- release 2

[packages/coreutils.git] / coreutils-selinux.patch

diff -Nur coreutils-5.0/README coreutils-5.0.new/README
--- coreutils-5.0/README        2003-03-29 15:24:00.000000000 +0100
+++ coreutils-5.0.new/README    2003-06-20 12:10:09.000000000 +0200
@@ -7,11 +7,11 @@
 
 The programs that can be built with this package are:
 
-  basename cat chgrp chmod chown chroot cksum comm cp csplit cut date dd
+  basename cat chcon chgrp chmod chown chroot cksum comm cp csplit cut date dd
   df dir dircolors dirname du echo env expand expr factor false fmt fold
   ginstall groups head hostid hostname id join kill link ln logname ls
   md5sum mkdir mkfifo mknod mv nice nl nohup od paste pathchk pinky pr
-  printenv printf ptx pwd readlink rm rmdir seq sha1sum shred sleep sort
+  printenv printf ptx pwd readlink rm rmdir runcon seq sha1sum shred sleep sort
   split stat stty su sum sync tac tail tee test touch tr true tsort tty
   uname unexpand uniq unlink uptime users vdir wc who whoami yes
 
diff -Nur coreutils-5.0/man/Makefile.am coreutils-5.0.new/man/Makefile.am
--- coreutils-5.0/man/Makefile.am       2003-06-20 12:00:57.000000000 +0200
+++ coreutils-5.0.new/man/Makefile.am   2003-06-20 12:12:08.000000000 +0200
@@ -9,7 +9,7 @@
   rm.1 rmdir.1 seq.1 sha1sum.1 shred.1 sleep.1 sort.1 split.1 stat.1 stty.1 \
   su.1 sum.1 sync.1 tac.1 tail.1 tee.1 test.1 touch.1 tr.1 true.1 tsort.1 \
   tty.1 uname.1 unexpand.1 uniq.1 unlink.1 uptime.1 users.1 vdir.1 wc.1 \
-  who.1 whoami.1 yes.1
+  who.1 whoami.1 yes.1 chcon.1 runcon.1
 man_MANS = getgid.1
 
 man_aux = $(dist_man_MANS:.1=.x)
@@ -111,6 +111,8 @@
 who.1:         $(common_dep)   $(srcdir)/who.x         ../src/who.c
 whoami.1:      $(common_dep)   $(srcdir)/whoami.x      ../src/whoami.c
 yes.1:         $(common_dep)   $(srcdir)/yes.x         ../src/yes.c
+chcon.1:       $(common_dep)   $(srcdir)/chcon.x       ../src/chcon.c
+runcon.1:      $(common_dep)   $(srcdir)/runcon.x      ../src/runcon.c
 
 SUFFIXES = .x .1
 
diff -Nur coreutils-5.0/man/chcon.x coreutils-5.0.new/man/chcon.x
--- coreutils-5.0/man/chcon.x   1970-01-01 01:00:00.000000000 +0100
+++ coreutils-5.0.new/man/chcon.x       2003-06-20 12:10:08.000000000 +0200
@@ -0,0 +1,4 @@
+[NAME]
+chcon \- change file security context
+[DESCRIPTION]
+.\" Add any additional description here
diff -Nur coreutils-5.0/man/runcon.x coreutils-5.0.new/man/runcon.x
--- coreutils-5.0/man/runcon.x  1970-01-01 01:00:00.000000000 +0100
+++ coreutils-5.0.new/man/runcon.x      2003-06-20 12:10:08.000000000 +0200
@@ -0,0 +1,2 @@
+[DESCRIPTION]
+.\" Add any additional description here
diff -Nur coreutils-5.0/src/Makefile.am coreutils-5.0.new/src/Makefile.am
--- coreutils-5.0/src/Makefile.am       2003-06-20 12:00:57.000000000 +0200
+++ coreutils-5.0.new/src/Makefile.am   2003-06-20 12:11:21.000000000 +0200
@@ -4,13 +4,13 @@
 EXTRA_SCRIPTS = nohup
 
 bin_SCRIPTS = groups @OPTIONAL_BIN_ZCRIPTS@
-bin_PROGRAMS = chgrp chown chmod cp dd dircolors du \
+bin_PROGRAMS = chgrp chown chmod chcon cp dd dircolors du \
   ginstall link ln dir vdir ls mkdir \
   mkfifo mknod mv readlink rm rmdir shred stat sync touch unlink \
   cat cksum comm csplit cut expand fmt fold head join md5sum \
   nl od paste pr ptx sha1sum sort split sum tac tail tr tsort unexpand uniq wc \
   basename date dirname echo env expr factor false getgid \
-  hostname id kill logname pathchk printenv printf pwd seq sleep tee \
+  hostname id kill logname pathchk printenv printf pwd runcon seq sleep tee \
   test true tty whoami yes \
   @OPTIONAL_BIN_PROGS@ @DF_PROG@
 
@@ -24,15 +24,15 @@
   groups.sh nohup.sh wheel-gen.pl
 CLEANFILES = $(SCRIPTS) su
 
-INCLUDES = -I.. -I$(srcdir) -I$(top_srcdir)/lib -I../lib
-DEFS = -DLOCALEDIR=\"$(localedir)\" -DSHAREDIR=\"$(datadir)\" @DEFS@
+INCLUDES = -I.. -I$(srcdir) -I$(top_srcdir)/lib -I../lib 
+DEFS = -DLOCALEDIR=\"$(localedir)\" -DSHAREDIR=\"$(datadir)\" -DWITH_SELINUX @DEFS@
 
 # Sometimes, the expansion of @LIBINTL@ includes -lc which may
 # include modules defining variables like `optind', so libfetish.a
 # must precede @LIBINTL@ in order to ensure we use GNU getopt.
 # But libfetish.a must also follow @LIBINTL@, since libintl uses
 # replacement functions defined in libfetish.a.
-LDADD = ../lib/libfetish.a @LIBINTL@ ../lib/libfetish.a
+LDADD = ../lib/libfetish.a @LIBINTL@ ../lib/libfetish.a -lselinux -lattr
 
 dir_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
 ls_LDADD = $(LDADD) @LIB_CLOCK_GETTIME@
diff -Nur coreutils-5.0/src/chcon.c coreutils-5.0.new/src/chcon.c
--- coreutils-5.0/src/chcon.c   1970-01-01 01:00:00.000000000 +0100
+++ coreutils-5.0.new/src/chcon.c       2003-06-20 12:10:08.000000000 +0200
@@ -0,0 +1,321 @@
+/* chcontext -- change security context of a pathname */
+
+#include <config.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <grp.h>
+#include <getopt.h>
+#include <selinux/selinux.h>
+
+#include "system.h"
+#include "error.h"
+#include "savedir.h"
+#include "group-member.h"
+
+enum Change_status
+{
+  CH_SUCCEEDED,
+  CH_FAILED,
+  CH_NO_CHANGE_REQUESTED
+};
+
+enum Verbosity
+{
+  /* Print a message for each file that is processed.  */
+  V_high,
+
+  /* Print a message for each file whose attributes we change.  */
+  V_changes_only,
+
+  /* Do not be verbose.  This is the default. */
+  V_off
+};
+
+static int change_dir_context PARAMS ((const char *dir, security_context_t context,
+                                      const struct stat *statp));
+
+/* The name the program was run with. */
+char *program_name;
+
+/* If nonzero, and the systems has support for it, change the context
+   of symbolic links rather than any files they point to.  */
+static int change_symlinks;
+
+/* If nonzero, change the context of directories recursively. */
+static int recurse;
+
+/* If nonzero, force silence (no error messages). */
+static int force_silent;
+
+/* Level of verbosity.  */
+static enum Verbosity verbosity = V_off;
+
+/* The name of the context file is being given. */
+static const char *contextname;
+
+/* The argument to the --reference option.  Use the context of this file.
+   This file must exist.  */
+static char *reference_file;
+
+/* If nonzero, display usage information and exit.  */
+static int show_help;
+
+/* If nonzero, print the version on standard output and exit.  */
+static int show_version;
+
+static struct option const long_options[] =
+{
+  {"recursive", no_argument, 0, 'R'},
+  {"changes", no_argument, 0, 'c'},
+  {"no-dereference", no_argument, 0, 'h'},
+  {"silent", no_argument, 0, 'f'},
+  {"quiet", no_argument, 0, 'f'},
+  {"reference", required_argument, 0, CHAR_MAX + 1},
+  {"context", required_argument, 0, CHAR_MAX + 2},
+  {"verbose", no_argument, 0, 'v'},
+  {"help", no_argument, &show_help, 1},
+  {"version", no_argument, &show_version, 1},
+  {0, 0, 0, 0}
+};
+
+/* Tell the user how/if the context of FILE has been changed.
+   CHANGED describes what (if anything) has happened. */
+
+static void
+describe_change (const char *file, enum Change_status changed)
+{
+  const char *fmt;
+  switch (changed)
+    {
+    case CH_SUCCEEDED:
+      fmt = _("context of %s changed to %s\n");
+      break;
+    case CH_FAILED:
+      fmt = _("failed to change context of %s to %s\n");
+      break;
+    case CH_NO_CHANGE_REQUESTED:
+      fmt = _("context of %s retained as %s\n");
+      break;
+    default:
+      abort ();
+    }
+  printf (fmt, file, contextname);
+}
+
+/* Change the context of FILE to CONTEXT.
+   If it is a directory and -R is given, recurse.
+   Return 0 if successful, 1 if errors occurred. */
+
+static int
+change_file_context (const char *file, security_context_t context)
+{
+  struct stat file_stats;
+  security_context_t file_context=NULL;
+  int errors = 0;
+
+  if ((lgetfilecon(file, &file_context)<0) && (errno != ENODATA))
+
+    {
+      if (force_silent == 0)
+       error (0, errno, "%s", file);
+      return 1;
+    }
+
+  if ((file_context==NULL) || strcmp(context,file_context)!=0)
+    {
+      int fail;
+
+      if (change_symlinks)
+       fail = lsetfilecon (file, context);
+      else
+       fail = setfilecon (file, context);
+
+      if (verbosity == V_high || (verbosity == V_changes_only && !fail))
+       describe_change (file, (fail ? CH_FAILED : CH_SUCCEEDED));
+
+      if (fail)
+       {
+         errors = 1;
+         if (force_silent == 0)
+           {
+             error (0, errno, "%s", file);
+           }
+       }
+    }
+  else if (verbosity == V_high)
+    {
+      describe_change (file, CH_NO_CHANGE_REQUESTED);
+    }
+
+  freecon(file_context);
+
+  if (recurse) {
+    if (lstat(file, &file_stats)==0)
+      if (S_ISDIR (file_stats.st_mode))
+                errors |= change_dir_context (file, context, &file_stats);
+  }
+  return errors;
+}
+
+/* Recursively change context of the files in directory DIR
+   to CONTEXT CONTEXT.
+   STATP points to the results of lstat on DIR.
+   Return 0 if successful, 1 if errors occurred. */
+
+static int
+change_dir_context (const char *dir, security_context_t context, const struct stat *statp)
+{
+  char *name_space, *namep;
+  char *path;                  /* Full path of each entry to process. */
+  unsigned dirlength;          /* Length of `dir' and '\0'. */
+  unsigned filelength;         /* Length of each pathname to process. */
+  unsigned pathlength;         /* Bytes allocated for `path'. */
+  int errors = 0;
+
+  errno = 0;
+  name_space = savedir (dir);
+  if (name_space == NULL)
+    {
+      if (errno)
+        {
+         if (force_silent == 0)
+           error (0, errno, "%s", dir);
+         return 1;
+       }
+      else
+       error (1, 0, _("virtual memory exhausted"));
+    }
+
+  dirlength = strlen (dir) + 1;        /* + 1 is for the trailing '/'. */
+  pathlength = dirlength + 1;
+  /* Give `path' a dummy value; it will be reallocated before first use. */
+  path = xmalloc (pathlength);
+  strcpy (path, dir);
+  path[dirlength - 1] = '/';
+
+  for (namep = name_space; *namep; namep += filelength - dirlength)
+    {
+      filelength = dirlength + strlen (namep) + 1;
+      if (filelength > pathlength)
+       {
+         pathlength = filelength * 2;
+         path = xrealloc (path, pathlength);
+       }
+      strcpy (path + dirlength, namep);
+      errors |= change_file_context (path, context);
+    }
+  free (path);
+  free (name_space);
+  return errors;
+}
+
+static void
+usage (int status)
+{
+  if (status != 0)
+    fprintf (stderr, _("Try `%s --help' for more information.\n"),
+            program_name);
+  else
+    {
+      printf (_("\
+Usage: %s [OPTION]... CONTEXT FILE...\n\
+  or:  %s [OPTION]... --reference=RFILE FILE...\n\
+"),
+       program_name, program_name, program_name);
+      printf (_("\
+Change the security context of each FILE to CONTEXT.\n\
+\n\
+  -c, --changes          like verbose but report only when a change is made\n\
+  -h, --no-dereference   affect symbolic links instead of any referenced file\n\
+                         (available only on systems with lchown system call)\n\
+  -f, --silent, --quiet  suppress most error messages\n\
+      --reference=RFILE  use RFILE's group instead of using a CONTEXT value\n\
+  -R, --recursive        change files and directories recursively\n\
+  -v, --verbose          output a diagnostic for every file processed\n\
+      --help             display this help and exit\n\
+      --version          output version information and exit\n\
+"));
+      close_stdout ();
+    }
+  exit (status);
+}
+
+int
+main (int argc, char **argv)
+{
+  security_context_t context = NULL;
+  security_context_t ref_context = NULL;
+  int errors = 0;
+  int optc;
+  
+  program_name = argv[0];
+  setlocale (LC_ALL, "");
+  bindtextdomain (PACKAGE, LOCALEDIR);
+  textdomain (PACKAGE);
+
+  recurse = force_silent = 0;
+  
+  while ((optc = getopt_long (argc, argv, "Rcfhv", long_options, NULL)) != -1)
+  {
+         switch (optc)
+         {
+         case 0:
+                 break;
+         case CHAR_MAX + 1:
+                 reference_file = optarg;
+                 break;
+         case 'R':
+                 recurse = 1;
+                 break;
+         case 'c':
+                 verbosity = V_changes_only;
+                 break;
+         case 'f':
+                 force_silent = 1;
+                 break;
+         case 'h':
+                 change_symlinks = 1;
+                 break;
+         case 'v':
+                 verbosity = V_high;
+                 break;
+         default:
+                 usage (1);
+         }
+  }
+
+  if (show_version)
+  {
+     printf ("chcon (%s) %s\n", GNU_PACKAGE, VERSION);
+     close_stdout ();
+     exit (0);
+  }
+
+  if (show_help)
+    usage (0);
+
+  if (argc - optind + ( (reference_file || ( context > 0 ) ) ? 1 : 0) <= 1)
+  {
+     error (0, 0, _("too few arguments"));
+     usage (1);
+  }
+  
+  if (reference_file)
+    {
+      if (getfilecon (reference_file, &ref_context)<0)
+       error (1, errno, "%s", reference_file);
+
+      context = ref_context;
+    }
+  else {
+     context = argv[optind++];
+  }
+  for (; optind < argc; ++optind)
+     errors |= change_file_context (argv[optind], context);
+
+  if (verbosity != V_off)
+    close_stdout ();
+  if (ref_context != NULL)
+    freecon(ref_context);
+  exit (errors);
+}
diff -Nur coreutils-5.0/src/copy.c coreutils-5.0.new/src/copy.c
--- coreutils-5.0/src/copy.c    2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/copy.c        2003-06-20 12:10:08.000000000 +0200
@@ -46,6 +46,10 @@
 #include "same.h"
 #include "xreadlink.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>          /* for is_selinux_enabled() */
+#endif
+
 #define DO_CHOWN(Chown, File, New_uid, New_gid)                                \
   (Chown (File, New_uid, New_gid)                                      \
    /* If non-root uses -p, it's ok if we can't preserve ownership.     \
@@ -1233,6 +1237,26 @@
      In such cases, set this variable to zero.  */
   preserve_metadata = 1;
 
+#ifdef WITH_SELINUX
+  if (x->preserve_security_context) 
+    {
+      security_context_t con;
+
+      if (lgetfilecon (src_path, &con) < 0)
+       {
+         error (0, errno, _("cannot lgetfilecon %s"), quote (src_path));
+         return 1;
+       }
+      if (setfscreatecon(con) < 0) 
+       {
+         freecon(con);
+         error (0, errno, _("cannot set setfscreatecon %s"), quote (con));
+         return 1;
+      }
+      freecon(con);
+  }
+#endif
+
   if (S_ISDIR (src_mode))
     {
       struct dir_list *dir;
@@ -1302,8 +1326,13 @@
        }
 
       /* Are we crossing a file system boundary?  */
-      if (x->one_file_system && device != 0 && device != src_sb.st_dev)
+      if (x->one_file_system && device != 0 && device != src_sb.st_dev) {
+#ifdef WITH_SELINUX
+       if (x->preserve_security_context) 
+         setfscreatecon(NULL);
+#endif
        return 0;
+      }
 
       /* Copy the contents of the directory.  */
 
@@ -1442,6 +1471,11 @@
            }
        }
 
+#ifdef WITH_SELINUX
+      if (x->preserve_security_context) 
+       setfscreatecon(NULL);
+#endif
+
       /* There's no need to preserve timestamps or permissions.  */
       preserve_metadata = 0;
 
@@ -1474,7 +1508,7 @@
   if (command_line_arg)
     record_file (x->dest_info, dst_path, NULL);
 
-  if ( ! preserve_metadata)
+  if ( ! preserve_metadata) 
     return 0;
 
   /* POSIX says that `cp -p' must restore the following:
@@ -1576,6 +1610,11 @@
 
 un_backup:
 
+#ifdef WITH_SELINUX
+  if (x->preserve_security_context) 
+    setfscreatecon(NULL);
+#endif
+
   /* We have failed to create the destination file.
      If we've just added a dev/ino entry via the remember_copied
      call above (i.e., unless we've just failed to create a hard link),
diff -Nur coreutils-5.0/src/copy.h coreutils-5.0.new/src/copy.h
--- coreutils-5.0/src/copy.h    2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/copy.h        2003-06-20 12:10:08.000000000 +0200
@@ -105,6 +105,9 @@
   int preserve_ownership;
   int preserve_mode;
   int preserve_timestamps;
+#ifdef WITH_SELINUX
+  int preserve_security_context;
+#endif
 
   /* Enabled for mv, and for cp by the --preserve=links option.
      If nonzero, attempt to preserve in the destination files any
diff -Nur coreutils-5.0/src/cp.c coreutils-5.0.new/src/cp.c
--- coreutils-5.0/src/cp.c      2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/cp.c  2003-06-20 12:10:08.000000000 +0200
@@ -52,6 +52,10 @@
 
 #define AUTHORS N_ ("Torbjorn Granlund, David MacKenzie, and Jim Meyering")
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>          /* for is_selinux_enabled() */
+#endif
+
 #ifndef _POSIX_VERSION
 uid_t geteuid ();
 #endif
@@ -149,6 +153,9 @@
   {"update", no_argument, NULL, 'u'},
   {"verbose", no_argument, NULL, 'v'},
   {"version-control", required_argument, NULL, 'V'}, /* Deprecated. FIXME. */
+#ifdef WITH_SELINUX
+  {"context", required_argument, NULL, 'X'},
+#endif
   {GETOPT_HELP_OPTION_DECL},
   {GETOPT_VERSION_OPTION_DECL},
   {NULL, 0, NULL, 0}
@@ -198,6 +205,9 @@
                                  additional attributes: links, all\n\
 "), stdout);
       fputs (_("\
+  -c                           same as --preserve=context\n\
+"), stdout);
+      fputs (_("\
       --no-preserve=ATTR_LIST  don't preserve the specified attributes\n\
       --parents                append source path to DIRECTORY\n\
   -P                           same as `--no-dereference'\n\
@@ -225,6 +235,7 @@
                                  destination file is missing\n\
   -v, --verbose                explain what is being done\n\
   -x, --one-file-system        stay on this file system\n\
+  -X, --context=CONTEXT        set security context of copy to CONTEXT\n\
 "), stdout);
       fputs (HELP_OPTION_DESCRIPTION, stdout);
       fputs (VERSION_OPTION_DESCRIPTION, stdout);
@@ -756,8 +767,8 @@
        {
          new_dest = (char *) dest;
        }
-
-      return copy (source, new_dest, new_dst, x, &unused, NULL);
+      ret=copy (source, new_dest, new_dst, x, &unused, NULL);
+      return ret;
     }
 
   /* unreachable */
@@ -781,6 +792,10 @@
   x->preserve_mode = 0;
   x->preserve_timestamps = 0;
 
+#ifdef WITH_SELINUX
+  x->preserve_security_context = 0;
+#endif
+
   x->require_preserve = 0;
   x->recursive = 0;
   x->sparse_mode = SPARSE_AUTO;
@@ -808,19 +823,20 @@
       PRESERVE_TIMESTAMPS,
       PRESERVE_OWNERSHIP,
       PRESERVE_LINK,
+      PRESERVE_CONTEXT,
       PRESERVE_ALL
     };
   static enum File_attribute const preserve_vals[] =
     {
       PRESERVE_MODE, PRESERVE_TIMESTAMPS,
-      PRESERVE_OWNERSHIP, PRESERVE_LINK, PRESERVE_ALL
+      PRESERVE_OWNERSHIP, PRESERVE_LINK, PRESERVE_CONTEXT, PRESERVE_ALL
     };
 
   /* Valid arguments to the `--preserve' option. */
   static char const* const preserve_args[] =
     {
       "mode", "timestamps",
-      "ownership", "links", "all", 0
+      "ownership", "links", "context", "all", 0
     };
 
   char *arg_writable = xstrdup (arg);
@@ -855,11 +871,16 @@
          x->preserve_links = on_off;
          break;
 
+       case PRESERVE_CONTEXT:
+         x->preserve_security_context = on_off;
+         break;
+
        case PRESERVE_ALL:
          x->preserve_mode = on_off;
          x->preserve_timestamps = on_off;
          x->preserve_ownership = on_off;
          x->preserve_links = on_off;
+         x->preserve_security_context = on_off;
          break;
 
        default:
@@ -882,6 +903,10 @@
   struct cp_options x;
   int copy_contents = 0;
   char *target_directory = NULL;
+#ifdef WITH_SELINUX
+  security_context_t scontext = NULL;
+  int is_selinux_enabled_flag= is_selinux_enabled();
+#endif
 
   program_name = argv[0];
   setlocale (LC_ALL, "");
@@ -896,7 +921,11 @@
      we'll actually use backup_suffix_string.  */
   backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
 
+#ifdef WITH_SELINUX
+  while ((c = getopt_long (argc, argv, "abcdfHilLprsuvxPRS:V:X:Z:", long_opts, NULL))
+#else
   while ((c = getopt_long (argc, argv, "abdfHilLprsuvxPRS:V:", long_opts, NULL))
+#endif
         != -1)
     {
       switch (c)
@@ -987,6 +1016,36 @@
          x.preserve_timestamps = 1;
          x.require_preserve = 1;
          break;
+#ifdef WITH_SELINUX
+       case 'c':
+         if ( scontext != NULL ) { 
+             (void) fprintf(stderr, "%s: cannot force target context <-- %s and preserve it\n", argv[0], scontext);
+           exit( 1 );
+         }
+         else if (is_selinux_enabled_flag) 
+           x.preserve_security_context = 1;
+         break;
+
+       case 'X':
+         /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled_flag ) {
+           fprintf( stderr, "Warning:  ignoring --context (-X). "
+                            "It requires a SELinux enabled kernel.\n" );
+           break;
+         }
+         if ( x.preserve_security_context ) {
+           (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], optarg);
+           exit( 1 );
+         }
+         scontext = optarg;
+         /* if there's a security_context given set new path 
+            components to that context, too */
+         if ( setfscreatecon(scontext) < 0 ) {
+           (void) fprintf(stderr, _("cannot set default security context %s"), scontext);
+           exit( 1 );
+         }
+         break;
+#endif
 
        case PARENTS_OPTION:
          flag_path = 1;
diff -Nur coreutils-5.0/src/id.c coreutils-5.0.new/src/id.c
--- coreutils-5.0/src/id.c      2003-03-27 23:39:46.000000000 +0100
+++ coreutils-5.0.new/src/id.c  2003-06-20 12:10:08.000000000 +0200
@@ -46,6 +46,20 @@
 
 int getugroups ();
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+static void print_context PARAMS ((char* context));
+/* Print the SELinux context */
+static void
+print_context(char *context)
+{
+  printf ("%s", context);
+}
+
+/* If nonzero, output only the SELinux context. -c */
+static int just_context = 0;
+
+#endif
 static void print_user (uid_t uid);
 static void print_group (gid_t gid);
 static void print_group_list (const char *username);
@@ -64,8 +78,14 @@
 /* The number of errors encountered so far. */
 static int problems = 0;
 
+/* The SELinux context */
+/* Set `context' to a known invalid value so print_full_info() will *
+ * know when `context' has not been set to a meaningful value.      */
+static security_context_t context=NULL;
+
 static struct option const longopts[] =
 {
+  {"context", no_argument, NULL, 'c'},
   {"group", no_argument, NULL, 'g'},
   {"groups", no_argument, NULL, 'G'},
   {"name", no_argument, NULL, 'n'},
@@ -89,6 +109,7 @@
 Print information for USERNAME, or the current user.\n\
 \n\
   -a              ignore, for compatibility with other versions\n\
+  -c, --context   print only the context\n\
   -g, --group     print only the effective group ID\n\
   -G, --groups    print all group IDs\n\
   -n, --name      print a name instead of a number, for -ugG\n\
@@ -110,6 +131,7 @@
 main (int argc, char **argv)
 {
   int optc;
+  int is_selinux_enabled_flag=is_selinux_enabled();
 
   /* If nonzero, output the list of all group IDs. -G */
   int just_group_list = 0;
@@ -127,7 +149,7 @@
 
   atexit (close_stdout);
 
-  while ((optc = getopt_long (argc, argv, "agnruG", longopts, NULL)) != -1)
+  while ((optc = getopt_long (argc, argv, "acgnrsuG", longopts, NULL)) != -1)
     {
       switch (optc)
        {
@@ -136,6 +158,17 @@
        case 'a':
          /* Ignore -a, for compatibility with SVR4.  */
          break;
+#ifdef WITH_SELINUX
+        case 'c':
+         /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled_flag ) {
+           fprintf( stderr, "Sorry, --context (-c) can be used only on "
+                            "a selinux-enabled kernel.\n" );
+           exit( 1 );
+         }
+          just_context = 1;
+          break;
+#endif
        case 'g':
          just_group = 1;
          break;
@@ -158,8 +191,28 @@
        }
     }
 
-  if (just_user + just_group + just_group_list > 1)
-    error (EXIT_FAILURE, 0, _("cannot print only user and only group"));
+#ifdef WITH_SELINUX
+  if (argc - optind == 1)
+    is_selinux_enabled_flag = 0;
+
+  if( just_context  && !is_selinux_enabled_flag)
+    error (1, 0, _("\
+cannot display context when selinux not enabled or when displaying the id\n\
+of a different user"));
+
+  /* If we are on a selinux-enabled kernel, get our context.    *
+   * Otherwise, leave the context variable alone - it has *
+   * been initialized known invalid value; if we see this invalid   *
+   * value later, we will know we are on a non-selinux kernel.         */
+  if( is_selinux_enabled_flag )
+    {
+      if (getcon(&context))
+        error (1, 0, "can't get process context");
+    }
+#endif
+
+  if (just_user + just_group + just_group_list + just_context > 1)
+    error (EXIT_FAILURE, 0, _("cannot print \"only\" of more than one choice"));
 
   if (just_user + just_group + just_group_list == 0 && (use_real || use_name))
     error (EXIT_FAILURE, 0,
@@ -190,6 +243,10 @@
     print_group (use_real ? rgid : egid);
   else if (just_group_list)
     print_group_list (argv[optind]);
+#ifdef WITH_SELINUX
+  else if (just_context)
+    print_context (context);
+#endif
   else
     print_full_info (argv[optind]);
   putchar ('\n');
@@ -397,4 +454,9 @@
     free (groups);
   }
 #endif /* HAVE_GETGROUPS */
+#ifdef WITH_SELINUX
+  if ( context != NULL ) {
+    printf(" context=%s",context);
+  }
+#endif
 }
diff -Nur coreutils-5.0/src/install.c coreutils-5.0.new/src/install.c
--- coreutils-5.0/src/install.c 2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/install.c     2003-06-20 12:10:08.000000000 +0200
@@ -50,6 +50,10 @@
 # include <sys/wait.h>
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>          /* for is_selinux_enabled() */
+#endif
+
 struct passwd *getpwnam ();
 struct group *getgrnam ();
 
@@ -126,11 +130,17 @@
 static struct option const long_options[] =
 {
   {"backup", optional_argument, NULL, 'b'},
+#ifdef WITH_SELINUX
+  {"context", required_argument, NULL, 'X'},
+#endif
   {"directory", no_argument, NULL, 'd'},
   {"group", required_argument, NULL, 'g'},
   {"mode", required_argument, NULL, 'm'},
   {"owner", required_argument, NULL, 'o'},
   {"preserve-timestamps", no_argument, NULL, 'p'},
+#ifdef WITH_SELINUX
+  {"preserve_context", no_argument, NULL, 'P'},
+#endif
   {"strip", no_argument, NULL, 's'},
   {"suffix", required_argument, NULL, 'S'},
   {"version-control", required_argument, NULL, 'V'}, /* Deprecated. FIXME. */
@@ -247,6 +257,9 @@
 
   x->update = 0;
   x->verbose = 0;
+#ifdef WITH_SELINUX
+  x->preserve_security_context = 0;
+#endif
   x->xstat = stat;
   x->dest_info = NULL;
   x->src_info = NULL;
@@ -265,6 +278,11 @@
   struct cp_options x;
   int n_files;
   char **file;
+#ifdef WITH_SELINUX
+  security_context_t scontext = NULL;
+ /* set iff kernel has extra selinux system calls */
+  int is_selinux_enabled_flag = is_selinux_enabled();
+#endif
 
   program_name = argv[0];
   setlocale (LC_ALL, "");
@@ -285,7 +303,11 @@
      we'll actually use backup_suffix_string.  */
   backup_suffix_string = getenv ("SIMPLE_BACKUP_SUFFIX");
 
+#ifdef WITH_SELINUX
+  while ((optc = getopt_long (argc, argv, "bcCsDdg:m:o:pPX:vV:S:Z:", long_options,
+#else
   while ((optc = getopt_long (argc, argv, "bcCsDdg:m:o:pvV:S:", long_options,
+#endif
                              NULL)) != -1)
     {
       switch (optc)
@@ -338,6 +360,39 @@
          make_backups = 1;
          backup_suffix_string = optarg;
          break;
+#ifdef WITH_SELINUX
+       case 'P':
+       /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled_flag ) {
+           fprintf( stderr, "Warning:  ignoring --preserve_context (-P) "
+                            "because the kernel is not selinux-enabled.\n" );
+           break;
+         }
+         if ( scontext!=NULL ) { /* scontext could be NULL because of calloc() failure */
+             (void) fprintf(stderr, "%s: cannot force target context to '%s' and preserve it\n", argv[0], scontext);
+           exit( 1 );
+         }
+         x.preserve_security_context = 1;
+         break ;
+       case 'X':
+         /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled_flag ) {
+           fprintf( stderr, "Warning:  ignoring --context (-X) "
+                            "because the kernel is not selinux-enabled.\n" );
+           break;
+         }
+         if ( x.preserve_security_context ) {
+
+                   (void) fprintf(stderr, "%s: cannot force target context == '%s' and preserve it\n", argv[0], optarg);
+           exit( 1 );
+         }
+         scontext = optarg;
+         if (setfscreatecon(scontext)) {
+           (void) fprintf(stderr, "%s: cannot setup default context == '%s'\n", argv[0], scontext);
+           exit(1);
+         }
+         break;
+#endif
        case_GETOPT_HELP_CHAR;
        case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
        default:
@@ -721,6 +776,11 @@
   -S, --suffix=SUFFIX override the usual backup suffix\n\
   -v, --verbose       print the name of each directory as it is created\n\
 "), stdout);
+      fputs (_("\
+  -P, --preserve_context (Selinux) Preserve security context\n\
+  -X, --context=CONTEXT  (Selinux) Set security context of files and directories\n\
+"), stdout);
+
       fputs (HELP_OPTION_DESCRIPTION, stdout);
       fputs (VERSION_OPTION_DESCRIPTION, stdout);
       fputs (_("\
diff -Nur coreutils-5.0/src/ls.c coreutils-5.0.new/src/ls.c
--- coreutils-5.0/src/ls.c      2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/ls.c  2003-06-20 12:10:08.000000000 +0200
@@ -130,6 +130,12 @@
 
 #define AUTHORS N_ ("Richard Stallman and David MacKenzie")
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+int is_selinux_enabled_flag= 0;
+static int print_scontext       = 0;
+#endif
+
 #define obstack_chunk_alloc malloc
 #define obstack_chunk_free free
 
@@ -227,6 +233,10 @@
     /* For long listings, true if the file has an access control list.  */
     bool have_acl;
 #endif
+
+#ifdef WITH_SELINUX
+    security_context_t scontext;
+#endif
   };
 
 #if HAVE_ACL || USE_ACL
@@ -290,6 +300,9 @@
 static void sort_files (void);
 static void parse_ls_color (void);
 void usage (int status);
+#ifdef WITH_SELINUX
+static void print_scontext_format PARAMS ((const struct fileinfo *f));
+#endif
 
 /* The name the program was run with, stripped of any leading path. */
 char *program_name;
@@ -379,7 +392,12 @@
     one_per_line,              /* -1 */
     many_per_line,             /* -C */
     horizontal,                        /* -x */
-    with_commas                        /* -m */
+#ifdef WITH_SELINUX
+    with_commas,               /* -m */
+    security_format
+#else
+    with_commas                        /* -m */
+#endif
   };
 
 static enum format format;
@@ -700,6 +718,11 @@
   SHOW_CONTROL_CHARS_OPTION,
   SI_OPTION,
   SORT_OPTION,
+#ifdef WITH_SELINUX
+  CONTEXT_OPTION,
+  LCONTEXT_OPTION,
+  SCONTEXT_OPTION,
+#endif
   TIME_OPTION,
   TIME_STYLE_OPTION
 };
@@ -743,6 +766,11 @@
   {"time-style", required_argument, 0, TIME_STYLE_OPTION},
   {"color", optional_argument, 0, COLOR_OPTION},
   {"block-size", required_argument, 0, BLOCK_SIZE_OPTION},
+#ifdef WITH_SELINUX
+  {"context", no_argument, 0, CONTEXT_OPTION},
+  {"lcontext", no_argument, 0, LCONTEXT_OPTION},
+  {"scontext", no_argument, 0, SCONTEXT_OPTION},
+#endif
   {"author", no_argument, 0, AUTHOR_OPTION},
   {GETOPT_HELP_OPTION_DECL},
   {GETOPT_VERSION_OPTION_DECL},
@@ -752,12 +780,19 @@
 static char const *const format_args[] =
 {
   "verbose", "long", "commas", "horizontal", "across",
-  "vertical", "single-column", 0
+  "vertical", "single-column", 
+#ifdef WITH_SELINUX
+  "context",
+#endif
+  0
 };
 
 static enum format const format_types[] =
 {
   long_format, long_format, with_commas, horizontal, horizontal,
+#ifdef WITH_SELINUX
+  security_format,
+#endif
   many_per_line, one_per_line
 };
 
@@ -1121,6 +1156,9 @@
 
   format_needs_stat = sort_type == sort_time || sort_type == sort_size
     || format == long_format
+#ifdef WITH_SELINUX
+    || format == security_format || print_scontext
+#endif
     || dereference == DEREF_ALWAYS
     || print_block_size || print_inode;
   format_needs_type = (format_needs_stat == 0
@@ -1243,6 +1281,11 @@
   /* Record whether there is an option specifying sort type.  */
   int sort_type_specified = 0;
 
+#ifdef WITH_SELINUX
+  /* 1 iff kernel has new selinux system calls */
+  is_selinux_enabled_flag= is_selinux_enabled();
+#endif
+
   qmark_funny_chars = 0;
 
   /* initialize all switches to default settings */
@@ -1293,6 +1336,9 @@
   all_files = 0;
   really_all_files = 0;
   ignore_patterns = 0;
+#ifdef WITH_SELINUX
+  print_scontext       = 0;
+#endif
 
   /* FIXME: put this in a function.  */
   {
@@ -1656,6 +1702,31 @@
 
        case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
 
+#ifdef WITH_SELINUX
+
+#define check_selinux() if (!is_selinux_enabled_flag) { \
+           fprintf( stderr, "Sorry, this option can only be used " \
+                            "on a SELinux kernel.\n" ); \
+           exit( EXIT_FAILURE ); \
+}
+
+       case CONTEXT_OPTION: /* new security format */
+               check_selinux();
+               print_scontext = 1;
+               format = security_format;
+               break;
+       case LCONTEXT_OPTION: /* long format plus security context */
+               check_selinux();
+               print_scontext = 1;
+               format = long_format;
+               break;
+       case SCONTEXT_OPTION: /* short form of new security format */
+               check_selinux();
+               print_scontext = 0;
+               format = security_format;
+               break;
+#endif
+
        default:
          usage (EXIT_FAILURE);
        }
@@ -2301,6 +2372,10 @@
       free (files[i].name);
       if (files[i].linkname)
        free (files[i].linkname);
+#ifdef WITH_SELINUX
+      if (files[i].scontext)
+       freecon (files[i].scontext);
+#endif
     }
 
   files_index = 0;
@@ -2372,6 +2447,11 @@
            {
              int need_lstat;
              err = stat (path, &files[files_index].stat);
+#ifdef WITH_SELINUX
+             if (err>=0) 
+               if (is_selinux_enabled_flag)
+                 getfilecon(path, &files[files_index].scontext);
+#endif
 
              if (dereference == DEREF_COMMAND_LINE_ARGUMENTS)
                break;
@@ -2390,6 +2470,12 @@
 
        default: /* DEREF_NEVER */
          err = lstat (path, &files[files_index].stat);
+#ifdef WITH_SELINUX
+         if (err>=0) 
+           if (is_selinux_enabled_flag)
+             lgetfilecon(path, &files[files_index].scontext);
+#endif
+
          break;
        }
 
@@ -2819,6 +2905,16 @@
          DIRED_PUTCHAR ('\n');
        }
       break;
+
+#ifdef WITH_SELINUX
+    case security_format:
+      for (i = 0; i < files_index; i++)
+      {
+        print_scontext_format (files + i);
+        DIRED_PUTCHAR ('\n');
+      }
+      break;
+#endif
     }
 }
 
@@ -3082,6 +3178,14 @@
       p += strlen (p);
     }
 
+#ifdef WITH_SELINUX
+
+  if ( print_scontext ) {
+    sprintf (p, "%-32s ", f->scontext);
+    p += strlen (p);
+  }
+#endif
+
   DIRED_INDENT ();
   DIRED_FPUTS (buf, stdout, p - buf);
   print_name_with_quoting (f->name, FILE_OR_LINK_MODE (f), f->linkok,
@@ -3874,6 +3978,16 @@
   -X                         sort alphabetically by entry extension\n\
   -1                         list one file per line\n\
 "), stdout);
+#ifdef WITH_SELINUX
+printf(_("SELINUX options:\n\n\
+      --lcontext             Display security context.   Enable -l. Lines\n\
+                               will probably be too wide for most displays.\n\
+      --context              Display security context so it fits on most\n\
+                               displays.  Displays only mode, user, group,\n\
+                               security context and file name.\n\
+      --scontext             Display only security context and file name.\n\
+"));
+#endif
       fputs (HELP_OPTION_DESCRIPTION, stdout);
       fputs (VERSION_OPTION_DESCRIPTION, stdout);
       fputs (_("\n\
@@ -3892,3 +4006,79 @@
     }
   exit (status);
 }
+
+#ifdef WITH_SELINUX
+
+static void
+print_scontext_format (const struct fileinfo *f)
+{
+  char modebuf[12];
+
+  /* 7 fields that may require LONGEST_HUMAN_READABLE bytes,
+     1 10-byte mode string,
+     9 spaces, one following each of these fields, and
+     1 trailing NUL byte.  */
+
+  char init_bigbuf[7 * LONGEST_HUMAN_READABLE + 10  + 9 + 1];
+  char *buf = init_bigbuf;
+  size_t bufsize = sizeof (init_bigbuf);
+  size_t s;
+  char *p;
+  const char *fmt;
+  char *user_name;
+  char *group_name;
+  int rv;
+  char *scontext;
+
+  p = buf;
+
+  if ( print_scontext ) { /* zero means terse listing */
+    mode_string (f->stat.st_mode, modebuf);
+    modebuf[10] = (FILE_HAS_ACL (f) ? '+' : ' ');
+    modebuf[11] = '\0';
+
+    /* print mode */
+
+    (void) sprintf (p, "%s ", modebuf);
+    p += strlen (p);
+
+    /* print standard user and group */
+
+    user_name = (numeric_ids ? NULL : getuser (f->stat.st_uid));
+    if (user_name)
+      (void) sprintf (p, "%-8.8s ", user_name);
+    else
+      (void) sprintf (p, "%-8u ", (unsigned int) f->stat.st_uid);
+    p += strlen (p);
+
+    if ( print_group ) {
+      group_name = (numeric_ids ? NULL : getgroup (f->stat.st_gid));
+      if (group_name)
+       (void) sprintf (p, "%-8.8s ", group_name);
+      else
+       (void) sprintf (p, "%-8u ", (unsigned int) f->stat.st_gid);
+      p += strlen (p);
+    }
+  }
+
+  (void) sprintf (p, "%-32s ", f->scontext);
+  p += strlen (p);
+ 
+  DIRED_INDENT ();
+  DIRED_FPUTS (buf, stdout, p - buf);
+  print_name_with_quoting (f->name, f->stat.st_mode, f->linkok, &dired_obstack);
+ 
+  if (f->filetype == symbolic_link) {
+      if (f->linkname) {
+         DIRED_FPUTS_LITERAL (" -> ", stdout);
+         print_name_with_quoting (f->linkname, f->linkmode, f->linkok - 1, NULL);
+         if (indicator_style != none)
+           print_type_indicator (f->linkmode);
+      }
+  }
+  else {
+    if (indicator_style != none)
+      print_type_indicator (f->stat.st_mode);
+  }
+}
+#endif
diff -Nur coreutils-5.0/src/mkdir.c coreutils-5.0.new/src/mkdir.c
--- coreutils-5.0/src/mkdir.c   2002-09-23 09:35:27.000000000 +0200
+++ coreutils-5.0.new/src/mkdir.c       2003-06-20 12:10:08.000000000 +0200
@@ -34,6 +34,10 @@
 
 #define AUTHORS "David MacKenzie"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>          /* for is_selinux_enabled() */
+#endif
+
 /* The name this program was run with. */
 char *program_name;
 
@@ -42,6 +46,9 @@
 
 static struct option const longopts[] =
 {
+#ifdef WITH_SELINUX
+  {"context", required_argument, NULL, 'c'},
+#endif
   {"mode", required_argument, NULL, 'm'},
   {"parents", no_argument, NULL, 'p'},
   {"verbose", no_argument, NULL, 'v'},
@@ -63,6 +70,11 @@
 Create the DIRECTORY(ies), if they do not already exist.\n\
 \n\
 "), stdout);
+#ifdef WITH_SELINUX
+      printf (_("\
+  -c, --context=CONTEXT (Selinux) set security context to CONTEXT\n\
+"));
+#endif
       fputs (_("\
 Mandatory arguments to long options are mandatory for short options too.\n\
 "), stdout);
@@ -97,7 +109,11 @@
 
   create_parents = 0;
 
+#ifdef WITH_SELINUX
+  while ((optc = getopt_long (argc, argv, "pm:s:c:v", longopts, NULL)) != -1)
+#else
   while ((optc = getopt_long (argc, argv, "pm:v", longopts, NULL)) != -1)
+#endif
     {
       switch (optc)
        {
@@ -112,6 +128,20 @@
        case 'v': /* --verbose  */
          verbose_fmt_string = _("created directory %s");
          break;
+#ifdef WITH_SELINUX
+       case 'c':
+         /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled()) {
+           fprintf( stderr, "Sorry, --context (-c) can be used only on "
+                            "a selinux-enabled kernel.\n" );
+           exit( 1 );
+         }
+         if (setfscreatecon(optarg)) {
+           fprintf( stderr, "Sorry, cannot set default context to %s.\n", optarg);
+           exit( 1 );
+         }
+         break;
+#endif
        case_GETOPT_HELP_CHAR;
        case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
        default:
diff -Nur coreutils-5.0/src/mkfifo.c coreutils-5.0.new/src/mkfifo.c
--- coreutils-5.0/src/mkfifo.c  2002-08-31 09:29:21.000000000 +0200
+++ coreutils-5.0.new/src/mkfifo.c      2003-06-20 12:10:08.000000000 +0200
@@ -32,11 +32,18 @@
 
 #define AUTHORS "David MacKenzie"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>          /* for is_selinux_enabled() */
+#endif
+
 /* The name this program was run with. */
 char *program_name;
 
 static struct option const longopts[] =
 {
+#ifdef WITH_SELINUX
+  {"context", required_argument, NULL, 'c'},
+#endif
   {"mode", required_argument, NULL, 'm'},
   {GETOPT_HELP_OPTION_DECL},
   {GETOPT_VERSION_OPTION_DECL},
@@ -57,6 +64,11 @@
 Create named pipes (FIFOs) with the given NAMEs.\n\
 \n\
 "), stdout);
+#ifdef WITH_SELINUX
+      printf (_("\
+  -c, --context=CONTEXT   set security context (quoted string)\n\
+"), stdout);
+#endif
       fputs (_("\
 Mandatory arguments to long options are mandatory for short options too.\n\
 "), stdout);
@@ -92,7 +104,11 @@
 #ifndef S_ISFIFO
   error (4, 0, _("fifo files not supported"));
 #else
+#ifdef WITH_SELINUX
+  while ((optc = getopt_long (argc, argv, "m:c:", longopts, NULL)) != -1)
+#else
   while ((optc = getopt_long (argc, argv, "m:", longopts, NULL)) != -1)
+#endif
     {
       switch (optc)
        {
@@ -101,6 +117,19 @@
        case 'm':
          specified_mode = optarg;
          break;
+#ifdef WITH_SELINUX
+       case 'c':
+         if( !is_selinux_enabled()) {
+           fprintf( stderr, "Sorry, --context (-c) can be used only on "
+                            "a selinux-enabled kernel.\n" );
+           exit( 1 );
+         }
+         if (setfscreatecon(optarg)) {
+           fprintf( stderr, "Sorry, cannot set default context to %s.\n", optarg);
+           exit( 1 );
+         }
+         break;
+#endif
        case_GETOPT_HELP_CHAR;
        case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
        default:
diff -Nur coreutils-5.0/src/mknod.c coreutils-5.0.new/src/mknod.c
--- coreutils-5.0/src/mknod.c   2002-12-14 15:14:59.000000000 +0100
+++ coreutils-5.0.new/src/mknod.c       2003-06-20 12:10:08.000000000 +0200
@@ -36,8 +36,15 @@
 /* The name this program was run with. */
 char *program_name;
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 static struct option const longopts[] =
 {
+#ifdef WITH_SELINUX
+  {"context", required_argument, NULL, 'c'},
+#endif
   {"mode", required_argument, NULL, 'm'},
   {GETOPT_HELP_OPTION_DECL},
   {GETOPT_VERSION_OPTION_DECL},
@@ -58,6 +65,11 @@
 Create the special file NAME of the given TYPE.\n\
 \n\
 "), stdout);
+#ifdef WITH_SELINUX
+      fputs(_("\
+  -c, --context=CONTEXT   set security context (quoted string)\n\
+"), stdout);
+#endif
       fputs (_("\
 Mandatory arguments to long options are mandatory for short options too.\n\
 "), stdout);
@@ -102,7 +114,11 @@
 
   specified_mode = NULL;
 
+#ifdef WITH_SELINUX
+  while ((optc = getopt_long (argc, argv, "m:s:c:", longopts, NULL)) != -1)
+#else
   while ((optc = getopt_long (argc, argv, "m:", longopts, NULL)) != -1)
+#endif
     {
       switch (optc)
        {
@@ -111,6 +127,20 @@
        case 'm':
          specified_mode = optarg;
          break;
+#ifdef WITH_SELINUX
+       case 'c':
+         /* politely decline if we're not on a selinux-enabled kernel. */
+         if( !is_selinux_enabled()) {
+           fprintf( stderr, "Sorry, --context (-c) can be used only on "
+                            "a selinux-enabled kernel.\n" );
+           exit( 1 );
+         }
+         if (setfscreatecon(optarg)) {
+           fprintf( stderr, "Sorry, cannot set default context to %s.\n", optarg);
+           exit( 1 );
+         }
+         break;
+#endif
        case_GETOPT_HELP_CHAR;
        case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
        default:
diff -Nur coreutils-5.0/src/mv.c coreutils-5.0.new/src/mv.c
--- coreutils-5.0/src/mv.c      2003-06-20 12:01:02.000000000 +0200
+++ coreutils-5.0.new/src/mv.c  2003-06-20 12:10:08.000000000 +0200
@@ -37,6 +37,9 @@
 #include "path-concat.h"
 #include "quote.h"
 #include "remove.h"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>        /* for is_selinux_enabled() */
+#endif
 
 /* The official name of this program (e.g., no `g' prefix).  */
 #define PROGRAM_NAME "mv"
@@ -139,6 +142,9 @@
 
   x->update = 0;
   x->verbose = 0;
+#ifdef WITH_SELINUX
+  x->preserve_security_context = 0;
+#endif
   x->xstat = lstat;
   x->dest_info = NULL;
   x->src_info = NULL;
@@ -324,6 +330,10 @@
                                  equivalent to --reply=query\n\
 "), stdout);
       fputs (_("\
+  -c                           preserve security context when source and\n\
+                               destination are on different file systems\n\
+"), stdout);
+      fputs (_("\
       --reply={yes,no,query}   specify how to handle the prompt about an\n\
                                  existing destination file\n\
       --strip-trailing-slashes remove any trailing slashes from each SOURCE\n\
@@ -387,7 +397,11 @@
 
   errors = 0;
 
+#ifdef WITH_SELINUX
+  while ((c = getopt_long (argc, argv, "bcfiuvS:V:", long_options, NULL)) != -1)
+#else
   while ((c = getopt_long (argc, argv, "bfiuvS:V:", long_options, NULL)) != -1)
+#endif
     {
       switch (c)
        {
@@ -406,6 +420,15 @@
          if (optarg)
            version_control_string = optarg;
          break;
+#ifdef WITH_SELINUX
+       case 'c':
+         if (is_selinux_enabled())
+           x.preserve_security_context = 1;
+         else
+           fprintf( stderr, "Warning:  ignoring -c. "
+                            "It requires a SELinux enabled kernel.\n" );
+         break;
+#endif
        case 'f':
          x.interactive = I_ALWAYS_YES;
          break;
diff -Nur coreutils-5.0/src/runcon.c coreutils-5.0.new/src/runcon.c
--- coreutils-5.0/src/runcon.c  1970-01-01 01:00:00.000000000 +0100
+++ coreutils-5.0.new/src/runcon.c      2003-06-20 12:10:08.000000000 +0200
@@ -0,0 +1,169 @@
+/*
+ * runcon [ context |
+ *         ( [ -r role ] [-t type] [ -u user ] [ -l levelrange ] )
+ *         command [arg1 [arg2 ...] ]
+ *
+ * attempt to run the specified command with the specified context.
+ * 
+ * -r role  : use the current context with the specified role
+ * -t type  : use the current context with the specified type
+ * -u user  : use the current context with the specified user
+ * -l level : use the current context with the specified level range
+ *
+ * Contexts are interpreted as follows:
+ *
+ * Number of       MLS
+ * components    system?
+ *
+ *     1            -         type
+ *     2            -         role:type
+ *     3            Y         role:type:range
+ *     3            N         user:role:type
+ *     4            Y         user:role:type:range
+ *     4            N         error
+ */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <getopt.h>
+#include <selinux/context.h>
+#include <selinux/selinux.h>
+#include <errno.h>
+extern int errno;
+
+/* The name the program was run with. */
+char *program_name;
+
+void
+usage(char *str)
+{
+  printf("Usage: %s [OPTION]... command [args]\n"
+         "Run a program in a different security context.\n\n"
+         "  context       Complete security context\n"
+         "  -t            type (for same role as parent)\n"
+         "  -u            user identity\n"
+         "  -r            role\n"
+         "  -l            levelrange\n"
+         "    --help      display this help and exit\n",
+         program_name);
+  exit(1);
+}
+
+int 
+main(int argc,char **argv,char **envp )
+{
+  char *role    = 0;
+  char *range   = 0;
+  char *user    = 0;
+  char *type    = 0;
+  char *context = NULL;
+  security_context_t cur_context = NULL;
+
+  context_t      con;
+
+  program_name = argv[0];
+  
+  while (1) {
+    int c;
+    int this_option_optind = optind ? optind : 1;
+    int option_index = 0;
+    static struct option long_options[] = {
+      { "role", 1, 0, 'r' },
+      { "type", 1, 0, 't' },
+      { "user", 1, 0, 'u' },
+      { "range", 1, 0, 'l' },
+      { "help", 0, 0, '?' },
+      { 0, 0, 0, 0 }
+    };
+    c = getopt_long(argc, argv, "s:r:t:u:l:?", long_options, &option_index);
+    if ( c == -1 ) {
+      break;
+    }
+    switch ( c ) {
+    case 'r':
+      if ( role ) {
+       fprintf(stderr,"multiple roles\n");
+       exit(1);
+      }
+      role = optarg;
+      break;
+    case 't':
+      if ( type ) {
+       fprintf(stderr,"multiple types\n");
+       exit(1);
+      }
+      type = optarg;
+      break;
+    case 'u':
+      if ( user ) {
+       fprintf(stderr,"multiple users\n");
+       exit(1);
+      }
+      user = optarg;
+      break;
+    case 'l':
+      if ( range ) {
+       fprintf(stderr,"multiple levelranges\n");
+       exit(1);
+      }
+      range = optarg;
+      break;
+    default:
+      fprintf(stderr,"unrecognised option %c\n",c);
+    case '?':
+      usage(0);
+      break;
+    }
+  }
+  if ( !(user || role || type || range)) {
+    if ( optind >= argc ) {
+      usage("must specify -t, -u, -l, -r, or context");
+    }
+    context = argv[optind++];
+  }
+  
+  if ( optind >= argc ) {
+    usage("no command found");
+  }
+
+  if ( context ) {
+    con = context_new(context);
+    if (!con) {
+      fprintf(stderr,"%s is not a valid context\n", context);
+      exit(1);
+    }
+  }
+  else {
+    getcon(&cur_context);
+    con = context_new(cur_context);
+    if (!con) {
+      fprintf(stderr,"%s is not a valid context\n", context);
+      exit(1);
+    }
+    if ( user ) {
+      context_user_set(con,user);
+    }
+    if ( type ) {
+      context_type_set(con,type);
+    }
+    if ( range ) {
+      context_range_set(con,range);
+    }
+    if ( role ) {
+      context_role_set(con,role);
+    }
+  }
+  
+  if (setexeccon(context_str(con))!=0) {
+    fprintf(stderr,"unable to setup security context %s\n", context_str(con));
+    exit(1);
+  }
+  if (cur_context!=NULL) 
+    freecon(cur_context);
+
+  if ( execvp(argv[optind],argv+optind) ) {
+    perror("execvp");
+    exit(1);
+  }
+  return 1; /* can't reach this statement.... */
+}
diff -Nur coreutils-5.0/tests/cp/Makefile.am coreutils-5.0.new/tests/cp/Makefile.am
--- coreutils-5.0/tests/cp/Makefile.am  2003-02-02 21:08:59.000000000 +0100
+++ coreutils-5.0.new/tests/cp/Makefile.am      2003-06-20 12:10:09.000000000 +0200
@@ -3,8 +3,8 @@
 
 TESTS = \
   preserve-2 r-vs-symlink link-preserve \
-  backup-1 no-deref-link1 no-deref-link2 no-deref-link3 backup-is-src \
-  same-file cp-mv-backup symlink-slash slink-2-slink fail-perm dir-slash \
+  backup-1 backup-is-src \
+  cp-mv-backup symlink-slash slink-2-slink fail-perm dir-slash \
   perm cp-HL special-bits link dir-rm-dest cp-parents deref-slink \
   dir-vs-file into-self
 EXTRA_DIST = $(TESTS)