Second patch on systemd.

[Daniel J Walsh <dwalsh@redhat.com>]

[-- Attachment #1: Type: text/plain, Size: 496 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This one is intended to handle labeling of directories if they do not
exist. As well as add use_selinux() function to determine is selinux is
enabled, and not do stuff if it is disabled.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEUEARECAAYFAkxJoiUACgkQrlYvE4MpobNa5wCg2/i63NszDUOvHyhmMdyNkkNE
JLcAmMAyIHNFOUWNrBqEuM7JaxjleLU=
=/UUh
-----END PGP SIGNATURE-----

[-- Attachment #2: systemd-selinux2.patch --]
[-- Type: text/plain, Size: 4906 bytes --]

diff --git a/src/main.c b/src/main.c
index 964bb9c..841caa5 100644
--- a/src/main.c
+++ b/src/main.c
@@ -31,6 +31,7 @@
 #include <signal.h>
 #include <sys/wait.h>
 #include <fcntl.h>
+#include <selinux/selinux.h>
 
 #include "manager.h"
 #include "log.h"
@@ -857,6 +858,14 @@ int main(int argc, char *argv[]) {
                 if (mount_setup() < 0)
                         goto finish;
 
+	if (use_selinux()) {
+		r = matchpathcon_init(NULL);
+		if (r < 0 && security_getenforce() == 1) {
+			log_error("Failed to initialize SELinux Context ");
+			goto finish;
+		}
+	}
+
         /* Reset all signal handlers. */
         assert_se(reset_all_signal_handlers() == 0);
 
@@ -1049,6 +1058,9 @@ int main(int argc, char *argv[]) {
         }
 
 finish:
+	if (use_selinux())
+		matchpathcon_fini();
+
         if (m)
                 manager_free(m);
 
diff --git a/src/socket-util.c b/src/socket-util.c
index 3a00fcf..3eea4f3 100644
--- a/src/socket-util.c
+++ b/src/socket-util.c
@@ -316,7 +316,7 @@ int socket_address_listen(
         if ((r = socket_address_verify(a)) < 0)
                 return r;
 
-        if (setsockcreatecon(scon) < 0) {
+        if (use_selinux() && setsockcreatecon(scon) < 0) {
                 log_error("Failed to set SELinux context (%s) on socket: %m", scon);
                 if (security_getenforce() == 1)
                         return -errno;
@@ -325,7 +325,8 @@ int socket_address_listen(
         fd = socket(socket_address_family(a), a->type | SOCK_NONBLOCK | SOCK_CLOEXEC, 0);
         r = fd < 0 ? -errno : 0;
 
-        setsockcreatecon(NULL);
+	if (use_selinux())
+		setsockcreatecon(NULL);
 
         if (r < 0)
                 return r;
diff --git a/src/socket.c b/src/socket.c
index 82a9348..9a64317 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -711,8 +711,8 @@ static int fifo_address_create(
 
         mkdir_parents(path, directory_mode);
 
-        if (scon) {
-                if (scon && ((r = selinux_getfileconfrompath(scon, path, "fifo_file", &filecon)) == 0)) {
+        if (use_selinux() && scon) {
+                if (((r = selinux_getfileconfrompath(scon, path, "fifo_file", &filecon)) == 0)) {
                         r = setfscreatecon(filecon);
 
                         if (r < 0) {
@@ -746,7 +746,8 @@ static int fifo_address_create(
                 goto fail;
         }
 
-        setfscreatecon(NULL);
+	if (use_selinux()) 
+		setfscreatecon(NULL);
 
         if (fstat(fd, &st) < 0) {
                 r = -errno;
diff --git a/src/util.c b/src/util.c
index da8a6c3..8a2fbbc 100644
--- a/src/util.c
+++ b/src/util.c
@@ -48,6 +48,7 @@
 #include <pwd.h>
 #include <netinet/ip.h>
 #include <linux/kd.h>
+#include <selinux/selinux.h>
 
 #include "macro.h"
 #include "util.h"
@@ -56,6 +57,45 @@
 #include "log.h"
 #include "strv.h"
 
+static int use_selinux_ind = -1;
+
+inline int use_selinux(void) {
+	if (use_selinux_ind == -1) 
+		use_selinux_ind = (is_selinux_enabled() == 1);
+	return use_selinux_ind;
+}
+
+static int mkdir_selinux(
+	const char *path, 
+	mode_t mode) {
+
+	int r;
+	security_context_t fcon = NULL;
+
+	if (use_selinux()) {
+		r = matchpathcon(path, S_IFDIR, &fcon);
+		if (r == 0) 
+			r = setfscreatecon(fcon);
+	
+		if (r < 0) {
+			log_error("Failed to set security context %s for %s", fcon, path);
+		
+			if (security_getenforce() == 1) 
+				goto finish;
+		}
+	}
+
+	r = mkdir(path, mode);
+
+finish:
+	if (use_selinux()) {
+		setfscreatecon(NULL);
+		freecon(fcon);
+	}
+
+	return r;
+}
+
 bool streq_ptr(const char *a, const char *b) {
 
         /* Like streq(), but tries to make sense of NULL pointers */
@@ -969,7 +1009,7 @@ char *file_in_same_dir(const char *path, const char *filename) {
 int safe_mkdir(const char *path, mode_t mode, uid_t uid, gid_t gid) {
         struct stat st;
 
-        if (mkdir(path, mode) >= 0)
+        if (mkdir_selinux(path, mode) >= 0)
                 if (chmod_and_chown(path, mode, uid, gid) < 0)
                         return -errno;
 
@@ -1012,7 +1052,7 @@ int mkdir_parents(const char *path, mode_t mode) {
                 if (!(t = strndup(path, e - path)))
                         return -ENOMEM;
 
-                r = mkdir(t, mode);
+                r = mkdir_selinux(t, mode);
                 free(t);
 
                 if (r < 0 && errno != EEXIST)
@@ -1028,7 +1068,7 @@ int mkdir_p(const char *path, mode_t mode) {
         if ((r = mkdir_parents(path, mode)) < 0)
                 return r;
 
-        if (mkdir(path, mode) < 0 && errno != EEXIST)
+        if (mkdir_selinux(path, mode) < 0 && errno != EEXIST)
                 return -errno;
 
         return 0;
diff --git a/src/util.h b/src/util.h
index 782adb8..48cf7cd 100644
--- a/src/util.h
+++ b/src/util.h
@@ -360,4 +360,6 @@ int ip_tos_from_string(const char *s);
 const char *signal_to_string(int i);
 int signal_from_string(const char *s);
 
+int use_selinux(void);
+
 #endif

[-- Attachment #3: systemd-selinux2.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]