* [PATCH 0/8] busybox -- libselinux utilities applets
@ 2007-01-25 14:35 KaiGai Kohei
  2007-01-25 14:44 ` [PATCH 2/8] " KaiGai Kohei
                   ` (8 more replies)
  0 siblings, 9 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:35 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox

Hello,

The following patches provide the utilities included in the libselinux
package, against the latest busybox repository.
Each of them is a fundamental one for using SELinux.

We welcome any comments, and hope to merge them into busybox.

NOTE: How to configure

All of these applets depend on CONFIG_SELINUX, so you have to
enable it with the following steps in 'menuconfig'.

Busybox Settings  --->
  General Configuration  --->
    [*] Support NSA Security Enhanced Linux (CONFIG_SELINUX)

and then enable the desired entries under 'Selinux Utilities  --->'.

[1/8] busybox-libselinux-01-common.patch
  The common part of libselinux package
  - modification of Makefile
  - add '-lselinux', if CONFIG_SELINUX enabled
    (It was never linked, so we could not build with SELinux
     support in busybox-1.4.0)
  - add selinux/Config.in and selinux/Kbuild
  - add usage.h and applets.h for the series of applets

[2/8] busybox-libselinux-02-getenforce.patch
  getenforce - get the current mode of SELinux.
  SELinux has two modes. One is 'Enforcing', which enables
  mandatory access control based on the security policy.
  The other is 'Permissive' mode, which evaluates the
  security policy and outputs audit messages when it is violated,
  but does not apply mandatory access control. It is used
  to debug policy.

[3/8] busybox-libselinux-03-selinuxenabled.patch
  selinuxenabled returns 0 as its exit code
  if SELinux is enabled.
  Typically, shell scripts use it to decide whether or not
  SELinux is working.

[4/8] busybox-libselinux-04-getsebool.patch
  getsebool reports a particular SELinux boolean variable,
  or all of them.
  A SELinux boolean variable is an interface to configure
  the conditions of the security policy. We can enable or
  disable parts of the security policy via boolean
  variables.

[5/8] busybox-libselinux-05-avcstat.patch
  avcstat reports SELinux AVC (Access Vector Cache) statistics.
  AVC is an in-kernel data structure to accelerate SELinux's
  decision making.

[6/8] busybox-libselinux-06-togglesebool.patch
  togglesebool - flip the current value of a SELinux
  boolean variable.

[7/8] busybox-libselinux-07-matchpathcon.patch
  matchpathcon - get the default security context for
  the specified path from the file contexts configuration.
  A security context is an identifier for SELinux.
  Every file has its own security context, and SELinux uses it
  to evaluate the attributes of the file.
  When we are setting up a system, we have to attach a security
  context to each file, so we can obtain the most appropriate
  security context by using matchpathcon.

[8/8] busybox-libselinux-08-setenforce.patch
  setenforce - modify the mode SELinux is running in:
  Enforcing or Permissive.

This project originated from some members of JPSEUG (Japan SELinux
User Group). Now we are preparing to submit further SELinux-related
patches, such as policycoreutils and '-Z' option support.
Please wait a bit.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 19+ messages in thread
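As an added example (not part of KaiGai's series or of busybox), here is how a POSIX shell script would consume the contracts the cover letter describes: selinuxenabled's exit status, getenforce's three output words, and getsebool's `name --> value [pending: value]` line format (taken from the printf calls in getsebool.c, patch 4/8). The functions take their input as arguments so they can run where no SELinux applet is installed; the boolean names and output lines used as samples are constructed, and the live invocation at the bottom is shown only in a comment.

```shell
#!/bin/sh
# Added example: consuming the exit-status and output contracts of the
# selinuxenabled / getenforce / getsebool applets from a shell script.
# Not part of the patch series; inputs are passed as arguments so the
# functions can be exercised without SELinux present.

# Map selinuxenabled's exit status to a word. Only 0 means "enabled".
# 127 is what the shell returns when the command itself is missing, so
# it is reported separately: a script must not mistake a missing applet
# for "SELinux is disabled".
selinux_state_from_status() {
    case "$1" in
        0)   echo enabled ;;
        127) echo unavailable ;;
        *)   echo disabled ;;
    esac
}

# Normalise getenforce output; the applet prints exactly one of these.
mode_from_getenforce() {
    case "$1" in
        Enforcing)  echo enforcing ;;
        Permissive) echo permissive ;;
        Disabled)   echo disabled ;;
        *)          echo unknown ;;
    esac
}

# Parse one getsebool output line and print "<active> <pending>".
# getsebool prints "name --> on|off" when nothing is pending and
# "name --> on|off pending: on|off" when a set has not been committed;
# in the first form the pending value equals the active one.
# Returns 1 for a line that does not follow the format.
parse_getsebool_line() {
    set -- $1
    # $1=name  $2="-->"  $3=active  [$4="pending:"  $5=pending]
    [ "$2" = "-->" ] || return 1
    if [ "$4" = "pending:" ]; then
        echo "$3 $5"
    else
        echo "$3 $3"
    fi
}

# True (exit 0) only when the policy is actually enforced: SELinux is
# enabled and the mode is Enforcing. Permissive or Disabled means the
# policy is not stopping anything, which is what a hardening check
# should flag. Arguments: selinuxenabled exit status, getenforce output.
policy_is_enforced() {
    [ "$(selinux_state_from_status "$1")" = enabled ] &&
    [ "$(mode_from_getenforce "$2")" = enforcing ]
}

# Live use on a host with the applets installed (constructed invocation):
#   selinuxenabled; st=$?
#   if policy_is_enforced "$st" "$(getenforce)"; then echo ok; fi
#   getsebool -a | while read -r line; do
#       parse_getsebool_line "$line"
#   done
```

The `pending:` branch matters for auditing: getsebool shows a value that has been set but not yet committed (see `security_get_boolean_pending` in the getsebool applet), so a script that only greps for `on`/`off` can read a boolean as already changed when the kernel is still enforcing the old value.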

* [PATCH 2/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
@ 2007-01-25 14:44 ` KaiGai Kohei
       [not found]   ` <200701270054.34561.vda.linux@googlemail.com>
  2007-01-25 14:44 ` [PATCH 3/8] " KaiGai Kohei
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:44 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[2/8] busybox-libselinux-02-getenforce.patch
  getenforce - get the current mode of SELinux.
  SELinux has two modes. One is 'Enforcing', which enables
  mandatory access control based on the security policy.
  The other is 'Permissive' mode, which evaluates the
  security policy and outputs audit messages when it is violated,
  but does not apply mandatory access control. It is used
  to debug policy.

Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/getenforce.c
===================================================================
--- selinux/getenforce.c	(revision 0)
+++ selinux/getenforce.c	(revision 0)
@@ -0,0 +1,40 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+
+int getenforce_main(int argc, char **argv)
+{
+	int rc;
+
+	rc = is_selinux_enabled();
+	if (rc < 0) {
+		bb_error_msg("is_selinux_enabled() failed");
+		return 2;
+	}
+	if (rc == 1) {
+		rc = security_getenforce();
+		if (rc < 0) {
+			bb_error_msg("getenforce() failed");
+			return 2;
+		}
+
+		if (rc)
+			puts("Enforcing");
+		else
+			puts("Permissive");
+	} else {
+		puts("Disabled");
+	}
+
+	return 0;
+}
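Review bot: both failure paths discard the reason: `bb_error_msg("is_selinux_enabled() failed")` and `bb_error_msg("getenforce() failed")` drop errno, so a user cannot tell a missing selinuxfs from a permission problem; `bb_perror_msg(...)`, which appends strerror(errno), keeps it, and the second message should name `security_getenforce()`, the function actually called. The explicit `<unistd.h>`, `<stdio.h>` and `<stdlib.h>` includes are redundant with "busybox.h". `argc`/`argv` are unused, which is acceptable for an applet taking no arguments, but setenforce in this series rejects a wrong argument count with `bb_show_usage()`, so doing the same here for `argc != 1` would be consistent.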


* [PATCH 3/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
  2007-01-25 14:44 ` [PATCH 2/8] " KaiGai Kohei
@ 2007-01-25 14:44 ` KaiGai Kohei
  2007-01-25 14:44 ` [PATCH 4/8] " KaiGai Kohei
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:44 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[3/8] busybox-libselinux-03-selinuxenabled.patch
  selinuxenabled returns 0 as its exit code
  if SELinux is enabled.
  Typically, shell scripts use it to decide whether or not
  SELinux is working.

Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/selinuxenabled.c
===================================================================
--- selinux/selinuxenabled.c	(revision 0)
+++ selinux/selinuxenabled.c	(revision 0)
@@ -0,0 +1,17 @@
+/*
+ * selinuxenabled
+ * 
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <selinux/selinux.h>
+
+int selinuxenabled_main(int argc, char **argv)
+{
+	return !is_selinux_enabled();
+}
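Review bot: `return !is_selinux_enabled();` maps a negative (error) return to exit status 0, i.e. "SELinux enabled". The other applets in this series treat `is_selinux_enabled() <= 0` as disabled (getsebool, togglesebool and setenforce all check `<= 0`), and a script gating on this exit code should fail closed rather than assume enforcement is active, so write `return is_selinux_enabled() == 1 ? 0 : 1;`. The `<unistd.h>`/`<stdio.h>`/`<stdlib.h>` includes are redundant with "busybox.h", as in getenforce.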


* [PATCH 4/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
  2007-01-25 14:44 ` [PATCH 2/8] " KaiGai Kohei
  2007-01-25 14:44 ` [PATCH 3/8] " KaiGai Kohei
@ 2007-01-25 14:44 ` KaiGai Kohei
       [not found]   ` <200701270059.34996.vda.linux@googlemail.com>
  2007-01-25 14:44 ` [PATCH 5/8] " KaiGai Kohei
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:44 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[4/8] busybox-libselinux-04-getsebool.patch
  getsebool reports a particular SELinux boolean variable,
  or all of them.
  A SELinux boolean variable is an interface to configure
  the conditions of the security policy. We can enable or
  disable parts of the security policy via boolean
  variables.

Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/getsebool.c
===================================================================
--- selinux/getsebool.c	(revision 0)
+++ selinux/getsebool.c	(revision 0)
@@ -0,0 +1,98 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+
+#define GETSEBOOL_OPT_ALL	1
+
+int getsebool_main(int argc, char **argv)
+{
+	int i, rc = 0, active, pending, len = 0;
+	char **names;
+	unsigned long opt;
+
+	opt = getopt32(argc, argv, "a");
+
+	if(opt & BB_GETOPT_ERROR) {
+		bb_show_usage();
+	}
+	if(opt & GETSEBOOL_OPT_ALL) {
+		if (argc > 2)
+			bb_show_usage();
+		if (is_selinux_enabled() <= 0) {
+			bb_error_msg_and_die("SELinux is disabled");
+		}
+		errno = 0;
+		rc = security_get_boolean_names(&names, &len);
+		if (rc) {
+			bb_error_msg_and_die("Unable to get boolean names:  %s", strerror(errno));
+		}
+		if (!len) {
+			printf("No booleans\n");
+			return 0;
+		}
+	}
+
+	if (is_selinux_enabled() <= 0) {
+		bb_error_msg_and_die("SELinux is disabled");
+	}
+
+	if (!len) {
+		if (argc < 2)
+			bb_show_usage();
+		len = argc - 1;
+		names = malloc(sizeof(char *) * len);
+		if (!names) {
+			bb_error_msg_and_die("out of memory");
+		}
+		for (i = 0; i < len; i++) {
+			names[i] = strdup(argv[i + 1]);
+			if (!names[i]) {
+				bb_error_msg_and_die("out of memory");
+			}
+		}
+	}
+
+	for (i = 0; i < len; i++) {
+		active = security_get_boolean_active(names[i]);
+		if (active < 0) {
+			bb_error_msg("Error getting active value for %s",
+				names[i]);
+			rc = -1;
+			goto out;
+		}
+		pending = security_get_boolean_pending(names[i]);
+		if (pending < 0) {
+			bb_error_msg("Error getting pending value for %s",
+				names[i]);
+			rc = -1;
+			goto out;
+		}
+		if (pending != active) {
+			printf("%s --> %s pending: %s\n", names[i],
+			       (active ? "on" : "off"),
+			       (pending ? "on" : "off"));
+		} else {
+			printf("%s --> %s\n", names[i],
+			       (active ? "on" : "off"));
+		}
+	}
+
+      out:
+	for (i = 0; i < len; i++)
+		free(names[i]);
+	free(names);
+	return rc;
+}
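Review bot: the two `rc = -1; goto out;` paths make `getsebool_main()` return -1, which the shell sees as exit status 255; return 1 instead. The hand-rolled `malloc`/`strdup` with "out of memory" checks can be replaced by busybox's `xmalloc()`/`xstrdup()`, which die on allocation failure. The non-`-a` path takes names from `argv[1]` onward via `len = argc - 1`, ignoring the `optind` that `getopt32()` leaves behind, so an explicit `--` would be looked up as a boolean name; use `argc - optind` and `argv + optind`. `is_selinux_enabled()` is checked twice on the `-a` path (inside the `GETSEBOOL_OPT_ALL` block and again right after it), and the early `return 0` after "No booleans" leaks `names`.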


* [PATCH 5/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (2 preceding siblings ...)
  2007-01-25 14:44 ` [PATCH 4/8] " KaiGai Kohei
@ 2007-01-25 14:44 ` KaiGai Kohei
  2007-01-26 20:10   ` Christopher J. PeBenito
  2007-01-25 14:44 ` [PATCH 6/8] " KaiGai Kohei
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:44 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[5/8] busybox-libselinux-05-avcstat.patch
  avcstat reports SELinux AVC (Access Vector Cache) statistics.
  AVC is an in-kernel data structure to accelerate SELinux's
  decision making.

Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/avcstat.c
===================================================================
--- selinux/avcstat.c	(revision 0)
+++ selinux/avcstat.c	(revision 0)
@@ -0,0 +1,201 @@
+/*
+ * avcstat - Display SELinux avc statistics.
+ *           based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ *
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <libgen.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <linux/limits.h>
+#include "busybox.h"
+
+#define DEF_STAT_FILE	"/avc/cache_stats"
+#define DEF_BUF_SIZE	8192
+#define HEADERS		"lookups hits misses allocations reclaims frees"
+
+struct avc_cache_stats {
+	unsigned long long lookups;
+	unsigned long long hits;
+	unsigned long long misses;
+	unsigned long long allocations;
+	unsigned long long reclaims;
+	unsigned long long frees;
+};
+
+static int interval;
+static int rows;
+static char *progname;
+static char buf[DEF_BUF_SIZE];
+
+/* selinuxfs mount point */
+extern char *selinux_mnt;
+
+static void set_window_rows(void)
+{
+	int ret;
+	struct winsize ws;
+
+	ret = ioctl(fileno(stdout), TIOCGWINSZ, &ws);
+	if (ret < 0 || ws.ws_row < 3)
+		ws.ws_row = 24;
+	rows = ws.ws_row;
+}
+
+static void sighandler(int num)
+{
+	if (num == SIGWINCH)
+		set_window_rows();
+}
+
+#define OPT_AVCSTAT_CUMULATIVE		(1 << 0)	/* -c */
+#define OPT_AVCSTAT_STATFILE		(1 << 1)	/* -f */
+#define OPT_AVCSTAT_HELP		(1 << 2)	/* -h */
+
+int avcstat_main(int argc, char **argv)
+{
+	struct avc_cache_stats tot, rel, last;
+	int fd, i, cumulative = 0;
+	struct sigaction sa;
+	char avcstatfile[PATH_MAX];
+	char *altstatfile;
+	unsigned long opts;
+
+	snprintf(avcstatfile, sizeof avcstatfile, "%s%s", selinux_mnt,
+		 DEF_STAT_FILE);
+	progname = basename(argv[0]);
+
+	memset(&last, 0, sizeof(last));
+	opts = getopt32(argc, argv, "cf:h", &altstatfile);
+	if (opts & (OPT_AVCSTAT_HELP | BB_GETOPT_ERROR))
+		bb_show_usage();
+	if (opts & OPT_AVCSTAT_CUMULATIVE)
+		cumulative = 1;
+	if (opts & OPT_AVCSTAT_STATFILE)
+		strncpy(avcstatfile, altstatfile, sizeof(avcstatfile));
+
+	if (optind < argc) {
+		char *arg = argv[optind];
+		unsigned int n = strtoul(arg, NULL, 10);
+
+		if (errno == ERANGE) {
+			bb_show_usage();
+			bb_error_msg_and_die("invalid interval \'%s\'", arg);
+		}
+		if (n == 0) {
+			bb_show_usage();
+			exit(0);
+		}
+		interval = n;
+	}
+
+	sa.sa_handler = sighandler;
+	sa.sa_flags = SA_RESTART;
+
+	i = sigaction(SIGWINCH, &sa, NULL);
+	if (i < 0)
+		bb_error_msg_and_die("sigaction");
+
+	set_window_rows();
+	fd = open(avcstatfile, O_RDONLY);
+	if (fd < 0)
+		bb_error_msg_and_die("open: \'%s\'", avcstatfile);
+
+	for (i = 0;; i++) {
+		char *line;
+		ssize_t ret, parsed = 0;
+
+		memset(buf, 0, DEF_BUF_SIZE);
+		ret = read(fd, buf, DEF_BUF_SIZE);
+		if (ret < 0)
+			bb_error_msg_and_die("read");
+
+		if (ret == 0)
+			bb_error_msg_and_die("read: \'%s\': unexpected end of file",
+			    avcstatfile);
+
+		line = strtok(buf, "\n");
+		if (!line)
+			bb_error_msg_and_die("unable to parse \'%s\': end of line not found",
+			    avcstatfile);
+
+		if (strcmp(line, HEADERS))
+			bb_error_msg_and_die("unable to parse \'%s\': invalid headers",
+			    avcstatfile);
+
+		if (!i || !(i % (rows - 2)))
+			printf("%10s %10s %10s %10s %10s %10s\n", "lookups",
+			       "hits", "misses", "allocs", "reclaims", "frees");
+
+		memset(&tot, 0, sizeof(tot));
+
+		while ((line = strtok(NULL, "\n"))) {
+			struct avc_cache_stats tmp;
+
+			ret = sscanf(line, "%llu %llu %llu %llu %llu %llu",
+				     &tmp.lookups,
+				     &tmp.hits,
+				     &tmp.misses,
+				     &tmp.allocations,
+				     &tmp.reclaims, &tmp.frees);
+			if (ret != 6)
+				bb_error_msg_and_die("unable to parse \'%s\': scan error",
+				    avcstatfile);
+
+			tot.lookups += tmp.lookups;
+			tot.hits += tmp.hits;
+			tot.misses += tmp.misses;
+			tot.allocations += tmp.allocations;
+			tot.reclaims += tmp.reclaims;
+			tot.frees += tmp.frees;
+			parsed = 1;
+		}
+
+		if (!parsed)
+			bb_error_msg_and_die("unable to parse \'%s\': no data", avcstatfile);
+
+		if (cumulative || (!cumulative && !i))
+			printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
+			       tot.lookups, tot.hits, tot.misses,
+			       tot.allocations, tot.reclaims, tot.frees);
+		else {
+			rel.lookups = tot.lookups - last.lookups;
+			rel.hits = tot.hits - last.hits;
+			rel.misses = tot.misses - last.misses;
+			rel.allocations = tot.allocations - last.allocations;
+			rel.reclaims = tot.reclaims - last.reclaims;
+			rel.frees = tot.frees - last.frees;
+			printf("%10Lu %10Lu %10Lu %10Lu %10Lu %10Lu\n",
+			       rel.lookups, rel.hits, rel.misses,
+			       rel.allocations, rel.reclaims, rel.frees);
+		}
+
+		if (!interval)
+			break;
+
+		memcpy(&last, &tot, sizeof(last));
+		sleep(interval);
+
+		ret = lseek(fd, 0, 0);
+		if (ret < 0)
+			bb_error_msg_and_die("lseek");
+	}
+
+	close(fd);
+	return 0;
+}
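Review bot: `struct sigaction sa` is only partially initialised before `sigaction(SIGWINCH, &sa, NULL)`: `sa.sa_handler` and `sa.sa_flags` are set but `sa.sa_mask` never is, so whatever was on the stack becomes the handler's signal mask; add `sigemptyset(&sa.sa_mask);` (or `memset(&sa, 0, sizeof(sa));`) first. The interval parsing tests `errno == ERANGE` without clearing errno before `strtoul()`, passes `NULL` as endptr so trailing garbage is accepted, and narrows the result to `unsigned int`; busybox's `xatou()` covers all three. `strncpy(avcstatfile, altstatfile, sizeof(avcstatfile))` does not NUL-terminate when the argument is too long (`safe_strncpy()` does). `read(fd, buf, DEF_BUF_SIZE)` fills the whole buffer, so a stats file of exactly DEF_BUF_SIZE bytes leaves no terminator for `strtok()`; read `DEF_BUF_SIZE - 1`. `extern char *selinux_mnt` declares a libselinux symbol by hand instead of through a header, so the build silently depends on that symbol staying exported. `progname` is assigned but never used, and `cumulative || (!cumulative && !i)` is just `cumulative || !i`.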


* [PATCH 6/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (3 preceding siblings ...)
  2007-01-25 14:44 ` [PATCH 5/8] " KaiGai Kohei
@ 2007-01-25 14:44 ` KaiGai Kohei
  2007-01-25 14:45 ` [PATCH 7/8] " KaiGai Kohei
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:44 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[6/8] busybox-libselinux-06-togglesebool.patch
  togglesebool - flip the current value of a SELinux
  boolean variable.

Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/togglesebool.c
===================================================================
--- selinux/togglesebool.c	(revision 0)
+++ selinux/togglesebool.c	(revision 0)
@@ -0,0 +1,106 @@
+/*
+ * togglesebool
+ * 
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ * Copyright 1999-2004 Gentoo Technologies, Inc.
+ * Distributed under the terms of the GNU General Public License v2
+ * $Header: /var/cvsroot/gentoo-projects/hardened/policycoreutils-extra/src/toggle_bool.c,v 1.2 2004/06/18 04:09:04 pebenito Exp $
+ */
+
+#include "busybox.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <libgen.h>
+#include <errno.h>
+#include <selinux/selinux.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <string.h>
+
+/* Attempt to rollback the transaction. No need to check error
+   codes since this is rolling back something that blew up. */
+static void rollback(int argc, char **argv)
+{
+	int i;
+
+	for (i = 1; i < argc; i++)
+		security_set_boolean(argv[i],
+				     security_get_boolean_active(argv[i]));
+	exit(1);
+}
+
+int togglesebool_main(int argc, char **argv)
+{
+
+	int rc, i, commit = 0;
+
+	if (is_selinux_enabled() <= 0) {
+		bb_error_msg_and_die("SELinux is disabled");
+	}
+
+	if (argc < 2) {
+		bb_show_usage();
+	}
+
+	for (i = 1; i < argc; i++) {
+		printf("%s: ", argv[i]);
+		rc = security_get_boolean_active(argv[i]);
+		switch (rc) {
+		case 1:
+			if (security_set_boolean(argv[i], 0) >= 0) {
+				printf("inactive\n");
+				commit++;
+			} else {
+				printf("%s - rolling back all changes\n",
+				       strerror(errno));
+				rollback(i, argv);
+			}
+			break;
+		case 0:
+			if (security_set_boolean(argv[i], 1) >= 0) {
+				printf("active\n");
+				commit++;
+			} else {
+				printf("%s - rolling back all changes\n",
+				       strerror(errno));
+				rollback(i, argv);
+			}
+			break;
+		default:
+			if (errno == ENOENT)
+				printf
+				    ("Boolean does not exist - rolling back all changes.\n");
+			else
+				printf("%s - rolling back all changes.\n",
+				       strerror(errno));
+			rollback(i, argv);
+			break;	/* Not reached. */
+		}
+	}
+
+	if (commit > 0) {
+		if (security_commit_booleans() < 0) {
+			printf("Commit failed. (%s)  No change to booleans.\n",
+			       strerror(errno));
+		} else {
+			/* syslog all the changes */
+			struct passwd *pwd = getpwuid(getuid());
+			for (i = 1; i < argc; i++) {
+				if (pwd && pwd->pw_name)
+					syslog(LOG_NOTICE,
+					       "The %s policy boolean was toggled by %s",
+					       argv[i], pwd->pw_name);
+				else
+					syslog(LOG_NOTICE,
+					       "The %s policy boolean was toggled by uid:%d",
+					       argv[i], getuid());
+
+			}
+			return 0;
+		}
+	}
+	return 1;
+}
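Review bot: `rollback()` calls `exit(1)` from inside a helper, so three of the four exit paths of `togglesebool_main()` are hidden in a function whose name does not suggest it terminates the program; let it return and have each caller `return 1`. `getuid()` returns `uid_t`, so the `%d` in the second `syslog()` format should be `%u` with a cast. `syslog()` is used without a preceding `openlog()`, so the log ident is whatever the process default is rather than the applet name, which matters for anyone correlating boolean changes in the audit trail. The comment "Not reached." after `rollback(i, argv)` in the `default:` branch is only true because of the hidden `exit()`.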


* [PATCH 7/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (4 preceding siblings ...)
  2007-01-25 14:44 ` [PATCH 6/8] " KaiGai Kohei
@ 2007-01-25 14:45 ` KaiGai Kohei
       [not found]   ` <200701270050.27149.vda.linux@googlemail.com>
  2007-01-25 14:45 ` [PATCH 8/8] " KaiGai Kohei
                   ` (2 subsequent siblings)
  8 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:45 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[7/8] busybox-libselinux-07-matchpathcon.patch
  matchpathcon - get the default security context for
  the specified path from the file contexts configuration.
  A security context is an identifier for SELinux.
  Every file has its own security context, and SELinux uses it
  to evaluate the attributes of the file.
  When we are setting up a system, we have to attach a security
  context to each file, so we can obtain the most appropriate
  security context by using matchpathcon.

Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: selinux/matchpathcon.c
===================================================================
--- selinux/matchpathcon.c	(revision 0)
+++ selinux/matchpathcon.c	(revision 0)
@@ -0,0 +1,108 @@
+/* matchpathcon  -  get the default security context for the specified
+ *                  path from the file contexts configuration.
+ *                  based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <errno.h>
+#include <string.h>
+#include <selinux/selinux.h>
+#include "busybox.h"
+
+static int printmatchpathcon(char *path, int header)
+{
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
+			strerror(errno));
+		return 1;
+	}
+	if (header)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+
+	freecon(buf);
+	return 0;
+}
+
+#define MATCHPATHCON_OPT_NOT_PRINT	(1<<0)	/* -n */
+#define MATCHPATHCON_OPT_NOT_TRANS	(1<<1)	/* -N */
+#define MATCHPATHCON_OPT_FCONTEXT	(1<<2)	/* -f */
+#define MATCHPATHCON_OPT_PREFIX		(1<<3)	/* -p */
+#define MATCHPATHCON_OPT_VERIFY		(1<<4)	/* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+	int i;
+	int header = 1;
+	int verify = 0;
+	int notrans = 0;
+	int error = 0;
+	unsigned long opts;
+	char *fcontext, *prefix;
+
+	if (argc < 2)
+		bb_show_usage();
+
+	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+	if (opts & BB_GETOPT_ERROR)
+		bb_show_usage();
+	if (opts & MATCHPATHCON_OPT_NOT_PRINT)
+		header = 0;
+	if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
+		notrans = 1;
+		set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+	}
+	if ((opts & MATCHPATHCON_OPT_FCONTEXT) && (opts & MATCHPATHCON_OPT_PREFIX))
+		bb_error_msg_and_die("-f and -p are exclusive");
+
+	if (opts & MATCHPATHCON_OPT_FCONTEXT) {
+		if (matchpathcon_init(fcontext))
+			bb_error_msg_and_die("Error while processing %s: %s",
+					     fcontext, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_PREFIX) {
+		if (matchpathcon_init_prefix(NULL, prefix))
+			bb_error_msg_and_die("Error while processing %s:  %s",
+					     prefix, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_VERIFY)
+		verify = 1;
+
+	for (i = optind; i < argc; i++) {
+		if (verify) {
+			if (selinux_file_context_verify(argv[i], 0)) {
+				printf("%s verified.\n", argv[i]);
+			} else {
+				security_context_t con;
+				int rc;
+				if (notrans)
+					rc = lgetfilecon_raw(argv[i], &con);
+				else
+					rc = lgetfilecon(argv[i], &con);
+
+				if (rc >= 0) {
+					printf("%s has context %s, should be ",
+					       argv[i], con);
+					error += printmatchpathcon(argv[i], 0);
+					freecon(con);
+				} else {
+					printf
+					    ("actual context unknown: %s, should be ",
+					     strerror(errno));
+					error += printmatchpathcon(argv[i], 0);
+				}
+			}
+		} else {
+			error += printmatchpathcon(argv[i], header);
+		}
+	}
+	matchpathcon_fini();
+	return error;
+}
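Review bot: the `argc < 2` check runs before `getopt32()`, so an invocation consisting only of options (for example `matchpathcon -n`) passes it, the `for (i = optind; i < argc; i++)` loop never runs, and the applet exits 0 with no output; after option parsing, call `bb_show_usage()` when `optind >= argc`. `printmatchpathcon()` reports errors with `fprintf(stderr, ...)` while the rest of the applet uses `bb_error_msg*`, so messages are not prefixed consistently. `error` accumulates one per failed path and is returned as the exit status, which wraps past 255 on long argument lists; clamping to 1 would be safer for scripts testing `$?`.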


* [PATCH 8/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (5 preceding siblings ...)
  2007-01-25 14:45 ` [PATCH 7/8] " KaiGai Kohei
@ 2007-01-25 14:45 ` KaiGai Kohei
  2007-01-26 15:29 ` [PATCH 0/8] " KaiGai Kohei
  2007-01-26 19:36 ` Christopher J. PeBenito
  8 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-25 14:45 UTC (permalink / raw)
  To: busybox, selinux; +Cc: rob, dwalsh, russell, busybox


[8/8] busybox-libselinux-08-setenforce.patch
  setenforce - modify the mode SELinux is running in:
  Enforcing or Permissive.

Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>

--
KaiGai Kohei <kaigai@kaigai.gr.jp>


Index: selinux/setenforce.c
===================================================================
--- selinux/setenforce.c	(revision 0)
+++ selinux/setenforce.c	(revision 0)
@@ -0,0 +1,44 @@
+/*
+ * setenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <strings.h>
+#include <selinux/selinux.h>
+
+int setenforce_main(int argc, char **argv)
+{
+	int rc = 0;
+	if (argc != 2) {
+		bb_show_usage();
+	}
+
+	if (is_selinux_enabled() <= 0) {
+		bb_error_msg("SELinux is disabled");
+		return 1;
+	}
+	if (strlen(argv[1]) == 1 && (argv[1][0] == '0' || argv[1][0] == '1')) {
+		rc = security_setenforce(atoi(argv[1]));
+	} else {
+		if (strcasecmp(argv[1], "enforcing") == 0) {
+			rc = security_setenforce(1);
+		} else if (strcasecmp(argv[1], "permissive") == 0) {
+			rc = security_setenforce(0);
+		} else
+			bb_show_usage();
+	}
+	if (rc < 0) {
+		bb_error_msg("setenforce() failed");
+		return 2;
+	}
+	return 0;
+}
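Review bot: `bb_error_msg("setenforce() failed")` loses errno; `security_setenforce()` typically fails with EACCES or EPERM (caller not privileged, or the policy denies the change), which `bb_perror_msg()` would show, and the message should name `security_setenforce()`. Exit codes are inconsistent with getenforce in this series: "SELinux is disabled" returns 1 here while library failures return 2 in both applets. `<ctype.h>`, `<stdio.h>` and `<stdlib.h>` are redundant with "busybox.h".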


* Re: [PATCH 0/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (6 preceding siblings ...)
  2007-01-25 14:45 ` [PATCH 8/8] " KaiGai Kohei
@ 2007-01-26 15:29 ` KaiGai Kohei
  2007-01-29 17:38   ` James Carter
  2007-01-26 19:36 ` Christopher J. PeBenito
  8 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-26 15:29 UTC (permalink / raw)
  To: selinux


It seems to me that patch [1/8] has not been delivered via the SELinux ML
yet, so I am trying to resend it.

Was it filtered?
I believe this patch is not spam. :-)

> [1/8] busybox-libselinux-01-common.patch
>   The common part of libselinux package
>   - modification of Makefile
>   - add '-lselinux', if CONFIG_SELINUX enabled
>     (It was never linked, so we could not build with SELinux
>      support in busybox-1.4.0)
>   - add selinux/Config.in and selinux/Kbuild
>   - add usage.h and applets.h for the series of applets

--
KaiGai Kohei <kaigai@kaigai.gr.jp>



Index: Makefile
===================================================================
--- Makefile	(revision 17485)
+++ Makefile	(working copy)
@@ -442,6 +442,7 @@
 		networking/udhcp/ \
 		procps/ \
 		runit/ \
+		selinux/ \
 		shell/ \
 		sysklogd/ \
 		util-linux/ \
Index: Makefile.flags
===================================================================
--- Makefile.flags	(revision 17485)
+++ Makefile.flags	(working copy)
@@ -34,4 +34,8 @@
 ifeq ($(CONFIG_STATIC),y)
 LDFLAGS += -static
 endif
+
+ifeq ($(CONFIG_SELINUX),y)
+LDFLAGS += -lselinux
+endif
 #LDFLAGS += -nostdlib
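Review bot: `-lselinux` is added to LDFLAGS, which is conventionally expanded before the object files on the link line; with `-static` (enabled by the `CONFIG_STATIC` block just above) a libselinux.a that the linker scans before the objects referencing it contributes no symbols, and the link fails with undefined references to `is_selinux_enabled` and friends. Pass the library after the objects (the variable busybox uses for link libraries, or the final link rule) rather than through LDFLAGS. The cover letter notes that `-lselinux` was never linked in busybox-1.4.0, so this is also the place to state that CONFIG_SELINUX now requires the libselinux development files.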
Index: Config.in
===================================================================
--- Config.in	(revision 17485)
+++ Config.in	(working copy)
@@ -485,3 +485,4 @@
 source shell/Config.in
 source sysklogd/Config.in
 source runit/Config.in
+source selinux/Config.in
Index: selinux/Kbuild
===================================================================
--- selinux/Kbuild	(revision 0)
+++ selinux/Kbuild	(revision 0)
@@ -0,0 +1,15 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+
+lib-y:=
+lib-$(CONFIG_AVCSTAT)		+= avcstat.o
+lib-$(CONFIG_GETENFORCE)	+= getenforce.o
+lib-$(CONFIG_GETSEBOOL)		+= getsebool.o
+lib-$(CONFIG_MATCHPATHCON)	+= matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED)	+= selinuxenabled.o
+lib-$(CONFIG_SETENFORCE)	+= setenforce.o
+lib-$(CONFIG_TOGGLESEBOOL)	+= togglesebool.o
Index: selinux/Config.in
===================================================================
--- selinux/Config.in	(revision 0)
+++ selinux/Config.in	(revision 0)
@@ -0,0 +1,60 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+
+menu "Selinux Utilities"
+
+config AVCSTAT
+	bool "avcstat"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for avcstat command as a SELinux utility.
+
+config GETENFORCE
+	bool "getenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get the current mode of SELinux.
+
+config GETSEBOOL
+	bool "getsebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get SELinux boolean values.
+
+config MATCHPATHCON
+	bool "matchpathcon"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get default security context of the
+	  specified path from the file contexts configuration.
+
+config SELINUXENABLED
+	bool "selinuxenabled"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for this command to be used within shell scripts
+	  to determine if selinux is enabled.
+
+config SETENFORCE
+	bool "setenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to modify the mode SELinux is running in.
+
+config TOGGLESEBOOL
+	bool "togglesebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to flip the current value of a boolean.
+
+endmenu
+
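Review bot: the new file ends with an empty line after `endmenu` (the last `+` line), a trailing-whitespace nit. The `menu "Selinux Utilities"` itself has no `depends on SELINUX`, so with CONFIG_SELINUX off the submenu still appears in menuconfig but is empty; adding `depends on SELINUX` to the menu hides it. The project spells the name "SELinux" elsewhere (the cover letter's `Support NSA Security Enhanced Linux` entry and the applet descriptions), so the menu title should be "SELinux Utilities" and the SELINUXENABLED help text "if SELinux is enabled".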
Index: include/usage.h
===================================================================
--- include/usage.h	(revision 17485)
+++ include/usage.h	(working copy)
@@ -98,6 +98,15 @@
 #define ash_full_usage \
        "The ash shell (command interpreter)"
 
+#define avcstat_trivial_usage \
+	"[-c] [-f status_file] [interval]"
+#define avcstat_full_usage \
+	"Display SELinux AVC statistics.  If the interval parameter is specified, the\n" \
+	"program will loop, displaying updated statistics every 'interval' seconds.\n" \
+	"Relative values are displayed by default. Use the -c option to specify the\n" \
+	"display of cumulative values.  The -f option specifies the location of the\n" \
+	"AVC statistics file, defaulting to '/selinux/avc/cache_stats'."
+
 #define awk_trivial_usage \
        "[OPTION]... [program-text] [FILE ...]"
 #define awk_full_usage \
@@ -1013,6 +1022,9 @@
        "	-6	When using port/proto only search IPv6 space\n" \
        "	-SIGNAL	When used with -k, this signal will be used to kill"
 
+#define getenforce_trivial_usage
+#define getenforce_full_usage
+
 #define getopt_trivial_usage \
        "[OPTIONS]..."
 #define getopt_full_usage \
@@ -1047,6 +1059,11 @@
        " esac\n" \
        "done\n"
 
+#define getsebool_trivial_usage \
+	"-a or getsebool boolean..."
+#define getsebool_full_usage \
+	"-a     Show all SELinux booleans."
+
 #define getty_trivial_usage \
        "[OPTIONS]... baud_rate,... line [termtype]"
 #define getty_full_usage \
@@ -1896,6 +1913,15 @@
        "/dev/hda[0-15]\n"
 #endif
 
+#define matchpathcon_trivial_usage \
+	"[-n] [-N] [-f file_contexts_file] [-p prefix] [-V]"
+#define matchpathcon_full_usage \
+	"\t-n Do not display path.\n" \
+	"\t-N Do not use translations.\n" \
+	"\t-f file_context_file Use alternate file_context file\n" \
+	"\t-p prefix Use prefix to speed translations\n" \
+	"\t-V Verify file context on disk matches defaults"
+
 #define md5sum_trivial_usage \
        "[OPTION] [FILEs...]" \
 	USE_FEATURE_MD5_SHA1_SUM_CHECK("\n   or: md5sum [OPTION] -c [FILE]")
@@ -2718,6 +2744,9 @@
        "$ echo \"foo\" | sed -e 's/f[a-zA-Z]o/bar/g'\n" \
        "bar\n"
 
+#define selinuxenabled_trivial_usage
+#define selinuxenabled_full_usage
+
 #define seq_trivial_usage \
        "[first [increment]] last"
 #define seq_full_usage \
@@ -2735,6 +2764,10 @@
        "\n\nOptions:\n" \
        "	-r	Reset output to /dev/console"
 
+#define setenforce_trivial_usage \
+	"[ Enforcing | Permissive | 1 | 0 ]"
+#define setenforce_full_usage
+
 #define setkeycodes_trivial_usage \
        "SCANCODE KEYCODE ..."
 #define setkeycodes_full_usage \
@@ -3213,6 +3246,10 @@
        "\n\nOptions:\n" \
        "	-v	Display verbose resource usage information"
 
+#define togglesebool_trivial_usage \
+	"boolname1 [boolname2 ...]"
+#define togglesebool_full_usage
+
 #define top_trivial_usage \
        "[-b] [-n count] [-d seconds]"
 #define top_full_usage \
Index: include/applets.h
===================================================================
--- include/applets.h	(revision 17485)
+++ include/applets.h	(working copy)
@@ -59,6 +59,7 @@
 USE_ARP(APPLET(arp, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_ARPING(APPLET(arping, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_ASH(APPLET_NOUSAGE(ash, ash, _BB_DIR_BIN, _BB_SUID_NEVER))
+USE_AVCSTAT(APPLET(avcstat, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_AWK(APPLET(awk, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_BASENAME(APPLET(basename, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_BBCONFIG(APPLET(bbconfig, _BB_DIR_BIN, _BB_SUID_NEVER))
@@ -133,7 +134,9 @@
 USE_FTPGET(APPLET_ODDNAME(ftpget, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpget))
 USE_FTPPUT(APPLET_ODDNAME(ftpput, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpput))
 USE_FUSER(APPLET(fuser, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_GETENFORCE(APPLET(getenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETOPT(APPLET(getopt, _BB_DIR_BIN, _BB_SUID_NEVER))
+USE_GETSEBOOL(APPLET(getsebool, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETTY(APPLET(getty, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_GREP(APPLET(grep, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_GUNZIP(APPLET(gunzip, _BB_DIR_BIN, _BB_SUID_NEVER))
@@ -187,6 +190,7 @@
 USE_LSATTR(APPLET(lsattr, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_LSMOD(APPLET(lsmod, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_UNLZMA(APPLET_ODDNAME(lzmacat, unlzma, _BB_DIR_USR_BIN, _BB_SUID_NEVER, lzmacat))
+USE_MATCHPATHCON(APPLET(matchpathcon, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_MAKEDEVS(APPLET(makedevs, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_MD5SUM(APPLET_ODDNAME(md5sum, md5_sha1_sum, _BB_DIR_USR_BIN, _BB_SUID_NEVER, md5sum))
 USE_MDEV(APPLET(mdev, _BB_DIR_SBIN, _BB_SUID_NEVER))
@@ -249,10 +253,12 @@
 USE_RUNSV(APPLET(runsv, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RUNSVDIR(APPLET(runsvdir, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RX(APPLET(rx, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SEQ(APPLET(seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))
+USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETKEYCODES(APPLET(setkeycodes, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETLOGCONS(APPLET(setlogcons, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETSID(APPLET(setsid, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
@@ -291,6 +297,7 @@
 USE_TFTP(APPLET(tftp, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 #endif
 USE_TIME(APPLET(time, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_TOGGLESEBOOL(APPLET(togglesebool, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_TOP(APPLET(top, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_TOUCH(APPLET(touch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_TR(APPLET(tr, _BB_DIR_USR_BIN, _BB_SUID_NEVER))

^ permalink raw reply	[flat|nested] 19+ messages in thread

* Re: [PATCH 0/8] busybox -- libselinux utilities applets
  2007-01-25 14:35 [PATCH 0/8] busybox -- libselinux utilities applets KaiGai Kohei
                   ` (7 preceding siblings ...)
  2007-01-26 15:29 ` [PATCH 0/8] " KaiGai Kohei
@ 2007-01-26 19:36 ` Christopher J. PeBenito
  2007-01-29 13:31   ` KaiGai Kohei
  8 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-01-26 19:36 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: busybox, selinux, rob, dwalsh, russell, busybox

On Thu, 2007-01-25 at 23:35 +0900, KaiGai Kohei wrote:
> [1/8] busybox-libselinux-01-common.patch
>   The common part of libselinux package
>   - modification of Makefile
>   - add '-lselinux', if CONFIG_SELINUX enabled

Also need -lsepol, otherwise you'll get missing symbols if you compile
it static.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 5/8] busybox -- libselinux utilities applets
  2007-01-25 14:44 ` [PATCH 5/8] " KaiGai Kohei
@ 2007-01-26 20:10   ` Christopher J. PeBenito
  2007-01-29 12:28     ` Russell Coker
  0 siblings, 1 reply; 19+ messages in thread
From: Christopher J. PeBenito @ 2007-01-26 20:10 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: busybox, selinux, rob, dwalsh, russell, busybox

On Thu, 2007-01-25 at 23:44 +0900, KaiGai Kohei wrote:
> [5/8] busybox-libselinux-05-avcstat.patch
>   avcstat reports SELinux AVC(Access Vector Cache) statistics.
>>   AVC is an in-kernel data structure to accelerate SELinux's
>   decision making.

Are you sure this should be added?  It doesn't seem like it would be
used much.  I don't think most people are even aware that you can get
stats on the AVC, much less know what to do with them.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150




* Re: [PATCH 5/8] busybox -- libselinux utilities applets
  2007-01-26 20:10   ` Christopher J. PeBenito
@ 2007-01-29 12:28     ` Russell Coker
  2007-01-29 14:44       ` KaiGai Kohei
  0 siblings, 1 reply; 19+ messages in thread
From: Russell Coker @ 2007-01-29 12:28 UTC (permalink / raw)
  To: Christopher J. PeBenito
  Cc: KaiGai Kohei, busybox, selinux, rob, dwalsh, busybox

On Saturday 27 January 2007 07:10, "Christopher J. PeBenito" 
<cpebenito@tresys.com> wrote:
> On Thu, 2007-01-25 at 23:44 +0900, KaiGai Kohei wrote:
> > [5/8] busybox-libselinux-05-avcstat.patch
> >   avcstat reports SELinux AVC(Access Vector Cache) statistics.
> >   AVC is an in-kernel data structure to accelerate SELinux's
> >   decision making.
>
> Are you sure this should be added?  It doesn't seem like it would be
> used much.  I don't think most people are even aware that you can get
> stats on the AVC, much less know what to do with them.

I agree.  avcstat is used only rarely and only in development.  I don't think 
that it's something we need in production on an iPaQ, for system recovery, or 
in an initramfs - therefore I think it's something that isn't needed in 
busybox.

As for togglesebool, should such a thing even exist?  Before we had setenforce 
we had avc_toggle which was very similar to togglesebool - and it was 
generally regarded that avc_toggle should not exist.

Good work on the busybox development KaiGai, it's something that needed to be 
done for a while.  But I think you were a little over-enthusiastic in regard 
to those two commands.

-- 
russell@coker.com.au
http://etbe.blogspot.com/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development



* Re: [PATCH 0/8] busybox -- libselinux utilities applets
  2007-01-26 19:36 ` Christopher J. PeBenito
@ 2007-01-29 13:31   ` KaiGai Kohei
  0 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-29 13:31 UTC (permalink / raw)
  To: Christopher J. PeBenito
  Cc: busybox, selinux, rob, dwalsh, russell, busybox, vda.linux

[-- Attachment #1: Type: text/plain, Size: 490 bytes --]

Christopher J. PeBenito wrote:
> On Thu, 2007-01-25 at 23:35 +0900, KaiGai Kohei wrote:
>> [1/8] busybox-libselinux-01-common.patch
>>   The common part of libselinux package
>>   - modification of Makefile
>>   - add '-lselinux', if CONFIG_SELINUX enabled
> 
> Also need -lsepol, otherwise you'll get missing symbols if you compile
> it static.

Thanks for the notification.
The fixed patch also links libsepol when CONFIG_SELINUX is enabled.

-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: busybox-libselinux-01-common.v2.patch --]
[-- Type: text/x-patch, Size: 8793 bytes --]

Index: Makefile
===================================================================
--- Makefile	(revision 17485)
+++ Makefile	(working copy)
@@ -442,6 +442,7 @@
 		networking/udhcp/ \
 		procps/ \
 		runit/ \
+		selinux/ \
 		shell/ \
 		sysklogd/ \
 		util-linux/ \
Index: Makefile.flags
===================================================================
--- Makefile.flags	(revision 17485)
+++ Makefile.flags	(working copy)
@@ -34,4 +34,8 @@
 ifeq ($(CONFIG_STATIC),y)
 LDFLAGS += -static
 endif
+
+ifeq ($(CONFIG_SELINUX),y)
+LDFLAGS += -lselinux -lsepol
+endif
 #LDFLAGS += -nostdlib
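Review bot: in the Makefile.flags hunk, `-lselinux -lsepol` are libraries rather than linker flags, and LDFLAGS is normally expanded before the object files on the link line; if this tree's link rule has a variable that is expanded after the objects (LDLIBS or similar), put them there, because with `-static` a library that precedes the objects resolves none of their references. The order of the two is right: libselinux references libsepol, so -lsepol has to follow -lselinux, which is exactly the missing-symbol case Chris reported.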
Index: Config.in
===================================================================
--- Config.in	(revision 17485)
+++ Config.in	(working copy)
@@ -485,3 +485,4 @@
 source shell/Config.in
 source sysklogd/Config.in
 source runit/Config.in
+source selinux/Config.in
Index: selinux/Kbuild
===================================================================
--- selinux/Kbuild	(revision 0)
+++ selinux/Kbuild	(revision 0)
@@ -0,0 +1,15 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+
+lib-y:=
+lib-$(CONFIG_AVCSTAT)		+= avcstat.o
+lib-$(CONFIG_GETENFORCE)	+= getenforce.o
+lib-$(CONFIG_GETSEBOOL)		+= getsebool.o
+lib-$(CONFIG_MATCHPATHCON)	+= matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED)	+= selinuxenabled.o
+lib-$(CONFIG_SETENFORCE)	+= setenforce.o
+lib-$(CONFIG_TOGGLESEBOOL)	+= togglesebool.o
Index: selinux/Config.in
===================================================================
--- selinux/Config.in	(revision 0)
+++ selinux/Config.in	(revision 0)
@@ -0,0 +1,60 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+
+menu "Selinux Utilities"
+
+config AVCSTAT
+	bool "avcstat"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for avcstat command as a SELinux utility.
+
+config GETENFORCE
+	bool "getenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get the current mode of SELinux.
+
+config GETSEBOOL
+	bool "getsebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get SELinux boolean values.
+
+config MATCHPATHCON
+	bool "matchpathcon"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get default security context of the
+	  specified path from the file contexts configuration.
+
+config SELINUXENABLED
+	bool "selinuxenabled"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for this command to be used within shell scripts
+	  to determine if selinux is enabled.
+
+config SETENFORCE
+	bool "setenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to modify the mode SELinux is running in.
+
+config TOGGLESEBOOL
+	bool "togglesebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to flip the current value of a boolean.
+
+endmenu
+
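Review bot: the `menu "Selinux Utilities"` block is not itself gated on SELINUX, so with CONFIG_SELINUX=n the menu still appears, empty; add `depends on SELINUX` on the line after the menu statement, which also makes the seven per-entry `depends on SELINUX` lines redundant (`default n` is the default for a bool and can go as well). The SETENFORCE help should also say what "modify the mode" means for security: switching to Permissive turns mandatory access control off system-wide, with violations only audited. The TOGGLESEBOOL help should say that it flips rather than sets a boolean, the property Russell objects to above.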
Index: include/usage.h
===================================================================
--- include/usage.h	(revision 17485)
+++ include/usage.h	(working copy)
@@ -98,6 +98,15 @@
 #define ash_full_usage \
        "The ash shell (command interpreter)"
 
+#define avcstat_trivial_usage \
+	"[-c] [-f status_file] [interval]"
+#define avcstat_full_usage \
+	"Display SELinux AVC statistics.  If the interval parameter is specified, the\n" \
+	"program will loop, displaying updated statistics every 'interval' seconds.\n" \
+	"Relative values are displayed by default. Use the -c option to specify the\n" \
+	"display of cumulative values.  The -f option specifies the location of the\n" \
+	"AVC statistics file, defaulting to '/selinux/avc/cache_stats'."
+
 #define awk_trivial_usage \
        "[OPTION]... [program-text] [FILE ...]"
 #define awk_full_usage \
@@ -1013,6 +1022,9 @@
        "	-6	When using port/proto only search IPv6 space\n" \
        "	-SIGNAL	When used with -k, this signal will be used to kill"
 
+#define getenforce_trivial_usage
+#define getenforce_full_usage
+
 #define getopt_trivial_usage \
        "[OPTIONS]..."
 #define getopt_full_usage \
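Review bot: both getenforce_trivial_usage and getenforce_full_usage expand to empty strings, so `getenforce --help` prints the bare "Usage: getenforce" line and nothing else; give full_usage one line, e.g. "Print the current SELinux mode: Enforcing, Permissive or Disabled", matching the applet's three outputs.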
@@ -1047,6 +1059,11 @@
        " esac\n" \
        "done\n"
 
+#define getsebool_trivial_usage \
+	"-a or getsebool boolean..."
+#define getsebool_full_usage \
+	"-a     Show all SELinux booleans."
+
 #define getty_trivial_usage \
        "[OPTIONS]... baud_rate,... line [termtype]"
 #define getty_full_usage \
@@ -1896,6 +1913,15 @@
        "/dev/hda[0-15]\n"
 #endif
 
+#define matchpathcon_trivial_usage \
+	"[-n] [-N] [-f file_contexts_file] [-p prefix] [-V]"
+#define matchpathcon_full_usage \
+	"\t-n Do not display path.\n" \
+	"\t-N Do not use translations.\n" \
+	"\t-f file_context_file Use alternate file_context file\n" \
+	"\t-p prefix Use prefix to speed translations\n" \
+	"\t-V Verify file context on disk matches defaults"
+
 #define md5sum_trivial_usage \
        "[OPTION] [FILEs...]" \
 	USE_FEATURE_MD5_SHA1_SUM_CHECK("\n   or: md5sum [OPTION] -c [FILE]")
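Review bot: the matchpathcon synopsis lists only options and omits the positional arguments, so it reads as if the applet took no paths; end it with `path...`. Two things the applet does are also worth stating in full_usage: -f and -p are mutually exclusive (the applet rejects the combination with a usage error), and -V compares the label on disk with the policy default and prints "has context ..., should be ..." for each mismatch, which is the check an administrator runs to find files that were relabeled.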
@@ -2718,6 +2744,9 @@
        "$ echo \"foo\" | sed -e 's/f[a-zA-Z]o/bar/g'\n" \
        "bar\n"
 
+#define selinuxenabled_trivial_usage
+#define selinuxenabled_full_usage
+
 #define seq_trivial_usage \
        "[first [increment]] last"
 #define seq_full_usage \
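Review bot: selinuxenabled's usage macros are both empty, and its Config.in help says it is meant for shell scripts, so the one fact a script author needs, what the exit status means, is documented nowhere in the build; set full_usage to something like "Exit with status 0 if SELinux is enabled, non-zero otherwise".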
@@ -2735,6 +2764,10 @@
        "\n\nOptions:\n" \
        "	-r	Reset output to /dev/console"
 
+#define setenforce_trivial_usage \
+	"[ Enforcing | Permissive | 1 | 0 ]"
+#define setenforce_full_usage
+
 #define setkeycodes_trivial_usage \
        "SCANCODE KEYCODE ..."
 #define setkeycodes_full_usage \
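Review bot: the square brackets in `[ Enforcing | Permissive | 1 | 0 ]` mark the argument as optional, but the applet needs exactly one of the four values; write the synopsis as `Enforcing|Permissive|1|0` (or with braces). full_usage is empty for the one applet in the series that changes a system-wide security state: say that the change takes effect immediately, that 0/Permissive stops mandatory access control and only audits denials, and that it cannot turn on an SELinux that was disabled at boot, so scripts should read the mode back with getenforce rather than assume success.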
@@ -3213,6 +3246,10 @@
        "\n\nOptions:\n" \
        "	-v	Display verbose resource usage information"
 
+#define togglesebool_trivial_usage \
+	"boolname1 [boolname2 ...]"
+#define togglesebool_full_usage
+
 #define top_trivial_usage \
        "[-b] [-n count] [-d seconds]"
 #define top_full_usage \
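Review bot: togglesebool_full_usage is empty, and the synopsis does not say that the command toggles rather than sets: run twice, or from two scripts, it silently restores the previous value, which is the reason Russell questions shipping it at all. If the applet stays, the help should state that it flips the current value and is therefore unsuitable for scripts that need a definite state.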
Index: include/applets.h
===================================================================
--- include/applets.h	(revision 17485)
+++ include/applets.h	(working copy)
@@ -59,6 +59,7 @@
 USE_ARP(APPLET(arp, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_ARPING(APPLET(arping, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_ASH(APPLET_NOUSAGE(ash, ash, _BB_DIR_BIN, _BB_SUID_NEVER))
+USE_AVCSTAT(APPLET(avcstat, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_AWK(APPLET(awk, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_BASENAME(APPLET(basename, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_BBCONFIG(APPLET(bbconfig, _BB_DIR_BIN, _BB_SUID_NEVER))
@@ -133,7 +134,9 @@
 USE_FTPGET(APPLET_ODDNAME(ftpget, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpget))
 USE_FTPPUT(APPLET_ODDNAME(ftpput, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpput))
 USE_FUSER(APPLET(fuser, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_GETENFORCE(APPLET(getenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETOPT(APPLET(getopt, _BB_DIR_BIN, _BB_SUID_NEVER))
+USE_GETSEBOOL(APPLET(getsebool, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETTY(APPLET(getty, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_GREP(APPLET(grep, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_GUNZIP(APPLET(gunzip, _BB_DIR_BIN, _BB_SUID_NEVER))
@@ -187,6 +190,7 @@
 USE_LSATTR(APPLET(lsattr, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_LSMOD(APPLET(lsmod, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_UNLZMA(APPLET_ODDNAME(lzmacat, unlzma, _BB_DIR_USR_BIN, _BB_SUID_NEVER, lzmacat))
+USE_MATCHPATHCON(APPLET(matchpathcon, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_MAKEDEVS(APPLET(makedevs, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_MD5SUM(APPLET_ODDNAME(md5sum, md5_sha1_sum, _BB_DIR_USR_BIN, _BB_SUID_NEVER, md5sum))
 USE_MDEV(APPLET(mdev, _BB_DIR_SBIN, _BB_SUID_NEVER))
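Review bot: `USE_MATCHPATHCON` is inserted before `USE_MAKEDEVS`, but "matchpathcon" sorts after "makedevs" ("mat" > "mak"); applets.h has to stay in alphabetical order because applet lookup by name is a binary search over this table, so a misplaced entry can leave the applet unfindable. Move it to between USE_MAKEDEVS and USE_MD5SUM.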
@@ -249,10 +253,12 @@
 USE_RUNSV(APPLET(runsv, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RUNSVDIR(APPLET(runsvdir, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RX(APPLET(rx, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SEQ(APPLET(seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))
+USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETKEYCODES(APPLET(setkeycodes, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETLOGCONS(APPLET(setlogcons, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETSID(APPLET(setsid, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
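Review bot: same ordering problem here: `USE_SELINUXENABLED` is placed before `USE_SED`, but "selinuxenabled" sorts after "sed" ("sel" > "sed") and before "seq"; move it to between USE_SED and USE_SEQ. The USE_SETENFORCE line, between setconsole and setkeycodes, is in the right place.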
@@ -291,6 +297,7 @@
 USE_TFTP(APPLET(tftp, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 #endif
 USE_TIME(APPLET(time, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_TOGGLESEBOOL(APPLET(togglesebool, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_TOP(APPLET(top, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_TOUCH(APPLET(touch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_TR(APPLET(tr, _BB_DIR_USR_BIN, _BB_SUID_NEVER))


* Re: [PATCH 7/8] busybox -- libselinux utilities applets
       [not found]   ` <200701270050.27149.vda.linux@googlemail.com>
@ 2007-01-29 13:43     ` KaiGai Kohei
  0 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-29 13:43 UTC (permalink / raw)
  To: Denis Vlasenko; +Cc: busybox, selinux, russell, rob, busybox

[-- Attachment #1: Type: text/plain, Size: 4380 bytes --]

Denis,

Thanks for your comments.

Denis Vlasenko wrote:
> On Thursday 25 January 2007 15:45, KaiGai Kohei wrote:
>> [7/8] busybox-libselinux-07-matchpathcon.patch
>>   matchpathcon - get the default security context for
>>   the specified path from the file contexts configuration.
>>   A security context is an identifier in SELinux.
>>   Every file has its own security context, and SELinux uses it
>>   to evaluate the attributes of the file.
>>   When we are setting up a system, we have to attach a security
>>   context to each file, so we can obtain the most appropriate
>>   security context by using matchpathcon.
>>
>> Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>
>>
>> --
>> KaiGai Kohei <kaigai@kaigai.gr.jp>
> 
> 
> --- selinux/matchpathcon.c      (revision 0)
> +++ selinux/matchpathcon.c      (revision 0)
> @@ -0,0 +1,108 @@
> +/* matchpathcon  -  get the default security context for the specified
> + *                  path from the file contexts configuration.
> + *                  based on libselinux-1.32
> + * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
> + *
> + */
> +#include <unistd.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <getopt.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <selinux/selinux.h>
> +#include "busybox.h"

I removed the redundant headers above.

> +
> +static int printmatchpathcon(char *path, int header)
> +{
> +       char *buf;
> +       int rc = matchpathcon(path, 0, &buf);
> +       if (rc < 0) {
> +               fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
> +                       strerror(errno));
> +               return 1;
> +       }
> +       if (header)
> +               printf("%s\t%s\n", path, buf);
> +       else
> +               printf("%s\n", buf);
> +
> +       freecon(buf);
> +       return 0;
> +}
> +
> +#define MATCHPATHCON_OPT_NOT_PRINT     (1<<0)  /* -n */
> +#define MATCHPATHCON_OPT_NOT_TRANS     (1<<1)  /* -N */
> +#define MATCHPATHCON_OPT_FCONTEXT      (1<<2)  /* -f */
> +#define MATCHPATHCON_OPT_PREFIX                (1<<3)  /* -p */
> +#define MATCHPATHCON_OPT_VERIFY                (1<<4)  /* -V */
> +
> +int matchpathcon_main(int argc, char **argv)
> +{
> +       int i;
> +       int header = 1;
> +       int verify = 0;
> +       int notrans = 0;
> +       int error = 0;
> +       unsigned long opts;
> +       char *fcontext, *prefix;
> +
> +       if (argc < 2)
> +               bb_show_usage();
> +
> +       opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
> +       if (opts & BB_GETOPT_ERROR)
> +               bb_show_usage();
> +       if (opts & MATCHPATHCON_OPT_NOT_PRINT)
> +               header = 0;
> +       if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
> +               notrans = 1;
> +               set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
> +       }
> +       if ((opts & MATCHPATHCON_OPT_FCONTEXT) && (opts & MATCHPATHCON_OPT_PREFIX))
> +               bb_error_msg_and_die("-f and -p are exclusive");
> 
> This can be forced by just setting opt_complementary.
> There are a lot of examples in the tree.

The fixed patch uses opt_complementary and omits the unnecessary check, as follows:
          :
     opt_complementary = "?:f--p:p--f";
     opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
          :

> +       if (opts & MATCHPATHCON_OPT_FCONTEXT) {
> +               if (matchpathcon_init(fcontext))
> +                       bb_error_msg_and_die("Error while processing %s: %s",
> 
> "<applet>: Error while...."  -- 'E' should be 'e' (small letter) here
> (and everywhere in bb_[ph]errorXXX)

OK, fixed.

- <snip> -

> Typically I avoid excessive indentation:
> 
>                if (!verify) {
>                        error += printmatchpathcon(argv[i], header);
>                        continue;
>                }
>                ...here entire old "if(verify)" block needs no indent now:
>                if (selinux_file_context_verify(argv[i], 0)) {
>                        printf("%s verified.\n", argv[i]);
>                } else {
>                ....

OK, I changed the code path as follows:

     if (!verify) {
         error += printmatchpathcon(argv[i], header);
         continue;
     }
     if (selinux_file_context_verify(argv[i], 0)) {
         printf("%s verified.\n", argv[i]);
         continue;
     }
         :

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: busybox-libselinux-07-matchpathcon.v2.patch --]
[-- Type: text/x-patch, Size: 2732 bytes --]

Index: selinux/matchpathcon.c
===================================================================
--- selinux/matchpathcon.c	(revision 0)
+++ selinux/matchpathcon.c	(revision 0)
@@ -0,0 +1,98 @@
+/* matchpathcon  -  get the default security context for the specified
+ *                  path from the file contexts configuration.
+ *                  based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+#include <selinux/selinux.h>
+
+static int printmatchpathcon(char *path, int header)
+{
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "matchpathcon(%s) failed: %s\n",
+			path, strerror(errno));
+		return 1;
+	}
+	if (header)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+
+	freecon(buf);
+	return 0;
+}
+
+#define MATCHPATHCON_OPT_NOT_PRINT	(1<<0)	/* -n */
+#define MATCHPATHCON_OPT_NOT_TRANS	(1<<1)	/* -N */
+#define MATCHPATHCON_OPT_FCONTEXT	(1<<2)	/* -f */
+#define MATCHPATHCON_OPT_PREFIX		(1<<3)	/* -p */
+#define MATCHPATHCON_OPT_VERIFY		(1<<4)	/* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+	int i;
+	int header = 1;
+	int verify = 0;
+	int notrans = 0;
+	int error = 0;
+	unsigned long opts;
+	char *fcontext, *prefix;
+
+	if (argc < 2)
+		bb_show_usage();
+
+	opt_complementary = "?:f--p:p--f";
+	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+	if (opts & MATCHPATHCON_OPT_NOT_PRINT)
+		header = 0;
+	if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
+		notrans = 1;
+		set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+	}
+	if (opts & MATCHPATHCON_OPT_FCONTEXT) {
+		if (matchpathcon_init(fcontext))
+			bb_error_msg_and_die("error while processing %s: %s",
+					     fcontext, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_PREFIX) {
+		if (matchpathcon_init_prefix(NULL, prefix))
+			bb_error_msg_and_die("error while processing %s:  %s",
+					     prefix, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_VERIFY)
+		verify = 1;
+
+	for (i = optind; i < argc; i++) {
+		security_context_t con;
+		int rc;
+
+		if (!verify) {
+			error += printmatchpathcon(argv[i], header);
+			continue;
+		}
+
+		if (selinux_file_context_verify(argv[i], 0)) {
+			printf("%s verified.\n", argv[i]);
+			continue;
+		}
+
+		if (notrans)
+			rc = lgetfilecon_raw(argv[i], &con);
+		else
+			rc = lgetfilecon(argv[i], &con);
+
+		if (rc >= 0) {
+			printf("%s has context %s, should be ", argv[i], con);
+			error += printmatchpathcon(argv[i], 0);
+			freecon(con);
+		} else {
+			printf("actual context unknown: %s, should be ", strerror(errno));
+			error += printmatchpathcon(argv[i], 0);
+		}
+	}
+	matchpathcon_fini();
+	return error;
+}
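Review bot: the `if (argc < 2) bb_show_usage();` check runs before getopt32, so `matchpathcon -n` (options, no path) passes it, the loop over argv[optind..] never executes and the applet exits 0 without looking anything up; check `optind >= argc` after getopt32 and show usage there. Smaller points: the "actual context unknown: %s, should be " message drops argv[i], so with several paths the reader cannot tell which file failed (print the path as the "verified." and "has context" lines do); `return error` returns a mismatch count, which the shell sees modulo 256, so 256 mislabeled files exit 0, and `return error ? 1 : 0` is safer for scripts that gate on -V; and printmatchpathcon() could use bb_error_msg() rather than fprintf(stderr, ...) to get the applet-prefixed message Denis asked for in the other error paths.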

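The matchpathcon explanation and the -V code path above leave two things implicit that a practitioner wants to see run: how a file_contexts table turns a path into its default label (when several regexes match, the last entry wins) and how verification compares that default with the label actually on disk. The following is an added example, not code from KaiGai's patch or from libselinux. Its file_contexts entries and its table of "on-disk" labels are constructed sample data standing in for the policy's file_contexts and for lgetfilecon(); <<none>> is modelled as a NULL context, and a path with no default is counted as verified because there is nothing to restore it to, which is this example's choice rather than a rule taken from libselinux.

```c
/* Added example: a model of matchpathcon's lookup and of its "-V" check.
 * Not code from the busybox patch or from libselinux; the file_contexts
 * table and the on-disk labels below are constructed sample data. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

struct fc_entry {
	const char *regex;    /* anchored path regex, as in file_contexts */
	const char *context;  /* default label, or NULL for <<none>> */
};

/* Constructed subset of a file_contexts table. Order matters: like
 * libselinux, fc_lookup() applies the LAST entry whose regex matches. */
static const struct fc_entry file_contexts[] = {
	{ "^/.*$",             "system_u:object_r:default_t:s0" },
	{ "^/etc(/.*)?$",      "system_u:object_r:etc_t:s0" },
	{ "^/etc/shadow.*$",   "system_u:object_r:shadow_t:s0" },
	{ "^/usr/sbin(/.*)?$", "system_u:object_r:bin_t:s0" },
	{ "^/proc(/.*)?$",     NULL },  /* <<none>>: no default label */
};
#define N_FC (sizeof file_contexts / sizeof file_contexts[0])

/* Default context for path: last matching entry wins; NULL if nothing matches
 * or the winner is <<none>>. (libselinux compiles the regexes once, in
 * matchpathcon_init(); compiling per lookup keeps this example short.) */
const char *fc_lookup(const char *path)
{
	const char *result = NULL;
	size_t i;
	for (i = 0; i < N_FC; i++) {
		regex_t re;
		if (regcomp(&re, file_contexts[i].regex, REG_EXTENDED | REG_NOSUB) != 0)
			continue;  /* malformed entry: skip it, never match everything */
		if (regexec(&re, path, 0, NULL, 0) == 0)
			result = file_contexts[i].context;  /* a later match overrides */
		regfree(&re);
	}
	return result;
}

/* Constructed stand-in for lgetfilecon(): the label currently on disk. */
struct disk_label { const char *path; const char *context; };
static const struct disk_label disk[] = {
	{ "/etc/passwd",    "system_u:object_r:etc_t:s0" },
	{ "/etc/shadow",    "system_u:object_r:etc_t:s0" },  /* mislabeled on purpose */
	{ "/usr/sbin/sshd", "system_u:object_r:bin_t:s0" },
	{ "/proc/1/status", "system_u:object_r:proc_t:s0" },
};
#define N_DISK (sizeof disk / sizeof disk[0])

static const char *disk_lookup(const char *path)
{
	size_t i;
	for (i = 0; i < N_DISK; i++)
		if (strcmp(disk[i].path, path) == 0)
			return disk[i].context;
	return NULL;  /* no such file, or lgetfilecon() would have failed */
}

/* The -V check: 1 = on-disk label equals the policy default, 0 = mismatch (what
 * restorecon would fix), -1 = nothing on disk to compare. A path with no default
 * (<<none>> or no match) counts as verified here: this example's choice. */
int fc_verify(const char *path)
{
	const char *actual = disk_lookup(path);
	const char *expect;
	if (actual == NULL)
		return -1;
	expect = fc_lookup(path);
	return expect == NULL ? 1 : strcmp(actual, expect) == 0;
}

/* Report in the applet's -V format; returns how many paths were not verified. */
int verify_report(const char *const *paths, size_t n)
{
	size_t i;
	int bad = 0;
	for (i = 0; i < n; i++) {
		const char *want = fc_lookup(paths[i]);
		int rc = fc_verify(paths[i]);
		if (rc == 1)
			printf("%s verified.\n", paths[i]);
		else if (rc == 0)
			printf("%s has context %s, should be %s\n", paths[i], disk_lookup(paths[i]), want);
		else
			printf("%s: actual context unknown, should be %s\n", paths[i], want ? want : "<<none>>");
		bad += (rc != 1);
	}
	return bad;
}

int main(void)
{
	static const char *const paths[] = { "/etc/passwd", "/etc/shadow",
		"/usr/sbin/sshd", "/proc/1/status", "/var/log/messages" };
	return verify_report(paths, sizeof paths / sizeof paths[0]) ? 1 : 0;
}
```

Run as is, it prints one line per path in the applet's -V format and exits 1 because /etc/shadow carries etc_t instead of shadow_t, which is the property a boot-time or incident-response check keys on. Compiling each regex on every lookup is fine for five entries; a real table has thousands, which is why libselinux compiles them once in matchpathcon_init() and why the applet calls matchpathcon_fini() at the end.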

* Re: [PATCH 2/8] busybox -- libselinux utilities applets
       [not found]   ` <200701270054.34561.vda.linux@googlemail.com>
@ 2007-01-29 13:47     ` KaiGai Kohei
  0 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-29 13:47 UTC (permalink / raw)
  To: Denis Vlasenko; +Cc: busybox, selinux, russell, rob, busybox

[-- Attachment #1: Type: text/plain, Size: 2006 bytes --]

Denis, Thanks for your comments.

The attached patch uses bb_error_msg_and_die() instead of bb_error_msg()
followed by an error exit, and removes the redundant headers.

Thanks,

Denis Vlasenko wrote:
> On Thursday 25 January 2007 15:44, KaiGai Kohei wrote:
>> [2/8] busybox-libselinux-02-getenforce.patch
>>   getenforce - get the current mode of SELinux.
>>   SELinux has two modes. 'Enforcing' is the one in which
>>   mandatory access control is applied based on the security policy.
>>   The other is 'Permissive' mode. It evaluates the
>>   security policy and outputs audit messages if it is violated,
>>   but mandatory access control is not applied. It is used
>>   to debug policy.
>>
>> Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
>> Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>
>>
>> --
>> KaiGai Kohei <kaigai@kaigai.gr.jp>
> 
> --- selinux/getenforce.c        (revision 0)
> +++ selinux/getenforce.c        (revision 0)
> @@ -0,0 +1,40 @@
> +/*
> + * getenforce
> + *
> + * Based on libselinux 1.33.1
> + * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
> + *
> + */
> +
> +#include "busybox.h"
> +#include <unistd.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <selinux/selinux.h>
> +
> +int getenforce_main(int argc, char **argv)
> +{
> +       int rc;
> +
> +       rc = is_selinux_enabled();
> +       if (rc < 0) {
> +               bb_error_msg("is_selinux_enabled() failed");
> +               return 2;
> 
> Will bb_error_msg_and_die work here?
> 
> +       }
> +       if (rc == 1) {
> +               rc = security_getenforce();
> +               if (rc < 0) {
> +                       bb_error_msg("getenforce() failed");
> +                       return 2;
> +               }
> +
> +               if (rc)
> +                       puts("Enforcing");
> +               else
> +                       puts("Permissive");
> +       } else {
> +               puts("Disabled");
> +       }
> +
> +       return 0;
> +}
> 
> 


-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: busybox-libselinux-02-getenforce.v2.patch --]
[-- Type: text/x-patch, Size: 763 bytes --]

Index: selinux/getenforce.c
===================================================================
--- selinux/getenforce.c	(revision 0)
+++ selinux/getenforce.c	(revision 0)
@@ -0,0 +1,34 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+#include <selinux/selinux.h>
+
+int getenforce_main(int argc, char **argv)
+{
+	int rc;
+
+	rc = is_selinux_enabled();
+	if (rc < 0)
+		bb_error_msg_and_die("is_selinux_enabled() failed");
+
+	if (rc == 1) {
+		rc = security_getenforce();
+		if (rc < 0)
+			bb_error_msg_and_die("getenforce() failed");
+
+		if (rc)
+			puts("Enforcing");
+		else
+			puts("Permissive");
+	} else {
+		puts("Disabled");
+	}
+
+	return 0;
+}
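Review bot: replacing `return 2` with bb_error_msg_and_die() changes the failure exit status from 2 to libbb's default of 1, while the three successful outputs all exit 0; if callers should be able to tell "query failed" from "Disabled", keep the distinct code by setting xfunc_error_retval = 2 before the calls (if this tree has it) or keep the explicit returns. Minor: argc and argv are unused, so mark them ATTRIBUTE_UNUSED to keep -Wunused quiet.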

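The getenforce description quoted above (Enforcing, Permissive, Disabled) and the setenforce synopsis `[ Enforcing | Permissive | 1 | 0 ]` in the common patch both come down to one selinuxfs node, `enforce`, which holds the digit 0 or 1: getenforce reads it and setenforce writes it. The following is an added example, not code from the busybox patches or from libselinux. It models is_selinux_enabled(), security_getenforce() and security_setenforce() (the model_* names are this example's) against a constructed selinuxfs directory under /tmp, so the mode logic and its edge cases can be run offline: unparseable node contents are an error rather than "Permissive", and setting a mode while SELinux is disabled is refused, since the node does not exist. Accepting the mode names case-insensitively is an assumption of the example.

```c
/* Added example: a model of the getenforce/setenforce applets, run against a
 * constructed selinuxfs directory. Not code from the busybox patches or from
 * libselinux; the real tools locate the selinuxfs mount and use its "enforce" node. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/stat.h>
#include <unistd.h>

enum se_mode { SE_ERROR = -1, SE_DISABLED = 0, SE_PERMISSIVE = 1, SE_ENFORCING = 2 };

/* Model of is_selinux_enabled(): 1 when a selinuxfs is mounted (here: the
 * enforce node exists), 0 when it is not. */
int model_is_selinux_enabled(const char *selinuxfs)
{
	char p[512];
	struct stat st;
	snprintf(p, sizeof p, "%s/enforce", selinuxfs);
	return stat(p, &st) == 0;
}

/* Model of security_getenforce(): the node holds "0" or "1" (the kernel writes
 * the digit without a newline); anything else is an error, never "permissive". */
int model_security_getenforce(const char *selinuxfs)
{
	char p[512], buf[8] = "";
	FILE *f;
	snprintf(p, sizeof p, "%s/enforce", selinuxfs);
	if ((f = fopen(p, "r")) == NULL)
		return -1;
	if (fgets(buf, sizeof buf, f) == NULL)
		buf[0] = '\0';  /* empty node: not a valid mode */
	fclose(f);
	if ((buf[0] == '0' || buf[0] == '1') && (buf[1] == '\0' || buf[1] == '\n'))
		return buf[0] - '0';
	return -1;
}

/* Model of security_setenforce(): overwrite the node, which must already exist;
 * setenforce cannot enable an SELinux that was disabled at boot. */
int model_security_setenforce(const char *selinuxfs, int value)
{
	char p[512];
	FILE *f;
	snprintf(p, sizeof p, "%s/enforce", selinuxfs);
	if ((value != 0 && value != 1) || (f = fopen(p, "r+")) == NULL)
		return -1;
	fprintf(f, "%d", value);
	fclose(f);
	return 0;
}

/* The getenforce applet's decision, returned instead of printed. */
enum se_mode getenforce_mode(const char *selinuxfs)
{
	int rc;
	if (!model_is_selinux_enabled(selinuxfs))
		return SE_DISABLED;
	rc = model_security_getenforce(selinuxfs);
	return rc < 0 ? SE_ERROR : rc ? SE_ENFORCING : SE_PERMISSIVE;
}

/* setenforce's argument, per "[ Enforcing | Permissive | 1 | 0 ]": 1, 0, or -1.
 * Unknown words are rejected, never mapped to 0; case-insensitive names are an assumption. */
int parse_setenforce_arg(const char *arg)
{
	if (strcmp(arg, "1") == 0 || strcasecmp(arg, "enforcing") == 0)
		return 1;
	if (strcmp(arg, "0") == 0 || strcasecmp(arg, "permissive") == 0)
		return 0;
	return -1;
}

/* Scenario: a constructed selinuxfs under /tmp whose node starts as `initial`
 * (NULL = no node, i.e. SELinux disabled), then an optional setenforce argument,
 * then what getenforce reports. The directory is removed again afterwards. */
enum se_mode scenario(const char *initial, const char *setenforce_arg)
{
	char dir[64], p[512];
	FILE *f;
	enum se_mode m;
	snprintf(dir, sizeof dir, "/tmp/selinuxfs-demo.%ld", (long)getpid());
	if (mkdir(dir, 0700) != 0 && errno != EEXIST)
		return SE_ERROR;
	snprintf(p, sizeof p, "%s/enforce", dir);
	remove(p);
	if (initial != NULL && (f = fopen(p, "w")) != NULL) {
		fputs(initial, f);
		fclose(f);
	}
	if (setenforce_arg != NULL) {
		int v = parse_setenforce_arg(setenforce_arg);
		if (v < 0 || model_security_setenforce(dir, v) != 0)
			fprintf(stderr, "setenforce %s: refused\n", setenforce_arg);
	}
	m = getenforce_mode(dir);
	remove(p);
	rmdir(dir);
	return m;
}
```

scenario("1", "Permissive") returns SE_PERMISSIVE, i.e. what getenforce prints right after a successful setenforce 0, while scenario(NULL, "Enforcing") stays SE_DISABLED because there is no node to write. On a real system the write is the privileged step: the caller's domain needs the setenforce permission on the security class, and a kernel built without CONFIG_SECURITY_SELINUX_DEVELOP refuses it altogether and stays enforcing, which is why a script should read the mode back with getenforce instead of assuming that setenforce succeeded.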

* Re: [PATCH 4/8] busybox -- libselinux utilities applets
       [not found]   ` <200701270059.34996.vda.linux@googlemail.com>
@ 2007-01-29 14:06     ` KaiGai Kohei
       [not found]       ` <20070130092817.GA32212@aon.at>
  0 siblings, 1 reply; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-29 14:06 UTC (permalink / raw)
  To: Denis Vlasenko; +Cc: busybox, selinux, russell, rob, busybox

[-- Attachment #1: Type: text/plain, Size: 2534 bytes --]

Denis, Thanks for your comments.

Denis Vlasenko wrote:
> On Thursday 25 January 2007 15:44, KaiGai Kohei wrote:
>> [4/8] busybox-libselinux-04-getsebool.patch
>>   getsebool reports a particular SELinux boolean
>>   variable, or all of them.
>>   An SELinux boolean variable is an interface for configuring
>>   conditions in the security policy. We can enable or
>>   disable parts of the security policy via boolean
>>   variables.
>>
>> Signed-off-by: Hiroshi Shinji <shiroshi@my.email.ne.jp>
>> Signed-off-by: KaiGai Kohei <kaigai@kaigai.gr.jp>
>>
>> --
>> KaiGai Kohei <kaigai@kaigai.gr.jp>
> 
> --- selinux/getsebool.c (revision 0)
> +++ selinux/getsebool.c (revision 0)
> @@ -0,0 +1,98 @@
> +/*
> + * getsebool
> + *
> + * Based on libselinux 1.33.1
> + * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
> + *
> + */
> +
> +#include "busybox.h"
> +#include <unistd.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <getopt.h>
> +#include <errno.h>
> +#include <string.h>
> +#include <selinux/selinux.h>

I removed the above redundant headers.

> +#define GETSEBOOL_OPT_ALL      1
> +
> +int getsebool_main(int argc, char **argv)
> +{
> +       int i, rc = 0, active, pending, len = 0;
> +       char **names;
> +       unsigned long opt;
> +
> +       opt = getopt32(argc, argv, "a");
> +
> +       if(opt & BB_GETOPT_ERROR) {
> +               bb_show_usage();
> +       }
> 
> Is it needed? I mean, can you give an example where it is needed?

No. The above block is unnecessary.

> +
> +       if (!len) {
> +               if (argc < 2)
> +                       bb_show_usage();
> +               len = argc - 1;
> +               names = malloc(sizeof(char *) * len);
> +               if (!names) {
> +                       bb_error_msg_and_die("out of memory");
> +               }
> 
> xmalloc will do dying for you! :)
> 
> +               for (i = 0; i < len; i++) {
> +                       names[i] = strdup(argv[i + 1]);
> 
> xstrdup. Gotta love busybox. We love to die, and love to get rid
> of useless error paths.

Thanks for the useful information.
I replaced them with xmalloc() and xstrdup().

> +      out:
> +       for (i = 0; i < len; i++)
> +               free(names[i]);
> +       free(names);
> 
> 	Add if (ENABLE_FEATURE_CLEAN_UP) in front of for().

OK, I appended if (ENABLE_FEATURE_CLEAN_UP) { ... } block.

BTW, I found both '#if ENABLE_FEATURE_CLEAN_UP' and 'if (ENABLE_FEATURE_CLEAN_UP)'
in the source tree. Which manner is preferable?

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

[-- Attachment #2: busybox-libselinux-04-getsebool.v2.patch --]
[-- Type: text/x-patch, Size: 1978 bytes --]

Index: selinux/getsebool.c
===================================================================
--- selinux/getsebool.c	(revision 0)
+++ selinux/getsebool.c	(revision 0)
@@ -0,0 +1,83 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+#include <selinux/selinux.h>
+
+#define GETSEBOOL_OPT_ALL	1
+
+int getsebool_main(int argc, char **argv)
+{
+	int i, rc = 0, active, pending, len = 0;
+	char **names;
+	unsigned long opt;
+
+	opt = getopt32(argc, argv, "a");
+
+	if(opt & GETSEBOOL_OPT_ALL) {
+		if (argc > 2)
+			bb_show_usage();
+		if (is_selinux_enabled() <= 0) {
+			bb_error_msg_and_die("SELinux is disabled");
+		}
+		errno = 0;
+		rc = security_get_boolean_names(&names, &len);
+		if (rc) {
+			bb_error_msg_and_die("cannot get boolean names:  %s",
+					     strerror(errno));
+		}
+		if (!len) {
+			printf("No booleans\n");
+			return 0;
+		}
+	}
+
+	if (is_selinux_enabled() <= 0)
+		bb_error_msg_and_die("SELinux is disabled");
+
+	if (!len) {
+		if (argc < 2)
+			bb_show_usage();
+		len = argc - 1;
+		names = xmalloc(sizeof(char *) * len);
+		for (i = 0; i < len; i++)
+			names[i] = xstrdup(argv[i + 1]);
+	}
+
+	for (i = 0; i < len; i++) {
+		active = security_get_boolean_active(names[i]);
+		if (active < 0) {
+			bb_error_msg("error getting active value for %s", names[i]);
+			rc = -1;
+			goto out;
+		}
+		pending = security_get_boolean_pending(names[i]);
+		if (pending < 0) {
+			bb_error_msg("error getting pending value for %s", names[i]);
+			rc = -1;
+			goto out;
+		}
+		if (pending != active) {
+			printf("%s --> %s pending: %s\n", names[i],
+			       (active ? "on" : "off"),
+			       (pending ? "on" : "off"));
+		} else {
+			printf("%s --> %s\n", names[i],
+			       (active ? "on" : "off"));
+		}
+	}
+
+      out:
+	if (ENABLE_FEATURE_CLEAN_UP) {
+		for (i = 0; i < len; i++)
+			free(names[i]);
+		free(names);
+	}
+
+	return rc;
+}
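Review bot: `is_selinux_enabled()` is checked twice on the `-a` path (once inside the `if(opt & GETSEBOOL_OPT_ALL)` block and again right after it); a single check immediately after `getopt32()` covers both paths. Separately, the non-`-a` path takes its operands as `argv[i + 1]` with `len = argc - 1`, which only works because `-a` is the sole option and is refused whenever operands are present; indexing from `optind` (`len = argc - optind; names[i] = xstrdup(argv[optind + i]);`) would not depend on that coincidence. Minor: `rc = -1` is returned from main, which becomes exit status 255; `EXIT_FAILURE` is the usual value.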


* Re: [PATCH 5/8] busybox -- libselinux utilities applets
  2007-01-29 12:28     ` Russell Coker
@ 2007-01-29 14:44       ` KaiGai Kohei
  0 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-29 14:44 UTC (permalink / raw)
  To: russell
  Cc: Christopher J. PeBenito, busybox, selinux, rob, dwalsh, busybox,
	vda.linux

Hi, Thanks for your comments.

Russell Coker wrote:
> On Saturday 27 January 2007 07:10, "Christopher J. PeBenito" 
> <cpebenito@tresys.com> wrote:
>> On Thu, 2007-01-25 at 23:44 +0900, KaiGai Kohei wrote:
>>> [5/8] busybox-libselinux-05-avcstat.patch
>>>   avcstat reports SELinux AVC(Access Vector Cache) statistics.
>>>   AVC is an in-kernel data structure to accelerate SELinux's
>>>   decision making.
>> Are you sure this should be added?  It doesn't seem like it would be
>> used much.  I don't think most people are even aware that you can get
>> stats on the AVC, much less know what to do with them.
> 
> I agree.  avcstat is used only rarely and only in development.  I don't think 
> that it's something we need in production on an iPaQ, for system recovery, or 
> in an initramfs - therefore I think it's something that isn't needed in 
> busybox.
> 
> As for togglesebool, should such a thing even exist?  Before we had setenforce 
> we had avc_toggle which was very similar to togglesebool - and it was 
> generally regarded that avc_toggle should not exist.

Our primary motivation is to port some of the significant SELinux utilities
without any unexpected incompatibility.
Therefore, the series of patches implements all of the libselinux utilities.

But your opinions are persuasive; I can agree to suspend the patches for
avcstat and togglesebool.

Denis, I would like to suspend the 5th and 6th patches for the above reason.

> Good work on the busybox development KaiGai, it's something that needed to be 
> done for a while.  But I think you were a little over-enthusiastic in regard 
> to those two commands.

The list of our works (which includes unsubmitted ones) is here:
   http://code.google.com/p/sebusybox/

We want any comments about its necessity and so on.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: [PATCH 0/8] busybox -- libselinux utilities applets
  2007-01-26 15:29 ` [PATCH 0/8] " KaiGai Kohei
@ 2007-01-29 17:38   ` James Carter
  0 siblings, 0 replies; 19+ messages in thread
From: James Carter @ 2007-01-29 17:38 UTC (permalink / raw)
  To: KaiGai Kohei; +Cc: selinux

On Sat, 2007-01-27 at 00:29 +0900, KaiGai Kohei wrote:
> It seems to me that the patch [1/8] was not delivered via SELinux-ML
> yet, so I try to resend it.
> 
> Was it filtered ?
> I believe this patch is not a spam. :-)

It doesn't seem to have ever reached majordomo.

-- 
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency




* Re: [busybox:00323] Re: [PATCH 4/8] busybox -- libselinux utilities applets
       [not found]       ` <20070130092817.GA32212@aon.at>
@ 2007-01-31 12:13         ` KaiGai Kohei
  0 siblings, 0 replies; 19+ messages in thread
From: KaiGai Kohei @ 2007-01-31 12:13 UTC (permalink / raw)
  To: rep.dot.nop
  Cc: busybox, KaiGai Kohei, Denis Vlasenko, busybox, russell, rob,
	selinux

[-- Attachment #1: Type: text/plain, Size: 3434 bytes --]

Bernhard, Thanks for your comments.

The attached patch fixes the following items:
- avcstat and togglesebool applets were removed
- xis_selinux_enabled() was added at libbb/xfuncs.c
- unnecessary headers were removed.
- bb_error_msg_and_die() + strerror() were replaced
   with bb_perror_msg_and_die()
- "Selinux Utilities" at menuconfig got a dependency on CONFIG_SELINUX
- some cleanups.

>> Index: selinux/getsebool.c
>> ===================================================================
>> --- selinux/getsebool.c	(revision 0)
>> +++ selinux/getsebool.c	(revision 0)
>> @@ -0,0 +1,83 @@
>> +/*
>> + * getsebool
>> + *
>> + * Based on libselinux 1.33.1
>> + * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
>> + *
>> + */
>> +
>> +#include "busybox.h"
>> +#include <selinux/selinux.h>
>> +
>> +#define GETSEBOOL_OPT_ALL	1
>> +
>> +int getsebool_main(int argc, char **argv)
>> +{
>> +	int i, rc = 0, active, pending, len = 0;
>> +	char **names;
>> +	unsigned long opt;
>> +
>> +	opt = getopt32(argc, argv, "a");
>> +
>> +	if(opt & GETSEBOOL_OPT_ALL) {
> 
> missing space after "if"

Fixed, and confirmed a space is placed after any 'if' and 'for'
in front of '('.

>> +		if (argc > 2)
>> +			bb_show_usage();
>> +		if (is_selinux_enabled() <= 0) {
>> +			bb_error_msg_and_die("SELinux is disabled");
> 
> You're doing this alot. Please move this out to a
> int xis_selinux_enabled(void) {
> 	smallint ret = is_selinux_enabled();
> 	if (ret != 1)
> 		bb_error_msg_and_die("SELinux is disabled");
> 	return ret;
> }
> in e.g. libbb/xfuncs.c and use it in your other SElinux applets, too.

I added xis_selinux_enabled() at libbb/xfuncs.c to die if SELinux was
disabled. Some similar implementations are replaced.

>> +		}
>> +		errno = 0;
> 
> hm?

Removed it.

>> +		rc = security_get_boolean_names(&names, &len);
>> +		if (rc) {
> ->+			bb_error_msg_and_die("cannot get boolean names:  %s",
> ->+					     strerror(errno));
> 
> bb_perror_msg_and_die("cannot get boolean name");
> should do too

The combination of bb_error_msg_and_die() and strerror() was replaced
by bb_perror_msg_and_die().

>> +		}
>> +		if (!len) {
>> +			printf("No booleans\n");
> 
> puts smaller?

Agreed. It was replaced with puts().

>> +			return 0;
>> +		}
>> +	}
> 
> See how you didn't use opt much?
> I'd rather say 
> xis_selinux_enabled();
> opt_complementary="-1";/* need at least 1 non-option arg*/
> if (getopt32(argc, argv, "a")) {
> 	rc = security_get_boolean_names(&names, &len);
> 	if (rc ...
> }

When we use '-a' option, any other non-option arguments are
not allowed. Thus, we cannot use the above opt_complementary.

>> +
>> +	if (is_selinux_enabled() <= 0)
>> +		bb_error_msg_and_die("SELinux is disabled");
> 
> That can't be right, no?
> You called security_get_boolean_names() before checking if selinux is
> enabled or not. Does this work?

No, the above security_get_boolean_names() was called after checking
if selinux is enabled or not in the 'if (opt & GETSEBOOL_OPT_ALL) {...}'
block.

> What about removing that is_selinux_enabled block here, move the call to 
> xis_selinux_enabled from the "if(opt & GETSEBOOL_OPT_ALL) {" block to
> below the "if (opt..)" block so you check for enabled only once (before
> get_boolean_nam())

I agree with it.
xis_selinux_enabled() was moved to right after getopt32().
It will be done only once.

Thanks,
-- 
Open Source Software Promotion Center, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: busybox-libselinux.v3.patch --]
[-- Type: text/x-patch, Size: 15404 bytes --]

Index: sebusybox-libselinux-0131/libbb/xfuncs.c
===================================================================
--- sebusybox-libselinux-0131/libbb/xfuncs.c	(revision 17684)
+++ sebusybox-libselinux-0131/libbb/xfuncs.c	(working copy)
@@ -574,6 +574,17 @@
 		bb_perror_msg_and_die("can't stat '%s'", name);
 }
 
+// xis_selinux_enabled() - die if SELinux is disabled.
+void xis_selinux_enabled(void)
+{
+#ifdef CONFIG_SELINUX
+	if (!is_selinux_enabled())
+		bb_error_msg_and_die("SELinux is disabled");
+#else
+	bb_error_msg_and_die("SELinux support is disabled");
+#endif
+}
+
 /* It is perfectly ok to pass in a NULL for either width or for
  * height, in which case that value will not be set.  */
 int get_terminal_width_height(const int fd, int *width, int *height)
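Review bot: `if (!is_selinux_enabled())` only dies on a return of 0, but `is_selinux_enabled()` also returns -1 on error, and `!(-1)` is false, so an error is silently treated as "enabled" and callers such as getsebool go on to call the `security_*` functions. The version sketched earlier in the thread used `if (ret != 1)`, which handles both cases; please use that form. Style: this file uses `/* */` comments rather than `//`.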
Index: sebusybox-libselinux-0131/Makefile
===================================================================
--- sebusybox-libselinux-0131/Makefile	(revision 17684)
+++ sebusybox-libselinux-0131/Makefile	(working copy)
@@ -442,6 +442,7 @@
 		networking/udhcp/ \
 		procps/ \
 		runit/ \
+		selinux/ \
 		shell/ \
 		sysklogd/ \
 		util-linux/ \
Index: sebusybox-libselinux-0131/include/libbb.h
===================================================================
--- sebusybox-libselinux-0131/include/libbb.h	(revision 17684)
+++ sebusybox-libselinux-0131/include/libbb.h	(working copy)
@@ -571,6 +571,7 @@
 extern void renew_current_security_context(void);
 extern void set_current_security_context(security_context_t sid);
 #endif
+extern void xis_selinux_enabled(void);
 extern int restricted_shell(const char *shell);
 extern void setup_environment(const char *shell, int loginshell, int changeenv, const struct passwd *pw);
 extern int correct_password(const struct passwd *pw);
Index: sebusybox-libselinux-0131/include/usage.h
===================================================================
--- sebusybox-libselinux-0131/include/usage.h	(revision 17684)
+++ sebusybox-libselinux-0131/include/usage.h	(working copy)
@@ -1013,6 +1013,9 @@
        "	-6	When using port/proto only search IPv6 space\n" \
        "	-SIGNAL	When used with -k, this signal will be used to kill"
 
+#define getenforce_trivial_usage
+#define getenforce_full_usage
+
 #define getopt_trivial_usage \
        "[OPTIONS]..."
 #define getopt_full_usage \
@@ -1047,6 +1050,11 @@
        " esac\n" \
        "done\n"
 
+#define getsebool_trivial_usage \
+	"-a or getsebool boolean..."
+#define getsebool_full_usage \
+	"-a     Show all SELinux booleans."
+
 #define getty_trivial_usage \
        "[OPTIONS]... baud_rate,... line [termtype]"
 #define getty_full_usage \
@@ -1896,6 +1904,15 @@
        "/dev/hda[0-15]\n"
 #endif
 
+#define matchpathcon_trivial_usage \
+	"[-n] [-N] [-f file_contexts_file] [-p prefix] [-V]"
+#define matchpathcon_full_usage \
+	"\t-n Do not display path.\n" \
+	"\t-N Do not use translations.\n" \
+	"\t-f file_context_file Use alternate file_context file\n" \
+	"\t-p prefix Use prefix to speed translations\n" \
+	"\t-V Verify file context on disk matches defaults"
+
 #define md5sum_trivial_usage \
        "[OPTION] [FILEs...]" \
 	USE_FEATURE_MD5_SHA1_SUM_CHECK("\n   or: md5sum [OPTION] -c [FILE]")
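Review bot: the trivial usage `[-n] [-N] [-f file_contexts_file] [-p prefix] [-V]` lists only options, but the applet requires at least one path operand (it exits via `bb_show_usage()` when `argc < 2` and walks `argv[optind..]`); append `path...` so the synopsis matches. The existing entries in this file indent option lines with a literal tab inside the string (see the `-6` line above), whereas these use `\t`; harmless but inconsistent.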
@@ -2714,6 +2731,9 @@
        "$ echo \"foo\" | sed -e 's/f[a-zA-Z]o/bar/g'\n" \
        "bar\n"
 
+#define selinuxenabled_trivial_usage
+#define selinuxenabled_full_usage
+
 #define seq_trivial_usage \
        "[first [increment]] last"
 #define seq_full_usage \
@@ -2731,6 +2751,10 @@
        "\n\nOptions:\n" \
        "	-r	Reset output to /dev/console"
 
+#define setenforce_trivial_usage \
+	"[ Enforcing | Permissive | 1 | 0 ]"
+#define setenforce_full_usage
+
 #define setkeycodes_trivial_usage \
        "SCANCODE KEYCODE ..."
 #define setkeycodes_full_usage \
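Review bot: the square brackets in `[ Enforcing | Permissive | 1 | 0 ]` mark the argument as optional, but `setenforce_main` exits with usage unless exactly one argument is given (`argc != 2`); write it as `Enforcing | Permissive | 1 | 0`. `setenforce_full_usage` is empty, so the help text says nothing about what the values mean; one line each for `Enforcing`/`1` and `Permissive`/`0` would help.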
Index: sebusybox-libselinux-0131/include/applets.h
===================================================================
--- sebusybox-libselinux-0131/include/applets.h	(revision 17684)
+++ sebusybox-libselinux-0131/include/applets.h	(working copy)
@@ -133,7 +133,9 @@
 USE_FTPGET(APPLET_ODDNAME(ftpget, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpget))
 USE_FTPPUT(APPLET_ODDNAME(ftpput, ftpgetput, _BB_DIR_USR_BIN, _BB_SUID_NEVER,ftpput))
 USE_FUSER(APPLET(fuser, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_GETENFORCE(APPLET(getenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETOPT(APPLET(getopt, _BB_DIR_BIN, _BB_SUID_NEVER))
+USE_GETSEBOOL(APPLET(getsebool, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_GETTY(APPLET(getty, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_GREP(APPLET(grep, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_GUNZIP(APPLET(gunzip, _BB_DIR_BIN, _BB_SUID_NEVER))
@@ -187,6 +189,7 @@
 USE_LSATTR(APPLET(lsattr, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_LSMOD(APPLET(lsmod, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_UNLZMA(APPLET_ODDNAME(lzmacat, unlzma, _BB_DIR_USR_BIN, _BB_SUID_NEVER, lzmacat))
+USE_MATCHPATHCON(APPLET(matchpathcon, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_MAKEDEVS(APPLET(makedevs, _BB_DIR_SBIN, _BB_SUID_NEVER))
 USE_MD5SUM(APPLET_ODDNAME(md5sum, md5_sha1_sum, _BB_DIR_USR_BIN, _BB_SUID_NEVER, md5sum))
 USE_MDEV(APPLET(mdev, _BB_DIR_SBIN, _BB_SUID_NEVER))
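Review bot: `USE_MATCHPATHCON(...)` is inserted before `USE_MAKEDEVS(...)`, but `makedevs` sorts before `matchpathcon`. This table must stay in alphabetical order by applet name because applet lookup does a binary search on it, so a misplaced entry makes `matchpathcon` (and possibly its neighbours) unfindable at runtime. Move it to after the `makedevs` line.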
@@ -249,10 +252,12 @@
 USE_RUNSV(APPLET(runsv, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RUNSVDIR(APPLET(runsvdir, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_RX(APPLET(rx, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
+USE_SELINUXENABLED(APPLET(selinuxenabled, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SED(APPLET(sed, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SEQ(APPLET(seq, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETARCH(APPLET(setarch, _BB_DIR_BIN, _BB_SUID_NEVER))
 USE_SETCONSOLE(APPLET(setconsole, _BB_DIR_SBIN, _BB_SUID_NEVER))
+USE_SETENFORCE(APPLET(setenforce, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETKEYCODES(APPLET(setkeycodes, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
 USE_SETLOGCONS(APPLET(setlogcons, _BB_DIR_USR_SBIN, _BB_SUID_NEVER))
 USE_SETSID(APPLET(setsid, _BB_DIR_USR_BIN, _BB_SUID_NEVER))
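Review bot: same ordering problem here: `selinuxenabled` sorts after `sed` and before `seq`, so `USE_SELINUXENABLED(...)` belongs between the `sed` and `seq` lines, not before `sed`. The `setenforce` entry between `setconsole` and `setkeycodes` is in the right place.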
Index: sebusybox-libselinux-0131/selinux/getenforce.c
===================================================================
--- sebusybox-libselinux-0131/selinux/getenforce.c	(revision 0)
+++ sebusybox-libselinux-0131/selinux/getenforce.c	(revision 0)
@@ -0,0 +1,33 @@
+/*
+ * getenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int getenforce_main(int argc, char **argv)
+{
+	int rc;
+
+	rc = is_selinux_enabled();
+	if (rc < 0)
+		bb_error_msg_and_die("is_selinux_enabled() failed");
+
+	if (rc == 1) {
+		rc = security_getenforce();
+		if (rc < 0)
+			bb_error_msg_and_die("getenforce() failed");
+
+		if (rc)
+			puts("Enforcing");
+		else
+			puts("Permissive");
+	} else {
+		puts("Disabled");
+	}
+
+	return 0;
+}
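Review bot: the error text `"getenforce() failed"` names a function that is not the one called (`security_getenforce()`). Since this revision switched getsebool.c and setenforce.c to `bb_perror_msg_and_die()` for libselinux failures, doing the same here would name the right call and carry the errno reason.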
Index: sebusybox-libselinux-0131/selinux/selinuxenabled.c
===================================================================
--- sebusybox-libselinux-0131/selinux/selinuxenabled.c	(revision 0)
+++ sebusybox-libselinux-0131/selinux/selinuxenabled.c	(revision 0)
@@ -0,0 +1,13 @@
+/*
+ * selinuxenabled
+ * 
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+#include "busybox.h"
+
+int selinuxenabled_main(int argc, char **argv)
+{
+	return !is_selinux_enabled();
+}
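Review bot: `return !is_selinux_enabled();` maps the -1 error return to exit status 0, i.e. "enabled", so a script that gates SELinux-specific steps on this applet takes the enabled path even when libselinux could not determine the state at all. `return is_selinux_enabled() != 1;` keeps 0 for enabled and non-zero for both disabled and error.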
Index: sebusybox-libselinux-0131/selinux/getsebool.c
===================================================================
--- sebusybox-libselinux-0131/selinux/getsebool.c	(revision 0)
+++ sebusybox-libselinux-0131/selinux/getsebool.c	(revision 0)
@@ -0,0 +1,73 @@
+/*
+ * getsebool
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+#define GETSEBOOL_OPT_ALL	1
+
+int getsebool_main(int argc, char **argv)
+{
+	int i, rc = 0, active, pending, len = 0;
+	char **names;
+	unsigned long opt;
+
+	opt = getopt32(argc, argv, "a");
+
+	xis_selinux_enabled();
+
+	if (opt & GETSEBOOL_OPT_ALL) {
+		if (argc > 2)
+			bb_show_usage();
+
+		rc = security_get_boolean_names(&names, &len);
+		if (rc)
+			bb_perror_msg_and_die("cannot get boolean names: ");
+
+		if (!len) {
+			puts("No booleans");
+			return 0;
+		}
+	}
+
+	if (!len) {
+		if (argc < 2)
+			bb_show_usage();
+		len = argc - 1;
+		names = xmalloc(sizeof(char *) * len);
+		for (i = 0; i < len; i++)
+			names[i] = xstrdup(argv[i + 1]);
+	}
+
+	for (i = 0; i < len; i++) {
+		active = security_get_boolean_active(names[i]);
+		if (active < 0) {
+			bb_error_msg("error getting active value for %s", names[i]);
+			rc = -1;
+			goto out;
+		}
+		pending = security_get_boolean_pending(names[i]);
+		if (pending < 0) {
+			bb_error_msg("error getting pending value for %s", names[i]);
+			rc = -1;
+			goto out;
+		}
+		printf("%s --> %s", names[i], (active ? "on" : "off"));
+		if (pending != active)
+			printf(" pending: %s", (pending ? "on" : "off"));
+		putchar('\n');
+	}
+
+      out:
+	if (ENABLE_FEATURE_CLEAN_UP) {
+		for (i = 0; i < len; i++)
+			free(names[i]);
+		free(names);
+	}
+
+	return rc;
+}
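Review bot: `bb_perror_msg_and_die("cannot get boolean names: ")` already appends `": <strerror>"` itself, so the trailing colon and space in the format produce `cannot get boolean names: : <reason>`; drop them. The operand handling still indexes `argv[i + 1]` with `len = argc - 1`, which works only because `-a` is the only option and is refused when operands are present; `argc - optind` and `argv[optind + i]` would make that explicit. The `rc = -1` set on a per-boolean failure becomes exit status 255 from main; `EXIT_FAILURE` would be more conventional.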
Index: sebusybox-libselinux-0131/selinux/Kbuild
===================================================================
--- sebusybox-libselinux-0131/selinux/Kbuild	(revision 0)
+++ sebusybox-libselinux-0131/selinux/Kbuild	(revision 0)
@@ -0,0 +1,13 @@
+# Makefile for busybox
+#
+# Copyright (C) 1999-2005 by Erik Andersen <andersen@codepoet.org>
+# Copyright (C) 2007 by KaiGai Kohei <kaigai@kaigai.gr.jp>
+#
+# Licensed under the GPL v2, see the file LICENSE in this tarball.
+
+lib-y:=
+lib-$(CONFIG_GETENFORCE)	+= getenforce.o
+lib-$(CONFIG_GETSEBOOL)		+= getsebool.o
+lib-$(CONFIG_MATCHPATHCON)	+= matchpathcon.o
+lib-$(CONFIG_SELINUXENABLED)	+= selinuxenabled.o
+lib-$(CONFIG_SETENFORCE)	+= setenforce.o
Index: sebusybox-libselinux-0131/selinux/Config.in
===================================================================
--- sebusybox-libselinux-0131/selinux/Config.in	(revision 0)
+++ sebusybox-libselinux-0131/selinux/Config.in	(revision 0)
@@ -0,0 +1,47 @@
+#
+# For a description of the syntax of this configuration file,
+# see scripts/kbuild/config-language.txt.
+#
+
+menu "Selinux Utilities"
+	depends on SELINUX
+
+config GETENFORCE
+	bool "getenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get the current mode of SELinux.
+
+config GETSEBOOL
+	bool "getsebool"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get SELinux boolean values.
+
+config MATCHPATHCON
+	bool "matchpathcon"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to get default security context of the
+	  specified path from the file contexts configuration.
+
+config SELINUXENABLED
+	bool "selinuxenabled"
+	default n
+	depends on SELINUX
+	help
+	  Enable support for this command to be used within shell scripts
+	  to determine if selinux is enabled.
+
+config SETENFORCE
+	bool "setenforce"
+	default n
+	depends on SELINUX
+	help
+	  Enable support to modify the mode SELinux is running in.
+
+endmenu
+
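Review bot: the `depends on SELINUX` on each config entry repeats the menu-level `depends on SELINUX` at the top and can be dropped; the menu dependency already hides every entry when SELINUX is off. The final `+` line adds a trailing blank line at end of file.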
Index: sebusybox-libselinux-0131/selinux/matchpathcon.c
===================================================================
--- sebusybox-libselinux-0131/selinux/matchpathcon.c	(revision 0)
+++ sebusybox-libselinux-0131/selinux/matchpathcon.c	(revision 0)
@@ -0,0 +1,98 @@
+/* matchpathcon  -  get the default security context for the specified
+ *                  path from the file contexts configuration.
+ *                  based on libselinux-1.32
+ * Port to busybox: KaiGai Kohei <kaigai@kaigai.gr.jp>
+ *
+ */
+#include "busybox.h"
+
+static int printmatchpathcon(char *path, int header)
+{
+	char *buf;
+	int rc = matchpathcon(path, 0, &buf);
+	if (rc < 0) {
+		fprintf(stderr, "matchpathcon(%s) failed: %s\n",
+			path, strerror(errno));
+		return 1;
+	}
+	if (header)
+		printf("%s\t%s\n", path, buf);
+	else
+		printf("%s\n", buf);
+
+	freecon(buf);
+	return 0;
+}
+
+#define MATCHPATHCON_OPT_NOT_PRINT	(1<<0)	/* -n */
+#define MATCHPATHCON_OPT_NOT_TRANS	(1<<1)	/* -N */
+#define MATCHPATHCON_OPT_FCONTEXT	(1<<2)	/* -f */
+#define MATCHPATHCON_OPT_PREFIX		(1<<3)	/* -p */
+#define MATCHPATHCON_OPT_VERIFY		(1<<4)	/* -V */
+
+int matchpathcon_main(int argc, char **argv)
+{
+	int i;
+	int header = 1;
+	int verify = 0;
+	int notrans = 0;
+	int error = 0;
+	unsigned long opts;
+	char *fcontext, *prefix;
+
+	if (argc < 2)
+		bb_show_usage();
+
+	opt_complementary = "?:f--p:p--f";
+	opts = getopt32(argc, argv, "nNf:p:V", &fcontext, &prefix);
+
+	if (opts & MATCHPATHCON_OPT_NOT_PRINT)
+		header = 0;
+	if (opts & MATCHPATHCON_OPT_NOT_TRANS) {
+		notrans = 1;
+		set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+	}
+	if (opts & MATCHPATHCON_OPT_FCONTEXT) {
+		if (matchpathcon_init(fcontext))
+			bb_error_msg_and_die("error while processing %s: %s",
+					     fcontext, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_PREFIX) {
+		if (matchpathcon_init_prefix(NULL, prefix))
+			bb_error_msg_and_die("error while processing %s:  %s",
+					     prefix, errno ? strerror(errno) : "invalid");
+	}
+	if (opts & MATCHPATHCON_OPT_VERIFY)
+		verify = 1;
+
+	for (i = optind; i < argc; i++) {
+		security_context_t con;
+		int rc;
+
+		if (!verify) {
+			error += printmatchpathcon(argv[i], header);
+			continue;
+		}
+
+		if (selinux_file_context_verify(argv[i], 0)) {
+			printf("%s verified.\n", argv[i]);
+			continue;
+		}
+
+		if (notrans)
+			rc = lgetfilecon_raw(argv[i], &con);
+		else
+			rc = lgetfilecon(argv[i], &con);
+
+		if (rc >= 0) {
+			printf("%s has context %s, should be ", argv[i], con);
+			error += printmatchpathcon(argv[i], 0);
+			freecon(con);
+		} else {
+			printf("actual context unknown: %s, should be ", strerror(errno));
+			error += printmatchpathcon(argv[i], 0);
+		}
+	}
+	matchpathcon_fini();
+	return error;
+}
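Review bot: `printmatchpathcon()` reports failures with `fprintf(stderr, ...strerror(errno))`, while the rest of this revision uses `bb_perror_msg()`/`bb_perror_msg_and_die()`; `bb_perror_msg("matchpathcon(%s) failed", path)` gives the same output with the applet-name prefix and less code, and the two `bb_error_msg_and_die(... errno ? strerror(errno) : "invalid")` calls could likewise become `bb_perror_msg_and_die()`. The `argc < 2` check runs before `getopt32()`, so `matchpathcon -n` (options only, no path) passes the check, iterates zero times and exits 0 with no output; check `optind < argc` after option parsing instead, or use `opt_complementary` to require at least one operand.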
Index: sebusybox-libselinux-0131/selinux/setenforce.c
===================================================================
--- sebusybox-libselinux-0131/selinux/setenforce.c	(revision 0)
+++ sebusybox-libselinux-0131/selinux/setenforce.c	(revision 0)
@@ -0,0 +1,33 @@
+/*
+ * setenforce
+ *
+ * Based on libselinux 1.33.1
+ * Port to BusyBox  Hiroshi Shinji <shiroshi@my.email.ne.jp>
+ *
+ */
+
+#include "busybox.h"
+
+int setenforce_main(int argc, char **argv)
+{
+	int rc = 0;
+	if (argc != 2)
+		bb_show_usage();
+
+	xis_selinux_enabled();
+
+	if ((argv[1][0] == '0' || argv[1][0] == '1') && argv[1][1] == '\0') {
+		rc = security_setenforce(atoi(argv[1]));
+	} else {
+		if (strcasecmp(argv[1], "enforcing") == 0) {
+			rc = security_setenforce(1);
+		} else if (strcasecmp(argv[1], "permissive") == 0) {
+			rc = security_setenforce(0);
+		} else
+			bb_show_usage();
+	}
+	if (rc < 0)
+		bb_perror_msg_and_die("setenforce() failed : ");
+
+	return 0;
+}
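Review bot: `bb_perror_msg_and_die("setenforce() failed : ")` already appends the errno text after a colon, so the literal ` : ` in the format doubles it; `bb_perror_msg_and_die("security_setenforce() failed")` also names the call actually made. Since the `'0'`/`'1'` branch has already validated a single digit, `argv[1][0] - '0'` avoids the `atoi()` call.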
Index: sebusybox-libselinux-0131/Makefile.flags
===================================================================
--- sebusybox-libselinux-0131/Makefile.flags	(revision 17684)
+++ sebusybox-libselinux-0131/Makefile.flags	(working copy)
@@ -54,4 +54,8 @@
 ifeq ($(CONFIG_STATIC),y)
 LDFLAGS += -static
 endif
+
+ifeq ($(CONFIG_SELINUX),y)
+LDFLAGS += -lselinux -lsepol
+endif
 #LDFLAGS += -nostdlib
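Review bot: this adds `-lsepol` as well as `-lselinux`, but the cover letter only mentioned `-lselinux` and none of the applets in this series call libsepol directly. If it is there for static linking (libselinux pulling in libsepol symbols), say so in a comment; otherwise drop it so non-static builds do not pick up an unneeded dependency.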
Index: sebusybox-libselinux-0131/Config.in
===================================================================
--- sebusybox-libselinux-0131/Config.in	(revision 17684)
+++ sebusybox-libselinux-0131/Config.in	(working copy)
@@ -493,3 +493,4 @@
 source shell/Config.in
 source sysklogd/Config.in
 source runit/Config.in
+source selinux/Config.in
