From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SELinux <selinux@tycho.nsa.gov>,
	Lennart Poettering <lennart@poettering.net>,
	Eric Paris <eparis@parisplace.org>
Subject: Re: libselinux mountpoint changing patch.
Date: Tue, 03 May 2011 14:06:12 -0400	[thread overview]
Message-ID: <4DC04414.2040005@redhat.com> (raw)
In-Reply-To: <1304442800.1587.30.camel@moss-pluto>

[-- Attachment #1: Type: text/plain, Size: 900 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2011 01:13 PM, Stephen Smalley wrote:
> 
> diff --git a/libselinux/src/init.c b/libselinux/src/init.c
> index a948920..547f1eb 100644
> --- a/libselinux/src/init.c
> +++ b/libselinux/src/init.c
> @@ -79,7 +70,7 @@ static void init_selinuxmnt(void)
>  		tmp = strchr(p, ' ');
>  		if (!tmp)
>  			goto out;
> -		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
> +		if (!strncmp(tmp + 1, SELINUXFS, 10)) {
>  			*tmp = '\0';
>  			break;
>  		}
> 
> This isn't equivalent.  I suppose you could do this:
> +		if (!strncmp(tmp + 1, SELINUXFS" ", sizeof SELINUXFS)) {
> 


Ok one more time...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3ARBQACgkQrlYvE4MpobObeQCgwz+m8Ag8hzTWBuPGzXWXjcu6
xC0An3v6Kzia20ZfKwgV/Hq9sx6TfX7q
=akdW
-----END PGP SIGNATURE-----

[-- Attachment #2: libselinux-mountpoint.patch --]
[-- Type: text/plain, Size: 5532 bytes --]

diff --git a/libselinux/src/enabled.c b/libselinux/src/enabled.c
index b3c8c47..018c787 100644
--- a/libselinux/src/enabled.c
+++ b/libselinux/src/enabled.c
@@ -11,10 +11,6 @@
 
 int is_selinux_enabled(void)
 {
-	char *buf=NULL;
-	FILE *fp;
-	ssize_t num;
-	size_t len;
 	int enabled = 0;
 	security_context_t con;
 
@@ -32,37 +28,8 @@ int is_selinux_enabled(void)
 				enabled = 0;
 			freecon(con);
 		}
-		return enabled;
         }
 
-	/* Drop back to detecting it the long way. */
-	fp = fopen("/proc/filesystems", "r");
-	if (!fp)
-		return -1;
-
-	__fsetlocking(fp, FSETLOCKING_BYCALLER);
-	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
-			enabled = 1;
-			break;
-		}
-	}
-
-	if (num < 0)
-		goto out;
-
-	/* Since an selinux file system is available, we consider
-	 * selinux enabled. If getcon_raw fails, selinux is still
-	 * enabled. We only consider it disabled if no policy is loaded. */
-	if (getcon_raw(&con) == 0) {
-		if (!strcmp(con, "kernel"))
-			enabled = 0;
-		freecon(con);
-	}
-
-      out:
-	free(buf);
-	fclose(fp);
 	return enabled;
 }
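Review bot: With the /proc/filesystems fallback removed, the only `return -1` visible in this function is gone and is_selinux_enabled() now reports 0 whenever selinux_mnt is unset, including on a kernel that supports selinuxfs but has it unmounted or mounted at a path init_selinuxmnt() does not probe. If the header or manual page still documents a -1 return for this function, that text needs to follow this change; I cannot see it from here. A one-line comment above the final `return enabled;`, such as `/* selinux_mnt unset: no usable selinuxfs mount was found, so treat SELinux as disabled. */`, would record the new contract at the point where it is decided. The enclosing function starts above this hunk.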
 
diff --git a/libselinux/src/init.c b/libselinux/src/init.c
index a948920..dd03559 100644
--- a/libselinux/src/init.c
+++ b/libselinux/src/init.c
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <dlfcn.h>
+#include <sys/statvfs.h>
 #include <sys/vfs.h>
 #include <stdint.h>
 #include <limits.h>
@@ -20,12 +21,41 @@ char *selinux_mnt = NULL;
 int selinux_page_size = 0;
 int obj_class_compat = 1;
 
+/* Verify the mount point for selinux file system has a selinuxfs. 
+   If the file system:
+   * Exist, 
+   * Is mounted with an selinux file system, 
+   * The file system is read/write
+   * then set this as the default file system.
+*/
+static int verify_selinuxmnt(char *mnt) 
+{
+	struct statfs sfbuf;
+	int rc;
+
+	do {
+		rc = statfs(mnt, &sfbuf);
+	} while (rc < 0 && errno == EINTR);
+	if (rc == 0) {
+		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
+			struct statvfs vfsbuf;
+			rc = statvfs(mnt, &vfsbuf);
+			if (rc == 0) {
+				if (!(vfsbuf.f_flag & ST_RDONLY)) {
+					set_selinuxmnt(mnt);
+				}
+				return 0;
+			}
+		}
+	} 
+
+	return -1;
+}
+
 static void init_selinuxmnt(void)
 {
 	char *buf=NULL, *p;
 	FILE *fp=NULL;
-	struct statfs sfbuf;
-	int rc;
 	size_t len;
 	ssize_t num;
 	int exists = 0;
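Review bot: verify_selinuxmnt() returns 0 when the mount is present but read-only, because the `return 0` after the ST_RDONLY test runs whether or not set_selinuxmnt() was called, so the caller in the next hunk, `if (verify_selinuxmnt(SELINUXMNT) == 0) return;`, stops probing OLDSELINUXMNT and /proc/mounts while selinux_mnt is still NULL. Combined with the removal of the /proc/filesystems fallback in enabled.c, a read-only selinuxfs mount then makes the library report SELinux disabled. Returning 0 only after the mount is adopted, e.g. `if (vfsbuf.f_flag & ST_RDONLY) return -1;` followed by `set_selinuxmnt(mnt); return 0;`, keeps the search going and makes the header comment ("then set this as the default") match the return value. The parameter could also be `const char *mnt`, since the callers pass string-literal macros and a buffer the function never writes. init_selinuxmnt()'s body continues past the end of this hunk.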
@@ -33,17 +63,9 @@ static void init_selinuxmnt(void)
 	if (selinux_mnt)
 		return;
 
-	/* We check to see if the preferred mount point for selinux file
-	 * system has a selinuxfs. */
-	do {
-		rc = statfs(SELINUXMNT, &sfbuf);
-	} while (rc < 0 && errno == EINTR);
-	if (rc == 0) {
-		if ((uint32_t)sfbuf.f_type == (uint32_t)SELINUX_MAGIC) {
-			selinux_mnt = strdup(SELINUXMNT);
-			return;
-		}
-	} 
+	if (verify_selinuxmnt(SELINUXMNT) == 0) return;
+
+	if (verify_selinuxmnt(OLDSELINUXMNT) == 0) return;
 
 	/* Drop back to detecting it the long way. */
 	fp = fopen("/proc/filesystems", "r");
@@ -52,7 +74,7 @@ static void init_selinuxmnt(void)
 
 	__fsetlocking(fp, FSETLOCKING_BYCALLER);
 	while ((num = getline(&buf, &len, fp)) != -1) {
-		if (strstr(buf, "selinuxfs")) {
+		if (strstr(buf, SELINUXFS)) {
 			exists = 1;
 			break;
 		}
@@ -79,7 +101,7 @@ static void init_selinuxmnt(void)
 		tmp = strchr(p, ' ');
 		if (!tmp)
 			goto out;
-		if (!strncmp(tmp + 1, "selinuxfs ", 10)) {
+		if (!strncmp(tmp + 1, SELINUXFS" ", strlen(SELINUXFS)+1)) {
 			*tmp = '\0';
 			break;
 		}
@@ -87,7 +109,7 @@ static void init_selinuxmnt(void)
 
 	/* If we found something, dup it */
 	if (num > 0)
-		selinux_mnt = strdup(p);
+		verify_selinuxmnt(p);
 
       out:
 	free(buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 83d2143..0961912 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,17 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
+	char *mntpoint = NULL;
+	if (mount(SELINUXFS, SELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+		mntpoint = SELINUXMNT;
+	} else { 
+		/* check old mountpoint */
+		if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {
+			mntpoint = OLDSELINUXMNT;
+		}
+	} 
+
+	if (! mntpoint ) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
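Review bot: The `if (! mntpoint )` block inspects errno from the second mount() only, so whatever the SELINUXMNT attempt failed with is overwritten by the OLDSELINUXMNT attempt; on a system without a /selinux directory that will presumably be ENOENT, which skips the ENODEV branch even if the first call had reported that SELinux is disabled in the kernel. Saving errno after the first failure and restoring it when the fallback also fails, something like `int first_errno = errno;` before the second mount() and `if (!mntpoint && errno != ENODEV) errno = first_errno;` after it, would keep the diagnostic tied to the preferred mount point. As a matter of style the `else { if (...) }` nesting reads more naturally as `} else if (mount(SELINUXFS, OLDSELINUXMNT, SELINUXFS, 0, 0) == 0 || errno == EBUSY) {`, and `if (! mntpoint )` should be `if (!mntpoint)`. The noload label and the rest of this branch are outside the hunk.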
@@ -385,7 +395,7 @@ int selinux_init_load_policy(int *enforce)
                 
 		goto noload;
 	}
-	set_selinuxmnt(SELINUXMNT);
+	set_selinuxmnt(mntpoint);
 
 	/*
 	 * Note:  The following code depends on having selinuxfs 
@@ -397,7 +407,7 @@ int selinux_init_load_policy(int *enforce)
 		rc = security_disable();
 		if (rc == 0) {
 			/* Successfully disabled, so umount selinuxfs too. */
-			umount(SELINUXMNT);
+			umount(selinux_mnt);
 			fini_selinuxmnt();
 		}
 		/*
diff --git a/libselinux/src/policy.h b/libselinux/src/policy.h
index 10e8712..bf270b5 100644
--- a/libselinux/src/policy.h
+++ b/libselinux/src/policy.h
@@ -9,11 +9,15 @@
 /* Initial length guess for getting contexts. */
 #define INITCONTEXTLEN 255
 
+/* selinux file system type */
+#define SELINUXFS "selinuxfs"
+
 /* selinuxfs magic number */
 #define SELINUX_MAGIC 0xf97cff8c
 
 /* Preferred selinux mount location */
-#define SELINUXMNT "/selinux"
+#define SELINUXMNT "/sys/fs/selinux"
+#define OLDSELINUXMNT "/selinux"
 
 /* selinuxfs mount point */
 extern char *selinux_mnt;
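Review bot: OLDSELINUXMNT is added beneath the "Preferred selinux mount location" comment, which now describes only SELINUXMNT, so nothing in the header says why the second path exists or that init.c and load_policy.c probe it as a fallback. A comment of its own above `#define OLDSELINUXMNT "/selinux"`, for example `/* Legacy mount location, still probed for compatibility with older systems */`, would make that intent visible to anyone later tempted to drop it.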

[-- Attachment #3: libselinux-mountpoint.patch.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]
