libselinux/libselinux-rhat.patch

diff --git a/libselinux/Makefile b/libselinux/Makefile
index fd4f0b1..51469bc 100644
--- a/libselinux/Makefile
+++ b/libselinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = src include utils man
+SUBDIRS = src include utils man golang
 
 DISABLE_AVC ?= n
 DISABLE_SETRANS ?= n
diff --git a/libselinux/golang/Makefile b/libselinux/golang/Makefile
new file mode 100644
index 0000000..a5f0692
--- /dev/null
+++ b/libselinux/golang/Makefile
@@ -0,0 +1,17 @@
+# Installation directories.
+PREFIX ?= $(DESTDIR)/usr
+GODIR ?= $(PREFIX)/share/gocode/selinux
+
+all:
+
+install: 
+	[ -d $(GODIR) ] || mkdir -p $(GODIR)
+	install -m 644 selinux.go $(GODIR)
+
+test:
+
+clean:
+
+indent:
+
+relabel:
diff --git a/libselinux/golang/selinux.go b/libselinux/golang/selinux.go
new file mode 100644
index 0000000..018c955
--- /dev/null
+++ b/libselinux/golang/selinux.go
@@ -0,0 +1,282 @@
+package selinux
+
+/*
+ The selinux package is a go bindings to libselinux required to add selinux
+ support to docker.
+
+ Author Dan Walsh <dwalsh@redhat.com>
+
+ Used some ideas/code from the go-ini packages https://github.com/vaughan0
+ By Vaughan Newton
+*/
+
+// #cgo pkg-config: libselinux
+// #include <selinux/selinux.h>
+// #include <stdlib.h>
+import "C"
+import (
+	"encoding/binary"
+	"crypto/rand"
+	"unsafe"
+	"fmt"
+	"bufio"
+	"regexp"
+	"io"
+	"os"
+	"strings"
+)
+
+var (
+	assignRegex  = regexp.MustCompile(`^([^=]+)=(.*)$`)
+	mcs_list = make(map[string]bool)
+)
+
+func Matchpathcon(path string, mode int) (string, error) {
+	var con C.security_context_t
+	var scon string
+	rc, err := C.matchpathcon(C.CString(path),C.mode_t(mode), &con)
+	if rc == 0 {
+		scon = C.GoString(con)
+		C.free(unsafe.Pointer(con))
+	}
+	return scon, err
+}
+
+func Setfilecon(path,scon string) (int, error) {
+        rc, err := C.lsetfilecon(C.CString(path),C.CString(scon))
+	return int(rc), err
+}
+
+func Setexeccon(scon string) (int, error) {
+	var val *C.char
+	if ! Selinux_enabled() {
+		return 0, nil
+	}
+	if scon != "" {
+		val = C.CString(scon)
+	} else {
+		val = nil
+	}
+        rc, err := C.setexeccon(val)
+	return int(rc), err
+}
+
+type Context struct {
+	con []string
+}
+func (c *Context) Set_user(user string) {
+	c.con[0]=user
+}
+func (c *Context) Get_user() string {
+	return c.con[0]
+}
+func (c *Context) Set_role(role string) {
+	c.con[1]=role
+}
+func (c *Context) Get_role() string {
+	return c.con[1]
+}
+func (c *Context) Set_type(setype string) {
+	c.con[2]=setype
+}
+func (c *Context) Get_type() string {
+	return c.con[2]
+}
+func (c *Context) Set_level(mls string) {
+	c.con[3]=mls
+}
+func (c *Context) Get_level() string {
+	return c.con[3]
+}
+func (c *Context) Get() string{
+	return strings.Join(c.con,":")
+}
+func (c *Context) Set(scon string) {
+	c.con = strings.SplitN(scon,":",4)
+}
+func New_context(scon string) Context {
+	var con Context
+	con.Set(scon)
+	return con
+}
+
+func Is_selinux_enabled() bool {
+	b := C.is_selinux_enabled()
+	if b > 0 {
+		return true;
+	}
+	return false
+}
+
+func Selinux_enabled() bool {
+	b := C.is_selinux_enabled()
+	if b > 0 {
+		return true;
+	}
+	return false
+}
+
+const (
+	Enforcing = 1
+	Permissive = 0
+	Disabled = -1
+)
+
+func Selinux_getenforce() int {
+	return int(C.security_getenforce())
+}
+
+func Selinux_getenforcemode() (int) {
+	var enforce C.int
+	C.selinux_getenforcemode(&enforce)
+	return int(enforce)
+}
+
+func mcs_add(mcs string) {
+	mcs_list[mcs] = true
+}
+
+func mcs_delete(mcs string) {
+	mcs_list[mcs] = false
+}
+
+func mcs_exists(mcs string) bool {
+	return mcs_list[mcs] 
+}
+
+func uniq_mcs(catRange uint32) string {
+	var n uint32
+	var c1,c2 uint32
+	var mcs string
+	for ;; {
+		binary.Read(rand.Reader, binary.LittleEndian, &n)
+		c1 = n % catRange
+		binary.Read(rand.Reader, binary.LittleEndian, &n)
+		c2 = n % catRange
+		if c1 == c2 {
+			continue
+		} else {
+			if c1 > c2 {
+				t := c1
+				c1 = c2
+				c2 = t
+			}
+		}
+		mcs = fmt.Sprintf("s0:c%d,c%d", c1, c2)
+		if mcs_exists(mcs) {
+			continue
+		}
+		mcs_add(mcs)
+		break
+	}
+	return mcs
+}
+func free_context(process_label string) {
+	var scon Context
+	scon = New_context(process_label)
+	mcs_delete(scon.Get_level())
+}
+
+func Get_lxc_contexts() (process_label string, file_label string) {
+	var val, key string
+	var bufin *bufio.Reader
+	if ! Selinux_enabled() {
+		return
+	}
+	lxc_path := C.GoString(C.selinux_lxc_contexts_path())
+	file_label = "system_u:object_r:svirt_sandbox_file_t:s0"
+	process_label = "system_u:system_r:svirt_lxc_net_t:s0"
+
+	in, err := os.Open(lxc_path)
+	if err != nil {
+		goto exit
+	}
+
+	defer in.Close()
+	bufin = bufio.NewReader(in)
+
+	for done := false; !done; {
+		var line string
+		if line, err = bufin.ReadString('\n'); err != nil {
+			if err == io.EOF {
+				done = true
+			} else {
+				goto exit
+			}
+		}
+		line = strings.TrimSpace(line)
+		if len(line) == 0 {
+			// Skip blank lines
+			continue
+		}
+		if line[0] == ';' || line[0] == '#' {
+			// Skip comments
+			continue
+		}
+		if groups := assignRegex.FindStringSubmatch(line); groups != nil {
+			key, val = strings.TrimSpace(groups[1]), strings.TrimSpace(groups[2])
+			if key == "process" {
+				process_label = strings.Trim(val,"\"")
+			}
+			if key == "file" {
+				file_label = strings.Trim(val,"\"")
+			}
+		}
+	}
+exit:
+	var scon Context
+	mcs := uniq_mcs(1024)
+	scon = New_context(process_label)
+	scon.Set_level(mcs)
+	process_label = scon.Get()
+	scon = New_context(file_label)
+	scon.Set_level(mcs)
+	file_label = scon.Get()
+	return process_label, file_label
+}
+
+func CopyLevel (src, dest string) (string, error) {
+	if ! Selinux_enabled() {
+		return "", nil
+	}
+	if src == "" {
+		return "", nil
+	}
+	rc, err := C.security_check_context(C.CString(src))
+	if rc != 0 {
+		return "", err
+	}
+	rc, err = C.security_check_context(C.CString(dest))
+	if rc != 0 {
+		return "", err
+	}
+	scon := New_context(src)
+	tcon := New_context(dest)
+	tcon.Set_level(scon.Get_level())
+	return tcon.Get(), nil
+}
+
+func Test() {
+	var plabel,flabel string
+	if ! Selinux_enabled() {
+		return
+	}
+
+	plabel, flabel = Get_lxc_contexts()
+	fmt.Println(plabel)
+	fmt.Println(flabel)
+	free_context(plabel)
+	plabel, flabel = Get_lxc_contexts()
+	fmt.Println(plabel)
+	fmt.Println(flabel)
+	free_context(plabel)
+	if Selinux_enabled() {
+		fmt.Println("Enabled")
+	} else {
+		fmt.Println("Disabled")
+	}
+	fmt.Println(Selinux_getenforce())
+	fmt.Println(Selinux_getenforcemode())
+	flabel,_ = Matchpathcon("/home/dwalsh/.emacs", 0)
+	fmt.Println(flabel)
+}
diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 02dd829..6dfdb46 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -114,7 +114,7 @@ $(LIBA): $(OBJS)
 	$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -llzma -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
 	ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index e419f1a..fdeca93 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -16,6 +16,82 @@
 #include <dlfcn.h>
 #include "policy.h"
 #include <limits.h>
+#include <lzma.h>
+
+static char *lzmaread(int fd, size_t *rsize) {
+	int capacity = 64*1024;
+	char *buf = NULL;
+	int tmpsize = 8 * 1024;
+	unsigned char tmp[tmpsize];
+	unsigned char tmp_out[tmpsize];
+	size_t size = 0;
+	lzma_stream strm = LZMA_STREAM_INIT;
+	lzma_action action = LZMA_RUN;
+	lzma_ret ret;
+	
+	FILE *stream = fdopen (fd, "r");
+	if (!stream) {
+		return NULL;
+	}
+	ret = lzma_stream_decoder(&strm, UINT64_MAX,
+				  LZMA_CONCATENATED);
+	
+	strm.avail_in = 0;
+	strm.next_out = tmp_out;
+	strm.avail_out = tmpsize;
+	
+	buf = (char *) malloc (capacity);
+	if (!buf)
+		goto err;
+	
+	while (1) {
+		if (strm.avail_in == 0) {
+			strm.next_in = tmp;
+			strm.avail_in = fread(tmp, 1, tmpsize, stream);
+			
+			if (ferror(stream)) {
+				// POSIX says that fread() sets errno if
+				// an error occurred. ferror() doesn't
+				// touch errno.
+				goto err;
+			}
+			if (feof(stream)) action = LZMA_FINISH;
+		}
+		
+		ret = lzma_code(&strm, action);
+		
+		// Write and check write error before checking decoder error.
+		// This way as much data as possible gets written to output
+		// even if decoder detected an error.
+		if (strm.avail_out == 0 || ret != LZMA_OK) {
+			const size_t num =  tmpsize - strm.avail_out;
+			if (num > capacity) {
+				buf = (char*) realloc (buf, size*2);
+				capacity = size;
+			}
+			memcpy (buf+size, tmp_out, num);
+			capacity -= num;
+			size += num;
+			strm.next_out = tmp_out;
+			strm.avail_out = tmpsize;
+		}
+		if (ret != LZMA_OK) {
+			if (ret == LZMA_STREAM_END) {
+				break;
+			} else {
+				goto err;
+			}
+		}
+	}
+	*rsize = size;
+	
+	goto exit;
+err:
+	free(buf); buf = NULL;
+exit:
+	lzma_end(&strm);
+	return buf;
+}
 
 int security_load_policy(void *data, size_t len)
 {
@@ -55,7 +131,7 @@ int selinux_mkload_policy(int preservebools)
 	struct stat sb;
 	struct utsname uts;
 	size_t size;
-	void *map, *data;
+	void *map = NULL, *data=NULL;
 	int fd, rc = -1, prot;
 	sepol_policydb_t *policydb;
 	sepol_policy_file_t *pf;
@@ -181,24 +257,28 @@ checkbool:
 		goto dlclose;
 	}
 
-	if (fstat(fd, &sb) < 0) {
-		fprintf(stderr,
-			"SELinux:  Could not stat policy file %s:  %s\n",
-			path, strerror(errno));
-		goto close;
-	}
-
-	prot = PROT_READ;
-	if (setlocaldefs || preservebools)
-		prot |= PROT_WRITE;
+	data = lzmaread(fd,&size);
 
-	size = sb.st_size;
-	data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
-	if (map == MAP_FAILED) {
-		fprintf(stderr,
-			"SELinux:  Could not map policy file %s:  %s\n",
+	if (!data) {
+		if (fstat(fd, &sb) < 0) {
+			fprintf(stderr,
+				"SELinux:  Could not stat policy file %s:  %s\n",
 			path, strerror(errno));
-		goto close;
+			goto close;
+		}
+		
+		prot = PROT_READ;
+		if (setlocaldefs || preservebools)
+			prot |= PROT_WRITE;
+		
+		size = sb.st_size;
+		data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
+		if (map == MAP_FAILED) {
+			fprintf(stderr,
+				"SELinux:  Could not map policy file %s:  %s\n",
+				path, strerror(errno));
+			goto close;
+		}
 	}
 
 	if (vers > kernvers && usesepol) {
@@ -210,6 +290,8 @@ checkbool:
 			goto unmap;
 		}
 		policy_file_set_mem(pf, data, size);
+		if (!map)
+			free(data);
 		if (policydb_read(policydb, pf)) {
 			policy_file_free(pf);
 			policydb_free(policydb);
@@ -223,7 +305,8 @@ checkbool:
 				path);
 			policy_file_free(pf);
 			policydb_free(policydb);
-			munmap(map, sb.st_size);
+			if (map)
+				munmap(map, sb.st_size);
 			close(fd);
 			vers--;
 			goto search;
@@ -275,7 +358,7 @@ checkbool:
 #endif
 	}
 
-
+	
 	rc = security_load_policy(data, size);
 	
 	if (rc)
@@ -286,7 +369,8 @@ checkbool:
       unmap:
 	if (data != map)
 		free(data);
-	munmap(map, sb.st_size);
+	if (map)
+		munmap(map, sb.st_size);
       close:
 	close(fd);
       dlclose:
@@ -410,7 +494,7 @@ int selinux_init_load_policy(int *enforce)
 	 * already mounted and selinuxmnt set above.
 	 */
 
-	if (seconfig == -1) {
+	if (*enforce == -1) {
 		/* Runtime disable of SELinux. */
 		rc = security_disable();
 		if (rc == 0) {
diff --git a/libselinux/src/matchpathcon.c b/libselinux/src/matchpathcon.c
index 2d7369e..2a00807 100644
--- a/libselinux/src/matchpathcon.c
+++ b/libselinux/src/matchpathcon.c
@@ -2,6 +2,7 @@
 #include <string.h>
 #include <errno.h>
 #include <stdio.h>
+#include <syslog.h>
 #include "selinux_internal.h"
 #include "label_internal.h"
 #include "callbacks.h"
@@ -62,7 +63,7 @@ static void
 {
 	va_list ap;
 	va_start(ap, fmt);
-	vfprintf(stderr, fmt, ap);
+	vsyslog(LOG_ERR, fmt, ap);
 	va_end(ap);
 }