -87,7 +109,7 @@ static void init_selinuxmnt(void)
 
 	/* If we found something, dup it */
 	if (num > 0)
-		selinux_mnt = strdup(p);
+		verify_selinuxmnt(p);
 
       out:
 	free(buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..868660f 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+	char *mntpoint = NULL;
+	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
+	} else {
+		/* check old mountpoint */
+		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+			mntpoint = OLDSELINUXMNT;
+		}
+	}
+
+	if (! mntpoint ) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce)
                 
 		goto noload;
 	}
-	set_selinuxmnt(SELINUXMNT);
+	set_selinuxmnt(mntpoint);
 
 	/*
 	 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
 		rc = security_disable();
 		if (rc == 0) {
 			/* Successfully disabled, so umount selinuxfs too. */
-			umount(SELINUXMNT);
+			umount(selinux_mnt);
 			fini_selinuxmnt();
 		}
 		/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..bf270b5 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -9,11 +9,15 @@
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
 
+/* selinux file system type */
+#define SELINUXFS "selinuxfs"
+
 /* selinuxfs magic number */
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
+#define OLDSELINUXMNT "/selinux"
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;
-- 
1.7.6

Attachment: 0010-libselinux-mountpoint-changing-patch.patch.sig
Description: PGP signature