-diff -Nur coreutils-5.0/lib/Makefile.am coreutils-5.0.new/lib/Makefile.am
---- coreutils-5.0/lib/Makefile.am 2003-04-02 12:16:19.000000000 +0200
-+++ coreutils-5.0.new/lib/Makefile.am 2003-06-06 03:01:11.000000000 +0200
-@@ -20,8 +20,8 @@
-
- noinst_LIBRARIES = libfetish.a
-
--INCLUDES = -I.. -I$(srcdir)
--DEFS = -DLIBDIR=\"$(libdir)\" @DEFS@
-+INCLUDES = -I.. -I$(srcdir) -I/usr/include/selinux
-+DEFS = -DLIBDIR=\"$(libdir)\" -DFLASK_LINUX @DEFS@
-
- ## Put relatively complex files at the beginning of the list so
- ## that parallel compiles finish a tiny bit sooner. I don't see
-diff -Nur coreutils-5.0/lib/makepath.c coreutils-5.0.new/lib/makepath.c
---- coreutils-5.0/lib/makepath.c 2003-03-04 22:19:25.000000000 +0100
-+++ coreutils-5.0.new/lib/makepath.c 2003-06-06 03:01:11.000000000 +0200
-@@ -39,6 +39,9 @@
- #include <stdio.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#endif
- #if HAVE_UNISTD_H
- # include <unistd.h>
- #endif
-@@ -139,6 +142,24 @@
- } \
- while (0)
-
-+#ifdef FLASK_LINUX
-+static security_id_t Sid = -1;
-+#endif
-+
-+#ifdef FLASK_LINUX
-+int
-+make_dir_s (const char *dir,
-+ const char *dirpath,
-+ mode_t mode,
-+ int *created_dir_p,
-+ security_id_t sid)
-+{
-+ Sid = sid;
-+ return( make_dir(dir, dirpath,mode, created_dir_p));
-+}
-+#endif
-+
-+
- /* Attempt to create directory DIR (aka DIRPATH) with the specified MODE.
- If CREATED_DIR_P is non-NULL, set *CREATED_DIR_P to non-zero if this
- function creates DIR and to zero otherwise. Give a diagnostic and
-@@ -153,6 +174,11 @@
- int fail = 0;
- int created_dir;
-
-+#ifdef FLASK_LINUX
-+ if ( (int) Sid > 0 )
-+ created_dir = (mkdir_secure (dir, mode, Sid) == 0);
-+ else
-+#endif
- created_dir = (mkdir (dir, mode) == 0);
-
- if (!created_dir)
-@@ -191,6 +217,24 @@
- return fail;
- }
+diff -Nur coreutils-6.4/README coreutils-6.4.selinux/README
+--- coreutils-6.4/README 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/README 2006-10-31 23:39:34.000000000 +0000
+@@ -7,11 +7,11 @@
-+
-+#ifdef FLASK_LINUX
-+int
-+make_path_s (const char *argpath,
-+ int mode,
-+ int parent_mode,
-+ uid_t owner,
-+ gid_t group,
-+ int preserve_existing,
-+ const char *verbose_fmt_string,
-+ security_id_t sid)
-+{
-+ Sid = sid;
-+ return( make_path(argpath, mode, parent_mode, owner, group, preserve_existing, verbose_fmt_string) );
-+}
-+#endif
-+
-+
- /* Ensure that the directory ARGPATH exists.
+ The programs that can be built with this package are:
- Create any leading directories that don't already exist, with
-diff -Nur coreutils-5.0/man/chcon.x coreutils-5.0.new/man/chcon.x
---- coreutils-5.0/man/chcon.x 1970-01-01 01:00:00.000000000 +0100
-+++ coreutils-5.0.new/man/chcon.x 2003-06-06 03:01:11.000000000 +0200
-@@ -0,0 +1,4 @@
-+[NAME]
-+chcon \- change file security context
-+[DESCRIPTION]
-+.\" Add any additional description here
-diff -Nur coreutils-5.0/man/Makefile.am coreutils-5.0.new/man/Makefile.am
---- coreutils-5.0/man/Makefile.am 2003-06-06 02:58:53.000000000 +0200
-+++ coreutils-5.0.new/man/Makefile.am 2003-06-06 03:04:25.000000000 +0200
-@@ -9,7 +9,7 @@
- rm.1 rmdir.1 seq.1 sha1sum.1 shred.1 sleep.1 sort.1 split.1 stat.1 stty.1 \
+- [ base64 basename cat chgrp chmod chown chroot cksum comm cp csplit cut date
++ [ base64 basename cat chcon chgrp chmod chown chroot cksum comm cp csplit cut date
+ dd df dir dircolors dirname du echo env expand expr factor false fmt fold
+ ginstall groups head hostid hostname id join kill link ln logname ls
+ md5sum mkdir mkfifo mknod mv nice nl nohup od paste pathchk pinky pr
+- printenv printf ptx pwd readlink rm rmdir runuser seq sha1sum sha224sum sha256sum
++ printenv printf ptx pwd readlink rm rmdir runuser runcon seq sha1sum sha224sum sha256sum
+ sha384sum sha512sum shred shuf sleep sort split stat stty su sum sync tac
+ tail tee test touch tr true tsort tty uname unexpand uniq unlink uptime
+ users vdir wc who whoami yes
+diff -Nur coreutils-6.4/configure.ac coreutils-6.4.selinux/configure.ac
+--- coreutils-6.4/configure.ac 2006-10-31 23:38:15.000000000 +0000
++++ coreutils-6.4.selinux/configure.ac 2006-10-31 23:39:34.000000000 +0000
+@@ -264,6 +264,13 @@
+ LIB_CRYPT=
+ fi
+
++dnl Give the chance to enable SELINUX
++AC_ARG_ENABLE(selinux, dnl
++[ --enable-selinux Enable use of the SELinux libraries],
++[AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELinux])
++LIB_SELINUX="-lselinux"
++AC_SUBST(LIB_SELINUX)])
++
+ AC_CONFIG_FILES(
+ Makefile
+ doc/Makefile
+diff -Nur coreutils-6.4/lib/config.hin coreutils-6.4.selinux/lib/config.hin
+--- coreutils-6.4/lib/config.hin 2006-10-22 20:36:23.000000000 +0000
++++ coreutils-6.4.selinux/lib/config.hin 2006-10-31 23:39:34.000000000 +0000
+@@ -1645,6 +1645,9 @@
+ 'wint_t'. */
+ #undef WINT_T_SUFFIX
+
++/* Define if you want to use SELINUX */
++#undef WITH_SELINUX
++
+ /* Define to 1 if your processor stores words with the most significant byte
+ first (like Motorola and SPARC, unlike Intel and VAX). */
+ #undef WORDS_BIGENDIAN
+--- coreutils-6.5/man/Makefile.am.orig 2006-11-22 10:47:32.569505000 +0100
++++ coreutils-6.5/man/Makefile.am 2006-11-22 10:48:11.669505000 +0100
+@@ -30,7 +30,7 @@
+ shred.1 shuf.1 sleep.1 sort.1 split.1 stat.1 \
su.1 sum.1 sync.1 tac.1 tail.1 tee.1 test.1 touch.1 tr.1 true.1 tsort.1 \
- tty.1 uname.1 unexpand.1 uniq.1 unlink.1 uptime.1 users.1 vdir.1 wc.1 \
-- who.1 whoami.1 yes.1
-+ who.1 whoami.1 yes.1 chcon.1 runas.1
+ tty.1 unexpand.1 uniq.1 unlink.1 vdir.1 wc.1 \
+- whoami.1 yes.1 $(MAN)
++ whoami.1 yes.1 chcon.1 runcon.1 $(MAN)
+ optional_mans = \
+ chroot.1 hostid.1 nice.1 pinky.1 stty.1 uname.1 uptime.1 users.1 who.1
man_MANS = getgid.1
-
- man_aux = $(dist_man_MANS:.1=.x)
-@@ -111,6 +111,8 @@
+@@ -142,6 +142,8 @@
who.1: $(common_dep) $(srcdir)/who.x ../src/who.c
whoami.1: $(common_dep) $(srcdir)/whoami.x ../src/whoami.c
yes.1: $(common_dep) $(srcdir)/yes.x ../src/yes.c
+chcon.1: $(common_dep) $(srcdir)/chcon.x ../src/chcon.c
-+runas.1: $(common_dep) $(srcdir)/runas.x ../src/runas.c
++runcon.1: $(common_dep) $(srcdir)/runcon.x ../src/runcon.c
SUFFIXES = .x .1
-diff -Nur coreutils-5.0/man/runas.x coreutils-5.0.new/man/runas.x
---- coreutils-5.0/man/runas.x 1970-01-01 01:00:00.000000000 +0100
-+++ coreutils-5.0.new/man/runas.x 2003-06-06 03:01:11.000000000 +0200
+diff -Nur coreutils-6.4/man/chcon.1 coreutils-6.4.selinux/man/chcon.1
+--- coreutils-6.4/man/chcon.1 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/man/chcon.1 2006-10-31 23:39:34.000000000 +0000
+@@ -0,0 +1,64 @@
++.TH CHCON 1 "July 2003" "chcon (coreutils) 5.0" "User Commands"
++.SH NAME
++chcon \- change security context
++.SH SYNOPSIS
++.B chcon
++[\fIOPTION\fR]...\fI CONTEXT FILE\fR...
++.br
++.B chcon
++[\fIOPTION\fR]...\fI --reference=RFILE FILE\fR...
++.SH DESCRIPTION
++.PP
++." Add any additional description here
++.PP
++Change the security context of each FILE to CONTEXT.
++.TP
++\fB\-c\fR, \fB\-\-changes\fR
++like verbose but report only when a change is made
++.TP
++\fB\-h\fR, \fB\-\-no\-dereference\fR
++affect symbolic links instead of any referenced file (available only on systems with lchown system call)
++.TP
++\fB\-f\fR, \fB\-\-silent\fR, \fB\-\-quiet\fR
++suppress most error messages
++.TP
++\fB\-l\fR, \fB\-\-range\fR
++set range RANGE in the target security context
++.TP
++\fB\-\-reference\fR=\fIRFILE\fR
++use RFILE's context instead of using a CONTEXT value
++.TP
++\fB\-R\fR, \fB\-\-recursive\fR
++change files and directories recursively
++.TP
++\fB\-r\fR, \fB\-\-role\fR
++set role ROLE in the target security context
++.TP
++\fB\-t\fR, \fB\-\-type\fR
++set type TYPE in the target security context
++.TP
++\fB\-u\fR, \fB\-\-user\fR
++set user USER in the target security context
++.TP
++\fB\-v\fR, \fB\-\-verbose\fR
++output a diagnostic for every file processed
++.TP
++\fB\-\-help\fR
++display this help and exit
++.TP
++\fB\-\-version\fR
++output version information and exit
++.SH "REPORTING BUGS"
++Report bugs to <email@host.com>.
++.SH "SEE ALSO"
++The full documentation for
++.B chcon
++is maintained as a Texinfo manual. If the
++.B info
++and
++.B chcon
++programs are properly installed at your site, the command
++.IP
++.B info chcon
++.PP
++should give you access to the complete manual.
+diff -Nur coreutils-6.4/man/chcon.x coreutils-6.4.selinux/man/chcon.x
+--- coreutils-6.4/man/chcon.x 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/man/chcon.x 2006-10-31 23:39:34.000000000 +0000
+@@ -0,0 +1,4 @@
++[NAME]
++chcon \- change file security context
++[DESCRIPTION]
++.\" Add any additional description here
+diff -Nur coreutils-6.4/man/cp.1 coreutils-6.4.selinux/man/cp.1
+--- coreutils-6.4/man/cp.1 2006-10-22 19:56:33.000000000 +0000
++++ coreutils-6.4.selinux/man/cp.1 2006-10-31 23:39:34.000000000 +0000
+@@ -57,7 +57,7 @@
+ .TP
+ \fB\-\-preserve\fR[=\fIATTR_LIST\fR]
+ preserve the specified attributes (default:
+-mode,ownership,timestamps), if possible
++mode,ownership,timestamps) and security contexts, if possible
+ additional attributes: links, all
+ .TP
+ \fB\-\-no\-preserve\fR=\fIATTR_LIST\fR
+@@ -106,6 +106,9 @@
+ \fB\-\-help\fR
+ display this help and exit
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
++set security context of copy to CONTEXT
++.TP
+ \fB\-\-version\fR
+ output version information and exit
+ .PP
+diff -Nur coreutils-6.4/man/dir.1 coreutils-6.4.selinux/man/dir.1
+--- coreutils-6.4/man/dir.1 2006-10-22 19:56:34.000000000 +0000
++++ coreutils-6.4.selinux/man/dir.1 2006-10-31 23:39:34.000000000 +0000
+@@ -204,6 +204,20 @@
+ .TP
+ \fB\-1\fR
+ list one file per line
++.PP
++SELinux options:
++.TP
++\fB\-\-lcontext\fR
++Display security context. Enable \fB\-l\fR. Lines
++will probably be too wide for most displays.
++.TP
++\fB\-\-context\fR
++Display security context so it fits on most
++displays. Displays only mode, user, group,
++security context and file name.
++.TP
++\fB\-\-scontext\fR
++Display only security context and file name.
+ .TP
+ \fB\-\-help\fR
+ display this help and exit
+diff -Nur coreutils-6.4/man/id.1 coreutils-6.4.selinux/man/id.1
+--- coreutils-6.4/man/id.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/id.1 2006-10-31 23:39:34.000000000 +0000
+@@ -13,6 +13,9 @@
+ \fB\-a\fR
+ ignore, for compatibility with other versions
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR
++print only the security context
++.TP
+ \fB\-g\fR, \fB\-\-group\fR
+ print only the effective group ID
+ .TP
+diff -Nur coreutils-6.4/man/install.1 coreutils-6.4.selinux/man/install.1
+--- coreutils-6.4/man/install.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/install.1 2006-10-31 23:39:34.000000000 +0000
+@@ -66,6 +66,11 @@
+ .TP
+ \fB\-v\fR, \fB\-\-verbose\fR
+ print the name of each directory as it is created
++.HP
++\fB\-P\fR, \fB\-\-preserve_context\fR (SELinux) Preserve security context
++.TP
++\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
++(SELinux) Set security context of files and directories
+ .TP
+ \fB\-\-help\fR
+ display this help and exit
+diff -Nur coreutils-6.4/man/ls.1 coreutils-6.4.selinux/man/ls.1
+--- coreutils-6.4/man/ls.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/ls.1 2006-10-31 23:39:34.000000000 +0000
+@@ -204,6 +204,20 @@
+ .TP
+ \fB\-1\fR
+ list one file per line
++.PP
++SELinux options:
++.TP
++\fB\-\-lcontext\fR
++Display security context. Enable \fB\-l\fR. Lines
++will probably be too wide for most displays.
++.TP
++\fB\-Z\fR, \fB\-\-context\fR
++Display security context so it fits on most
++displays. Displays only mode, user, group,
++security context and file name.
++.TP
++\fB\-\-scontext\fR
++Display only security context and file name.
+ .TP
+ \fB\-\-help\fR
+ display this help and exit
+diff -Nur coreutils-6.4/man/mkdir.1 coreutils-6.4.selinux/man/mkdir.1
+--- coreutils-6.4/man/mkdir.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/mkdir.1 2006-10-31 23:39:34.000000000 +0000
+@@ -12,6 +12,8 @@
+ .PP
+ Mandatory arguments to long options are mandatory for short options too.
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR (SELinux) set security context to CONTEXT
++.TP
+ \fB\-m\fR, \fB\-\-mode\fR=\fIMODE\fR
+ set file mode (as in chmod), not a=rwx \- umask
+ .TP
+diff -Nur coreutils-6.4/man/mkfifo.1 coreutils-6.4.selinux/man/mkfifo.1
+--- coreutils-6.4/man/mkfifo.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/mkfifo.1 2006-10-31 23:39:34.000000000 +0000
+@@ -12,6 +12,9 @@
+ .PP
+ Mandatory arguments to long options are mandatory for short options too.
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
++set security context (quoted string)
++.TP
+ \fB\-m\fR, \fB\-\-mode\fR=\fIMODE\fR
+ set file permission bits to MODE, not a=rw \- umask
+ .TP
+diff -Nur coreutils-6.4/man/mknod.1 coreutils-6.4.selinux/man/mknod.1
+--- coreutils-6.4/man/mknod.1 2006-10-22 19:56:35.000000000 +0000
++++ coreutils-6.4.selinux/man/mknod.1 2006-10-31 23:39:34.000000000 +0000
+@@ -12,6 +12,9 @@
+ .PP
+ Mandatory arguments to long options are mandatory for short options too.
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR=\fICONTEXT\fR
++set security context (quoted string)
++.TP
+ \fB\-m\fR, \fB\-\-mode\fR=\fIMODE\fR
+ set file permission bits to MODE, not a=rw \- umask
+ .TP
+diff -Nur coreutils-6.4/man/runcon.1 coreutils-6.4.selinux/man/runcon.1
+--- coreutils-6.4/man/runcon.1 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/man/runcon.1 2006-10-31 23:39:34.000000000 +0000
+@@ -0,0 +1,39 @@
++.TH RUNCON "1" "July 2003" "runcon (coreutils) 5.0" "selinux"
++.SH NAME
++runcon \- run command with specified security context
++.SH SYNOPSIS
++.B runcon
++[\fI-t TYPE\fR] [\fI-l LEVEL\fR] [\fI-u USER\fR] [\fI-r ROLE\fR] \fICOMMAND\fR [\fIARGS...\fR]
++.PP
++or
++.PP
++.B runcon
++\fICONTEXT\fR \fICOMMAND\fR [\fIargs...\fR]
++.PP
++.br
++.SH DESCRIPTION
++.PP
++.\" Add any additional description here
++.PP
++Run COMMAND with current security context modified by one or more of LEVEL,
++ROLE, TYPE, and USER, or with completely-specified CONTEXT.
++.TP
++\fB\-t\fR
++change current type to the specified type
++.TP
++\fB\-l\fR
++change current level range to the specified range
++.TP
++\fB\-r\fR
++change current role to the specified role
++.TP
++\fB\-u\fR
++change current user to the specified user
++.PP
++If none of \fI-t\fR, \fI-u\fR, \fI-r\fR, or \fI-l\fR, is specified,
++the first argument is used as the complete context. Any additional
++arguments after \fICOMMAND\fR are interpreted as arguments to the
++command.
++.PP
++Note that only carefully-chosen contexts are likely to successfully
++run.
+diff -Nur coreutils-6.4/man/runcon.x coreutils-6.4.selinux/man/runcon.x
+--- coreutils-6.4/man/runcon.x 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/man/runcon.x 2006-10-31 23:39:34.000000000 +0000
@@ -0,0 +1,2 @@
+[DESCRIPTION]
+.\" Add any additional description here
-diff -Nur coreutils-5.0/README coreutils-5.0.new/README
---- coreutils-5.0/README 2003-03-29 15:24:00.000000000 +0100
-+++ coreutils-5.0.new/README 2003-06-06 03:01:11.000000000 +0200
-@@ -7,11 +7,11 @@
-
- The programs that can be built with this package are:
-
-- basename cat chgrp chmod chown chroot cksum comm cp csplit cut date dd
-+ basename cat chcon chgrp chmod chown chroot cksum comm cp csplit cut date dd
- df dir dircolors dirname du echo env expand expr factor false fmt fold
- ginstall groups head hostid hostname id join kill link ln logname ls
- md5sum mkdir mkfifo mknod mv nice nl nohup od paste pathchk pinky pr
-- printenv printf ptx pwd readlink rm rmdir seq sha1sum shred sleep sort
-+ printenv printf ptx pwd readlink rm rmdir runas seq sha1sum shred sleep sort
- split stat stty su sum sync tac tail tee test touch tr true tsort tty
- uname unexpand uniq unlink uptime users vdir wc who whoami yes
-
-diff -Nur coreutils-5.0/src/chcon.c coreutils-5.0.new/src/chcon.c
---- coreutils-5.0/src/chcon.c 1970-01-01 01:00:00.000000000 +0100
-+++ coreutils-5.0.new/src/chcon.c 2003-06-06 03:01:11.000000000 +0200
-@@ -0,0 +1,334 @@
+diff -Nur coreutils-6.4/man/stat.1 coreutils-6.4.selinux/man/stat.1
+--- coreutils-6.4/man/stat.1 2006-10-22 19:56:37.000000000 +0000
++++ coreutils-6.4.selinux/man/stat.1 2006-10-31 23:39:34.000000000 +0000
+@@ -28,6 +28,9 @@
+ \fB\-t\fR, \fB\-\-terse\fR
+ print the information in terse form
+ .TP
++\fB\-Z\fR, \fB\-\-context\fR
++print security context information for SELinux if available.
++.TP
+ \fB\-\-help\fR
+ display this help and exit
+ .TP
+@@ -51,6 +54,9 @@
+ %d
+ Device number in decimal
+ .TP
++%C
++SELinux security context
++.TP
+ %D
+ Device number in hex
+ .TP
+diff -Nur coreutils-6.4/man/vdir.1 coreutils-6.4.selinux/man/vdir.1
+--- coreutils-6.4/man/vdir.1 2006-10-22 19:56:39.000000000 +0000
++++ coreutils-6.4.selinux/man/vdir.1 2006-10-31 23:39:34.000000000 +0000
+@@ -204,6 +204,20 @@
+ .TP
+ \fB\-1\fR
+ list one file per line
++.PP
++SELinux options:
++.TP
++\fB\-\-lcontext\fR
++Display security context. Enable \fB\-l\fR. Lines
++will probably be too wide for most displays.
++.TP
++\fB\-\-context\fR
++Display security context so it fits on most
++displays. Displays only mode, user, group,
++security context and file name.
++.TP
++\fB\-\-scontext\fR
++Display only security context and file name.
+ .TP
+ \fB\-\-help\fR
+ display this help and exit
+diff -Nur coreutils-6.4/po/POTFILES.in coreutils-6.4.selinux/po/POTFILES.in
+--- coreutils-6.4/po/POTFILES.in 2006-10-31 23:38:15.000000000 +0000
++++ coreutils-6.4.selinux/po/POTFILES.in 2006-10-31 23:39:34.000000000 +0000
+@@ -33,6 +33,7 @@
+ src/base64.c
+ src/basename.c
+ src/cat.c
++src/chcon.c
+ src/chgrp.c
+ src/chmod.c
+ src/chown-core.c
+@@ -91,6 +92,7 @@
+ src/remove.c
+ src/rm.c
+ src/rmdir.c
++src/runcon.c
+ src/seq.c
+ src/setuidgid.c
+ src/shred.c
+--- coreutils-6.7/po/pl.po.orig 2006-12-09 20:03:10.686071942 +0100
++++ coreutils-6.7/po/pl.po 2006-12-09 20:06:54.942851606 +0100
+@@ -867,6 +867,95 @@
+ msgid "%s: input file is output file"
+ msgstr "%s: plik wej¶ciowy jest plikiem wyj¶ciowym"
+
++#: src/chcon.c:101
++#, c-format
++msgid "context of %s changed to %s\n"
++msgstr "kontekst %s zmieniony na %s\n"
++
++#: src/chcon.c:104
++#, c-format
++msgid "failed to change context of %s to %s\n"
++msgstr "nie mo¿na zmieniæ kontekstu %s na %s\n"
++
++#: src/chcon.c:107
++#, c-format
++msgid "context of %s retained as %s\n"
++msgstr "kontekst %s zachowany jako %s\n"
++
++#: src/chcon.c:172
++#, c-format
++msgid "can't apply partial context to unlabeled file %s"
++msgstr "nie mo¿na zastosowaæ czê¶ciowego kontekstu na nieoznakowanym pliku %s"
++
++#: src/chcon.c:180
++#, c-format
++msgid "couldn't compute security context from %s"
++msgstr "nie mo¿na obliczyæ kontekstu bezpieczeñstwa z %s"
++
++#: src/chcon.c:188
++#, c-format
++msgid "invalid context: %s"
++msgstr "b³êdny kontekst: %s"
++
++#: src/chcon.c:210
++#, c-format
++msgid "failed to change context of %s to %s"
++msgstr "nie mo¿na zmieniæ kontekstu %s na %s"
++
++#: src/chcon.c:258
++msgid "virtual memory exhausted"
++msgstr "pamiêæ wirtualna wyczerpana"
++
++#: src/chcon.c:292
++#, c-format
++msgid ""
++"Usage: %s [OPTION]... CONTEXT FILE...\n"
++" or: %s [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...\n"
++" or: %s [OPTION]... --reference=RFILE FILE...\n"
++msgstr ""
++"Sk³adnia: %s [OPCJA]... KONTEKST PLIK...\n"
++" albo: %s [OPCJA]... [-u U¯YTKOWNIK] [-r ROLA] [-l ZAKRES] [-t TYP] PLIK...\n"
++" albo: %s [OPCJA]... --reference=PLIK_WZ PLIK...\n"
++
++#: src/chcon.c:298
++#, c-format
++msgid ""
++"Change the security context of each FILE to CONTEXT.\n"
++"\n"
++" -c, --changes like verbose but report only when a change is made\n"
++" -h, --no-dereference affect symbolic links instead of any referenced file\n"
++" (available only on systems with lchown system call)\n"
++" -f, --silent, --quiet suppress most error messages\n"
++" --reference=RFILE use RFILE's group instead of using a CONTEXT value\n"
++" -u, --user=USER set user USER in the target security context\n"
++" -r, --role=ROLE set role ROLE in the target security context\n"
++" -t, --type=TYPE set type TYPE in the target security context\n"
++" -l, --range=RANGE set range RANGE in the target security context\n"
++" -R, --recursive change files and directories recursively\n"
++" -v, --verbose output a diagnostic for every file processed\n"
++" --help display this help and exit\n"
++" --version output version information and exit\n"
++msgstr ""
++"Zmiana kontekstu bezpieczeñstwa ka¿dego PLIKU na KONTEKST.\n"
++"\n"
++" -c, --changes jak verbose, ale raportowanie tylko wykonanych zmian\n"
++" -h, --no-dereference zmiana dowi±zañ symbolicznych zamiast wskazywanych\n"
++" plików (dostêpne tylko na systemach z lchown)\n"
++" -f, --silent, --quiet pominiêcie wiêkszo¶ci komunikatów o b³êdach\n"
++" --reference=PLIK u¿ycie grupy PLIKU zamiast warto¶ci KONTEKSTU\n"
++" -u, --user=U¯YTKOWNIK ustawienie U¯YTKOWNIK w kontek¶cie bezpieczeñstwa\n"
++" -r, --role=ROLA ustawienie ROLI w kontek¶cie bezpieczeñstwa\n"
++" -t, --type=TYP ustawienie TYPU w kontek¶cie bezpieczeñstwa\n"
++" -l, --range=ZAKRES ustawienie ZAKRESU w kontek¶cie bezpieczeñstwa\n"
++" -R, --recursive zmiana plików i katalogów rekursywnie\n"
++" -v, --verbose wypisywanie diagnostyki dla ka¿dego pliku\n"
++" --help wy¶wietlenie tego opisu i zakoñczenie\n"
++" --version wy¶wietlenie informacji o wersji i zakoñczenie\n"
++
++#: src/chcon.c:393
++msgid "conflicting security context specifiers given"
++msgstr "konflikt miêdzy podanymi okre¶leniami kontekstu bezpieczeñstwa"
++
+ #: src/chgrp.c:95 src/install.c:611
+ #, c-format
+ msgid "invalid group %s"
+@@ -1540,6 +1629,21 @@
+ "nie uda³o siê przeniesienie miêdzy urz±dzeniami: %s do %s; nie uda³o siê "
+ "usunaæ pliku docelowego"
+
++#: src/copy.c:1305
++#, c-format
++msgid "cannot set setfscreatecon %s"
++msgstr "nie mo¿na ustawiæ setfscreatecon %s"
++
++#: src/copy.c:1315
++#, c-format
++msgid "warning: security context not preserved %s"
++msgstr "uwaga: nie zachowano kontekstu bezpieczeñstwa %s"
++
++#: src/copy.c:1317
++#, c-format
++msgid "cannot lgetfilecon %s"
++msgstr "nie mo¿na wykonaæ lgetfilecon %s"
++
+ #: src/copy.c:1553
+ #, c-format
+ msgid "cannot copy cyclic symbolic link %s"
+@@ -1688,6 +1792,10 @@
+ " atrybutów: links (dowi±zania), all "
+ "(wszystkie))\n"
+
++#: src/cp.c:202
++msgid " -c same as --preserve=context\n"
++msgstr " -c to samo co --preserve=context\n"
++
+ #: src/cp.c:196
+ msgid ""
+ " --no-preserve=ATTR_LIST don't preserve the specified attributes\n"
+@@ -1740,12 +1848,13 @@
+ " destination file is missing\n"
+ " -v, --verbose explain what is being done\n"
+ " -x, --one-file-system stay on this file system\n"
++" -Z, --context=CONTEXT set security context of copy to CONTEXT\n"
+ msgstr ""
+ " -u, --update kopiowanie tylko plików, dla których ¬RÓD£O\n"
+ " jest nowsze ni¿ CEL albo brakuje CELU\n"
+ " -v, --verbose wyja¶nianie co siê dzieje\n"
+ " -x, --one-file-system pozostanie w jednym systemie plików\n"
+-"\n"
++" -Z, --context=KONTEKST ustawienie KONTEKSTU bezpieczeñstwa kopii\n"
+
+ #: src/cp.c:225
+ msgid ""
+@@ -1874,6 +1983,26 @@
+ msgid "multiple target directories specified"
+ msgstr "podano wiele katalogów docelowych"
+
++#: src/cp.c:1017
++#, c-format
++msgid "%s: cannot force target context <-- %s and preserve it\n"
++msgstr "%s: nie mo¿na wymusiæ docelowego kontekstu <-- %s i zachowaæ go\n"
++
++#: src/cp.c:1027
++#, c-format
++msgid "Warning: ignoring --context (-Z). It requires a SELinux enabled kernel.\n"
++msgstr "Uwaga: zignorowano --context (-Z). Ta opcja wymaga j±dra z obs³ug± SELinuksa.\n"
++
++#: src/cp.c:1031 src/install.c:369
++#, c-format
++msgid "%s: cannot force target context to '%s' and preserve it\n"
++msgstr "%s: nie mo¿na wymusiæ docelowego kontekstu na '%s' i zachowaæ go\n"
++
++#: src/cp.c:1038
++#, c-format
++msgid "cannot set default security context %s"
++msgstr "nie mo¿na ustawiæ domy¶lnego kontekstu bezpieczeñstwa %s"
++
+ #: src/cp.c:1030
+ #, c-format
+ msgid "cannot make both hard and symbolic links"
+@@ -3880,6 +4009,7 @@
+ "Print information for USERNAME, or the current user.\n"
+ "\n"
+ " -a ignore, for compatibility with other versions\n"
++" -Z, --context print only the context\n"
+ " -g, --group print only the effective group ID\n"
+ " -G, --groups print all group IDs\n"
+ " -n, --name print a name instead of a number, for -ugG\n"
+@@ -3890,6 +4020,7 @@
+ "\n"
+ " -a ignorowane, dla zachowania kompatybilno¶ci z innymi "
+ "wersjami\n"
++" -Z, --context wy¶wietlenie tylko kontekstu\n"
+ " -g, --group wy¶wietlenie tylko efektywnego identyfikatora grupy\n"
+ " -G, --groups wy¶wietlenie pe³nej listy grup\n"
+ " -n, --name wy¶wietlenie nazw zamiast numerów, dla -ugG\n"
+@@ -3906,10 +4037,26 @@
+ "Bez ¿adnych OPCJI wy¶wietla zestaw u¿ytecznych informacji, które uda³o siê\n"
+ "zidentyfikowaæ.\n"
+
+-#: src/id.c:152
++#: src/id.c:165 src/mkdir.c:136 src/mkfifo.c:124 src/mknod.c:135
+ #, c-format
+-msgid "cannot print only user and only group"
+-msgstr "nie mo¿na wypisaæ tylko u¿ytkownika i tylko grupê równocze¶nie"
++msgid "Sorry, --context (-Z) can be used only on a SELinux-enabled kernel.\n"
++msgstr "Niestety --context (-Z) mo¿na u¿ywaæ tylko na j±drze z obs³ug± SELinuksa.\n"
++
++#: src/id.c:198
++msgid ""
++"cannot display context when SELinux not enabled or when displaying the id\n"
++"of a different user"
++msgstr ""
++"nie mo¿na wy¶wietliæ kontekstu kiedy SELinux nie jest w³±czony lub przy\n"
++"wy¶wietlaniu identyfikatora innego u¿ytkownika"
++
++#: src/id.c:209
++msgid "can't get process context"
++msgstr "nie mo¿na uzyskaæ kontekstu procesu"
++
++#: src/id.c:214
++msgid "cannot print \"only\" of more than one choice"
++msgstr "nie mo¿na wypisaæ \"tylko czego¶\" dla wiêcej ni¿ jednej rzeczy"
+
+ #: src/id.c:156
+ #, c-format
+@@ -3941,6 +4088,31 @@
+ msgid " groups="
+ msgstr " grupy="
+
++#: src/id.c:458
++#, c-format
++msgid " context=%s"
++msgstr " kontekst=%s"
++
++#: src/install.c:365
++#, c-format
++msgid "Warning: ignoring --preserve_context (-P) because the kernel is not SELinux-enabled.\n"
++msgstr "Uwaga: zignorowano --preserve_context (-P), poniewa¿ j±dro nie ma obs³ugi SELinuksa.\n"
++
++#: src/install.c:377
++#, c-format
++msgid "Warning: ignoring --context (-Z) because the kernel is not SELinux-enabled.\n"
++msgstr "Uwaga: zignorowano --context (-Z), poniewa¿ j±dro nie ma obs³ugi SELinuksa.\n"
++
++#: src/install.c:382
++#, c-format
++msgid "%s: cannot force target context == '%s' and preserve it\n"
++msgstr "%s: nie mo¿na wymusiæ docelowego kontekstu '%s' i zachowaæ go\n"
++
++#: src/install.c:387
++#, c-format
++msgid "%s: cannot setup default context == '%s'\n"
++msgstr "%s: nie mo¿na ustawiæ domy¶lnego kontekstu '%s'\n"
++
+ #: src/install.c:318
+ #, c-format
+ msgid "the strip option may not be used when installing a directory"
+@@ -4079,6 +4251,14 @@
+ " -T, --no-target-directory traktowanie CELU jak zwyk³ego pliku\n"
+ " -v, --verbose wypisanie nazwy ka¿dego tworzonego katalogu\n"
+
++#: src/install.c:773
++msgid ""
++" -P, --preserve_context (SELinux) Preserve security context\n"
++" -Z, --context=CONTEXT (SELinux) Set security context of files and directories\n"
++msgstr ""
++" -P, --preserve_context (SELinux) zachowanie kontekstu bezpieczeñstwa\n"
++" -Z, --context=KONTEKST (SELinux) ustawienie kontekstu plików i katalogów\n"
++
+ #: src/install.c:692 src/ln.c:365 src/mv.c:318
+ msgid ""
+ "\n"
+@@ -4468,6 +4648,11 @@
+ msgid "no login name"
+ msgstr "brak nazwy u¿ytkownika"
+
++#: src/ls.c:129
++#, c-format
++msgid "Sorry, this option can only be used on a SELinux-enabled kernel.\n"
++msgstr "Niestety tej opcji mo¿na u¿yæ tylko na j±drze z obs³ug± SELinuksa.\n"
++
+ #: src/ls.c:684
+ msgid "%b %e %Y"
+ msgstr "%b %e %Y"
+@@ -4841,6 +5026,34 @@
+ " -X sortowanie alfabetyczne wg rozszerzeñ\n"
+ " -1 listowanie po jednym pliku w linii\n"
+
++#: src/ls.c:4134
++#, c-format
++msgid ""
++"\n"
++"SELinux options:\n"
++"\n"
++" --lcontext Display security context. Enable -l. Lines\n"
++" will probably be too wide for most displays.\n"
++" -Z, --context Display security context so it fits on most\n"
++" displays. Displays only mode, user, group,\n"
++" security context and file name.\n"
++" --scontext Display only security context and file name.\n"
++"\n"
++"\n"
++msgstr ""
++"\n"
++"Opcje dla SELinuksa:\n"
++"\n"
++" --lcontext wy¶wietlanie kontekstu bezpieczeñstwa; w³±cza -l,\n"
++" linie mog± byæ zbyt d³ugie dla wielu terminali\n"
++" --context wy¶wietlanie kontekstu tak, ¿eby zmie¶ci³ siê na\n"
++" wiêkszo¶ci terminali; wy¶wietlane s± tylko\n"
++" uprawnienia, w³a¶ciciel, grupa, kontekst\n"
++" bezpieczeñstwa i nazwa pliku\n"
++" --scontext wy¶wietlanie tylko kontekstu i nazwy pliku\n"
++"\n"
++"\n"
++
+ #: src/ls.c:4360
+ msgid ""
+ "\n"
+@@ -5043,6 +5256,11 @@
+ "Utworzenie KATALOGU/ÓW, je¿eli jeszcze nie istniej±.\n"
+ "\n"
+
++#: src/mkdir.c:74
++#, c-format
++msgid " -Z, --context=CONTEXT (SELinux) set security context to CONTEXT\n"
++msgstr " -Z, --context=KONTEKST (SELinux) ustawienie KONTEKSTU bezpieczeñstwa\n"
++
+ #: src/mkdir.c:67
+ msgid ""
+ " -m, --mode=MODE set file mode (as in chmod), not a=rwx - umask\n"
+@@ -5059,6 +5277,11 @@
+ msgid "created directory %s"
+ msgstr "utworzony katalog %s"
+
++#: src/mkdir.c:170 src/mkfifo.c:128 src/mknod.c:139
++#, c-format
++msgid "Sorry, cannot set default context to %s.\n"
++msgstr "Niestety nie mo¿na ustawiæ domy¶lnego kontekstu na %s.\n"
++
+ #: src/mkfifo.c:54
+ #, c-format
+ msgid "Usage: %s [OPTION] NAME...\n"
+@@ -5072,6 +5295,11 @@
+ "Tworzenie nazwanych potoków (pipes, FIFOs) o podanych NAZWACH.\n"
+ "\n"
+
++#: src/mkfifo.c:68 src/mknod.c:69
++#, c-format
++msgid " -Z, --context=CONTEXT set security context (quoted string)\n"
++msgstr " -Z, --context=KONTEKST ustawienie kontekstu bezpieczeñstwa (³añcuch cytowany)\n"
++
+ #: src/mkfifo.c:62 src/mknod.c:64
+ msgid ""
+ " -m, --mode=MODE set file permission bits to MODE, not a=rw - umask\n"
+@@ -6808,6 +7036,72 @@
+ " -v, --verbose informacja diagnostyczna o ka¿dym przetworzonym\n"
+ " katalogu\n"
+
++#: src/runcon.c:42
++#, c-format
++msgid ""
++"Usage: %s [OPTION]... command [args]\n"
++"Run a program in a different security context.\n"
++"\n"
++" context Complete security context\n"
++" -t type (for same role as parent)\n"
++" -u user identity\n"
++" -r role\n"
++" -l levelrange\n"
++" --help display this help and exit\n"
++msgstr ""
++"Sk³adnia: %s [OPCJA]... polecenie [argumenty]\n"
++"Uruchomienie programu w innym kontek¶cie bezpieczeñstwa.\n"
++"\n"
++" kontekst pe³ny kontekst bezpieczeñstwa\n"
++" -t typ (dla tej samej roli jako rodzica)\n"
++" -u identyfikator u¿ytkownika\n"
++" -r rola\n"
++" -l zakres poziomów\n"
++" --help wy¶wietlenie tego opisu i zakoñczenie\n"
++
++#: src/runcon.c:90
++#, c-format
++msgid "multiple roles\n"
++msgstr "wiele ról\n"
++
++#: src/runcon.c:97
++#, c-format
++msgid "multiple types\n"
++msgstr "wiele typów\n"
++
++#: src/runcon.c:104
++#, c-format
++msgid "multiple users\n"
++msgstr "wielu u¿ytkowników\n"
++
++#: src/runcon.c:111
++#, c-format
++msgid "multiple levelranges\n"
++msgstr "wiele zakresów poziomów\n"
++
++#: src/runcon.c:117
++#, c-format
++msgid "unrecognised option %c\n"
++msgstr "nierozpoznana opcja %c\n"
++
++#: src/runcon.c:125
++msgid "must specify -t, -u, -l, -r, or context"
++msgstr "trzeba podaæ -t, -u, -l, -r albo kontekst"
++
++#: src/runcon.c:131
++msgid "no command found"
++msgstr "nie znaleziono polecenia"
++
++#: src/runcon.c:137 src/runcon.c:145
++#, c-format
++msgid "%s is not a valid context\n"
++msgstr "%s nie jest poprawnym kontekstem\n"
++
++#: src/runcon.c:163
++#, c-format
++msgid "unable to setup security context %s\n"
++msgstr "nie mo¿na ustawiæ kontekstu bezpieczeñstwa %s\n"
++
+ #: src/seq.c:74
+ #, c-format
+ msgid ""
+@@ -7689,6 +7983,7 @@
+ " --printf=FORMAT like --format, but interpret backslash escapes,\n"
+ " and do not output a mandatory trailing newline.\n"
+ " If you want a newline, include \\n in FORMAT.\n"
++" -Z, --context print the security context\n"
+ " -t, --terse print the information in terse form\n"
+ msgstr ""
+ " -c --format=FORMAT u¿ycie podanego FORMATU zamiast domy¶lnego; po\n"
+@@ -7699,6 +7994,7 @@
+ " uko¶nikiem odwrotnym i bez wypisywania znaku "
+ "nowej\n"
+ " linii. ¯eby go wypisaæ u¿yj \\n w FORMACIE.\n"
++" -Z, --context wypisywanie kontekstu bezpieczeñstwa\n"
+ " -t, --terse wypisywanie informacji w skróconej formie\n"
+
+ #: src/stat.c:849
+@@ -7786,6 +8082,7 @@
+ " %c Total file nodes in file system\n"
+ " %d Free file nodes in file system\n"
+ " %f Free blocks in file system\n"
++" %C Security context in SELinux\n"
+ msgstr ""
+ "Prawid³owe specyfikacje formatu dla systemów plików:\n"
+ "\n"
+@@ -7794,6 +8091,7 @@
+ " %c ca³kowita liczba i-wêz³ów w systemie plików\n"
+ " %d liczba wolnych i-wêz³ów w systemie plików\n"
+ " %f liczba wolnych bloków w systemie plików\n"
++" %C kontekst bezpieczeñstwa w SELinuksie\n"
+
+ #: src/stat.c:896
+ msgid ""
+@@ -7813,6 +8111,10 @@
+ " %t typ szesnastkowo\n"
+ " %T typ w formie czytelnej dla cz³owieka\n"
+
++#: src/stat.c:900
++msgid "Kernel is not SELinux enabled"
++msgstr "J±dro nie ma obs³ugi SELinuksa"
++
+ #: src/stty.c:511
+ #, c-format
+ msgid ""
+diff -Nur coreutils-6.4/src/Makefile.am coreutils-6.4.selinux/src/Makefile.am
+--- coreutils-6.4/src/Makefile.am 2006-10-31 23:38:15.000000000 +0000
++++ coreutils-6.4.selinux/src/Makefile.am 2006-10-31 23:39:34.000000000 +0000
+@@ -20,14 +20,14 @@
+ EXTRA_PROGRAMS = chroot df hostid nice pinky stty su uname uptime users who
+
+ bin_SCRIPTS = groups
+-bin_PROGRAMS = [ chgrp chown chmod cp dd dircolors du \
++bin_PROGRAMS = [ chgrp chown chmod chcon cp dd dircolors du \
+ ginstall link ln dir vdir ls mkdir \
+ mkfifo mknod mv nohup readlink rm rmdir shred stat sync touch unlink \
+ cat cksum comm csplit cut expand fmt fold head join md5sum \
+ nl od paste pr ptx sha1sum sha224sum sha256sum sha384sum sha512sum \
+ shuf sort split sum tac tail tr tsort unexpand uniq wc \
+ basename date dirname echo env expr factor false getgid \
+- hostname id kill logname pathchk printenv printf pwd seq sleep tee \
++ hostname id kill logname pathchk printenv printf pwd runcon seq sleep tee \
+ test true tty whoami yes \
+ base64 \
+ $(OPTIONAL_BIN_PROGS) $(DF_PROG)
+@@ -112,6 +112,20 @@
+ mv_LDADD += $(LIB_ACL)
+ ginstall_LDADD += $(LIB_ACL)
+
++dir_LDADD += @LIB_SELINUX@
++ls_LDADD += @LIB_SELINUX@
++vdir_LDADD += @LIB_SELINUX@
++cp_LDADD += @LIB_SELINUX@
++ginstall_LDADD += @LIB_SELINUX@
++mv_LDADD += @LIB_SELINUX@
++chcon_LDADD = $(LDADD) @LIB_SELINUX@
++id_LDADD = $(LDADD) @LIB_SELINUX@
++mkdir_LDADD = $(LDADD) @LIB_SELINUX@
++mkfifo_LDADD = $(LDADD) @LIB_SELINUX@
++mknod_LDADD = $(LDADD) @LIB_SELINUX@
++stat_LDADD = $(LDADD) @LIB_SELINUX@
++runcon_LDADD = $(LDADD) @LIB_SELINUX@
++
+ $(PROGRAMS): ../lib/libcoreutils.a
+
+ SUFFIXES = .sh
+diff -Nur coreutils-6.4/src/chcon.c coreutils-6.4.selinux/src/chcon.c
+--- coreutils-6.4/src/chcon.c 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/src/chcon.c 2006-10-31 23:39:34.000000000 +0000
+@@ -0,0 +1,423 @@
+/* chcontext -- change security context of a pathname */
+
+#include <config.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <getopt.h>
-+#include <fs_secure.h>
++#include <selinux/selinux.h>
++#include <selinux/context.h>
+
+#include "system.h"
+#include "error.h"
+ V_off
+};
+
-+static int change_dir_context PARAMS ((const char *dir, int sid,
-+ const struct stat *statp));
++static int change_dir_context (const char *dir, const struct stat *statp);
+
+/* The name the program was run with. */
+char *program_name;
+/* Level of verbosity. */
+static enum Verbosity verbosity = V_off;
+
-+/* The name of the context the file is being given. */
-+static const char *contextname;
++/* The name of the context file is being given. */
++static const char *specified_context;
++
++/* Specific components of the context */
++static const char *specified_user;
++static const char *specified_role;
++static const char *specified_range;
++static const char *specified_type;
+
-+/* The argument to the --reference option. Use the context SID of this file.
++/* The argument to the --reference option. Use the context of this file.
+ This file must exist. */
+static char *reference_file;
+
+ {"silent", no_argument, 0, 'f'},
+ {"quiet", no_argument, 0, 'f'},
+ {"reference", required_argument, 0, CHAR_MAX + 1},
-+ {"sid", required_argument, 0, CHAR_MAX + 2},
++ {"context", required_argument, 0, CHAR_MAX + 2},
++ {"user", required_argument, 0, 'u'},
++ {"role", required_argument, 0, 'r'},
++ {"type", required_argument, 0, 't'},
++ {"range", required_argument, 0, 'l'},
+ {"verbose", no_argument, 0, 'v'},
+ {"help", no_argument, &show_help, 1},
+ {"version", no_argument, &show_version, 1},
+ CHANGED describes what (if anything) has happened. */
+
+static void
-+describe_change (const char *file, enum Change_status changed)
++describe_change (const char *file, security_context_t newcontext, enum Change_status changed)
+{
+ const char *fmt;
+ switch (changed)
+ default:
+ abort ();
+ }
-+ printf (fmt, file, contextname);
++ printf (fmt, file, newcontext);
++}
++
++static int
++compute_context_from_mask (security_context_t context, context_t *ret)
++{
++ context_t newcontext = context_new (context);
++ if (!newcontext)
++ return 1;
++#define SETCOMPONENT(comp) \
++ do { \
++ if (specified_ ## comp) \
++ if (context_ ## comp ## _set (newcontext, specified_ ## comp)) \
++ goto lose; \
++ } while (0)
++
++ SETCOMPONENT(user);
++ SETCOMPONENT(range);
++ SETCOMPONENT(role);
++ SETCOMPONENT(type);
++#undef SETCOMPONENT
++
++ *ret = newcontext;
++ return 0;
++ lose:
++ context_free (newcontext);
++ return 1;
+}
+
-+/* Change the context of FILE to SID CONTEXT.
++/* Change the context of FILE, using specified components.
+ If it is a directory and -R is given, recurse.
+ Return 0 if successful, 1 if errors occurred. */
+
+static int
-+change_file_context (const char *file, int sid)
++change_file_context (const char *file)
+{
+ struct stat file_stats;
-+ security_id_t file_sid;
++ security_context_t file_context=NULL;
++ context_t context;
++ security_context_t context_string;
+ int errors = 0;
++ int status = 0;
++
++ if (change_symlinks)
++ status = lgetfilecon(file, &file_context);
++ else
++ status = getfilecon(file, &file_context);
+
-+ if (lstat_secure (file, &file_stats, &file_sid))
++ if ((status < 0) && (errno != ENODATA))
+ {
+ if (force_silent == 0)
+ error (0, errno, "%s", file);
+ return 1;
+ }
+
-+ if (sid != file_sid)
++ /* If the file doesn't have a context, and we're not setting all of
++ the context components, there isn't really an obvious default.
++ Thus, we just give up. */
++ if (file_context == NULL && specified_context == NULL)
++ {
++ error (0, 0, _("can't apply partial context to unlabeled file %s"), file);
++ return 1;
++ }
++
++ if (specified_context == NULL)
++ {
++ if (compute_context_from_mask (file_context, &context))
++ {
++ error (0, 0, _("couldn't compute security context from %s"), file_context);
++ return 1;
++ }
++ }
++ else
++ {
++ context = context_new (specified_context);
++ if (!context)
++ error (1, 0,_("invalid context: %s"),specified_context);
++ }
++
++ context_string = context_str (context);
++
++ if (file_context == NULL || strcmp(context_string,file_context)!=0)
+ {
+ int fail;
+
+ if (change_symlinks)
-+ fail = lchsid (file, sid);
++ fail = lsetfilecon (file, context_string);
+ else
-+ fail = chsid (file, sid);
++ fail = setfilecon (file, context_string);
+
+ if (verbosity == V_high || (verbosity == V_changes_only && !fail))
-+ describe_change (file, (fail ? CH_FAILED : CH_SUCCEEDED));
++ describe_change (file, context_string, (fail ? CH_FAILED : CH_SUCCEEDED));
+
+ if (fail)
+ {
+ errors = 1;
+ if (force_silent == 0)
+ {
-+ error (0, errno, "%s", file);
++ error (0, errno, _("failed to change context of %s to %s"), file, context_string);
+ }
+ }
+ }
+ else if (verbosity == V_high)
+ {
-+ describe_change (file, CH_NO_CHANGE_REQUESTED);
++ describe_change (file, context_string, CH_NO_CHANGE_REQUESTED);
+ }
+
-+ if (recurse && S_ISDIR (file_stats.st_mode))
-+ errors |= change_dir_context (file, sid, &file_stats);
++ context_free(context);
++ freecon(file_context);
+
++ if (recurse) {
++ if (lstat(file, &file_stats)==0)
++ if (S_ISDIR (file_stats.st_mode) &&
++ (strcmp(file,"..") !=0) &&
++ (strcmp(file,".") !=0))
++ errors |= change_dir_context (file, &file_stats);
++ }
+ return errors;
+}
+
+/* Recursively change context of the files in directory DIR
-+ to SID CONTEXT.
++ using specified context components.
+ STATP points to the results of lstat on DIR.
+ Return 0 if successful, 1 if errors occurred. */
+
+static int
-+change_dir_context (const char *dir, int sid, const struct stat *statp)
++change_dir_context (const char *dir, const struct stat *statp)
+{
+ char *name_space, *namep;
+ char *path; /* Full path of each entry to process. */
+ path = xrealloc (path, pathlength);
+ }
+ strcpy (path + dirlength, namep);
-+ errors |= change_file_context (path, sid);
++ errors |= change_file_context (path);
+ }
+ free (path);
+ free (name_space);
+ {
+ printf (_("\
+Usage: %s [OPTION]... CONTEXT FILE...\n\
++ or: %s [OPTION]... [-u USER] [-r ROLE] [-l RANGE] [-t TYPE] FILE...\n\
+ or: %s [OPTION]... --reference=RFILE FILE...\n\
-+ or: %s [OPTION]... --sid=SID FILE...\n\
+"),
+ program_name, program_name, program_name);
+ printf (_("\
+ (available only on systems with lchown system call)\n\
+ -f, --silent, --quiet suppress most error messages\n\
+ --reference=RFILE use RFILE's group instead of using a CONTEXT value\n\
-+ --sid=SID use context corresponding to SID for CONTEXT value\n\
++ -u, --user=USER set user USER in the target security context\n\
++ -r, --role=ROLE set role ROLE in the target security context\n\
++ -t, --type=TYPE set type TYPE in the target security context\n\
++ -l, --range=RANGE set range RANGE in the target security context\n\
+ -R, --recursive change files and directories recursively\n\
+ -v, --verbose output a diagnostic for every file processed\n\
+ --help display this help and exit\n\
+int
+main (int argc, char **argv)
+{
-+ int sid = -1;
++ security_context_t ref_context = NULL;
+ int errors = 0;
+ int optc;
++ int component_specified = 0;
+
+ program_name = argv[0];
+ setlocale (LC_ALL, "");
+
+ recurse = force_silent = 0;
+
-+ while ((optc = getopt_long (argc, argv, "Rcfhv", long_options, NULL)) != -1)
++ while ((optc = getopt_long (argc, argv, "Rcfhvu:r:t:l:", long_options, NULL)) != -1)
+ {
+ switch (optc)
+ {
+ case 0:
-+ break;
++ break;
++ case 'u':
++ specified_user = optarg;
++ component_specified = 1;
++ break;
++ case 'r':
++ specified_role = optarg;
++ component_specified = 1;
++ break;
++ case 't':
++ specified_type = optarg;
++ component_specified = 1;
++ break;
++ case 'l':
++ specified_range = optarg;
++ component_specified = 1;
++ break;
+ case CHAR_MAX + 1:
+ reference_file = optarg;
+ break;
-+ case CHAR_MAX +2:
-+ sid = (int)strtol( optarg, (char **)NULL, 10);
-+ /* We use an int to represent sids so we can use -1 for *
-+ * an error condition. All valid sids are positive. *
-+ * Check for an invalid sid. */
-+ if( ( errno == ERANGE ) || ( sid <= 0 ) ) {
-+ error( 1, 0, _("invalid sid"));
-+ }
-+ break;
+ case 'R':
+ recurse = 1;
+ break;
+ if (show_help)
+ usage (0);
+
-+ if (argc - optind + ( (reference_file || ( sid > 0 ) ) ? 1 : 0) <= 1)
-+ {
-+ error (0, 0, _("too few arguments"));
-+ usage (1);
-+ }
++
++ if (reference_file && component_specified)
++ {
++ error (0, 0, _("conflicting security context specifiers given"));
++ usage (1);
++ }
++
++ if (!(((reference_file || component_specified)
++ && (argc - optind > 0))
++ || (argc - optind > 1)))
++ {
++ error (0, 0, _("too few arguments"));
++ usage (1);
++ }
+
+ if (reference_file)
+ {
-+ struct stat ref_stats;
-+ security_id_t ref_sid;
-+ if (stat_secure (reference_file, &ref_stats, &ref_sid))
++ if (getfilecon (reference_file, &ref_context)<0)
+ error (1, errno, "%s", reference_file);
-+
-+ sid = ref_sid;
++
++ specified_context = ref_context;
+ }
-+ else if( sid <= 0 ) /* sid > 0 means sid already set by --sid above */
-+ {
-+ contextname = argv[optind++];
-+
-+ if (*contextname == '\0')
-+ error (1, 0, _("can not change to null context"));
-+
-+ if (security_context_to_sid (contextname, strlen (contextname) + 1, &sid))
-+ error (1, errno, "%s", contextname);
-+ }
-+
++ else if (!component_specified) {
++ specified_context = argv[optind++];
++ }
+ for (; optind < argc; ++optind)
-+ errors |= change_file_context (argv[optind], sid);
++ errors |= change_file_context (argv[optind]);
+
+ if (verbosity != V_off)
+ close_stdout ();
++ if (ref_context != NULL)
++ freecon(ref_context);
+ exit (errors);
+}
-diff -Nur coreutils-5.0/src/copy.c coreutils-5.0.new/src/copy.c
---- coreutils-5.0/src/copy.c 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/copy.c 2003-06-06 03:01:11.000000000 +0200
-@@ -46,6 +46,11 @@
- #include "same.h"
+diff -Nur coreutils-6.4/src/copy.c coreutils-6.4.selinux/src/copy.c
+--- coreutils-6.4/src/copy.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/copy.c 2006-10-31 23:39:34.000000000 +0000
+@@ -53,6 +53,11 @@
#include "xreadlink.h"
+ #include "yesno.h"
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+security_id_t Sid = -1;
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
++extern int selinux_enabled;
+#endif
+
- #define DO_CHOWN(Chown, File, New_uid, New_gid) \
- (Chown (File, New_uid, New_gid) \
- /* If non-root uses -p, it's ok if we can't preserve ownership. \
-@@ -199,6 +204,9 @@
- off_t n_read_total = 0;
- int last_write_made_hole = 0;
- int make_holes = (x->sparse_mode == SPARSE_ALWAYS);
-+#ifdef FLASK_LINUX
-+ security_id_t lsid;
-+#endif
+ #ifndef HAVE_FCHOWN
+ # define HAVE_FCHOWN false
+ # define fchown(fd, uid, gid) (-1)
+@@ -1473,6 +1478,34 @@
+ In such cases, set this variable to zero. */
+ preserve_metadata = true;
- source_desc = open (src_path, O_RDONLY);
- if (source_desc < 0)
-@@ -780,12 +788,20 @@
- int copied_as_regular = 0;
- int dst_mode_valid = 0;
- int preserve_metadata;
-+#ifdef FLASK_LINUX
-+ security_id_t lsid;
-+ struct stat tst_sb;
-+#endif
-
- if (x->move_mode && rename_succeeded)
- *rename_succeeded = 0;
-
- *copy_into_self = 0;
-+#ifdef FLASK_LINUX
-+ if ((*(x->xstat)) (src_path, &src_sb, &lsid))
-+#else
- if ((*(x->xstat)) (src_path, &src_sb))
++#ifdef WITH_SELINUX
++ if (x->preserve_security_context && selinux_enabled)
++ {
++ security_context_t con;
++
++ if (lgetfilecon (src_name, &con) >= 0)
++ {
++ if (setfscreatecon(con) < 0)
++ {
++ error (0, errno, _("cannot set setfscreatecon %s"), quote (con));
++ if (x->require_preserve) {
++ freecon(con);
++ return 1;
++ }
++ }
++ freecon(con);
++ }
++ else {
++ if ( errno == ENOTSUP ) {
++ error (0, errno, _("warning: security context not preserved %s"), quote (src_name));
++ } else {
++ error (0, errno, _("cannot lgetfilecon %s"), quote (src_name));
++ return 1;
++ }
++ }
++ }
+#endif
++
+ if (S_ISDIR (src_mode))
{
- error (0, errno, _("cannot stat %s"), quote (src_path));
- return 1;
-@@ -819,7 +835,11 @@
-
- if (!new_dst)
- {
-+#ifdef FLASK_LINUX
-+ if ((*(x->xstat)) (dst_path, &dst_sb, &lsid))
-+#else
- if ((*(x->xstat)) (dst_path, &dst_sb))
-+#endif
+ struct dir_list *dir;
+@@ -1544,6 +1577,10 @@
{
- if (errno != ENOENT)
- {
-@@ -1463,6 +1483,25 @@
- preserving owner/group is a potential security problem. */
- # endif
- }
-+#ifdef FLASK_LINUX
-+ /* Trying to preserve a security context can fail for any UID, and user
-+ * should probably always know about it.
-+ */
-+ if ( x->preserve_security_context ) {
-+ if ( (int) Sid > 0 ) {
-+ error (0, 0, _("cannot set context to SID==%d and preserve it"), (int)Sid);
-+ return 1;
-+ }
-+ if ( stat_secure(src_path, &tst_sb, &lsid) < 0 ) {
-+ error (0, errno, _("getting security context for %s"), src_path);
-+ return 1;
-+ }
-+ if ( chsid(dst_path, lsid) < 0 ) {
-+ error (0, errno, _("preserving security context for %s (sid==%d)"), dst_path, (int)lsid);
-+ return 1;
-+ }
-+ }
+ /* Here, we are crossing a file system boundary and cp's -x option
+ is in effect: so don't copy the contents of this directory. */
++#ifdef WITH_SELINUX
++ if (x->preserve_security_context && selinux_enabled)
++ setfscreatecon(NULL);
+#endif
- }
- else
- #endif
-@@ -1596,6 +1635,15 @@
- quote_n (0, dst_backup), quote_n (1, dst_path));
}
- }
-+
-+#ifdef FLASK_LINUX
-+ /* if rename() just failed, so will this */
-+ if ( (int) Sid > 0 && x->preserve_security_context == 0 ) {
-+ if ( chsid(dst_path, Sid) < 0 )
-+ error (0, errno, _("setting scontext (%d) for %s"), (int)Sid, dst_path);
-+ }
+ else
+ {
+@@ -1689,6 +1728,11 @@
+ }
+ }
+
++#ifdef WITH_SELINUX
++ if (x->preserve_security_context && selinux_enabled)
++ setfscreatecon(NULL);
+#endif
+
- return 1;
- }
+ /* There's no need to preserve timestamps or permissions. */
+ preserve_metadata = false;
-@@ -1627,6 +1675,17 @@
- same as) DST_PATH; otherwise, set it to zero.
- Return 0 if successful, 1 if an error occurs. */
+@@ -1789,6 +1833,11 @@
-+#ifdef FLASK_LINUX
-+int
-+copy_s (const char *src_path, const char *dst_path,
-+ int nonexistent_dst, const struct cp_options *options,
-+ int *copy_into_self, int *rename_succeeded, security_id_t sid)
-+{
-+ Sid = sid;
-+ return( copy( src_path, dst_path, nonexistent_dst, options, copy_into_self, rename_succeeded) );
-+}
+ un_backup:
+
++#ifdef WITH_SELINUX
++ if (x->preserve_security_context && selinux_enabled)
++ setfscreatecon(NULL);
+#endif
+
- int
- copy (const char *src_path, const char *dst_path,
- int nonexistent_dst, const struct cp_options *options,
-diff -Nur coreutils-5.0/src/copy.h coreutils-5.0.new/src/copy.h
---- coreutils-5.0/src/copy.h 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/copy.h 2003-06-06 03:01:12.000000000 +0200
-@@ -105,6 +105,9 @@
- int preserve_ownership;
- int preserve_mode;
- int preserve_timestamps;
-+#ifdef FLASK_LINUX
-+ int preserve_security_context;
-+#endif
+ /* We have failed to create the destination file.
+ If we've just added a dev/ino entry via the remember_copied
+ call above (i.e., unless we've just failed to create a hard link),
+diff -Nur coreutils-6.4/src/copy.h coreutils-6.4.selinux/src/copy.h
+--- coreutils-6.4/src/copy.h 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/copy.h 2006-10-31 23:39:34.000000000 +0000
+@@ -128,6 +128,9 @@
+ bool preserve_mode;
+ bool preserve_timestamps;
++#ifdef WITH_SELINUX
++ bool preserve_security_context;
++#endif
/* Enabled for mv, and for cp by the --preserve=links option.
- If nonzero, attempt to preserve in the destination files any
-diff -Nur coreutils-5.0/src/copy.h.orig coreutils-5.0.new/src/copy.h.orig
---- coreutils-5.0/src/copy.h.orig 2003-03-26 19:46:56.000000000 +0100
-+++ coreutils-5.0.new/src/copy.h.orig 1970-01-01 01:00:00.000000000 +0100
-@@ -1,211 +0,0 @@
--#ifndef COPY_H
--# define COPY_H
--
--# include "hash.h"
--
--/* Control creation of sparse files (files with holes). */
--enum Sparse_type
--{
-- SPARSE_UNUSED,
--
-- /* Never create holes in DEST. */
-- SPARSE_NEVER,
--
-- /* This is the default. Use a crude (and sometimes inaccurate)
-- heuristic to determine if SOURCE has holes. If so, try to create
-- holes in DEST. */
-- SPARSE_AUTO,
--
-- /* For every sufficiently long sequence of bytes in SOURCE, try to
-- create a corresponding hole in DEST. There is a performance penalty
-- here because CP has to search for holes in SRC. But if the holes are
-- big enough, that penalty can be offset by the decrease in the amount
-- of data written to disk. */
-- SPARSE_ALWAYS
--};
--
--/* This type is used to help mv (via copy.c) distinguish these cases. */
--enum Interactive
--{
-- I_ALWAYS_YES = 1,
-- I_ALWAYS_NO,
-- I_ASK_USER,
-- I_UNSPECIFIED
--};
--
--/* How to handle symbolic links. */
--enum Dereference_symlink
--{
-- DEREF_UNDEFINED = 1,
--
-- /* Copy the symbolic link itself. -P */
-- DEREF_NEVER,
--
-- /* If the symbolic is a command line argument, then copy
-- its referent. Otherwise, copy the symbolic link itself. -H */
-- DEREF_COMMAND_LINE_ARGUMENTS,
--
-- /* Copy the referent of the symbolic link. -L */
-- DEREF_ALWAYS
--};
--
--# define VALID_SPARSE_MODE(Mode) \
-- ((Mode) == SPARSE_NEVER \
-- || (Mode) == SPARSE_AUTO \
-- || (Mode) == SPARSE_ALWAYS)
--
--/* These options control how files are copied by at least the
-- following programs: mv (when rename doesn't work), cp, install.
-- So, if you add a new member, be sure to initialize it in
-- mv.c, cp.c, and install.c. */
--struct cp_options
--{
-- enum backup_type backup_type;
--
-- /* If nonzero, copy all files except (directories and, if not dereferencing
-- them, symbolic links,) as if they were regular files. */
-- int copy_as_regular;
--
-- /* How to handle symlinks. */
-- enum Dereference_symlink dereference;
--
-- /* If nonzero, remove each existing destination nondirectory before
-- trying to open it. */
-- int unlink_dest_before_opening;
--
-- /* If nonzero, first try to open each existing destination nondirectory,
-- then, if the open fails, unlink and try again.
-- This option must be set for `cp -f', in case the destination file
-- exists when the open is attempted. It is irrelevant to `mv' since
-- any destination is sure to be removed before the open. */
-- int unlink_dest_after_failed_open;
--
-- /* If nonzero, create hard links instead of copying files.
-- Create destination directories as usual. */
-- int hard_link;
--
-- /* This value is used to determine whether to prompt before removing
-- each existing destination file. It works differently depending on
-- whether move_mode is set. See code/comments in copy.c. */
-- enum Interactive interactive;
--
-- /* If nonzero, rather than copying, first attempt to use rename.
-- If that fails, then resort to copying. */
-- int move_mode;
--
-- /* This process's effective user ID. */
-- uid_t myeuid;
--
-- /* If nonzero, when copying recursively, skip any subdirectories that are
-- on different filesystems from the one we started on. */
-- int one_file_system;
--
-- /* If nonzero, attempt to give the copies the original files' permissions,
-- owner, group, and timestamps. */
-- int preserve_ownership;
-- int preserve_mode;
-- int preserve_timestamps;
--
-- /* Enabled for mv, and for cp by the --preserve=links option.
-- If nonzero, attempt to preserve in the destination files any
-- logical hard links between the source files. If used with cp's
-- --no-dereference option, and copying two hard-linked files,
-- the two corresponding destination files will also be hard linked.
--
-- If used with cp's --dereference (-L) option, then, as that option implies,
-- hard links are *not* preserved. However, when copying a file F and
-- a symlink S to F, the resulting S and F in the destination directory
-- will be hard links to the same file (a copy of F). */
-- int preserve_links;
--
-- /* If nonzero and any of the above (for preserve) file attributes cannot
-- be applied to a destination file, treat it as a failure and return
-- nonzero immediately. E.g. cp -p requires this be nonzero, mv requires
-- it be zero. */
-- int require_preserve;
--
-- /* If nonzero, copy directories recursively and copy special files
-- as themselves rather than copying their contents. */
-- int recursive;
--
-- /* If nonzero, set file mode to value of MODE. Otherwise,
-- set it based on current umask modified by UMASK_KILL. */
-- int set_mode;
--
-- /* Set the mode of the destination file to exactly this value
-- if USE_MODE is nonzero. */
-- mode_t mode;
--
-- /* Control creation of sparse files. */
-- enum Sparse_type sparse_mode;
--
-- /* If nonzero, create symbolic links instead of copying files.
-- Create destination directories as usual. */
-- int symbolic_link;
--
-- /* The bits to preserve in created files' modes. */
-- mode_t umask_kill;
--
-- /* If nonzero, do not copy a nondirectory that has an existing destination
-- with the same or newer modification time. */
-- int update;
--
-- /* If nonzero, display the names of the files before copying them. */
-- int verbose;
--
-- /* A pointer to either lstat or stat, depending on
-- whether the copy should dereference symlinks. */
-- int (*xstat) ();
--
-- /* If nonzero, stdin is a tty. */
-- int stdin_tty;
--
-- /* This is a set of destination name/inode/dev triples. Each such triple
-- represents a file we have created corresponding to a source file name
-- that was specified on the command line. Use it to avoid clobbering
-- source files in commands like this:
-- rm -rf a b c; mkdir a b c; touch a/f b/f; mv a/f b/f c
-- For now, it protects only regular files when copying (i.e. not renaming).
-- When renaming, it protects all non-directories.
-- Use dest_info_init to initialize it, or set it to NULL to disable
-- this feature. */
-- Hash_table *dest_info;
--
-- /* FIXME */
-- Hash_table *src_info;
--};
--
--int stat ();
--int lstat ();
--
--/* Arrange to make lstat calls go through the wrapper function
-- on systems with an lstat function that does not dereference symlinks
-- that are specified with a trailing slash. */
--# if ! LSTAT_FOLLOWS_SLASHED_SYMLINK
--int rpl_lstat (const char *, struct stat *);
--# undef lstat
--# define lstat rpl_lstat
--# endif
--
--int rename ();
--
--/* Arrange to make rename calls go through the wrapper function
-- on systems with a rename function that fails for a source path
-- specified with a trailing slash. */
--# if RENAME_TRAILING_SLASH_BUG
--int rpl_rename (const char *, const char *);
--# undef rename
--# define rename rpl_rename
--# endif
--
--int
--copy (const char *src_path, const char *dst_path,
-- int nonexistent_dst, const struct cp_options *options,
-- int *copy_into_self, int *rename_succeeded);
--
--void
--dest_info_init (struct cp_options *);
--void
--src_info_init (struct cp_options *);
--
--#endif
-diff -Nur coreutils-5.0/src/cp.c coreutils-5.0.new/src/cp.c
---- coreutils-5.0/src/cp.c 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/cp.c 2003-06-06 03:01:12.000000000 +0200
-@@ -52,6 +52,16 @@
-
- #define AUTHORS N_ ("Torbjorn Granlund, David MacKenzie, and Jim Meyering")
-
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
-+#define CTXTLEN 256
-+char *scontext = NULL;
-+security_id_t sid = -1;
-+int ctxtlen = CTXTLEN;
-+char *calloc();
-+#endif
-+
- #ifndef _POSIX_VERSION
- uid_t geteuid ();
- #endif
-@@ -149,6 +159,10 @@
+ If true, attempt to preserve in the destination files any
+ logical hard links between the source files. If used with cp's
+diff -Nur coreutils-6.4/src/cp.c coreutils-6.4.selinux/src/cp.c
+--- coreutils-6.4/src/cp.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/cp.c 2006-10-31 23:39:34.000000000 +0000
+@@ -51,6 +51,11 @@
+
+ #define AUTHORS "Torbjorn Granlund", "David MacKenzie", "Jim Meyering"
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
++int selinux_enabled=0;
++#endif
++
+ /* Used by do_copy, make_dir_parents_private, and re_protect
+ to keep a list of leading directories whose protections
+ need to be fixed after copying. */
+@@ -141,6 +146,9 @@
+ {"target-directory", required_argument, NULL, 't'},
{"update", no_argument, NULL, 'u'},
{"verbose", no_argument, NULL, 'v'},
- {"version-control", required_argument, NULL, 'V'}, /* Deprecated. FIXME. */
-+#ifdef FLASK_LINUX
-+ {"sid", required_argument, NULL, 'Z'},
-+ {"context", required_argument, NULL, 'X'},
++#ifdef WITH_SELINUX
++ {"context", required_argument, NULL, 'Z'},
+#endif
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
{NULL, 0, NULL, 0}
-@@ -198,6 +212,9 @@
+@@ -194,6 +202,9 @@
additional attributes: links, all\n\
"), stdout);
fputs (_("\
+"), stdout);
+ fputs (_("\
--no-preserve=ATTR_LIST don't preserve the specified attributes\n\
- --parents append source path to DIRECTORY\n\
- -P same as `--no-dereference'\n\
-@@ -225,6 +242,8 @@
+ --parents use full source file name under DIRECTORY\n\
+ "), stdout);
+@@ -219,6 +230,7 @@
destination file is missing\n\
-v, --verbose explain what is being done\n\
-x, --one-file-system stay on this file system\n\
-+ -X, --context=CONTEXT set security context of copy to CONTEXT\n\
-+ -Z, --sid=SID set Security ID of copy to SID\n\
++ -Z, --context=CONTEXT set security context of copy to CONTEXT\n\
"), stdout);
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
-@@ -288,6 +307,9 @@
- char *dst_path; /* A copy of CONST_DST_PATH we can change. */
- char *src_path; /* The source name in `dst_path'. */
- uid_t myeuid = geteuid ();
-+#ifdef FLASK_LINUX
-+ security_id_t lsid;
-+#endif
-
- dst_path = (char *) alloca (strlen (const_dst_path) + 1);
- strcpy (dst_path, const_dst_path);
-@@ -299,7 +321,11 @@
-
- dst_path[p->slash_offset] = '\0';
-
-+#ifdef FLASK_LINUX
-+ if ((*(x->xstat)) (src_path, &src_sb, &lsid))
-+#else
- if ((*(x->xstat)) (src_path, &src_sb))
-+#endif
- {
- error (0, errno, _("failed to get attributes of %s"),
- quote (src_path));
-@@ -358,6 +384,28 @@
- }
- }
-
-+#ifdef FLASK_LINUX
-+ /* Trying to preserve a security context can fail for any UID, and user
-+ * should probably always know about it.
-+ */
-+
-+ if ( x->preserve_security_context ) {
-+ int rv;
-+ struct stat st;
-+ security_id_t lsid;
-+
-+ if ( (rv = stat_secure(src_path, &st, &lsid)) < 0 ) {
-+ error (0, errno, _("getting security context for %s"), src_path);
-+ return 1;
-+ }
-+
-+ if ( (rv = chsid(dst_path, lsid)) < 0 ) {
-+ error (0, errno, _("preserving security context for %s (sid==%d)"), dst_path, (int)lsid);
-+ return 1;
-+ }
-+ }
-+#endif
-+
- dst_path[p->slash_offset] = '/';
- }
- return 0;
-@@ -678,6 +726,11 @@
- else
- {
- int copy_into_self;
-+#ifdef FLASK_LINUX
-+ if ( (int) sid > 0 )
-+ ret |= copy_s (arg, dst_path, new_dst, x, ©_into_self, NULL, sid);
-+ else
-+#endif
- ret |= copy (arg, dst_path, new_dst, x, ©_into_self, NULL);
-
- if (flag_path)
-@@ -756,8 +809,12 @@
- {
- new_dest = (char *) dest;
- }
--
-- return copy (source, new_dest, new_dst, x, &unused, NULL);
-+#ifdef FLASK_LINUX
-+ if ( (int) sid > 0 )
-+ return copy_s (source, new_dest, new_dst, x, &unused, NULL, sid);
-+ else
-+#endif
-+ return copy (source, new_dest, new_dst, x, &unused, NULL);
- }
+@@ -729,6 +741,10 @@
+ x->preserve_mode = false;
+ x->preserve_timestamps = false;
- /* unreachable */
-@@ -781,6 +838,10 @@
- x->preserve_mode = 0;
- x->preserve_timestamps = 0;
-
-+#ifdef FLASK_LINUX
-+ x->preserve_security_context = 0;
++#ifdef WITH_SELINUX
++ x->preserve_security_context = false;
+#endif
+
- x->require_preserve = 0;
- x->recursive = 0;
+ x->require_preserve = false;
+ x->recursive = false;
x->sparse_mode = SPARSE_AUTO;
-@@ -808,19 +869,20 @@
+@@ -756,18 +772,19 @@
PRESERVE_TIMESTAMPS,
PRESERVE_OWNERSHIP,
PRESERVE_LINK,
- PRESERVE_OWNERSHIP, PRESERVE_LINK, PRESERVE_ALL
+ PRESERVE_OWNERSHIP, PRESERVE_LINK, PRESERVE_CONTEXT, PRESERVE_ALL
};
-
/* Valid arguments to the `--preserve' option. */
static char const* const preserve_args[] =
{
"mode", "timestamps",
-- "ownership", "links", "all", 0
-+ "ownership", "links", "context", "all", 0
+- "ownership", "links", "all", NULL
++ "ownership", "links", "context", "all", NULL
};
+ ARGMATCH_VERIFY (preserve_args, preserve_vals);
- char *arg_writable = xstrdup (arg);
-@@ -855,11 +917,16 @@
+@@ -803,11 +820,16 @@
x->preserve_links = on_off;
break;
break;
default:
-@@ -882,6 +949,11 @@
- struct cp_options x;
- int copy_contents = 0;
+@@ -832,6 +854,10 @@
+ bool copy_contents = false;
char *target_directory = NULL;
-+#ifdef FLASK_LINUX
-+ int is_flask_enabled_flag;
-+
-+ is_flask_enabled_flag = is_flask_enabled();
+ bool no_target_directory = false;
++#ifdef WITH_SELINUX
++ security_context_t scontext = NULL;
++ selinux_enabled= (is_selinux_enabled()>0);
+#endif
+ initialize_main (&argc, &argv);
program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -896,7 +968,11 @@
+@@ -847,7 +873,13 @@
we'll actually use backup_suffix_string. */
backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
-+#ifdef FLASK_LINUX
-+ while ((c = getopt_long (argc, argv, "abcdfHilLprsuvxPRS:V:X:Z:", long_opts, NULL))
+- while ((c = getopt_long (argc, argv, "abdfHilLprst:uvxPRS:T",
++
++ while ((c = getopt_long (argc, argv,
++#ifdef WITH_SELINUX
++ "abcdfHilLprst:uvxPRS:TZ:",
+#else
- while ((c = getopt_long (argc, argv, "abdfHilLprsuvxPRS:V:", long_opts, NULL))
++ "abdfHilLprst:uvxPRS:T",
+#endif
+ long_opts, NULL))
!= -1)
{
- switch (c)
-@@ -987,6 +1063,85 @@
- x.preserve_timestamps = 1;
- x.require_preserve = 1;
+@@ -938,6 +970,35 @@
+ case 'R':
+ x.recursive = true;
break;
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ case 'c':
-+ if ( (int) sid > 0 ) { /* scontext could be NULL because of calloc() failure */
-+ if ( scontext )
-+ (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], scontext);
-+ else
-+ (void) fprintf(stderr, "%s: cannot force target context <-- %d and preserve it\n", argv[0], (int) sid);
++ if ( scontext != NULL ) {
++ (void) fprintf(stderr, _("%s: cannot force target context <-- %s and preserve it\n"), argv[0], scontext);
+ exit( 1 );
+ }
-+ else if (is_flask_enabled_flag)
-+ x.preserve_security_context = 1;
++ else if (selinux_enabled)
++ x.preserve_security_context = true;
+ break;
++
+ case 'Z':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Warning: ignoring --sid (-Z) "
-+ "because the kernel is not flask-enabled.\n" );
-+ break;
-+ }
-+ if ( x.preserve_security_context ) {
-+ (void) fprintf(stderr, "%s: can't force target context to '%s' and preserve it\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ if ( (int) sid > 0 || scontext != NULL ) {
-+ (void) fprintf(stderr, "%s: --sid (-Z) and --context (-X) are mutually exclusive\n", argv[0]);
-+ exit( 1 );
-+ }
-+ /* check for typos */
-+ {
-+ char *ep;
-+ sid = (security_id_t) strtol(optarg, &ep, 10);
-+ if ( *ep ) {
-+ (void) fprintf(stderr, "%s: non-numeric SID '%s'\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ }
-+ /* do a sanity check and save result if SID is OK */
-+ scontext = calloc(1, ctxtlen+1);
-+ if ( scontext != NULL ) {
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ if ( errno != ENOSPC ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): '%s'\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ free(scontext);
-+ scontext = calloc(1, ctxtlen+1);
-+ /* nonfatal */
-+ if ( scontext != NULL )
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): %s\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ }
-+ }
-+ break;
-+ case 'X':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Warning: ignoring --context (-X) "
-+ "because the kernel is not flask-enabled.\n" );
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !selinux_enabled ) {
++ fprintf( stderr, _("Warning: ignoring --context (-Z). It requires a SELinux enabled kernel.\n") );
+ break;
+ }
+ if ( x.preserve_security_context ) {
-+ (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ if ( (int) sid > 0 ) {
-+ (void) fprintf(stderr, "%s: --context (-X) and --sid (-Z) are mutually exclusive\n", argv[0]);
++ (void) fprintf(stderr, _("%s: cannot force target context to '%s' and preserve it\n"), argv[0], optarg);
+ exit( 1 );
+ }
+ scontext = optarg;
-+ /* sanity check -- also sets sid val */
-+ if ( security_context_to_sid(scontext, strlen(scontext)+1, &sid) ) {
-+ (void) fprintf(stderr, "%s: security_context_to_sid(%s): %s\n",
-+ argv[0], scontext, strerror(errno));
++ /* if there's a security_context given set new path
++ components to that context, too */
++ if ( setfscreatecon(scontext) < 0 ) {
++ (void) fprintf(stderr, _("cannot set default security context %s"), scontext);
+ exit( 1 );
+ }
+ break;
+#endif
- case PARENTS_OPTION:
- flag_path = 1;
-@@ -1076,13 +1231,21 @@
- of `stat' to call. */
-
- if (x.dereference == DEREF_NEVER)
-+#ifdef FLASK_LINUX
-+ x.xstat = lstat_secure;
-+#else
- x.xstat = lstat;
-+#endif
- else
- {
- /* For DEREF_COMMAND_LINE_ARGUMENTS, x.xstat must be stat for
- each command line argument, but must later be `lstat' for
- any symlinks that are found via recursive traversal. */
-+#ifdef FLASK_LINUX
-+ x.xstat = stat_secure;
-+#else
- x.xstat = stat;
-+#endif
- }
-
- if (x.recursive)
-diff -Nur coreutils-5.0/src/id.c coreutils-5.0.new/src/id.c
---- coreutils-5.0/src/id.c 2003-03-27 23:39:46.000000000 +0100
-+++ coreutils-5.0.new/src/id.c 2003-06-06 03:01:12.000000000 +0200
-@@ -25,7 +25,8 @@
- #include <pwd.h>
- #include <grp.h>
- #include <getopt.h>
--
-+#include <proc_secure.h>
-+#include <flask_util.h>
- #include "system.h"
- #include "error.h"
- #include "closeout.h"
-@@ -46,6 +47,8 @@
+ case REPLY_OPTION: /* Deprecated */
+ x.interactive = XARGMATCH ("--reply", optarg,
+diff -Nur coreutils-6.4/src/id.c coreutils-6.4.selinux/src/id.c
+--- coreutils-6.4/src/id.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/id.c 2006-10-31 23:39:34.000000000 +0000
+@@ -37,6 +37,20 @@
int getugroups ();
-+static void print_context PARAMS ((char* context));
-+static void print_sid PARAMS ((security_id_t sid));
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++static void print_context (char* context);
++/* Print the SELinux context */
++static void
++print_context(char *context)
++{
++ printf ("%s", context);
++}
++
++/* If nonzero, output only the SELinux context. -Z */
++static int just_context = 0;
++
++#endif
static void print_user (uid_t uid);
static void print_group (gid_t gid);
static void print_group_list (const char *username);
-@@ -54,6 +57,12 @@
- /* The name this program was run with. */
- char *program_name;
+@@ -55,8 +69,14 @@
+ /* True unless errors have been encountered. */
+ static bool ok = true;
-+/* If nonzero, output only the TOS context. -c */
-+static int just_context = 0;
-+
-+/* If nonzero, output only the security ID (sid). -s */
-+static int just_sid = 0;
-+
- /* If nonzero, output user/group name instead of ID number. -n */
- static int use_name = 0;
-
-@@ -64,12 +73,21 @@
- /* The number of errors encountered so far. */
- static int problems = 0;
-
-+/* The TOS context */
-+static char context[1024];
-+
-+/* The security ID ("sid") */
-+security_id_t mysid = 0;
-+
++/* The SELinux context */
++/* Set `context' to a known invalid value so print_full_info() will *
++ * know when `context' has not been set to a meaningful value. */
++static security_context_t context=NULL;
+
static struct option const longopts[] =
{
-+ {"context", no_argument, NULL, 'c'},
++ {"context", no_argument, NULL, 'Z'},
{"group", no_argument, NULL, 'g'},
{"groups", no_argument, NULL, 'G'},
{"name", no_argument, NULL, 'n'},
- {"real", no_argument, NULL, 'r'},
-+ {"sid", no_argument, NULL, 's'},
- {"user", no_argument, NULL, 'u'},
- {GETOPT_HELP_OPTION_DECL},
- {GETOPT_VERSION_OPTION_DECL},
-@@ -89,10 +107,12 @@
+@@ -80,6 +100,7 @@
Print information for USERNAME, or the current user.\n\
\n\
-a ignore, for compatibility with other versions\n\
-+ -c, --context print only the context\n\
++ -Z, --context print only the context\n\
-g, --group print only the effective group ID\n\
-G, --groups print all group IDs\n\
-n, --name print a name instead of a number, for -ugG\n\
- -r, --real print the real ID instead of the effective ID, with -ugG\n\
-+ -s, --sid print only the security ID\n\
- -u, --user print only the effective user ID\n\
- "), stdout);
- fputs (HELP_OPTION_DESCRIPTION, stdout);
-@@ -110,6 +130,8 @@
+@@ -101,6 +122,7 @@
main (int argc, char **argv)
{
int optc;
-+ int len = sizeof (context);
-+ int is_flask_enabled_flag;
++ int selinux_enabled=(is_selinux_enabled()>0);
- /* If nonzero, output the list of all group IDs. -G */
- int just_group_list = 0;
-@@ -125,9 +147,15 @@
- bindtextdomain (PACKAGE, LOCALEDIR);
- textdomain (PACKAGE);
+ /* If true, output the list of all group IDs. -G */
+ bool just_group_list = false;
+@@ -119,13 +141,23 @@
-+ /* Set `context' to a known invalid value so print_full_info() will *
-+ * know when `context' has not been set to a meaningful value. */
-+ context[ 0 ] = '\0';
-+
-+ is_flask_enabled_flag = is_flask_enabled();
-+
atexit (close_stdout);
- while ((optc = getopt_long (argc, argv, "agnruG", longopts, NULL)) != -1)
-+ while ((optc = getopt_long (argc, argv, "acgnrsuG", longopts, NULL)) != -1)
++ while ((optc = getopt_long (argc, argv, "agnruGZ", longopts, NULL)) != -1)
{
switch (optc)
{
-@@ -136,6 +164,15 @@
case 'a':
/* Ignore -a, for compatibility with SVR4. */
break;
-+ case 'c':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --context (-c) can be used only on "
-+ "a flask-enabled kernel.\n" );
++#ifdef WITH_SELINUX
++ case 'Z':
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !selinux_enabled ) {
++ fprintf( stderr, _("Sorry, --context (-Z) can be used only on a SELinux-enabled kernel.\n") );
+ exit( 1 );
+ }
+ just_context = 1;
+ break;
++#endif
case 'g':
- just_group = 1;
- break;
-@@ -145,6 +182,15 @@
- case 'r':
- use_real = 1;
- break;
-+ case 's':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --sid (-s) can be used only on "
-+ "a flask-enabled kernel.\n" );
-+ exit( 1 );
-+ }
-+ just_sid = 1;
-+ break;
- case 'u':
- just_user = 1;
+ just_group = true;
break;
-@@ -158,13 +204,32 @@
+@@ -148,8 +180,28 @@
}
}
- if (just_user + just_group + just_group_list > 1)
- error (EXIT_FAILURE, 0, _("cannot print only user and only group"));
++#ifdef WITH_SELINUX
+ if (argc - optind == 1)
-+ is_flask_enabled_flag = 0;
++ selinux_enabled = 0;
+
-+ if (just_user + just_group + just_group_list + just_context + just_sid > 1)
-+ error (EXIT_FAILURE, 0, _("cannot print \"only\" of more than one choice"));
-
- if (just_user + just_group + just_group_list == 0 && (use_real || use_name))
- error (EXIT_FAILURE, 0,
- _("cannot print only names or real IDs in default format"));
-
-+ if( (just_context | just_sid) && !is_flask_enabled_flag)
++ if( just_context && !selinux_enabled)
+ error (1, 0, _("\
-+cannot display context/sid when flask not enabled or when displaying the id\n\
++cannot display context when SELinux not enabled or when displaying the id\n\
+of a different user"));
+
-+ /* If we are on a flask-enabled kernel, get our sid and context. *
-+ * Otherwise, leave the sid and context variables alone - they have *
-+ * been initialized known invalid values; if we see these invalid *
-+ * values later, we will know we are on a non-flask kernel. */
-+ if( is_flask_enabled_flag )
++ /* If we are on a selinux-enabled kernel, get our context. *
++ * Otherwise, leave the context variable alone - it has *
++ * been initialized known invalid value; if we see this invalid *
++ * value later, we will know we are on a non-selinux kernel. */
++ if( selinux_enabled )
+ {
-+ mysid = getsecsid ();
-+ if( security_sid_to_context(mysid, context, &len) )
-+ error (1, 0, "can't get process context");
++ if (getcon(&context))
++ error (1, 0, _("can't get process context"));
+ }
++#endif
+
- if (argc - optind > 1)
- usage (EXIT_FAILURE);
++ if (just_user + just_group + just_group_list + just_context > 1)
++ error (EXIT_FAILURE, 0, _("cannot print \"only\" of more than one choice"));
-@@ -190,6 +255,10 @@
+ if (just_user + just_group + just_group_list == 0 && (use_real | use_name))
+ error (EXIT_FAILURE, 0,
+@@ -183,6 +235,10 @@
print_group (use_real ? rgid : egid);
else if (just_group_list)
print_group_list (argv[optind]);
++#ifdef WITH_SELINUX
+ else if (just_context)
+ print_context (context);
-+ else if (just_sid)
-+ print_sid (mysid);
++#endif
else
print_full_info (argv[optind]);
putchar ('\n');
-@@ -197,6 +266,20 @@
- exit (problems != 0);
- }
-
-+/* Print the TOS context */
-+static void
-+print_context(char *context)
-+{
-+ printf ("%s", context);
-+}
-+
-+/* Print the security ID (sid) */
-+static void
-+print_sid( security_id_t sid )
-+{
-+ printf ("%u", sid );
-+}
-+
- /* Print the name or value of user ID UID. */
-
- static void
-@@ -397,4 +480,10 @@
+@@ -385,4 +441,9 @@
free (groups);
}
#endif /* HAVE_GETGROUPS */
-+ if ( context[0] ) {
-+ printf(" context=%s",context);
-+ }
-+ if ( mysid != 0 ) {
-+ printf(" sid=%u",mysid);
++#ifdef WITH_SELINUX
++ if ( context != NULL ) {
++ printf(_(" context=%s"),context);
+ }
++#endif
}
-diff -Nur coreutils-5.0/src/install.c coreutils-5.0.new/src/install.c
---- coreutils-5.0/src/install.c 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/install.c 2003-06-06 03:01:12.000000000 +0200
-@@ -50,6 +50,15 @@
+diff -Nur coreutils-6.4/src/install.c coreutils-6.4.selinux/src/install.c
+--- coreutils-6.4/src/install.c 2006-10-31 23:38:15.000000000 +0000
++++ coreutils-6.4.selinux/src/install.c 2006-10-31 23:39:34.000000000 +0000
+@@ -50,6 +50,11 @@
# include <sys/wait.h>
#endif
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
-+#define CTXTLEN 256
-+char *scontext = NULL;
-+int ctxtlen = CTXTLEN;
-+char *calloc();
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
++int selinux_enabled=0;
+#endif
+
- struct passwd *getpwnam ();
- struct group *getgrnam ();
-
-@@ -126,11 +135,18 @@
+ #if ! HAVE_ENDGRENT
+ # define endgrent() ((void) 0)
+ #endif
+@@ -128,12 +133,18 @@
static struct option const long_options[] =
{
{"backup", optional_argument, NULL, 'b'},
-+#ifdef FLASK_LINUX
-+ {"context", required_argument, NULL, 'X'},
++#ifdef WITH_SELINUX
++ {"context", required_argument, NULL, 'Z'},
+#endif
{"directory", no_argument, NULL, 'd'},
{"group", required_argument, NULL, 'g'},
{"mode", required_argument, NULL, 'm'},
+ {"no-target-directory", no_argument, NULL, 'T'},
{"owner", required_argument, NULL, 'o'},
{"preserve-timestamps", no_argument, NULL, 'p'},
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ {"preserve_context", no_argument, NULL, 'P'},
-+ {"sid", required_argument, NULL, 'Z'},
+#endif
{"strip", no_argument, NULL, 's'},
{"suffix", required_argument, NULL, 'S'},
- {"version-control", required_argument, NULL, 'V'}, /* Deprecated. FIXME. */
-@@ -247,11 +263,20 @@
-
- x->update = 0;
- x->verbose = 0;
-+#ifdef FLASK_LINUX
-+ x->xstat = stat_secure;
-+ x->preserve_security_context = 0;
-+#else
- x->xstat = stat;
+ {"target-directory", required_argument, NULL, 't'},
+@@ -250,6 +261,9 @@
+
+ x->update = false;
+ x->verbose = false;
++#ifdef WITH_SELINUX
++ x->preserve_security_context = false;
+#endif
x->dest_info = NULL;
x->src_info = NULL;
}
-
-+#ifdef FLASK_LINUX
-+security_id_t sid = -1;
-+#endif
-+
- int
- main (int argc, char **argv)
- {
-@@ -265,6 +290,13 @@
- struct cp_options x;
+@@ -302,6 +316,11 @@
+ bool no_target_directory = false;
int n_files;
char **file;
-+#ifdef FLASK_LINUX
-+ int rv;
-+ int is_flask_enabled_flag; /* set iff kernel has extra flask system calls */
-+
-+ /* Set `is_flask_enabled_flag' iff the kernel has the extra flask syscalls */
-+ is_flask_enabled_flag = is_flask_enabled();
++#ifdef WITH_SELINUX
++ security_context_t scontext = NULL;
++ /* set iff kernel has extra selinux system calls */
++ selinux_enabled = (is_selinux_enabled()>0);
+#endif
+ initialize_main (&argc, &argv);
program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -338,6 +370,90 @@
- make_backups = 1;
- backup_suffix_string = optarg;
+@@ -323,8 +342,13 @@
+ we'll actually use backup_suffix_string. */
+ backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
+
+- while ((optc = getopt_long (argc, argv, "bcCsDdg:m:o:pt:TvS:", long_options,
+- NULL)) != -1)
++ while ((optc = getopt_long (argc, argv,
++#ifdef WITH_SELINUX
++ "bcCsDdg:m:o:pPt:TvS:Z:",
++#else
++ "bcCsDdg:m:o:pt:TvS:",
++#endif
++ long_options, NULL)) != -1)
+ {
+ switch (optc)
+ {
+@@ -388,6 +412,37 @@
+ case 'T':
+ no_target_directory = true;
break;
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ case 'P':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Warning: ignoring --preserve_context (-P) "
-+ "because the kernel is not flask-enabled.\n" );
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !selinux_enabled ) {
++ fprintf( stderr, _("Warning: ignoring --preserve_context (-P) because the kernel is not SELinux-enabled.\n") );
+ break;
+ }
-+ if ( (int) sid >= 0 ) { /* scontext could be NULL because of calloc() failure */
-+ if ( scontext )
-+ (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], scontext);
-+ else
-+ (void) fprintf(stderr, "%s: cannot force target context <-- %d and preserve it\n", argv[0], (int) sid);
++ if ( scontext!=NULL ) { /* scontext could be NULL because of calloc() failure */
++ (void) fprintf(stderr, _("%s: cannot force target context to '%s' and preserve it\n"), argv[0], scontext);
+ exit( 1 );
+ }
-+ x.preserve_security_context = 1;
++ x.preserve_security_context = true;
+ break ;
+ case 'Z':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Warning: ignoring --sid (-Z) "
-+ "because the kernel is not flask-enabled.\n" );
-+ break;
-+ }
-+ if ( x.preserve_security_context ) {
-+ (void) fprintf(stderr, "%s: can't force target context to '%s' and preserve it\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ if ( scontext != NULL ) {
-+ (void) fprintf(stderr, "%s: --sid (-Z) and --context (-X) are mutually exclusive\n", argv[0]);
-+ exit( 1 );
-+ }
-+ /* check for typos */
-+ {
-+ char *ep;
-+ sid = (security_id_t) strtol(optarg, &ep, 10);
-+ if ( *ep ) {
-+ (void) fprintf(stderr, "%s: non-numeric SID '%s'\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ }
-+ /* do a sanity check and save result if SID is OK */
-+ scontext = calloc(1, ctxtlen+1);
-+ if ( scontext != NULL ) {
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ if ( errno != ENOSPC ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): '%s'\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ free(scontext);
-+ scontext = calloc(1, ctxtlen+1);
-+ if ( scontext != NULL )
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): %s\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ }
-+ }
-+ break;
-+ case 'X':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Warning: ignoring --context (-X) "
-+ "because the kernel is not flask-enabled.\n" );
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !selinux_enabled) {
++ fprintf( stderr, _("Warning: ignoring --context (-Z) because the kernel is not SELinux-enabled.\n") );
+ break;
+ }
+ if ( x.preserve_security_context ) {
-+ (void) fprintf(stderr, "%s: cannot force target context == '%s' and preserve it\n", argv[0], optarg);
++
++ (void) fprintf(stderr, _("%s: cannot force target context == '%s' and preserve it\n"), argv[0], optarg);
+ exit( 1 );
+ }
-+ if ( (int) sid >= 0 ) {
-+ (void) fprintf(stderr, "%s: --context (-X) and --sid (-Z) are mutually exclusive\n", argv[0]);
-+ exit(1);
-+ }
+ scontext = optarg;
-+ /* sanity check */
-+ rv = security_context_to_sid(scontext, strlen(scontext)+1, &sid);
-+ if ( rv ) {
-+ (void) fprintf(stderr, "%s: security_context_to_sid(%s): %s\n", argv[0], scontext,
-+ strerror(errno));
-+ exit(1);
-+ }
++ if (setfscreatecon(scontext)) {
++ (void) fprintf(stderr, _("%s: cannot setup default context == '%s'\n"), argv[0], scontext);
++ exit(1);
++ }
+ break;
+#endif
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
default:
-@@ -385,8 +501,13 @@
- for (i = 0; i < n_files; i++)
- {
- errors |=
-+#ifdef FLASK_LINUX
-+ make_path_s (file[i], mode, mode, owner_id, group_id, 0,
-+ (x.verbose ? _("creating directory %s") : NULL), sid);
-+#else
- make_path (file[i], mode, mode, owner_id, group_id, 0,
- (x.verbose ? _("creating directory %s") : NULL));
-+#endif
- }
- }
- else
-@@ -449,8 +570,13 @@
- that this option is intended mainly to help installers when the
- distribution doesn't provide proper install rules. */
- #define DIR_MODE (S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)
-+#ifdef FLASK_LINUX
-+ fail = make_path_s (dest_dir, DIR_MODE, DIR_MODE, owner_id, group_id, 0,
-+ (x->verbose ? _("creating directory %s") : NULL), sid);
-+#else
- fail = make_path (dest_dir, DIR_MODE, DIR_MODE, owner_id, group_id, 0,
- (x->verbose ? _("creating directory %s") : NULL));
-+#endif
- }
-
- if (fail == 0)
-@@ -501,7 +627,6 @@
-
- /* Copy file FROM onto file TO, creating TO if necessary.
- Return 0 if the copy is successful, 1 if not. */
--
- static int
- copy_file (const char *from, const char *to, const struct cp_options *x)
- {
-@@ -721,6 +846,12 @@
- -S, --suffix=SUFFIX override the usual backup suffix\n\
+@@ -781,6 +836,11 @@
+ -T, --no-target-directory treat DEST as a normal file\n\
-v, --verbose print the name of each directory as it is created\n\
"), stdout);
+ fputs (_("\
-+ -P, --preserve_context (Flask) Preserve security context\n\
-+ -Z, --sid=SID (Flask) Set SID of files and directories\n\
-+ -X, --context=CONTEXT (Flask) Set security context of files and directories\n\
++ -P, --preserve_context (SELinux) Preserve security context\n\
++ -Z, --context=CONTEXT (SELinux) Set security context of files and directories\n\
+"), stdout);
+
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
fputs (_("\
-diff -Nur coreutils-5.0/src/ls.c coreutils-5.0.new/src/ls.c
---- coreutils-5.0/src/ls.c 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/ls.c 2003-06-06 03:01:12.000000000 +0200
-@@ -130,6 +130,18 @@
+diff -Nur coreutils-6.4/src/ls.c coreutils-6.4.selinux/src/ls.c
+--- coreutils-6.4/src/ls.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/ls.c 2006-10-31 23:39:34.000000000 +0000
+@@ -110,6 +110,17 @@
- #define AUTHORS N_ ("Richard Stallman and David MacKenzie")
+ #define AUTHORS "Richard Stallman", "David MacKenzie"
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
-+
-+#define CTXTLEN 256
-+#define SID_DIGITS 5
-+
-+static int print_sid = 0;
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++int selinux_enabled= 0;
+static int print_scontext = 0;
++#define check_selinux() if (!selinux_enabled) { \
++ fprintf( stderr, _("Sorry, this option can only be used on a SELinux-enabled kernel.\n") ); \
++ exit( EXIT_FAILURE ); \
++}
+
+#endif
+
#define obstack_chunk_alloc malloc
#define obstack_chunk_free free
-@@ -227,6 +239,10 @@
+@@ -175,6 +186,10 @@
/* For long listings, true if the file has an access control list. */
bool have_acl;
#endif
+
-+#ifdef FLASK_LINUX
-+ security_id_t sid;
++#ifdef WITH_SELINUX
++ security_context_t scontext;
+#endif
};
- #if HAVE_ACL || USE_ACL
-@@ -290,6 +306,9 @@
+ #if USE_ACL
+@@ -245,6 +260,9 @@
static void sort_files (void);
static void parse_ls_color (void);
void usage (int status);
-+#ifdef FLASK_LINUX
-+static void print_scontext_format PARAMS ((const struct fileinfo *f));
++#ifdef WITH_SELINUX
++static void print_scontext_format (const struct fileinfo *f);
+#endif
- /* The name the program was run with, stripped of any leading path. */
+ /* The name this program was run with. */
char *program_name;
-@@ -379,7 +398,12 @@
+@@ -353,7 +371,10 @@
one_per_line, /* -1 */
many_per_line, /* -C */
horizontal, /* -x */
- with_commas /* -m */
-+#ifdef FLASK_LINUX
-+ with_commas, /* -m */
-+ security_format
-+#else
-+ with_commas /* -m */
++#ifdef WITH_SELINUX
++ security_format, /* -Z */
+#endif
++ with_commas /* -m */
};
static enum format format;
-@@ -700,6 +724,13 @@
+@@ -734,6 +755,11 @@
SHOW_CONTROL_CHARS_OPTION,
SI_OPTION,
SORT_OPTION,
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ CONTEXT_OPTION,
+ LCONTEXT_OPTION,
+ SCONTEXT_OPTION,
-+ SID_OPTION,
-+ LSID_OPTION,
+#endif
TIME_OPTION,
TIME_STYLE_OPTION
};
-@@ -743,6 +774,13 @@
- {"time-style", required_argument, 0, TIME_STYLE_OPTION},
- {"color", optional_argument, 0, COLOR_OPTION},
- {"block-size", required_argument, 0, BLOCK_SIZE_OPTION},
-+#ifdef FLASK_LINUX
+@@ -780,6 +806,11 @@
+ {"time-style", required_argument, NULL, TIME_STYLE_OPTION},
+ {"color", optional_argument, NULL, COLOR_OPTION},
+ {"block-size", required_argument, NULL, BLOCK_SIZE_OPTION},
++#ifdef WITH_SELINUX
+ {"context", no_argument, 0, CONTEXT_OPTION},
+ {"lcontext", no_argument, 0, LCONTEXT_OPTION},
+ {"scontext", no_argument, 0, SCONTEXT_OPTION},
-+ {"sid", no_argument, 0, SID_OPTION},
-+ {"lsid", no_argument, 0, LSID_OPTION},
+#endif
- {"author", no_argument, 0, AUTHOR_OPTION},
+ {"author", no_argument, NULL, AUTHOR_OPTION},
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
-@@ -752,13 +790,21 @@
+@@ -789,11 +820,18 @@
static char const *const format_args[] =
{
"verbose", "long", "commas", "horizontal", "across",
-+#ifdef FLASK_LINUX
-+ "vertical", "single-column", "context", 0
-+#else
- "vertical", "single-column", 0
+- "vertical", "single-column", NULL
++ "vertical", "single-column",
++#ifdef WITH_SELINUX
++ "context",
+#endif
++ NULL
};
-
static enum format const format_types[] =
{
long_format, long_format, with_commas, horizontal, horizontal,
-+#ifdef FLASK_LINUX
-+ many_per_line, one_per_line, security_format
-+#else
- many_per_line, one_per_line
++#ifdef WITH_SELINUX
++ security_format,
+#endif
+ many_per_line, one_per_line
};
-
- static char const *const sort_args[] =
-@@ -1121,6 +1167,9 @@
+ ARGMATCH_VERIFY (format_args, format_types);
+@@ -1218,6 +1256,9 @@
format_needs_stat = sort_type == sort_time || sort_type == sort_size
|| format == long_format
-+#ifdef FLASK_LINUX
-+ || format == security_format || print_sid || print_scontext
++#ifdef WITH_SELINUX
++ || format == security_format || print_scontext
+#endif
- || dereference == DEREF_ALWAYS
- || print_block_size || print_inode;
- format_needs_type = (format_needs_stat == 0
-@@ -1243,6 +1292,13 @@
+ || print_block_size;
+ format_needs_type = (! format_needs_stat
+ && (recursive
+@@ -1361,6 +1402,11 @@
/* Record whether there is an option specifying sort type. */
- int sort_type_specified = 0;
+ bool sort_type_specified = false;
-+#ifdef FLASK_LINUX
-+ int is_flask_enabled_flag; /* 1 iff kernel has new flask system calls */
-+
-+ /* Set `is_flask_enabled_flag iff the kernel has new flask system calls. */
-+ is_flask_enabled_flag = is_flask_enabled();
++#ifdef WITH_SELINUX
++ /* 1 iff kernel has new selinux system calls */
++ selinux_enabled= (is_selinux_enabled()>0);
+#endif
+
- qmark_funny_chars = 0;
+ qmark_funny_chars = false;
/* initialize all switches to default settings */
-@@ -1293,6 +1349,10 @@
- all_files = 0;
- really_all_files = 0;
- ignore_patterns = 0;
-+#ifdef FLASK_LINUX
-+ print_sid = 0;
+@@ -1411,6 +1457,9 @@
+ ignore_mode = IGNORE_DEFAULT;
+ ignore_patterns = NULL;
+ hide_patterns = NULL;
++#ifdef WITH_SELINUX
+ print_scontext = 0;
+#endif
/* FIXME: put this in a function. */
{
-@@ -1656,6 +1716,40 @@
+@@ -1486,7 +1535,7 @@
+ }
+
+ while ((c = getopt_long (argc, argv,
+- "abcdfghiklmnopqrstuvw:xABCDFGHI:LNQRST:UX1",
++ "abcdfghiklmnopqrstuvw:xABCDFGHI:LNQRST:UX1Z",
+ long_options, NULL)) != -1)
+ {
+ switch (c)
+@@ -1609,6 +1658,13 @@
+ format = horizontal;
+ break;
+
++#ifdef WITH_SELINUX
++ case 'Z':
++ check_selinux();
++ print_scontext = 1;
++ format = security_format;
++ break;
++#endif
+ case 'A':
+ if (ignore_mode == IGNORE_DEFAULT)
+ ignore_mode = IGNORE_DOT_AND_DOTDOT;
+@@ -1789,6 +1845,25 @@
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
-+#ifdef FLASK_LINUX
-+
-+#define check_selinux() if (!is_flask_enabled_flag) { \
-+ fprintf( stderr, "Sorry, this option can only be used " \
-+ "on a SELinux kernel.\n" ); \
-+ exit( EXIT_FAILURE ); \
-+}
++#ifdef WITH_SELINUX
+
+ case CONTEXT_OPTION: /* new security format */
+ check_selinux();
+ print_scontext = 0;
+ format = security_format;
+ break;
-+ case SID_OPTION: /* SID, format unspecified */
-+ check_selinux();
-+ print_sid = 1;
-+ break;
-+ case LSID_OPTION: /* long format plus SID */
-+ check_selinux();
-+ print_sid = 1;
-+ format = long_format;
-+ break;
+#endif
+
default:
- usage (EXIT_FAILURE);
+ usage (LS_FAILURE);
}
-@@ -2371,7 +2465,11 @@
- if (explicit_arg)
- {
- int need_lstat;
-+#ifdef FLASK_LINUX
-+ err = stat_secure(path, &files[files_index].stat, &files[files_index].sid);
-+#else
- err = stat (path, &files[files_index].stat);
+@@ -2485,6 +2558,12 @@
+ struct fileinfo *f = sorted_file[i];
+ free (f->name);
+ free (f->linkname);
++#ifdef WITH_SELINUX
++ if (f->scontext) {
++ freecon (f->scontext);
++ f->scontext=NULL;
++ }
++#endif
+ }
+
+ cwd_n_used = 0;
+@@ -2527,6 +2608,9 @@
+ memset (f, '\0', sizeof *f);
+ f->stat.st_ino = inode;
+ f->filetype = type;
++#ifdef WITH_SELINUX
++ f->scontext = NULL;
+#endif
+ if (command_line_arg
+ || format_needs_stat
+@@ -2582,7 +2666,12 @@
+ {
+ bool need_lstat;
+ err = stat (absolute_name, &f->stat);
+-
++#ifdef WITH_SELINUX
++ if (err>=0)
++ if (selinux_enabled && (format == security_format || print_scontext))
++ getfilecon(absolute_name, &f->scontext);
++#endif
++
if (dereference == DEREF_COMMAND_LINE_ARGUMENTS)
break;
-@@ -2389,7 +2487,11 @@
- }
+
+@@ -2600,6 +2689,11 @@
default: /* DEREF_NEVER */
-+#ifdef FLASK_LINUX
-+ err = lstat_secure(path, &files[files_index].stat, &files[files_index].sid);
-+#else
- err = lstat (path, &files[files_index].stat);
+ err = lstat (absolute_name, &f->stat);
++#ifdef WITH_SELINUX
++ if (err>=0)
++ if (selinux_enabled && (format == security_format || print_scontext))
++ lgetfilecon(absolute_name, &f->scontext);
+#endif
break;
}
-@@ -2819,6 +2921,16 @@
+@@ -3158,6 +3252,16 @@
DIRED_PUTCHAR ('\n');
}
break;
+
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ case security_format:
+ for (i = 0; i < files_index; i++)
+ {
}
}
-@@ -2936,6 +3048,10 @@
- time_t when;
- int when_ns IF_LINT (= 0);
- struct tm *when_local;
-+#ifdef FLASK_LINUX
-+ char *scontext;
-+ int ctxtlen;
-+#endif
-
- /* Compute mode string. On most systems, it's based on st_mode.
- On systems with migration (via the stat.st_dm_mode field), use
-@@ -3082,6 +3198,34 @@
- p += strlen (p);
- }
+@@ -3412,6 +3516,14 @@
+ The latter is wrong when nlink_width is zero. */
+ p += strlen (p);
-+#ifdef FLASK_LINUX
-+
-+ if ( print_sid ) {
-+ sprintf (p, " %3u ", (unsigned int) f->sid);
-+ p += strlen(p);
-+ }
++#ifdef WITH_SELINUX
+
+ if ( print_scontext ) {
-+ ctxtlen = CTXTLEN;
-+ scontext = xmalloc(ctxtlen);
-+ if (security_sid_to_context(f->sid, scontext, &ctxtlen) < 0) {
-+ if (errno == ENOSPC) {
-+ scontext = xrealloc(scontext, ctxtlen);
-+ if (security_sid_to_context(f->sid, scontext, &ctxtlen) < 0) {
-+ (void) fprintf(stderr, "security_sid_to_context(%d): %s\n", f->sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ } else {
-+ (void) fprintf(stderr, "security_sid_to_context(%d): %s\n", f->sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ }
-+ sprintf (p, "%-32s ", scontext);
++ sprintf (p, "%-32s ", f->scontext);
+ p += strlen (p);
-+ free(scontext);
+ }
+#endif
+
DIRED_INDENT ();
- DIRED_FPUTS (buf, stdout, p - buf);
- print_name_with_quoting (f->name, FILE_OR_LINK_MODE (f), f->linkok,
-@@ -3317,6 +3461,12 @@
- if (print_inode)
- printf ("%*s ", INODE_DIGITS, umaxtostr (f->stat.st_ino, buf));
-
-+#ifdef FLASK_LINUX
-+ if (print_sid)
-+ printf ("%*s ", SID_DIGITS,
-+ human_readable ((uintmax_t) f->sid, buf, human_group_digits, 1, 1));
-+#endif
-+
- if (print_block_size)
- printf ("%*s ", block_size_size,
- human_readable (ST_NBLOCKS (f->stat), buf, human_output_opts,
-@@ -3454,6 +3604,11 @@
- if (print_inode)
- len += INODE_DIGITS + 1;
-
-+#ifdef FLASK_LINUX
-+ if (print_sid)
-+ len += SID_DIGITS + 1;
-+#endif
-+
- if (print_block_size)
- len += 1 + block_size_size;
-@@ -3874,6 +4029,18 @@
+ if (print_owner | print_group | print_author)
+@@ -4347,6 +4459,16 @@
-X sort alphabetically by entry extension\n\
-1 list one file per line\n\
"), stdout);
-+#ifdef FLASK_LINUX
-+printf(_("FLASK options:\n\n\
-+ --lsid Display Security ID (SID). Enable -l\n\
-+ --sid Display SID.\n\
++#ifdef WITH_SELINUX
++printf(_("\nSELinux options:\n\n\
+ --lcontext Display security context. Enable -l. Lines\n\
+ will probably be too wide for most displays.\n\
-+ --context Display security context so it fits on most\n\
++ -Z, --context Display security context so it fits on most\n\
+ displays. Displays only mode, user, group,\n\
+ security context and file name.\n\
+ --scontext Display only security context and file name.\n\
-+"));
++\n\n"));
+#endif
fputs (HELP_OPTION_DESCRIPTION, stdout);
fputs (VERSION_OPTION_DESCRIPTION, stdout);
fputs (_("\n\
-@@ -3892,3 +4059,102 @@
+@@ -4370,3 +4492,79 @@
}
exit (status);
}
+
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+
+static void
+print_scontext_format (const struct fileinfo *f)
+ char *group_name;
+ int rv;
+ char *scontext;
-+ int ctxtlen;
+
+ p = buf;
+
+ if ( print_scontext ) { /* zero means terse listing */
-+ mode_string (f->stat.st_mode, modebuf);
++ filemodestring (&f->stat, modebuf);
+ modebuf[10] = (FILE_HAS_ACL (f) ? '+' : ' ');
+ modebuf[11] = '\0';
+
+ }
+ }
+
-+ if ( print_sid ) {
-+ sprintf (p, " %3u ", (unsigned int) f->sid);
-+ p += strlen(p);
-+ }
-+
-+ /* print security context */
-+ ctxtlen = CTXTLEN;
-+ scontext = xmalloc(ctxtlen);
-+ if ( security_sid_to_context(f->sid, scontext, &ctxtlen) ) {
-+ if ( errno == ENOSPC ) {
-+ scontext = xrealloc(scontext, ctxtlen);
-+ if ( security_sid_to_context(f->sid, scontext, &ctxtlen) ) {
-+ (void) fprintf(stderr, "security_sid_to_context(%d): %s\n", f->sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ } else {
-+ (void) fprintf(stderr, "security_sid_to_context(%d): %s\n", f->sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ }
-+
-+ (void) sprintf (p, "%-32s ", scontext);
++ (void) sprintf (p, "%-32s ", f->scontext);
+ p += strlen (p);
-+ free(scontext);
+
+ DIRED_INDENT ();
+ DIRED_FPUTS (buf, stdout, p - buf);
-+ print_name_with_quoting (f->name, f->stat.st_mode, f->linkok, &dired_obstack);
++ print_name_with_quoting (f->name, f->stat.st_mode, f->linkok, f->stat_ok, f->filetype, &dired_obstack);
+
+ if (f->filetype == symbolic_link) {
+ if (f->linkname) {
+ DIRED_FPUTS_LITERAL (" -> ", stdout);
-+ print_name_with_quoting (f->linkname, f->linkmode, f->linkok - 1, NULL);
++ print_name_with_quoting (f->linkname, f->linkmode, f->linkok - 1, f->stat_ok, f->filetype, NULL);
+ if (indicator_style != none)
-+ print_type_indicator (f->linkmode);
++ print_type_indicator (f->stat_ok, f->linkmode, f->filetype);
+ }
+ }
+ else {
+ if (indicator_style != none)
-+ print_type_indicator (f->stat.st_mode);
++ print_type_indicator (f->stat_ok, f->stat.st_mode, f->filetype);
+ }
+}
+#endif
-diff -Nur coreutils-5.0/src/Makefile.am coreutils-5.0.new/src/Makefile.am
---- coreutils-5.0/src/Makefile.am 2003-06-06 02:58:53.000000000 +0200
-+++ coreutils-5.0.new/src/Makefile.am 2003-06-06 03:06:13.000000000 +0200
-@@ -4,13 +4,13 @@
- EXTRA_SCRIPTS = nohup
-
- bin_SCRIPTS = groups @OPTIONAL_BIN_ZCRIPTS@
--bin_PROGRAMS = chgrp chown chmod cp dd dircolors du \
-+bin_PROGRAMS = chgrp chown chmod chcon cp dd dircolors du \
- ginstall link ln dir vdir ls mkdir \
- mkfifo mknod mv readlink rm rmdir shred stat sync touch unlink \
- cat cksum comm csplit cut expand fmt fold head join md5sum \
- nl od paste pr ptx sha1sum sort split sum tac tail tr tsort unexpand uniq wc \
- basename date dirname echo env expr factor false getgid \
-- hostname id kill logname pathchk printenv printf pwd seq sleep tee \
-+ hostname id kill logname pathchk printenv printf pwd runas seq sleep tee \
- test true tty whoami yes \
- @OPTIONAL_BIN_PROGS@ @DF_PROG@
-
-@@ -24,15 +24,15 @@
- groups.sh nohup.sh wheel-gen.pl
- CLEANFILES = $(SCRIPTS) su
-
--INCLUDES = -I.. -I$(srcdir) -I$(top_srcdir)/lib -I../lib
--DEFS = -DLOCALEDIR=\"$(localedir)\" -DSHAREDIR=\"$(datadir)\" @DEFS@
-+INCLUDES = -I.. -I$(srcdir) -I$(top_srcdir)/lib -I../lib -I/usr/include/selinux
-+DEFS = -DLOCALEDIR=\"$(localedir)\" -DSHAREDIR=\"$(datadir)\" -DFLASK_LINUX @DEFS@
-
- # Sometimes, the expansion of @LIBINTL@ includes -lc which may
- # include modules defining variables like `optind', so libfetish.a
- # must precede @LIBINTL@ in order to ensure we use GNU getopt.
- # But libfetish.a must also follow @LIBINTL@, since libintl uses
- # replacement functions defined in libfetish.a.
--LDADD = ../lib/libfetish.a @LIBINTL@ ../lib/libfetish.a
-+LDADD = ../lib/libfetish.a @LIBINTL@ ../lib/libfetish.a /usr/lib/libsecure.a
-
- dir_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
- ls_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
-diff -Nur coreutils-5.0/src/Makefile.am.orig coreutils-5.0.new/src/Makefile.am.orig
---- coreutils-5.0/src/Makefile.am.orig 2003-06-06 02:58:53.000000000 +0200
-+++ coreutils-5.0.new/src/Makefile.am.orig 1970-01-01 01:00:00.000000000 +0100
-@@ -1,242 +0,0 @@
--## Process this file with automake to produce Makefile.in -*-Makefile-*-
--
--EXTRA_PROGRAMS = chroot df hostid nice pinky stty su uname uptime users who
--EXTRA_SCRIPTS = nohup
--
--bin_SCRIPTS = groups @OPTIONAL_BIN_ZCRIPTS@
--bin_PROGRAMS = chgrp chown chmod cp dd dircolors du \
-- ginstall link ln dir vdir ls mkdir \
-- mkfifo mknod mv readlink rm rmdir shred stat sync touch unlink \
-- cat cksum comm csplit cut expand fmt fold head join md5sum \
-- nl od paste pr ptx sha1sum sort split sum tac tail tr tsort unexpand uniq wc \
-- basename date dirname echo env expr factor false \
-- hostname id kill logname pathchk printenv printf pwd seq sleep tee \
-- test true tty whoami yes \
-- @OPTIONAL_BIN_PROGS@ @DF_PROG@
--
--localedir = $(datadir)/locale
--
--noinst_HEADERS = \
-- system.h sys2.h checksum.h copy.h cp-hash.h ls.h dircolors.h remove.h \
-- chown-core.h fs.h \
-- wheel.h wheel-size.h
--EXTRA_DIST = dcgen dircolors.hin tac-pipe.c \
-- groups.sh nohup.sh wheel-gen.pl
--CLEANFILES = $(SCRIPTS) su
--
--INCLUDES = -I.. -I$(srcdir) -I$(top_srcdir)/lib -I../lib
--DEFS = -DLOCALEDIR=\"$(localedir)\" -DSHAREDIR=\"$(datadir)\" @DEFS@
--
--# Sometimes, the expansion of @LIBINTL@ includes -lc which may
--# include modules defining variables like `optind', so libfetish.a
--# must precede @LIBINTL@ in order to ensure we use GNU getopt.
--# But libfetish.a must also follow @LIBINTL@, since libintl uses
--# replacement functions defined in libfetish.a.
--LDADD = ../lib/libfetish.a @LIBINTL@ ../lib/libfetish.a
--
--dir_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
--ls_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
--shred_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
--vdir_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
--
--## If necessary, add -lm to resolve use of pow in lib/strtod.c.
--sort_LDADD = $(LDADD) @POW_LIB@
--
--# for clock_gettime
--date_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
--
--# For sqrt
--factor_LDADD = $(LDADD) @SQRT_LIBM@
--
--# If necessary, add -lm to resolve use of pow in lib/strtod.c.
--# If necessary, add -liconv to resolve use of iconv in lib/unicodeio.c.
--printf_LDADD = $(LDADD) @POW_LIB@ @LIBICONV@
--
--# If necessary, add -lm to resolve use of floor, rint, modf.
--seq_LDADD = $(LDADD) @SEQ_LIBM@
--
--# If necessary, add -lm to resolve the `pow' reference in lib/strtod.c
--# or for the fesetround reference in programs using nanosec.c.
--nanosec_libs = \
-- $(LDADD) @FESETROUND_LIBM@ @POW_LIB@ @LIB_CLOCK_GETTIME@ @LIB_NANOSLEEP@
--
--sleep_LDADD = $(nanosec_libs)
--tail_LDADD = $(nanosec_libs)
--
--uptime_LDADD = $(LDADD) @GETLOADAVG_LIBS@
--
--su_LDADD = $(LDADD) @LIB_CRYPT@ @LIB_PAM@
--
--$(PROGRAMS): ../lib/libfetish.a
--
--$(SCRIPTS): Makefile
--
--SUFFIXES = .sh
--
--.sh:
-- rm -f $@ $@-t
-- sed \
-- -e 's!@''bindir''@!$(bindir)!' \
-- -e 's/@''GNU_PACKAGE''@/@GNU_PACKAGE@/' \
-- -e 's/@''PACKAGE_BUGREPORT''@/@PACKAGE_BUGREPORT@/' \
-- -e 's/@''VERSION''@/@VERSION@/' $< > $@-t
-- chmod +x $@-t
-- mv $@-t $@
--
--all-local: su$(EXEEXT)
--
--installed_su = $(DESTDIR)$(bindir)/`echo su|sed '$(transform)'`
--
--setuid_root_mode = a=rx,u+s
--
--INSTALL_SU = \
-- p=su; \
-- echo " $(INSTALL_PROGRAM) $$p $(installed_su)"; \
-- $(INSTALL_PROGRAM) $$p $(installed_su); \
-- echo " chown root $(installed_su)"; \
-- chown root $(installed_su); \
-- echo " chmod $(setuid_root_mode) $(installed_su)"; \
-- chmod $(setuid_root_mode) $(installed_su)
--
--install-root: su$(EXEEXT)
-- @$(INSTALL_SU)
--
--install-exec-local: su$(EXEEXT)
-- @TMPFILE=$(DESTDIR)$(bindir)/.su-$$$$; \
-- rm -f $$TMPFILE; \
-- echo > $$TMPFILE; \
--## See if we can create a setuid root executable in $(bindir).
--## If not, then don't even try to install su.
-- can_create_suid_root_executable=no; \
-- chown root $$TMPFILE > /dev/null 2>&1 \
-- && chmod $(setuid_root_mode) $$TMPFILE > /dev/null 2>&1 \
-- && can_create_suid_root_executable=yes; \
-- rm -f $$TMPFILE; \
-- if test $$can_create_suid_root_executable = yes; then \
-- $(INSTALL_SU); \
-- else \
-- echo "WARNING: insufficient access; not installing su"; \
-- echo "NOTE: to install su, run 'make install-root' as root"; \
-- fi
--
--uninstall-local:
--# Remove su only if it's one we installed.
-- @if grep '@GNU_PACKAGE@' $(installed_su) > /dev/null 2>&1; then \
-- echo " rm -f $(installed_su)"; \
-- rm -f $(installed_su); \
-- else :; fi
--
--# Use `ginstall' in the definition of PROGRAMS and in dependencies to avoid
--# confusion with the `install' target. The install rule transforms `ginstall'
--# to install before applying any user-specified name transformations.
--
--transform = s/ginstall/install/; @program_transform_name@
--ginstall_SOURCES = install.c copy.c cp-hash.c
--
--cp_SOURCES = cp.c copy.c cp-hash.c
--dir_SOURCES = ls.c ls-dir.c
--vdir_SOURCES = ls.c ls-vdir.c
--ls_SOURCES = ls.c ls-ls.c
--chown_SOURCES = chown.c chown-core.c
--chgrp_SOURCES = chgrp.c chown-core.c
--
--mv_SOURCES = mv.c copy.c cp-hash.c remove.c
--rm_SOURCES = rm.c remove.c
--
--md5sum_SOURCES = md5sum.c md5.c
--sha1sum_SOURCES = md5sum.c sha1sum.c
--
--PERL = @PERL@
--editpl = sed -e 's,@''PERL''@,$(PERL),g'
--
--MAINTAINERCLEANFILES = dircolors.h \
-- wheel.h wheel-size.h
--
--dircolors.h: dcgen dircolors.hin
-- $(PERL) -w -- $(srcdir)/dcgen $(srcdir)/dircolors.hin > $@-t
-- mv $@-t $@
--
--wheel_size = 5
--
--wheel-size.h: Makefile.am
-- echo '#define WHEEL_SIZE $(wheel_size)' > $@-t
-- mv $@-t $@
--
--wheel.h: wheel-gen.pl Makefile.am
-- $(srcdir)/wheel-gen.pl $(wheel_size) \
-- > $@-t
-- mv $@-t $@
--
--BUILT_SOURCES = dircolors.h false.c wheel.h wheel-size.h
--
--# false exits nonzero even with --help or --version.
--# Tell automake to exempt it from that installcheck test.
--AM_INSTALLCHECK_STD_OPTIONS_EXEMPT = false
--
--false.c: true.c
-- rm -f $@
-- sed \
-- -e s/true/false/g \
-- -e s/success/failure/g \
-- -e 's/(EXIT_SUCCESS)/(EXIT_FAILURE)/g' \
-- $(srcdir)/true.c > $@-t
-- chmod a-w $@-t
-- mv $@-t $@
--
--all_programs = \
-- $(bin_PROGRAMS) \
-- $(bin_SCRIPTS) \
-- $(EXTRA_PROGRAMS) \
-- $(EXTRA_SCRIPTS)
--
--pm = progs-makefile
--pr = progs-readme
--# Ensure that the list of programs in README matches the list
--# of programs we can build.
--check: check-README check-misc
--.PHONY: check-README
--check-README:
-- rm -rf $(pr) $(pm)
-- echo $(all_programs) \
-- | tr -s ' ' '\n' | sort -u > $(pm)
-- sed -n '/^The programs .* are:/,/^[a-zA-Z]/p' $(top_srcdir)/README \
-- | sed -n '/^ */s///p' | tr -s ' ' '\n' > $(pr)
-- diff $(pm) $(pr) && rm -rf $(pr) $(pm)
--
--# Make sure we don't define any S_IS* macros in src/*.c files.
--# Not a big deal, but they're already defined via system.h.
--#
--# Also make sure we don't use st_blocks. Use ST_NBLOCKS instead.
--# This is a bit of a kludge, since it prevents use of the string
--# even in comments, but for now it does the job with no false positives.
--.PHONY: check-misc
--check-misc:
-- cd $(srcdir); grep '^# *define *S_IS' $(SOURCES) && exit 1 || :
-- cd $(srcdir); grep st_blocks $(SOURCES) && exit 1 || :
-- cd $(srcdir); grep '^# *define .*defined' $(SOURCES) && exit 1 || :
--
--# Extract the list of authors from each file.
--sed_filter = s/^ *//;s/N_ (//;s/^"//;s/")*$$//
--# Sometimes the string is on the same line as the #define...
--s1 = '/^\#define AUTHORS \([^\\]\)/{;s//\1/;$(sed_filter);p;q;}'
--# Sometimes the string is on the backslash-continued line after the #define.
--s2 = '/^\#define AUTHORS \\\\/{;n;$(sed_filter);p;q;}'
--# FIXME: handle *.sh; and use $(all_programs), not $(SOURCES)
--../AUTHORS: $(SOURCES)
-- rm -f $@-t
-- ( \
-- set -e; \
-- echo "Here are the names of the programs in this package,"; \
-- echo "each followed by the name(s) of its author(s)."; \
-- echo; \
-- for i in $(SOURCES); do \
-- a=`sed -n $(s1) $$i`; \
-- test "$$a" && : \
-- || a=`sed -n $(s2) $$i`; \
-- if test "$$a"; then \
-- prog=`echo $$i|sed 's/\.c$$//'`; \
-- echo "$$prog: $$a"; \
-- fi; \
-- done | sort -u ) > $@-t
-- chmod a-w $@-t
-- mv $@-t $@
-diff -Nur coreutils-5.0/src/mkdir.c coreutils-5.0.new/src/mkdir.c
---- coreutils-5.0/src/mkdir.c 2002-09-23 09:35:27.000000000 +0200
-+++ coreutils-5.0.new/src/mkdir.c 2003-06-06 03:01:12.000000000 +0200
-@@ -34,6 +34,15 @@
+diff -Nur coreutils-6.4/src/mkdir.c coreutils-6.4.selinux/src/mkdir.c
+--- coreutils-6.4/src/mkdir.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/mkdir.c 2006-10-31 23:39:34.000000000 +0000
+@@ -35,11 +35,18 @@
#define AUTHORS "David MacKenzie"
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
-+#define CTXTLEN 256
-+char *scontext = NULL;
-+int ctxtlen = CTXTLEN;
-+char *calloc();
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
+#endif
+
/* The name this program was run with. */
char *program_name;
-@@ -42,6 +51,10 @@
-
static struct option const longopts[] =
{
-+#ifdef FLASK_LINUX
-+ {"sid", required_argument, NULL, 's'},
-+ {"context", required_argument, NULL, 'c'},
++#ifdef WITH_SELINUX
++ {"context", required_argument, NULL, 'Z'},
+#endif
{"mode", required_argument, NULL, 'm'},
{"parents", no_argument, NULL, 'p'},
{"verbose", no_argument, NULL, 'v'},
-@@ -63,6 +76,12 @@
+@@ -61,6 +68,11 @@
Create the DIRECTORY(ies), if they do not already exist.\n\
\n\
"), stdout);
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ printf (_("\
-+ -s, --sid=SID (Flask) set security ID to SID\n\
-+ -c, --context=CONTEXT (Flask) set security context to CONTEXT\n\
++ -Z, --context=CONTEXT (SELinux) set security context to CONTEXT\n\
+"));
+#endif
fputs (_("\
Mandatory arguments to long options are mandatory for short options too.\n\
"), stdout);
-@@ -87,6 +106,13 @@
- const char *verbose_fmt_string = NULL;
- int errors = 0;
- int optc;
-+#ifdef FLASK_LINUX
-+ security_id_t sid = -1;
-+ char *scontext = NULL;
-+ int rv;
-+ int is_flask_enabled_flag; /* set iff kernel has extra flask system calls */
-+ is_flask_enabled_flag = is_flask_enabled();
-+#endif
+@@ -154,7 +166,11 @@
- program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -97,7 +123,11 @@
-
- create_parents = 0;
+ atexit (close_stdout);
-+#ifdef FLASK_LINUX
-+ while ((optc = getopt_long (argc, argv, "pm:s:c:v", longopts, NULL)) != -1)
++#ifdef WITH_SELINUX
++ while ((optc = getopt_long (argc, argv, "pm:vZ:", longopts, NULL)) != -1)
+#else
while ((optc = getopt_long (argc, argv, "pm:v", longopts, NULL)) != -1)
+#endif
{
switch (optc)
{
-@@ -112,6 +142,66 @@
+@@ -167,6 +183,19 @@
case 'v': /* --verbose */
- verbose_fmt_string = _("created directory %s");
+ options.created_directory_format = _("created directory %s");
break;
-+#ifdef FLASK_LINUX
-+ case 's':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --sid (-s) can be used only on "
-+ "a flask-enabled kernel.\n" );
-+ exit( 1 );
-+ }
-+ if ( ((int) sid > 0) || (scontext != NULL) ) {
-+ (void) fprintf(stderr, "%s: --sid (-s) and --context (-c) are mutually exclusive\n", argv[0]);
-+ exit( 1 );
-+ }
-+ {
-+ /* check for typos */
-+ char *ep;
-+ sid = (security_id_t) strtol(optarg, &ep, 10);
-+ if ( *ep ) {
-+ (void) fprintf(stderr, "%s: non-numeric SID '%s'\n", argv[0], optarg);
-+ exit( 1 );
-+ }
-+ }
-+ /* do sanity check, save result on success */
-+ scontext = calloc(1, ctxtlen+1);
-+ if ( scontext != NULL ) {
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ if ( errno != ENOSPC ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): '%s'\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ free(scontext);
-+ scontext = calloc(1, ctxtlen+1);
-+ /* nonfatal, so if there's an error we punt */
-+ if ( scontext != NULL )
-+ if ( security_sid_to_context(sid, scontext, &ctxtlen) ) {
-+ (void) fprintf(stderr, "%s: security_sid_to_context(%d): %s\n", argv[0], (int) sid, strerror(errno));
-+ exit( 1 );
-+ }
-+ }
-+ }
-+ break;
-+ case 'c':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --context (-c) can be used only on "
-+ "a flask-enabled kernel.\n" );
-+ exit( 1 );
-+ }
-+ if ( ((int) sid >= 0) || (scontext != NULL) ) {
-+ (void) fprintf(stderr, "%s: --context (-c) and --sid (-s) are mutually exclusive\n", argv[0]);
++#ifdef WITH_SELINUX
++ case 'Z':
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !(is_selinux_enabled()>0)) {
++ fprintf( stderr, _("Sorry, --context (-Z) can be used only on a SELinux-enabled kernel.\n") );
+ exit( 1 );
+ }
-+ scontext = optarg;
-+ /* sanity check */
-+ rv = security_context_to_sid(scontext, strlen(scontext)+1, &sid);
-+ if ( rv ) {
-+ (void) fprintf(stderr, "%s: security_context_to_sid(%s): %s\n", argv[0], scontext, strerror(errno));
++ if (setfscreatecon(optarg)) {
++ fprintf( stderr, _("Sorry, cannot set default context to %s.\n"), optarg);
+ exit( 1 );
+ }
+ break;
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
default:
-@@ -150,14 +240,23 @@
- if (create_parents)
- {
- char *dir = argv[optind];
-+#ifdef FLASK_LINUX
-+ fail = make_path_s (dir, newmode, parent_mode,
-+ -1, -1, 1, verbose_fmt_string, sid);
-+#else
- fail = make_path (dir, newmode, parent_mode,
- -1, -1, 1, verbose_fmt_string);
-+#endif
- }
- else
- {
- const char *dir = argv[optind];
- int dir_created;
-+#ifdef FLASK_LINUX
-+ fail = make_dir_s (dir, dir, newmode, &dir_created, sid);
-+#else
- fail = make_dir (dir, dir, newmode, &dir_created);
-+#endif
- if (fail)
- {
- /* make_dir already gave a diagnostic. */
-diff -Nur coreutils-5.0/src/mkfifo.c coreutils-5.0.new/src/mkfifo.c
---- coreutils-5.0/src/mkfifo.c 2002-08-31 09:29:21.000000000 +0200
-+++ coreutils-5.0.new/src/mkfifo.c 2003-06-06 03:01:12.000000000 +0200
-@@ -32,11 +32,20 @@
+diff -Nur coreutils-6.4/src/mkfifo.c coreutils-6.4.selinux/src/mkfifo.c
+--- coreutils-6.4/src/mkfifo.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/mkfifo.c 2006-10-31 23:39:34.000000000 +0000
+@@ -32,11 +32,18 @@
#define AUTHORS "David MacKenzie"
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
+#endif
+
/* The name this program was run with. */
static struct option const longopts[] =
{
-+#ifdef FLASK_LINUX
-+ {"sid", required_argument, NULL, 's'},
-+ {"context", required_argument, NULL, 'c'},
++#ifdef WITH_SELINUX
++ {"context", required_argument, NULL, 'Z'},
+#endif
{"mode", required_argument, NULL, 'm'},
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
-@@ -57,6 +66,12 @@
+@@ -56,6 +63,11 @@
Create named pipes (FIFOs) with the given NAMEs.\n\
\n\
"), stdout);
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ printf (_("\
-+ -s, --sid=SID set SID\n\
-+ -c, --context=CONTEXT set security context (quoted string)\n\
++ -Z, --context=CONTEXT set security context (quoted string)\n\
+"), stdout);
+#endif
fputs (_("\
Mandatory arguments to long options are mandatory for short options too.\n\
"), stdout);
-@@ -79,6 +94,15 @@
- const char *specified_mode;
- int errors = 0;
- int optc;
-+#ifdef FLASK_LINUX
-+ security_id_t sid = -1;
-+ char *scontext = NULL;
-+ int rv;
-+ int is_flask_enabled_flag; /* set iff kernel has extra flask system calls */
-+
-+ /* Set `is_flask_enabled_flag' iff the kernel has the extra flask syscalls */
-+ is_flask_enabled_flag = is_flask_enabled();
-+#endif
+@@ -85,13 +97,31 @@
- program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -92,7 +116,11 @@
- #ifndef S_ISFIFO
- error (4, 0, _("fifo files not supported"));
- #else
-+#ifdef FLASK_LINUX
-+ while ((optc = getopt_long (argc, argv, "m:s:c:", longopts, NULL)) != -1)
+ atexit (close_stdout);
+
+- while ((optc = getopt_long (argc, argv, "m:", longopts, NULL)) != -1)
++ while ((optc = getopt_long (argc, argv,
++#ifdef WITH_SELINUX
++ "m:Z:",
+#else
- while ((optc = getopt_long (argc, argv, "m:", longopts, NULL)) != -1)
-+#endif
++ "m:",
++#endif
++ longopts, NULL)) != -1)
{
switch (optc)
{
-diff -Nur coreutils-5.0/src/mknod.c coreutils-5.0.new/src/mknod.c
---- coreutils-5.0/src/mknod.c 2002-12-14 15:14:59.000000000 +0100
-+++ coreutils-5.0.new/src/mknod.c 2003-06-06 03:01:12.000000000 +0200
-@@ -36,8 +36,17 @@
+ case 'm':
+ specified_mode = optarg;
+ break;
++#ifdef WITH_SELINUX
++ case 'Z':
++ if( !(is_selinux_enabled()>0)) {
++ fprintf( stderr, _("Sorry, --context (-Z) can be used only on a SELinux-enabled kernel.\n") );
++ exit( 1 );
++ }
++ if (setfscreatecon(optarg)) {
++ fprintf( stderr, _("Sorry, cannot set default context to %s.\n"), optarg);
++ exit( 1 );
++ }
++ break;
++#endif
+ case_GETOPT_HELP_CHAR;
+ case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
+ default:
+diff -Nur coreutils-6.4/src/mknod.c coreutils-6.4.selinux/src/mknod.c
+--- coreutils-6.4/src/mknod.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/mknod.c 2006-10-31 23:39:34.000000000 +0000
+@@ -36,8 +36,15 @@
/* The name this program was run with. */
char *program_name;
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
+#endif
+
static struct option const longopts[] =
{
-+#ifdef FLASK_LINUX
-+ {"sid", required_argument, NULL, 's'},
-+ {"context", required_argument, NULL, 'c'},
++#ifdef WITH_SELINUX
++ {"context", required_argument, NULL, 'Z'},
+#endif
{"mode", required_argument, NULL, 'm'},
{GETOPT_HELP_OPTION_DECL},
{GETOPT_VERSION_OPTION_DECL},
-@@ -58,6 +67,12 @@
+@@ -58,6 +65,11 @@
Create the special file NAME of the given TYPE.\n\
\n\
"), stdout);
-+#ifdef FLASK_LINUX
++#ifdef WITH_SELINUX
+ fputs(_("\
-+ -s, --sid=SID set SID\n\
-+ -c, --context=CONTEXT set security context (quoted string)\n\
++ -Z, --context=CONTEXT set security context (quoted string)\n\
+"), stdout);
+#endif
fputs (_("\
Mandatory arguments to long options are mandatory for short options too.\n\
"), stdout);
-@@ -92,6 +107,15 @@
- const char *specified_mode;
- int optc;
- mode_t node_type;
-+#ifdef FLASK_LINUX
-+ security_id_t sid = -1;
-+ char *scontext = NULL;
-+ int rv;
-+ int is_flask_enabled_flag; /* set iff kernel has extra flask system calls */
-+
-+ /* Set `is_flask_enabled_flag' iff the kernel has the extra flask syscalls */
-+ is_flask_enabled_flag = is_flask_enabled();
-+#endif
-
- program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -102,7 +126,11 @@
+@@ -101,13 +113,30 @@
- specified_mode = NULL;
+ atexit (close_stdout);
-+#ifdef FLASK_LINUX
-+ while ((optc = getopt_long (argc, argv, "m:s:c:", longopts, NULL)) != -1)
++#ifdef WITH_SELINUX
++ while ((optc = getopt_long (argc, argv, "m:Z:", longopts, NULL)) != -1)
+#else
while ((optc = getopt_long (argc, argv, "m:", longopts, NULL)) != -1)
+#endif
{
switch (optc)
{
-@@ -111,6 +139,46 @@
case 'm':
specified_mode = optarg;
break;
-+#ifdef FLASK_LINUX
-+ case 's':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --sid (-s) can be used only on "
-+ "a flask-enabled kernel.\n" );
++#ifdef WITH_SELINUX
++ case 'Z':
++ /* politely decline if we're not on a selinux-enabled kernel. */
++ if( !(is_selinux_enabled()>0)) {
++ fprintf( stderr, _("Sorry, --context (-Z) can be used only on a SELinux-enabled kernel.\n") );
+ exit( 1 );
+ }
-+ if ( scontext != NULL ) {
-+ (void) printf("%s: --sid (-s) and --context (-c) are mutually exclusive\n", argv[0]);
-+ (void) fflush(stdout);
-+ close_stdout();
-+ exit(1);
-+ }
-+ sid = atoi(optarg);
-+ break;
-+ case 'c':
-+ /* politely decline if we're not on a flask-enabled kernel. */
-+ if( !is_flask_enabled_flag ) {
-+ fprintf( stderr, "Sorry, --context (-c) can be used only on "
-+ "a flask-enabled kernel.\n" );
++ if (setfscreatecon(optarg)) {
++ fprintf( stderr, _("Sorry, cannot set default context to %s.\n"), optarg);
+ exit( 1 );
+ }
-+ if ( (int) sid >= 0 ) {
-+ (void) printf("%s: --context (-c) and --sid (-s) are mutually exclusive\n", argv[0]);
-+ (void) fflush(stdout);
-+ close_stdout();
-+ exit(1);
-+ }
-+ scontext = optarg;
-+ rv = security_context_to_sid(scontext, strlen(scontext)+1, &sid);
-+ if ( rv ) {
-+ (void) printf("%s: security_context_to_sid(%s): %s\n", argv[0], scontext,
-+ strerror(errno));
-+ (void) fflush(stdout);
-+ close_stdout();
-+ exit(1);
-+ }
+ break;
+#endif
case_GETOPT_HELP_CHAR;
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
default:
-@@ -196,6 +264,18 @@
- error (EXIT_FAILURE, 0, _("invalid device %s %s"), s_major, s_minor);
- #endif
-
-+#ifdef FLASK_LINUX
-+ /* `sid' will be > 0 iff the --sid (-s) option was specified on the *
-+ * command line. The --sid argument processing code exits politely *
-+ * if the kernel doesn't support the new flask system calls. So, *
-+ * if sid > 0 at this point, we know we're on a flask-enabled kernel *
-+ * and can call the "_secure" version of mknod. */
-+ if ( (int) sid > 0 ) {
-+ if ( mknod_secure (argv[optind], newmode | S_IFBLK, makedev (i_major, i_minor), sid) )
-+ error (1, errno, "mknod_secure(%s)", argv[optind]);
-+ }
-+ else
-+#endif
- if (mknod (argv[optind], newmode | node_type, device) != 0)
- error (EXIT_FAILURE, errno, "%s", quote (argv[optind]));
- }
-@@ -211,6 +291,18 @@
- major and minor device numbers may not be specified for fifo files"));
- usage (EXIT_FAILURE);
- }
-+#ifdef FLASK_LINUX
-+ /* `sid' will be > 0 iff the --sid (-s) option was specified on the *
-+ * command line. The --sid argument processing code exits politely *
-+ * if the kernel doesn't support the new flask system calls. So, *
-+ * if sid > 0 at this point, we know we're on a flask-enabled kernel *
-+ * and can call the "_secure" version of mknod. */
-+ if( (int) sid > 0 )
-+ {
-+ if ( mkfifo_secure (argv[optind], newmode, sid) )
-+ error (1, errno, "%s", quote (argv[optind]));
-+ } else
-+#endif
- if (mkfifo (argv[optind], newmode))
- error (EXIT_FAILURE, errno, "%s", quote (argv[optind]));
- #endif
-diff -Nur coreutils-5.0/src/mv.c coreutils-5.0.new/src/mv.c
---- coreutils-5.0/src/mv.c 2003-06-06 02:58:57.000000000 +0200
-+++ coreutils-5.0.new/src/mv.c 2003-06-06 03:01:12.000000000 +0200
-@@ -37,6 +37,10 @@
- #include "path-concat.h"
+diff -Nur coreutils-6.4/src/mv.c coreutils-6.4.selinux/src/mv.c
+--- coreutils-6.4/src/mv.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/mv.c 2006-10-31 23:39:34.000000000 +0000
+@@ -33,6 +33,11 @@
#include "quote.h"
#include "remove.h"
-+#ifdef FLASK_LINUX
-+#include <fs_secure.h>
-+#include <flask_util.h> /* for is_flask_enabled() */
-+#endif
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h> /* for is_selinux_enabled() */
++int selinux_enabled=0;
++#endif
++
/* The official name of this program (e.g., no `g' prefix). */
#define PROGRAM_NAME "mv"
-@@ -139,7 +143,12 @@
- x->update = 0;
- x->verbose = 0;
-+#ifdef FLASK_LINUX
-+ x->preserve_security_context = 0;
-+ x->xstat = lstat_secure;
-+#else
- x->xstat = lstat;
+@@ -125,6 +130,9 @@
+ x->preserve_links = true;
+ x->preserve_mode = true;
+ x->preserve_timestamps = true;
++#ifdef WITH_SELINUX
++ x->preserve_security_context = true;
+#endif
- x->dest_info = NULL;
- x->src_info = NULL;
- }
-@@ -324,6 +333,10 @@
- equivalent to --reply=query\n\
- "), stdout);
- fputs (_("\
-+ -c preserve security context when source and\n\
-+ destination are on different file systems\n\
-+"), stdout);
-+ fputs (_("\
- --reply={yes,no,query} specify how to handle the prompt about an\n\
- existing destination file\n\
- --strip-trailing-slashes remove any trailing slashes from each SOURCE\n\
-@@ -371,6 +384,9 @@
- int target_directory_specified;
- unsigned int n_files;
- char **file;
-+#ifdef FLASK_LINUX
-+ int is_flask_enabled_flag = is_flask_enabled();
-+#endif;
+ x->require_preserve = false; /* FIXME: maybe make this an option */
+ x->recursive = true;
+ x->sparse_mode = SPARSE_AUTO; /* FIXME: maybe make this an option */
+@@ -356,6 +364,10 @@
- program_name = argv[0];
- setlocale (LC_ALL, "");
-@@ -387,7 +403,11 @@
+ cp_option_init (&x);
- errors = 0;
-
-+#ifdef FLASK_LINUX
-+ while ((c = getopt_long (argc, argv, "bcfiuvS:V:", long_options, NULL)) != -1)
-+#else
- while ((c = getopt_long (argc, argv, "bfiuvS:V:", long_options, NULL)) != -1)
-+#endif
- {
- switch (c)
- {
-@@ -406,6 +426,12 @@
- if (optarg)
- version_control_string = optarg;
- break;
-+#ifdef FLASK_LINUX
-+ case 'c':
-+ if (is_flask_enabled_flag)
-+ x.preserve_security_context = 1;
-+ break;
-+#endif
- case 'f':
- x.interactive = I_ALWAYS_YES;
- break;
-diff -Nur coreutils-5.0/src/mv.c.orig coreutils-5.0.new/src/mv.c.orig
---- coreutils-5.0/src/mv.c.orig 1970-01-01 01:00:00.000000000 +0100
-+++ coreutils-5.0.new/src/mv.c.orig 2003-06-06 03:00:43.000000000 +0200
-@@ -0,0 +1,499 @@
-+/* mv -- move or rename files
-+ Copyright (C) 86, 89, 90, 91, 1995-2002 Free Software Foundation, Inc.
-+
-+ This program is free software; you can redistribute it and/or modify
-+ it under the terms of the GNU General Public License as published by
-+ the Free Software Foundation; either version 2, or (at your option)
-+ any later version.
-+
-+ This program is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ GNU General Public License for more details.
-+
-+ You should have received a copy of the GNU General Public License
-+ along with this program; if not, write to the Free Software Foundation,
-+ Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
-+
-+/* Written by Mike Parker, David MacKenzie, and Jim Meyering */
-+
-+#ifdef _AIX
-+ #pragma alloca
++#ifdef WITH_SELINUX
++ selinux_enabled= (is_selinux_enabled()>0);
+#endif
+
-+#include <config.h>
-+#include <stdio.h>
-+#include <getopt.h>
-+#include <sys/types.h>
-+#include <assert.h>
-+
-+#include "system.h"
-+#include "argmatch.h"
-+#include "backupfile.h"
-+#include "copy.h"
-+#include "cp-hash.h"
-+#include "dirname.h"
-+#include "error.h"
-+#include "path-concat.h"
-+#include "quote.h"
-+#include "remove.h"
-+
-+/* The official name of this program (e.g., no `g' prefix). */
-+#define PROGRAM_NAME "mv"
-+
-+#define AUTHORS N_ ("Mike Parker, David MacKenzie, and Jim Meyering")
-+
-+/* Initial number of entries in each hash table entry's table of inodes. */
-+#define INITIAL_HASH_MODULE 100
-+
-+/* Initial number of entries in the inode hash table. */
-+#define INITIAL_ENTRY_TAB_SIZE 70
-+
-+/* For long options that have no equivalent short option, use a
-+ non-character as a pseudo short option, starting with CHAR_MAX + 1. */
-+enum
-+{
-+ TARGET_DIRECTORY_OPTION = CHAR_MAX + 1,
-+ STRIP_TRAILING_SLASHES_OPTION,
-+ REPLY_OPTION
-+};
-+
-+int isdir ();
-+int lstat ();
-+
-+/* The name this program was run with. */
-+char *program_name;
-+
-+/* Remove any trailing slashes from each SOURCE argument. */
-+static int remove_trailing_slashes;
-+
-+/* Valid arguments to the `--reply' option. */
-+static char const* const reply_args[] =
-+{
-+ "yes", "no", "query", 0
-+};
-+
-+/* The values that correspond to the above strings. */
-+static int const reply_vals[] =
-+{
-+ I_ALWAYS_YES, I_ALWAYS_NO, I_ASK_USER
-+};
-+
-+static struct option const long_options[] =
-+{
-+ {"backup", optional_argument, NULL, 'b'},
-+ {"force", no_argument, NULL, 'f'},
-+ {"interactive", no_argument, NULL, 'i'},
-+ {"reply", required_argument, NULL, REPLY_OPTION},
-+ {"strip-trailing-slashes", no_argument, NULL, STRIP_TRAILING_SLASHES_OPTION},
-+ {"suffix", required_argument, NULL, 'S'},
-+ {"target-directory", required_argument, NULL, TARGET_DIRECTORY_OPTION},
-+ {"update", no_argument, NULL, 'u'},
-+ {"verbose", no_argument, NULL, 'v'},
-+ {"version-control", required_argument, NULL, 'V'},
-+ {GETOPT_HELP_OPTION_DECL},
-+ {GETOPT_VERSION_OPTION_DECL},
-+ {NULL, 0, NULL, 0}
-+};
-+
-+static void
-+rm_option_init (struct rm_options *x)
-+{
-+ x->unlink_dirs = 0;
-+
-+ x->ignore_missing_files = 0;
-+
-+ x->recursive = 1;
-+
-+ /* Should we prompt for removal, too? No. Prompting for the `move'
-+ part is enough. It implies removal. */
-+ x->interactive = 0;
-+ x->stdin_tty = 0;
-+
-+ x->verbose = 0;
-+}
-+
-+static void
-+cp_option_init (struct cp_options *x)
-+{
-+ x->copy_as_regular = 0; /* FIXME: maybe make this an option */
-+ x->dereference = DEREF_NEVER;
-+ x->unlink_dest_before_opening = 0;
-+ x->unlink_dest_after_failed_open = 0;
-+ x->hard_link = 0;
-+ x->interactive = I_UNSPECIFIED;
-+ x->move_mode = 1;
-+ x->myeuid = geteuid ();
-+ x->one_file_system = 0;
-+ x->preserve_ownership = 1;
-+ x->preserve_links = 1;
-+ x->preserve_mode = 1;
-+ x->preserve_timestamps = 1;
-+ x->require_preserve = 0; /* FIXME: maybe make this an option */
-+ x->recursive = 1;
-+ x->sparse_mode = SPARSE_AUTO; /* FIXME: maybe make this an option */
-+ x->symbolic_link = 0;
-+ x->set_mode = 0;
-+ x->mode = 0;
-+ x->stdin_tty = isatty (STDIN_FILENO);
-+
-+ x->update = 0;
-+ x->verbose = 0;
-+ x->xstat = lstat;
-+ x->dest_info = NULL;
-+ x->src_info = NULL;
-+}
-+
-+/* If PATH is an existing directory, return nonzero, else 0. */
-+
-+static int
-+is_real_dir (const char *path)
-+{
-+ struct stat stats;
-+
-+ return lstat (path, &stats) == 0 && S_ISDIR (stats.st_mode);
-+}
-+
-+/* Move SOURCE onto DEST. Handles cross-filesystem moves.
-+ If SOURCE is a directory, DEST must not exist.
-+ Return 0 if successful, non-zero if an error occurred. */
-+
-+static int
-+do_move (const char *source, const char *dest, const struct cp_options *x)
-+{
-+ static int first = 1;
-+ int copy_into_self;
-+ int rename_succeeded;
-+ int fail;
-+
-+ if (first)
-+ {
-+ first = 0;
-+
-+ /* Allocate space for remembering copied and created files. */
-+ hash_init ();
-+ }
-+
-+ fail = copy (source, dest, 0, x, ©_into_self, &rename_succeeded);
-+
-+ if (!fail)
-+ {
-+ char const *dir_to_remove;
-+ if (copy_into_self)
-+ {
-+ /* In general, when copy returns with copy_into_self set, SOURCE is
-+ the same as, or a parent of DEST. In this case we know it's a
-+ parent. It doesn't make sense to move a directory into itself, and
-+ besides in some situations doing so would give highly nonintuitive
-+ results. Run this `mkdir b; touch a c; mv * b' in an empty
-+ directory. Here's the result of running echo `find b -print`:
-+ b b/a b/b b/b/a b/c. Notice that only file `a' was copied
-+ into b/b. Handle this by giving a diagnostic, removing the
-+ copied-into-self directory, DEST (`b/b' in the example),
-+ and failing. */
-+
-+ dir_to_remove = NULL;
-+ fail = 1;
-+ }
-+ else if (rename_succeeded)
-+ {
-+ /* No need to remove anything. SOURCE was successfully
-+ renamed to DEST. Or the user declined to rename a file. */
-+ dir_to_remove = NULL;
-+ }
-+ else
-+ {
-+ /* This may mean SOURCE and DEST referred to different devices.
-+ It may also conceivably mean that even though they referred
-+ to the same device, rename wasn't implemented for that device.
-+
-+ E.g., (from Joel N. Weber),
-+ [...] there might someday be cases where you can't rename
-+ but you can copy where the device name is the same, especially
-+ on Hurd. Consider an ftpfs with a primitive ftp server that
-+ supports uploading, downloading and deleting, but not renaming.
-+
-+ Also, note that comparing device numbers is not a reliable
-+ check for `can-rename'. Some systems can be set up so that
-+ files from many different physical devices all have the same
-+ st_dev field. This is a feature of some NFS mounting
-+ configurations.
-+
-+ We reach this point if SOURCE has been successfully copied
-+ to DEST. Now we have to remove SOURCE.
-+
-+ This function used to resort to copying only when rename
-+ failed and set errno to EXDEV. */
-+
-+ dir_to_remove = source;
-+ }
-+
-+ if (dir_to_remove != NULL)
-+ {
-+ struct rm_options rm_options;
-+ enum RM_status status;
-+
-+ rm_option_init (&rm_options);
-+ rm_options.verbose = x->verbose;
-+
-+ status = rm (1, &dir_to_remove, &rm_options);
-+ assert (VALID_STATUS (status));
-+ if (status == RM_ERROR)
-+ fail = 1;
-+ }
-+ }
-+
-+ return fail;
-+}
-+
-+/* Move file SOURCE onto DEST. Handles the case when DEST is a directory.
-+ DEST_IS_DIR must be nonzero when DEST is a directory or a symlink to a
-+ directory and zero otherwise.
-+ Return 0 if successful, non-zero if an error occurred. */
-+
-+static int
-+movefile (char *source, char *dest, int dest_is_dir,
-+ const struct cp_options *x)
-+{
-+ int dest_had_trailing_slash = strip_trailing_slashes (dest);
-+ int fail;
-+
-+ /* This code was introduced to handle the ambiguity in the semantics
-+ of mv that is induced by the varying semantics of the rename function.
-+ Some systems (e.g., Linux) have a rename function that honors a
-+ trailing slash, while others (like Solaris 5,6,7) have a rename
-+ function that ignores a trailing slash. I believe the Linux
-+ rename semantics are POSIX and susv2 compliant. */
-+
-+ if (remove_trailing_slashes)
-+ strip_trailing_slashes (source);
-+
-+ /* In addition to when DEST is a directory, if DEST has a trailing
-+ slash and neither SOURCE nor DEST is a directory, presume the target
-+ is DEST/`basename source`. This converts `mv x y/' to `mv x y/x'.
-+ This change means that the command `mv any file/' will now fail
-+ rather than performing the move. The case when SOURCE is a
-+ directory and DEST is not is properly diagnosed by do_move. */
-+
-+ if (dest_is_dir || (dest_had_trailing_slash && !is_real_dir (source)))
-+ {
-+ /* DEST is a directory; build full target filename. */
-+ char const *src_basename = base_name (source);
-+ char *new_dest = path_concat (dest, src_basename, NULL);
-+ if (new_dest == NULL)
-+ xalloc_die ();
-+ strip_trailing_slashes (new_dest);
-+ fail = do_move (source, new_dest, x);
-+ free (new_dest);
-+ }
-+ else
-+ {
-+ fail = do_move (source, dest, x);
-+ }
-+
-+ return fail;
-+}
-+
-+void
-+usage (int status)
-+{
-+ if (status != 0)
-+ fprintf (stderr, _("Try `%s --help' for more information.\n"),
-+ program_name);
-+ else
-+ {
-+ printf (_("\
-+Usage: %s [OPTION]... SOURCE DEST\n\
-+ or: %s [OPTION]... SOURCE... DIRECTORY\n\
-+ or: %s [OPTION]... --target-directory=DIRECTORY SOURCE...\n\
-+"),
-+ program_name, program_name, program_name);
-+ fputs (_("\
-+Rename SOURCE to DEST, or move SOURCE(s) to DIRECTORY.\n\
-+\n\
-+"), stdout);
-+ fputs (_("\
-+Mandatory arguments to long options are mandatory for short options too.\n\
-+"), stdout);
-+ fputs (_("\
-+ --backup[=CONTROL] make a backup of each existing destination file\n\
-+ -b like --backup but does not accept an argument\n\
-+ -f, --force do not prompt before overwriting\n\
-+ equivalent to --reply=yes\n\
-+ -i, --interactive prompt before overwrite\n\
-+ equivalent to --reply=query\n\
-+"), stdout);
-+ fputs (_("\
-+ --reply={yes,no,query} specify how to handle the prompt about an\n\
-+ existing destination file\n\
-+ --strip-trailing-slashes remove any trailing slashes from each SOURCE\n\
-+ argument\n\
-+ -S, --suffix=SUFFIX override the usual backup suffix\n\
-+"), stdout);
-+ fputs (_("\
-+ --target-directory=DIRECTORY move all SOURCE arguments into DIRECTORY\n\
-+ -u, --update move only when the SOURCE file is newer\n\
-+ than the destination file or when the\n\
-+ destination file is missing\n\
-+ -v, --verbose explain what is being done\n\
-+"), stdout);
-+ fputs (HELP_OPTION_DESCRIPTION, stdout);
-+ fputs (VERSION_OPTION_DESCRIPTION, stdout);
-+ fputs (_("\
-+\n\
-+The backup suffix is `~', unless set with --suffix or SIMPLE_BACKUP_SUFFIX.\n\
-+The version control method may be selected via the --backup option or through\n\
-+the VERSION_CONTROL environment variable. Here are the values:\n\
-+\n\
-+"), stdout);
-+ fputs (_("\
-+ none, off never make backups (even if --backup is given)\n\
-+ numbered, t make numbered backups\n\
-+ existing, nil numbered if numbered backups exist, simple otherwise\n\
-+ simple, never always make simple backups\n\
-+"), stdout);
-+ printf (_("\nReport bugs to <%s>.\n"), PACKAGE_BUGREPORT);
-+ }
-+ exit (status);
-+}
-+
-+int
-+main (int argc, char **argv)
-+{
-+ int c;
-+ int errors;
-+ int make_backups = 0;
-+ int dest_is_dir;
-+ char *backup_suffix_string;
-+ char *version_control_string = NULL;
-+ struct cp_options x;
-+ char *target_directory = NULL;
-+ int target_directory_specified;
-+ unsigned int n_files;
-+ char **file;
-+
-+ program_name = argv[0];
-+ setlocale (LC_ALL, "");
-+ bindtextdomain (PACKAGE, LOCALEDIR);
-+ textdomain (PACKAGE);
-+
-+ atexit (close_stdout);
-+
-+ cp_option_init (&x);
-+
-+ /* FIXME: consider not calling getenv for SIMPLE_BACKUP_SUFFIX unless
-+ we'll actually use backup_suffix_string. */
-+ backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
-+
-+ errors = 0;
-+
-+ while ((c = getopt_long (argc, argv, "bfiuvS:V:", long_options, NULL)) != -1)
-+ {
-+ switch (c)
-+ {
-+ case 0:
-+ break;
-+
-+ case 'V': /* FIXME: this is deprecated. Remove it in 2001. */
-+ error (0, 0,
-+ _("warning: --version-control (-V) is obsolete; support for\
-+ it\nwill be removed in some future release. Use --backup=%s instead."
-+ ), optarg);
-+ /* Fall through. */
-+
-+ case 'b':
-+ make_backups = 1;
-+ if (optarg)
-+ version_control_string = optarg;
-+ break;
-+ case 'f':
-+ x.interactive = I_ALWAYS_YES;
-+ break;
-+ case 'i':
-+ x.interactive = I_ASK_USER;
-+ break;
-+ case REPLY_OPTION:
-+ x.interactive = XARGMATCH ("--reply", optarg,
-+ reply_args, reply_vals);
-+ break;
-+ case STRIP_TRAILING_SLASHES_OPTION:
-+ remove_trailing_slashes = 1;
-+ break;
-+ case TARGET_DIRECTORY_OPTION:
-+ target_directory = optarg;
-+ break;
-+ case 'u':
-+ x.update = 1;
-+ break;
-+ case 'v':
-+ x.verbose = 1;
-+ break;
-+ case 'S':
-+ make_backups = 1;
-+ backup_suffix_string = optarg;
-+ break;
-+ case_GETOPT_HELP_CHAR;
-+ case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
-+ default:
-+ usage (EXIT_FAILURE);
-+ }
-+ }
-+
-+ n_files = argc - optind;
-+ file = argv + optind;
-+
-+ target_directory_specified = (target_directory != NULL);
-+ if (target_directory == NULL && n_files != 0)
-+ target_directory = file[n_files - 1];
-+
-+ dest_is_dir = (n_files > 0 && isdir (target_directory));
-+
-+ if (n_files == 0 || (n_files == 1 && !target_directory_specified))
-+ {
-+ error (0, 0, _("missing file argument"));
-+ usage (EXIT_FAILURE);
-+ }
-+
-+ if (target_directory_specified)
-+ {
-+ if (!dest_is_dir)
-+ {
-+ error (0, 0, _("specified target, %s is not a directory"),
-+ quote (target_directory));
-+ usage (EXIT_FAILURE);
-+ }
-+ }
-+ else if (n_files > 2 && !dest_is_dir)
-+ {
-+ error (0, 0,
-+ _("when moving multiple files, last argument must be a directory"));
-+ usage (EXIT_FAILURE);
-+ }
-+
-+ if (backup_suffix_string)
-+ simple_backup_suffix = xstrdup (backup_suffix_string);
-+
-+ x.backup_type = (make_backups
-+ ? xget_version (_("backup type"),
-+ version_control_string)
-+ : none);
-+
-+ /* Move each arg but the last into the target_directory. */
-+ {
-+ unsigned int last_file_idx = (target_directory_specified
-+ ? n_files - 1
-+ : n_files - 2);
-+ unsigned int i;
-+
-+ /* Initialize the hash table only if we'll need it.
-+ The problem it is used to detect can arise only if there are
-+ two or more files to move. */
-+ if (last_file_idx)
-+ dest_info_init (&x);
-+
-+ for (i = 0; i <= last_file_idx; ++i)
-+ errors |= movefile (file[i], target_directory, dest_is_dir, &x);
-+ }
-+
-+ exit (errors);
-+}
-diff -Nur coreutils-5.0/src/runas.c coreutils-5.0.new/src/runas.c
---- coreutils-5.0/src/runas.c 1970-01-01 01:00:00.000000000 +0100
-+++ coreutils-5.0.new/src/runas.c 2003-06-06 03:01:12.000000000 +0200
-@@ -0,0 +1,215 @@
+ /* FIXME: consider not calling getenv for SIMPLE_BACKUP_SUFFIX unless
+ we'll actually use backup_suffix_string. */
+ backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
+diff -Nur coreutils-6.4/src/runcon.c coreutils-6.4.selinux/src/runcon.c
+--- coreutils-6.4/src/runcon.c 1970-01-01 00:00:00.000000000 +0000
++++ coreutils-6.4.selinux/src/runcon.c 2006-10-31 23:39:34.000000000 +0000
+@@ -0,0 +1,174 @@
+/*
-+ * runas [ context | [ -s sid ] |
++ * runcon [ context |
+ * ( [ -r role ] [-t type] [ -u user ] [ -l levelrange ] )
+ * command [arg1 [arg2 ...] ]
+ *
+ * attempt to run the specified command with the specified context.
+ *
-+ * -s sid : use the context corresponding to the specified sid
+ * -r role : use the current context with the specified role
+ * -t type : use the current context with the specified type
+ * -u user : use the current context with the specified user
+ * 4 N error
+ */
+
++#include <config.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <getopt.h>
-+#include <context.h>
-+#include <proc_secure.h>
++#include <selinux/context.h>
++#include <selinux/selinux.h>
+#include <errno.h>
++#include "system.h"
+extern int errno;
+
-+char *role = 0;
-+char *range = 0;
-+char *user = 0;
-+char *type = 0;
-+char *context = 0;
-+
+/* The name the program was run with. */
+char *program_name;
+
+void
+usage(char *str)
+{
-+ printf("Usage: %s [OPTION]... command [args]\n"
++ printf(_("Usage: %s [OPTION]... command [args]\n"
+ "Run a program in a different security context.\n\n"
+ " context Complete security context\n"
-+ " -s sid Security ID number\n"
+ " -t type (for same role as parent)\n"
+ " -u user identity\n"
+ " -r role\n"
+ " -l levelrange\n"
-+ " --help display this help and exit\n",
++ " --help display this help and exit\n"),
+ program_name);
+ exit(1);
+}
+int
+main(int argc,char **argv,char **envp )
+{
-+ context_t con;
-+ security_id_t sid = 0; /* 0 is not a vaild sid */
-+
-+ program_name = argv[0];
-+
-+ while (1) {
-+ int c;
-+ int this_option_optind = optind ? optind : 1;
-+ int option_index = 0;
-+ static struct option long_options[] = {
-+ { "sid", 1, 0, 's' },
-+ { "role", 1, 0, 'r' },
-+ { "type", 1, 0, 't' },
-+ { "user", 1, 0, 'u' },
-+ { "range", 1, 0, 'l' },
-+ { "help", 0, 0, '?' },
-+ { 0, 0, 0, 0 }
-+ };
-+ c = getopt_long(argc, argv, "s:r:t:u:l:?", long_options, &option_index);
-+ if ( c == -1 ) {
-+ break;
-+ }
-+ switch ( c ) {
-+ case 's':
-+ if ( !( sid == 0 ) ) {
-+ fprintf(stderr,"multiple sids\n");
-+ exit(1);
-+ }
-+ sid = (int)strtoul( optarg, (char **)NULL, 10);
-+
-+ /* Check for an invalid sid. */
-+ if( ( errno == ERANGE ) || ( sid == 0 ) ) {
-+ fprintf( stderr, "invalid sid\n" );
-+ exit( 1 );
-+ }
-+ break;
-+ case 'r':
-+ if ( role ) {
-+ fprintf(stderr,"multiple roles\n");
-+ exit(1);
-+ }
-+ role = optarg;
-+ break;
-+ case 't':
-+ if ( type ) {
-+ fprintf(stderr,"multiple types\n");
-+ exit(1);
-+ }
-+ type = optarg;
-+ break;
-+ case 'u':
-+ if ( user ) {
-+ fprintf(stderr,"multiple users\n");
-+ exit(1);
-+ }
-+ user = optarg;
-+ break;
-+ case 'l':
-+ if ( range ) {
-+ fprintf(stderr,"multiple levelranges\n");
-+ exit(1);
-+ }
-+ range = optarg;
-+ break;
-+ default:
-+ fprintf(stderr,"unrecognised option %c\n",c);
-+ case '?':
-+ usage(0);
-+ break;
-+ }
-+ }
-+ if ( ( !(user || role || type || range) ) &&
-+ ( sid == 0 ) ) {
-+ if ( optind >= argc ) {
-+ usage("must specify -t, -u, -l, -r, -s or context");
-+ }
-+ context = argv[optind++];
-+ }
-+
-+ if ( context ) {
-+ con = context_new(context);
-+ if (!con) {
-+ fprintf(stderr,"%s is not a valid context\n", context);
-+ exit(1);
-+ }
-+ } else if( sid == 0 ) { /* sid != 0 means sid already set by --sid */
-+ security_id_t mysid;
-+ char buff[1024];
-+ int len = sizeof(buff);
-+ mysid = getsecsid();
-+ if ( security_sid_to_context(mysid,
-+ buff,
-+ &len ) ) {
-+ perror("security_sid_to_context");
-+ exit(1);
-+ }
-+ con = context_new(buff);
-+ if (!con) {
-+ fprintf(stderr,"%s is not a valid context\n", buff);
-+ exit(1);
-+ }
-+ if ( user ) {
-+ context_user_set(con,user);
-+ }
-+ if ( type ) {
-+ context_type_set(con,type);
-+ }
-+ if ( range ) {
-+ context_range_set(con,range);
-+ }
-+ if ( role ) {
-+ context_role_set(con,role);
-+ }
-+ }
-+ if ( optind >= argc ) {
-+ usage("no command found");
-+ }
-+
-+#ifdef DEBUG_BROKEN_NEED_TO_HANDLE_SID_CASE
-+ fprintf(stderr,"Context to use is \"%s\"\n",context_str(con));
-+ fprintf(stderr,"Command is \"");
-+ {
-+ int tmpoptind = optind;
-+ while ( tmpoptind < argc ) {
-+ fprintf(stderr,"%s",argv[tmpoptind++]);
-+ if ( tmpoptind < argc ) {
-+ printf(" ");
-+ }
-+ }
-+ fprintf(stderr,"\"\n");
-+ }
-+#endif
-+
-+ if( sid == 0 ) { /* sid != 0 means sid already set by --sid */
-+ if ( security_context_to_sid(context_str(con),
-+ strlen(context_str(con))+1,&sid) ) {
-+ perror("security_context_to_sid");
-+ exit(1);
-+ }
-+ }
++ char *role = 0;
++ char *range = 0;
++ char *user = 0;
++ char *type = 0;
++ char *context = NULL;
++ security_context_t cur_context = NULL;
+
-+#ifdef DEBUG
-+ fprintf(stderr,"sid = %d\n",sid);
-+#endif
-+#ifdef NOT_NOW
-+ if ( execve_secure(argv[optind],argv+optind,envp,sid) ) {
-+#endif
-+ if ( execvp_secure(argv[optind],sid,argv+optind) ) {
-+ perror("execvp_secure");
-+ exit(1);
-+ }
-+ return 1; /* can't reach this statement.... */
++ context_t con;
++
++ program_name = argv[0];
++ setlocale (LC_ALL, "");
++ bindtextdomain (PACKAGE, LOCALEDIR);
++ textdomain (PACKAGE);
++
++ while (1) {
++ int c;
++ int this_option_optind = optind ? optind : 1;
++ int option_index = 0;
++ static struct option long_options[] = {
++ { "role", 1, 0, 'r' },
++ { "type", 1, 0, 't' },
++ { "user", 1, 0, 'u' },
++ { "range", 1, 0, 'l' },
++ { "help", 0, 0, '?' },
++ { 0, 0, 0, 0 }
++ };
++ c = getopt_long(argc, argv, "s:r:t:u:l:?", long_options, &option_index);
++ if ( c == -1 ) {
++ break;
++ }
++ switch ( c ) {
++ case 'r':
++ if ( role ) {
++ fprintf(stderr,_("multiple roles\n"));
++ exit(1);
++ }
++ role = optarg;
++ break;
++ case 't':
++ if ( type ) {
++ fprintf(stderr,_("multiple types\n"));
++ exit(1);
++ }
++ type = optarg;
++ break;
++ case 'u':
++ if ( user ) {
++ fprintf(stderr,_("multiple users\n"));
++ exit(1);
++ }
++ user = optarg;
++ break;
++ case 'l':
++ if ( range ) {
++ fprintf(stderr,_("multiple levelranges\n"));
++ exit(1);
++ }
++ range = optarg;
++ break;
++ default:
++ fprintf(stderr,_("unrecognised option %c\n"),c);
++ case '?':
++ usage(0);
++ break;
++ }
++ }
++ if ( !(user || role || type || range)) {
++ if ( optind >= argc ) {
++ usage(_("must specify -t, -u, -l, -r, or context"));
++ }
++ context = argv[optind++];
++ }
++
++ if ( optind >= argc ) {
++ usage(_("no command found"));
++ }
++
++ if ( context ) {
++ con = context_new(context);
++ if (!con) {
++ fprintf(stderr,_("%s is not a valid context\n"), context);
++ exit(1);
++ }
++ }
++ else {
++ getcon(&cur_context);
++ con = context_new(cur_context);
++ if (!con) {
++ fprintf(stderr,_("%s is not a valid context\n"), context);
++ exit(1);
++ }
++ if ( user ) {
++ context_user_set(con,user);
++ }
++ if ( type ) {
++ context_type_set(con,type);
++ }
++ if ( range ) {
++ context_range_set(con,range);
++ }
++ if ( role ) {
++ context_role_set(con,role);
++ }
++ }
++
++ if (setexeccon(context_str(con))!=0) {
++ fprintf(stderr,_("unable to setup security context %s\n"), context_str(con));
++ exit(1);
++ }
++ if (cur_context!=NULL)
++ freecon(cur_context);
++
++ if ( execvp(argv[optind],argv+optind) ) {
++ perror("execvp");
++ exit(1);
++ }
++ return 1; /* can't reach this statement.... */
+}
-diff -Nur coreutils-5.0/src/su.c.orig coreutils-5.0.new/src/su.c.orig
---- coreutils-5.0/src/su.c.orig 2002-08-31 09:28:18.000000000 +0200
-+++ coreutils-5.0.new/src/su.c.orig 1970-01-01 01:00:00.000000000 +0100
-@@ -1,583 +0,0 @@
--/* su for GNU. Run a shell with substitute user and group IDs.
-- Copyright (C) 1992-2002 Free Software Foundation, Inc.
--
-- This program is free software; you can redistribute it and/or modify
-- it under the terms of the GNU General Public License as published by
-- the Free Software Foundation; either version 2, or (at your option)
-- any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-- GNU General Public License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with this program; if not, write to the Free Software Foundation,
-- Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
--
--/* Run a shell with the real and effective UID and GID and groups
-- of USER, default `root'.
--
-- The shell run is taken from USER's password entry, /bin/sh if
-- none is specified there. If the account has a password, su
-- prompts for a password unless run by a user with real UID 0.
--
-- Does not change the current directory.
-- Sets `HOME' and `SHELL' from the password entry for USER, and if
-- USER is not root, sets `USER' and `LOGNAME' to USER.
-- The subshell is not a login shell.
--
-- If one or more ARGs are given, they are passed as additional
-- arguments to the subshell.
--
-- Does not handle /bin/sh or other shells specially
-- (setting argv[0] to "-su", passing -c only to certain shells, etc.).
-- I don't see the point in doing that, and it's ugly.
--
-- This program intentionally does not support a "wheel group" that
-- restricts who can su to UID 0 accounts. RMS considers that to
-- be fascist.
--
-- Options:
-- -, -l, --login Make the subshell a login shell.
-- Unset all environment variables except
-- TERM, HOME and SHELL (set as above), and USER
-- and LOGNAME (set unconditionally as above), and
-- set PATH to a default value.
-- Change to USER's home directory.
-- Prepend "-" to the shell's name.
-- -c, --commmand=COMMAND
-- Pass COMMAND to the subshell with a -c option
-- instead of starting an interactive shell.
-- -f, --fast Pass the -f option to the subshell.
-- -m, -p, --preserve-environment
-- Do not change HOME, USER, LOGNAME, SHELL.
-- Run $SHELL instead of USER's shell from /etc/passwd
-- unless not the superuser and USER's shell is
-- restricted.
-- Overridden by --login and --shell.
-- -s, --shell=shell Run SHELL instead of USER's shell from /etc/passwd
-- unless not the superuser and USER's shell is
-- restricted.
--
-- Compile-time options:
-- -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog.
-- -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog.
--
-- -DSYSLOG_NON_ROOT Log all su's, not just those to root (UID 0).
-- Never logs attempted su's to nonexistent accounts.
--
-- Written by David MacKenzie <djm@gnu.ai.mit.edu>. */
--
--#include <config.h>
--#include <stdio.h>
--#include <getopt.h>
--#include <sys/types.h>
--#include <pwd.h>
--#include <grp.h>
--
--/* Hide any system prototype for getusershell.
-- This is necessary because some Cray systems have a conflicting
-- prototype (returning `int') in <unistd.h>. */
--#define getusershell _getusershell_sys_proto_
--
--#include "system.h"
--#include "closeout.h"
--#include "dirname.h"
--
--#undef getusershell
--
--#if HAVE_SYSLOG_H && HAVE_SYSLOG
--# include <syslog.h>
--#else
--# undef SYSLOG_SUCCESS
--# undef SYSLOG_FAILURE
--# undef SYSLOG_NON_ROOT
--#endif
--
--#if HAVE_SYS_PARAM_H
--# include <sys/param.h>
--#endif
--
--#ifndef HAVE_ENDGRENT
--# define endgrent() ((void) 0)
--#endif
--
--#ifndef HAVE_ENDPWENT
--# define endpwent() ((void) 0)
--#endif
--
--#if HAVE_SHADOW_H
--# include <shadow.h>
--#endif
--
--#include "error.h"
--
--/* The official name of this program (e.g., no `g' prefix). */
--#define PROGRAM_NAME "su"
--
--#define AUTHORS "David MacKenzie"
--
--#if HAVE_PATHS_H
--# include <paths.h>
--#endif
--
--/* The default PATH for simulated logins to non-superuser accounts. */
--#ifdef _PATH_DEFPATH
--# define DEFAULT_LOGIN_PATH _PATH_DEFPATH
--#else
--# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
--#endif
--
--/* The default PATH for simulated logins to superuser accounts. */
--#ifdef _PATH_DEFPATH_ROOT
--# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
--#else
--# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
--#endif
--
--/* The shell to run if none is given in the user's passwd entry. */
--#define DEFAULT_SHELL "/bin/sh"
--
--/* The user to become if none is specified. */
--#define DEFAULT_USER "root"
--
--char *crypt ();
--char *getpass ();
--char *getusershell ();
--void endusershell ();
--void setusershell ();
--
--extern char **environ;
--
--static void run_shell (const char *, const char *, char **)
-- ATTRIBUTE_NORETURN;
--
--/* The name this program was run with. */
--char *program_name;
--
--/* If nonzero, pass the `-f' option to the subshell. */
--static int fast_startup;
--
--/* If nonzero, simulate a login instead of just starting a shell. */
--static int simulate_login;
--
--/* If nonzero, change some environment vars to indicate the user su'd to. */
--static int change_environment;
--
--static struct option const longopts[] =
--{
-- {"command", required_argument, 0, 'c'},
-- {"fast", no_argument, NULL, 'f'},
-- {"login", no_argument, NULL, 'l'},
-- {"preserve-environment", no_argument, &change_environment, 0},
-- {"shell", required_argument, 0, 's'},
-- {GETOPT_HELP_OPTION_DECL},
-- {GETOPT_VERSION_OPTION_DECL},
-- {0, 0, 0, 0}
--};
--
--/* Add VAL to the environment, checking for out of memory errors. */
--
--static void
--xputenv (char *val)
--{
-- if (putenv (val))
-- xalloc_die ();
--}
--
--/* Return a newly-allocated string whose contents concatenate
-- those of S1, S2, S3. */
--
--static char *
--concat (const char *s1, const char *s2, const char *s3)
--{
-- int len1 = strlen (s1), len2 = strlen (s2), len3 = strlen (s3);
-- char *result = (char *) xmalloc (len1 + len2 + len3 + 1);
--
-- strcpy (result, s1);
-- strcpy (result + len1, s2);
-- strcpy (result + len1 + len2, s3);
-- result[len1 + len2 + len3] = 0;
--
-- return result;
--}
--
--/* Return the number of elements in ARR, a null-terminated array. */
--
--static int
--elements (char **arr)
--{
-- int n = 0;
--
-- for (n = 0; *arr; ++arr)
-- ++n;
-- return n;
--}
--
--#if defined (SYSLOG_SUCCESS) || defined (SYSLOG_FAILURE)
--/* Log the fact that someone has run su to the user given by PW;
-- if SUCCESSFUL is nonzero, they gave the correct password, etc. */
--
--static void
--log_su (const struct passwd *pw, int successful)
--{
-- const char *new_user, *old_user, *tty;
--
--# ifndef SYSLOG_NON_ROOT
-- if (pw->pw_uid)
-- return;
--# endif
-- new_user = pw->pw_name;
-- /* The utmp entry (via getlogin) is probably the best way to identify
-- the user, especially if someone su's from a su-shell. */
-- old_user = getlogin ();
-- if (old_user == NULL)
-- {
-- /* getlogin can fail -- usually due to lack of utmp entry.
-- Resort to getpwuid. */
-- struct passwd *pwd = getpwuid (getuid ());
-- old_user = (pwd ? pwd->pw_name : "");
-- }
-- tty = ttyname (2);
-- if (tty == NULL)
-- tty = "none";
-- /* 4.2BSD openlog doesn't have the third parameter. */
-- openlog (base_name (program_name), 0
--# ifdef LOG_AUTH
-- , LOG_AUTH
--# endif
-- );
-- syslog (LOG_NOTICE,
--# ifdef SYSLOG_NON_ROOT
-- "%s(to %s) %s on %s",
--# else
-- "%s%s on %s",
--# endif
-- successful ? "" : "FAILED SU ",
--# ifdef SYSLOG_NON_ROOT
-- new_user,
--# endif
-- old_user, tty);
-- closelog ();
--}
--#endif
--
--/* Ask the user for a password.
-- Return 1 if the user gives the correct password for entry PW,
-- 0 if not. Return 1 without asking for a password if run by UID 0
-- or if PW has an empty password. */
--
--static int
--correct_password (const struct passwd *pw)
--{
-- char *unencrypted, *encrypted, *correct;
--#if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
-- /* Shadow passwd stuff for SVR3 and maybe other systems. */
-- struct spwd *sp = getspnam (pw->pw_name);
--
-- endspent ();
-- if (sp)
-- correct = sp->sp_pwdp;
-- else
--#endif
-- correct = pw->pw_passwd;
--
-- if (getuid () == 0 || correct == 0 || correct[0] == '\0')
-- return 1;
--
-- unencrypted = getpass (_("Password:"));
-- if (unencrypted == NULL)
-- {
-- error (0, 0, _("getpass: cannot open /dev/tty"));
-- return 0;
-- }
-- encrypted = crypt (unencrypted, correct);
-- memset (unencrypted, 0, strlen (unencrypted));
-- return strcmp (encrypted, correct) == 0;
--}
--
--/* Update `environ' for the new shell based on PW, with SHELL being
-- the value for the SHELL environment variable. */
--
--static void
--modify_environment (const struct passwd *pw, const char *shell)
--{
-- char *term;
--
-- if (simulate_login)
-- {
-- /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
-- Unset all other environment variables. */
-- term = getenv ("TERM");
-- environ = (char **) xmalloc (2 * sizeof (char *));
-- environ[0] = 0;
-- if (term)
-- xputenv (concat ("TERM", "=", term));
-- xputenv (concat ("HOME", "=", pw->pw_dir));
-- xputenv (concat ("SHELL", "=", shell));
-- xputenv (concat ("USER", "=", pw->pw_name));
-- xputenv (concat ("LOGNAME", "=", pw->pw_name));
-- xputenv (concat ("PATH", "=", (pw->pw_uid
-- ? DEFAULT_LOGIN_PATH
-- : DEFAULT_ROOT_LOGIN_PATH)));
-- }
-- else
-- {
-- /* Set HOME, SHELL, and if not becoming a super-user,
-- USER and LOGNAME. */
-- if (change_environment)
-- {
-- xputenv (concat ("HOME", "=", pw->pw_dir));
-- xputenv (concat ("SHELL", "=", shell));
-- if (pw->pw_uid)
-- {
-- xputenv (concat ("USER", "=", pw->pw_name));
-- xputenv (concat ("LOGNAME", "=", pw->pw_name));
-- }
-- }
-- }
--}
--
--/* Become the user and group(s) specified by PW. */
--
--static void
--change_identity (const struct passwd *pw)
--{
--#ifdef HAVE_INITGROUPS
-- errno = 0;
-- if (initgroups (pw->pw_name, pw->pw_gid) == -1)
-- error (EXIT_FAILURE, errno, _("cannot set groups"));
-- endgrent ();
--#endif
-- if (setgid (pw->pw_gid))
-- error (EXIT_FAILURE, errno, _("cannot set group id"));
-- if (setuid (pw->pw_uid))
-- error (EXIT_FAILURE, errno, _("cannot set user id"));
--}
--
--/* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
-- If COMMAND is nonzero, pass it to the shell with the -c option.
-- If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
-- arguments. */
--
--static void
--run_shell (const char *shell, const char *command, char **additional_args)
--{
-- const char **args;
-- int argno = 1;
--
-- if (additional_args)
-- args = (const char **) xmalloc (sizeof (char *)
-- * (10 + elements (additional_args)));
-- else
-- args = (const char **) xmalloc (sizeof (char *) * 10);
-- if (simulate_login)
-- {
-- char *arg0;
-- char *shell_basename;
--
-- shell_basename = base_name (shell);
-- arg0 = xmalloc (strlen (shell_basename) + 2);
-- arg0[0] = '-';
-- strcpy (arg0 + 1, shell_basename);
-- args[0] = arg0;
-- }
-- else
-- args[0] = base_name (shell);
-- if (fast_startup)
-- args[argno++] = "-f";
-- if (command)
-- {
-- args[argno++] = "-c";
-- args[argno++] = command;
-- }
-- if (additional_args)
-- for (; *additional_args; ++additional_args)
-- args[argno++] = *additional_args;
-- args[argno] = NULL;
-- execv (shell, (char **) args);
--
-- {
-- int exit_status = (errno == ENOENT ? 127 : 126);
-- error (0, errno, "%s", shell);
-- exit (exit_status);
-- }
--}
--
--/* Return 1 if SHELL is a restricted shell (one not returned by
-- getusershell), else 0, meaning it is a standard shell. */
--
--static int
--restricted_shell (const char *shell)
--{
-- char *line;
--
-- setusershell ();
-- while ((line = getusershell ()) != NULL)
-- {
-- if (*line != '#' && strcmp (line, shell) == 0)
-- {
-- endusershell ();
-- return 0;
-- }
-- }
-- endusershell ();
-- return 1;
--}
--
--void
--usage (int status)
--{
-- if (status != 0)
-- fprintf (stderr, _("Try `%s --help' for more information.\n"),
-- program_name);
-- else
-- {
-- printf (_("Usage: %s [OPTION]... [-] [USER [ARG]...]\n"), program_name);
-- fputs (_("\
--Change the effective user id and group id to that of USER.\n\
--\n\
-- -, -l, --login make the shell a login shell\n\
-- -c, --commmand=COMMAND pass a single COMMAND to the shell with -c\n\
-- -f, --fast pass -f to the shell (for csh or tcsh)\n\
-- -m, --preserve-environment do not reset environment variables\n\
-- -p same as -m\n\
-- -s, --shell=SHELL run SHELL if /etc/shells allows it\n\
--"), stdout);
-- fputs (HELP_OPTION_DESCRIPTION, stdout);
-- fputs (VERSION_OPTION_DESCRIPTION, stdout);
-- fputs (_("\
--\n\
--A mere - implies -l. If USER not given, assume root.\n\
--"), stdout);
-- printf (_("\nReport bugs to <%s>.\n"), PACKAGE_BUGREPORT);
-- close_stdout ();
-- }
-- exit (status);
--}
--
--int
--main (int argc, char **argv)
--{
-- int optc;
-- const char *new_user = DEFAULT_USER;
-- char *command = 0;
-- char **additional_args = 0;
-- char *shell = 0;
-- struct passwd *pw;
-- struct passwd pw_copy;
--
-- program_name = argv[0];
-- setlocale (LC_ALL, "");
-- bindtextdomain (PACKAGE, LOCALEDIR);
-- textdomain (PACKAGE);
--
-- fast_startup = 0;
-- simulate_login = 0;
-- change_environment = 1;
--
-- while ((optc = getopt_long (argc, argv, "c:flmps:", longopts, NULL)) != -1)
-- {
-- switch (optc)
-- {
-- case 0:
-- break;
--
-- case 'c':
-- command = optarg;
-- break;
--
-- case 'f':
-- fast_startup = 1;
-- break;
--
-- case 'l':
-- simulate_login = 1;
-- break;
--
-- case 'm':
-- case 'p':
-- change_environment = 0;
-- break;
--
-- case 's':
-- shell = optarg;
-- break;
--
-- case_GETOPT_HELP_CHAR;
--
-- case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
--
-- default:
-- usage (EXIT_FAILURE);
-- }
-- }
--
-- if (optind < argc && !strcmp (argv[optind], "-"))
-- {
-- simulate_login = 1;
-- ++optind;
-- }
-- if (optind < argc)
-- new_user = argv[optind++];
-- if (optind < argc)
-- additional_args = argv + optind;
--
-- pw = getpwnam (new_user);
-- if (pw == 0)
-- error (EXIT_FAILURE, 0, _("user %s does not exist"), new_user);
-- endpwent ();
--
-- /* Make sure pw->pw_shell is non-NULL. It may be NULL when NEW_USER
-- is a username that is retrieved via NIS (YP), but that doesn't have
-- a default shell listed. */
-- if (pw->pw_shell == NULL || pw->pw_shell[0] == '\0')
-- pw->pw_shell = (char *) DEFAULT_SHELL;
--
-- /* Make a copy of the password information and point pw at the local
-- copy instead. Otherwise, some systems (e.g. Linux) would clobber
-- the static data through the getlogin call from log_su. */
-- pw_copy = *pw;
-- pw = &pw_copy;
-- pw->pw_name = xstrdup (pw->pw_name);
-- pw->pw_dir = xstrdup (pw->pw_dir);
-- pw->pw_shell = xstrdup (pw->pw_shell);
--
-- if (!correct_password (pw))
-- {
--#ifdef SYSLOG_FAILURE
-- log_su (pw, 0);
--#endif
-- error (EXIT_FAILURE, 0, _("incorrect password"));
-- }
--#ifdef SYSLOG_SUCCESS
-- else
-- {
-- log_su (pw, 1);
-- }
--#endif
+diff -Nur coreutils-6.4/src/stat.c coreutils-6.4.selinux/src/stat.c
+--- coreutils-6.4/src/stat.c 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/src/stat.c 2006-10-31 23:39:48.000000000 +0000
+@@ -55,6 +55,13 @@
+ # include <fs_info.h>
+ #endif
+
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#define SECURITY_ID_T security_context_t
++#else
++#define SECURITY_ID_T char *
++#endif
++
+ #include "system.h"
+
+ #include "error.h"
+@@ -161,6 +168,7 @@
+ {"dereference", no_argument, NULL, 'L'},
+ {"file-system", no_argument, NULL, 'f'},
+ {"filesystem", no_argument, NULL, 'f'}, /* obsolete and undocumented alias */
++ {"context", no_argument, 0, 'Z'},
+ {"format", required_argument, NULL, 'c'},
+ {"printf", required_argument, NULL, PRINTF_OPTION},
+ {"terse", no_argument, NULL, 't'},
+@@ -397,7 +405,7 @@
+ /* print statfs info */
+ static void
+ print_statfs (char *pformat, size_t prefix_len, char m, char const *filename,
+- void const *data)
++ void const *data, SECURITY_ID_T scontext)
+ {
+ STRUCT_STATVFS const *statfsbuf = data;
+
+@@ -472,7 +480,9 @@
+ case 'd':
+ out_int (pformat, prefix_len, statfsbuf->f_ffree);
+ break;
-
-- if (shell == 0 && change_environment == 0)
-- shell = getenv ("SHELL");
-- if (shell != 0 && getuid () && restricted_shell (pw->pw_shell))
-- {
-- /* The user being su'd to has a nonstandard shell, and so is
-- probably a uucp account or has restricted access. Don't
-- compromise the account by allowing access with a standard
-- shell. */
-- error (0, 0, _("using restricted shell %s"), pw->pw_shell);
-- shell = 0;
-- }
-- if (shell == 0)
-- {
-- shell = xstrdup (pw->pw_shell);
++ case 'C':
++ out_string (pformat, prefix_len, scontext);
++ break;
+ default:
+ fputc ('?', stdout);
+ break;
+@@ -482,7 +492,7 @@
+ /* print stat info */
+ static void
+ print_stat (char *pformat, size_t prefix_len, char m,
+- char const *filename, void const *data)
++ char const *filename, void const *data, SECURITY_ID_T scontext)
+ {
+ struct stat *statbuf = (struct stat *) data;
+ struct passwd *pw_ent;
+@@ -595,6 +605,9 @@
+ else
+ out_uint (pformat, prefix_len, statbuf->st_ctime);
+ break;
++ case 'C':
++ out_string (pformat, prefix_len, scontext);
++ break;
+ default:
+ fputc ('?', stdout);
+ break;
+@@ -641,8 +654,8 @@
+
+ static void
+ print_it (char const *format, char const *filename,
+- void (*print_func) (char *, size_t, char, char const *, void const *),
+- void const *data)
++ void (*print_func) (char *, size_t, char, char const *, void const *, SECURITY_ID_T),
++ void const *data, SECURITY_ID_T scontext)
+ {
+ /* Add 2 to accommodate our conversion of the stat `%s' format string
+ to the longer printf `%llu' one. */
+@@ -683,7 +696,7 @@
+ putchar ('%');
+ break;
+ default:
+- print_func (dest, len + 1, *fmt_char, filename, data);
++ print_func (dest, len + 1, *fmt_char, filename, data, scontext);
+ break;
+ }
+ break;
+@@ -746,9 +759,17 @@
+
+ /* Stat the file system and print what we find. */
+ static bool
+-do_statfs (char const *filename, bool terse, char const *format)
++do_statfs (char const *filename, bool terse, bool secure, char const *format)
+ {
+ STRUCT_STATVFS statfsbuf;
++ SECURITY_ID_T scontext = NULL;
++#ifdef WITH_SELINUX
++ if(secure)
++ if (getfilecon(filename,&scontext)<0) {
++ perror (filename);
++ return false;
++ }
++#endif
+
+ if (STATFS (filename, &statfsbuf) != 0)
+ {
+@@ -759,25 +780,45 @@
+
+ if (format == NULL)
+ {
+- format = (terse
+- ? "%n %i %l %t %s %S %b %f %a %c %d\n"
+- : " File: \"%n\"\n"
+- " ID: %-8i Namelen: %-7l Type: %T\n"
+- "Block size: %-10s Fundamental block size: %S\n"
+- "Blocks: Total: %-10b Free: %-10f Available: %a\n"
+- "Inodes: Total: %-10c Free: %d\n");
- }
-- modify_environment (pw, shell);
--
-- change_identity (pw);
-- if (simulate_login && chdir (pw->pw_dir))
-- error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
--
-- run_shell (shell, command, additional_args);
--}
-diff -Nur coreutils-5.0/src/system.h coreutils-5.0.new/src/system.h
---- coreutils-5.0/src/system.h 2003-04-02 12:13:50.000000000 +0200
-+++ coreutils-5.0.new/src/system.h 2003-06-06 03:01:12.000000000 +0200
-@@ -29,6 +29,10 @@
- # define mkfifo(path, mode) (mknod ((path), (mode) | S_IFIFO, 0))
- #endif
++ if (terse) {
++ if(secure)
++ format = "%n %i %l %t %s %S %b %f %a %c %d %C\n";
++ else
++ format = "%n %i %l %t %s %S %b %f %a %c %d\n";
++ }
++ else
++ {
++ if(secure)
++ format = " File: \"%n\"\n"
++ " ID: %-8i Namelen: %-7l Type: %T\n"
++ "Block size: %-10s Fundamental block size: %S\n"
++ "Blocks: Total: %-10b Free: %-10f Available: %a\n"
++ "Inodes: Total: %-10c Free: %d\n"
++ " S_Context: %C\n";
++ else
++ format = " File: \"%n\"\n"
++ " ID: %-8i Namelen: %-7l Type: %T\n"
++ "Block size: %-10s Fundamental block size: %S\n"
++ "Blocks: Total: %-10b Free: %-10f Available: %a\n"
++ "Inodes: Total: %-10c Free: %d\n";
++ }
++ }
++ print_it (format, filename, print_statfs, &statfsbuf, scontext);
++#ifdef WITH_SELINUX
++ if (scontext != NULL)
++ freecon(scontext);
++#endif
+
+- print_it (format, filename, print_statfs, &statfsbuf);
+ return true;
+ }
+
+ /* stat the file and print what we find */
+ static bool
+-do_stat (char const *filename, bool follow_links, bool terse,
++do_stat (char const *filename, bool follow_links, bool terse, bool secure,
+ char const *format)
+ {
+ struct stat statbuf;
++ SECURITY_ID_T scontext = NULL;
+
+ if ((follow_links ? stat : lstat) (filename, &statbuf) != 0)
+ {
+@@ -785,11 +826,29 @@
+ return false;
+ }
-+#ifdef FLASK_LINUX
-+#define mkfifo_secure(path, mode, sid) (mknod_secure ((path), (mode) | S_IFIFO, 0, (sid)))
++#ifdef WITH_SELINUX
++ if(secure) {
++ int i;
++ if (follow_links)
++ i=lgetfilecon(filename, &scontext);
++ else
++ i=getfilecon(filename, &scontext);
++ if (i == -1)
++ {
++ perror (filename);
++ return false;
++ }
++ }
+#endif
+
- #if HAVE_SYS_PARAM_H
- # include <sys/param.h>
- #endif
-diff -Nur coreutils-5.0/tests/cp/Makefile.am coreutils-5.0.new/tests/cp/Makefile.am
---- coreutils-5.0/tests/cp/Makefile.am 2003-02-02 21:08:59.000000000 +0100
-+++ coreutils-5.0.new/tests/cp/Makefile.am 2003-06-06 03:01:13.000000000 +0200
-@@ -3,8 +3,8 @@
-
- TESTS = \
- preserve-2 r-vs-symlink link-preserve \
-- backup-1 no-deref-link1 no-deref-link2 no-deref-link3 backup-is-src \
-- same-file cp-mv-backup symlink-slash slink-2-slink fail-perm dir-slash \
-+ backup-1 backup-is-src \
-+ cp-mv-backup symlink-slash slink-2-slink fail-perm dir-slash \
- perm cp-HL special-bits link dir-rm-dest cp-parents deref-slink \
- dir-vs-file into-self
- EXTRA_DIST = $(TESTS)
-diff -Nur coreutils-5.0/tests/Makefile.am coreutils-5.0.new/tests/Makefile.am
---- coreutils-5.0/tests/Makefile.am 2003-03-31 09:07:35.000000000 +0200
-+++ coreutils-5.0.new/tests/Makefile.am 2003-06-06 03:01:12.000000000 +0200
-@@ -11,7 +11,7 @@
-
- SUBDIRS = \
- basename chgrp chmod chown cp cut date dd dircolors du expr factor \
-- fmt head install join ln ls ls-2 md5sum misc mkdir mv od pr rm rmdir \
-+ fmt head install join ln ls md5sum misc mkdir mv od pr rm rmdir \
- seq sha1sum shred sort stty sum tac tail tail-2 test touch tr tsort \
- unexpand uniq wc
-
-diff -Nur coreutils-5.0/tests/mv/Makefile.am coreutils-5.0.new/tests/mv/Makefile.am
---- coreutils-5.0/tests/mv/Makefile.am 2003-03-01 00:30:44.000000000 +0100
-+++ coreutils-5.0.new/tests/mv/Makefile.am 2003-06-06 03:01:13.000000000 +0200
-@@ -8,10 +8,10 @@
- i-link-no \
- part-fail \
- dup-source childproof i-4 update i-2 mv-special-1 \
-- into-self into-self-2 into-self-3 into-self-4 \
-+ into-self into-self-3 \
- backup-is-src \
- i-1 hard-link-1 force partition-perm to-symlink dir-file diag \
-- part-symlink part-rename trailing-slash
-+ part-rename trailing-slash
-
- EXTRA_DIST = $(TESTS) setup
- TESTS_ENVIRONMENT = \
+ if (format == NULL)
+ {
+ if (terse)
+ {
+- format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n";
++ if (secure)
++ format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o %C\n";
++ else
++ format = "%n %s %b %f %u %g %D %i %h %t %T %X %Y %Z %o\n";
+ }
+ else
+ {
+@@ -797,7 +856,17 @@
+ implemented. */
+ if (S_ISBLK (statbuf.st_mode) || S_ISCHR (statbuf.st_mode))
+ {
+- format =
++ if (secure)
++ format =
++ " File: %N\n"
++ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
++ "Device: %Dh/%dd\tInode: %-10i Links: %-5h"
++ " Device type: %t,%T\n"
++ "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n"
++ " S_Context: %C\n"
++ "Access: %x\n" "Modify: %y\n" "Change: %z\n";
++ else
++ format =
+ " File: %N\n"
+ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
+ "Device: %Dh/%dd\tInode: %-10i Links: %-5h"
+@@ -807,6 +876,15 @@
+ }
+ else
+ {
++ if (secure)
++ format =
++ " File: %N\n"
++ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
++ "Device: %Dh/%dd\tInode: %-10i Links: %-5h\n"
++ "Access: (%04a/%10.10A) Uid: (%5u/%8U) Gid: (%5g/%8G)\n"
++ "S_Context: %C\n"
++ "Access: %x\n" "Modify: %y\n" "Change: %z\n";
++ else
+ format =
+ " File: %N\n"
+ " Size: %-10s\tBlocks: %-10b IO Block: %-6o %F\n"
+@@ -816,7 +894,11 @@
+ }
+ }
+ }
+- print_it (format, filename, print_stat, &statbuf);
++ print_it (format, filename, print_stat, &statbuf, scontext);
++#ifdef WITH_SELINUX
++ if (scontext)
++ freecon(scontext);
++#endif
+ return true;
+ }
+
+@@ -841,6 +923,7 @@
+ --printf=FORMAT like --format, but interpret backslash escapes,\n\
+ and do not output a mandatory trailing newline.\n\
+ If you want a newline, include \\n in FORMAT.\n\
++ -Z, --context print the security context\n\
+ -t, --terse print the information in terse form\n\
+ "), stdout);
+ fputs (HELP_OPTION_DESCRIPTION, stdout);
+@@ -892,6 +975,7 @@
+ %c Total file nodes in file system\n\
+ %d Free file nodes in file system\n\
+ %f Free blocks in file system\n\
++ %C Security context in SELinux\n\
+ "), stdout);
+ fputs (_("\
+ %i File System ID in hex\n\
+@@ -915,6 +999,7 @@
+ int i;
+ bool follow_links = false;
+ bool fs = false;
++ bool secure = false;
+ bool terse = false;
+ char *format = NULL;
+ bool ok = true;
+@@ -927,7 +1012,7 @@
+
+ atexit (close_stdout);
+
+- while ((c = getopt_long (argc, argv, "c:fLt", long_options, NULL)) != -1)
++ while ((c = getopt_long (argc, argv, "c:fLtZ", long_options, NULL)) != -1)
+ {
+ switch (c)
+ {
+@@ -946,6 +1031,14 @@
+ case 'L':
+ follow_links = true;
+ break;
++ case 'Z':
++ if((is_selinux_enabled()>0))
++ secure = true;
++ else {
++ error (0, 0, _("Kernel is not SELinux enabled"));
++ usage (EXIT_FAILURE);
++ }
++ break;
+
+ case 'f':
+ fs = true;
+@@ -972,8 +1065,8 @@
+
+ for (i = optind; i < argc; i++)
+ ok &= (fs
+- ? do_statfs (argv[i], terse, format)
+- : do_stat (argv[i], follow_links, terse, format));
++ ? do_statfs (argv[i], terse, secure, format)
++ : do_stat (argv[i], follow_links, terse, secure, format));
+
+ exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+diff -Nur coreutils-6.4/tests/help-version coreutils-6.4.selinux/tests/help-version
+--- coreutils-6.4/tests/help-version 2006-10-22 16:54:15.000000000 +0000
++++ coreutils-6.4.selinux/tests/help-version 2006-10-31 23:39:34.000000000 +0000
+@@ -70,6 +70,8 @@
+
+ # Skip `test'; it doesn't accept --help or --version.
+ test $i = test && continue;
++ test $i = chcon && continue;
++ test $i = runcon && continue;
+
+ # false fails even when invoked with --help or --version.
+ if test $i = false; then
+@@ -190,7 +192,7 @@
+
+ for i in $all_programs; do
+ # Skip these.
+- case $i in chroot|stty|tty|false) continue;; esac
++ case $i in chroot|stty|tty|false|chcon|runcon) continue;; esac
+
+ rm -rf $tmp_in $tmp_in2 $tmp_dir $tmp_out
+ echo > $tmp_in