Merge pull request #2781 from keszybz/selinux-and-warnings

Selinux loading fix and warning cleanups

20 files changed, 209 insertions, 31 deletions

diff --git a/.gitignore b/.gitignore
index 56a60ba726..18db046cac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -246,7 +246,9 @@
 /test-ring
 /test-rlimit-util
 /test-sched-prio
+/test-selinux
 /test-set
+/test-sizeof
 /test-sigbus
 /test-signal-util
 /test-siphash24
diff --git a/Makefile.am b/Makefile.am
index 4f9072c0ff..0f17bad8b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1479,7 +1479,9 @@ tests += \
 	test-dns-domain \
 	test-install-root \
 	test-rlimit-util \
-	test-signal-util
+	test-signal-util \
+	test-selinux \
+	test-sizeof
 
 if HAVE_ACL
 tests += \
@@ -1873,6 +1875,18 @@ test_signal_util_SOURCES = \
 test_signal_util_LDADD = \
 	libshared.la
 
+test_selinux_SOURCES = \
+	src/test/test-selinux.c
+
+test_selinux_LDADD = \
+	libshared.la
+
+test_sizeof_SOURCES = \
+	src/test/test-sizeof.c
+
+test_sizeof_LDADD = \
+	libshared.la
+
 BUILT_SOURCES += \
 	src/test/test-hashmap-ordered.c
 
diff --git a/src/basic/formats-util.h b/src/basic/formats-util.h
index ce516b117d..9b4e8e98fa 100644
--- a/src/basic/formats-util.h
+++ b/src/basic/formats-util.h
@@ -49,7 +49,7 @@
 #if SIZEOF_TIME_T == 8
 #  define PRI_TIME PRIi64
 #elif SIZEOF_TIME_T == 4
-#  define PRI_TIME PRIu32
+#  define PRI_TIME "li"
 #else
 #  error Unknown time_t size
 #endif
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 6c63b9d652..5e6181f662 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -80,31 +80,23 @@ void mac_selinux_retest(void) {
 #endif
 }
 
-int mac_selinux_init(const char *prefix) {
+int mac_selinux_init(void) {
         int r = 0;
 
 #ifdef HAVE_SELINUX
         usec_t before_timestamp, after_timestamp;
         struct mallinfo before_mallinfo, after_mallinfo;
 
-        if (!mac_selinux_use())
+        if (label_hnd)
                 return 0;
 
-        if (label_hnd)
+        if (!mac_selinux_use())
                 return 0;
 
         before_mallinfo = mallinfo();
         before_timestamp = now(CLOCK_MONOTONIC);
 
-        if (prefix) {
-                struct selinux_opt options[] = {
-                        { .type = SELABEL_OPT_SUBSET, .value = prefix },
-                };
-
-                label_hnd = selabel_open(SELABEL_CTX_FILE, options, ELEMENTSOF(options));
-        } else
-                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-
+        label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
         if (!label_hnd) {
                 log_enforcing("Failed to initialize SELinux context: %m");
                 r = security_getenforce() == 1 ? -errno : 0;
@@ -225,7 +217,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
                 return -errno;
 
         sclass = string_to_security_class("process");
-        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
+        r = security_compute_create_raw(mycon, fcon, sclass, (security_context_t *) label);
         if (r < 0)
                 return -errno;
 #endif
@@ -304,7 +296,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
                 return -ENOMEM;
 
         sclass = string_to_security_class("process");
-        r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);
+        r = security_compute_create_raw(mycon, fcon, sclass, (security_context_t *) label);
         if (r < 0)
                 return -errno;
 #endif
@@ -358,7 +350,7 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 
                 log_enforcing("Failed to determine SELinux security context for %s: %m", path);
         } else {
-                if (setfscreatecon(filecon) >= 0)
+                if (setfscreatecon_raw(filecon) >= 0)
                         return 0; /* Success! */
 
                 log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index 27e8edb41b..ce6bc8e44c 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -29,7 +29,7 @@ bool mac_selinux_use(void);
 bool mac_selinux_have(void);
 void mac_selinux_retest(void);
 
-int mac_selinux_init(const char *prefix);
+int mac_selinux_init(void);
 void mac_selinux_finish(void);
 
 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs);
diff --git a/src/core/main.c b/src/core/main.c
index 02c0488208..1783b9c7af 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1369,7 +1369,7 @@ int main(int argc, char *argv[]) {
                         dual_timestamp_get(&security_finish_timestamp);
                 }
 
-                if (mac_selinux_init(NULL) < 0) {
+                if (mac_selinux_init() < 0) {
                         error_message = "Failed to initialize SELinux policy";
                         goto finish;
                 }
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index c37e32e96b..d11756e615 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -706,7 +706,7 @@ int main(int argc, char *argv[]) {
         log_open();
 
         umask(0022);
-        mac_selinux_init("/etc");
+        mac_selinux_init();
 
         if (argc != 1) {
                 log_error("This program takes no arguments.");
diff --git a/src/locale/localed.c b/src/locale/localed.c
index cc86c61edb..46405ca68a 100644
--- a/src/locale/localed.c
+++ b/src/locale/localed.c
@@ -1296,7 +1296,7 @@ int main(int argc, char *argv[]) {
         log_open();
 
         umask(0022);
-        mac_selinux_init("/etc");
+        mac_selinux_init();
 
         if (argc != 1) {
                 log_error("This program takes no arguments.");
diff --git a/src/login/logind.c b/src/login/logind.c
index 933602eb08..d5f6757bd3 100644
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -1126,7 +1126,7 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
-        r = mac_selinux_init("/run");
+        r = mac_selinux_init();
         if (r < 0) {
                 log_error_errno(r, "Could not initialize labelling: %m");
                 goto finish;
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index c7e2ab14d6..161ea03412 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -48,7 +48,7 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
-        r = mac_selinux_init(NULL);
+        r = mac_selinux_init();
         if (r < 0) {
                 log_error_errno(r, "SELinux setup failed: %m");
                 goto finish;
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 863c628323..4377f1b910 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -1820,7 +1820,7 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
-        r = mac_selinux_init(NULL);
+        r = mac_selinux_init();
         if (r < 0) {
                 log_error_errno(r, "SELinux setup failed: %m");
                 goto finish;
diff --git a/src/test/test-selinux.c b/src/test/test-selinux.c
new file mode 100644
index 0000000000..c2152269f8
--- /dev/null
+++ b/src/test/test-selinux.c
@@ -0,0 +1,117 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2016 Zbigniew Jędrzejewski-Szmek
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sys/stat.h>
+
+#include "alloc-util.h"
+#include "fd-util.h"
+#include "log.h"
+#include "selinux-util.h"
+#include "time-util.h"
+
+static void test_testing(void) {
+        bool b;
+
+        log_info("============ %s ==========", __func__);
+
+        b = mac_selinux_use();
+        log_info("mac_selinux_use → %d", b);
+
+        b = mac_selinux_have();
+        log_info("mac_selinux_have → %d", b);
+
+        mac_selinux_retest();
+
+        b = mac_selinux_use();
+        log_info("mac_selinux_use → %d", b);
+
+        b = mac_selinux_have();
+        log_info("mac_selinux_have → %d", b);
+}
+
+static void test_loading(void) {
+        usec_t n1, n2;
+        int r;
+
+        log_info("============ %s ==========", __func__);
+
+        n1 = now(CLOCK_MONOTONIC);
+        r = mac_selinux_init();
+        n2 = now(CLOCK_MONOTONIC);
+        log_info_errno(r, "mac_selinux_init → %d (%m) %.2fs", r, (n2 - n1)/1e6);
+}
+
+static void test_cleanup(void) {
+        usec_t n1, n2;
+
+        log_info("============ %s ==========", __func__);
+
+        n1 = now(CLOCK_MONOTONIC);
+        mac_selinux_finish();
+        n2 = now(CLOCK_MONOTONIC);
+        log_info("mac_selinux_finish → %.2fs", (n2 - n1)/1e6);
+}
+
+static void test_misc(const char* fname) {
+        _cleanup_(mac_selinux_freep) char *label = NULL, *label2 = NULL, *label3 = NULL;
+        int r;
+        _cleanup_close_ int fd = -1;
+
+        log_info("============ %s ==========", __func__);
+
+        r = mac_selinux_get_our_label(&label);
+        log_info_errno(r, "mac_selinux_get_our_label → %d (%m), \"%s\"", r, label);
+
+        r = mac_selinux_get_create_label_from_exe(fname, &label2);
+        log_info_errno(r, "mac_selinux_create_label_from_exe → %d (%m), \"%s\"", r, label2);
+
+        fd = socket(AF_INET, SOCK_DGRAM, 0);
+        assert_se(fd >= 0);
+
+        r = mac_selinux_get_child_mls_label(fd, fname, label2, &label3);
+        log_info_errno(r, "mac_selinux_get_child_mls_label → %d (%m), \"%s\"", r, label3);
+}
+
+static void test_create_file_prepare(const char* fname) {
+        int r;
+
+        log_info("============ %s ==========", __func__);
+
+        r = mac_selinux_create_file_prepare(fname, S_IRWXU);
+        log_info_errno(r, "mac_selinux_create_file_prepare → %d (%m)", r);
+
+        mac_selinux_create_file_clear();
+}
+
+int main(int argc, char **argv) {
+        const char *path = SYSTEMD_BINARY_PATH;
+        if (argc >= 2)
+                path = argv[1];
+
+        log_set_max_level(LOG_DEBUG);
+        log_parse_environment();
+
+        test_testing();
+        test_loading();
+        test_misc(path);
+        test_create_file_prepare(path);
+        test_cleanup();
+
+        return 0;
+}
diff --git a/src/test/test-sizeof.c b/src/test/test-sizeof.c
new file mode 100644
index 0000000000..8f99a13772
--- /dev/null
+++ b/src/test/test-sizeof.c
@@ -0,0 +1,53 @@
+/***
+  This file is part of systemd.
+
+  Copyright 2016 Zbigniew Jędrzejewski-Szmek
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "log.h"
+#include "time-util.h"
+
+/* Print information about various types. Useful when diagnosing
+ * gcc diagnostics on an unfamiliar architecture. */
+
+#pragma GCC diagnostic ignored "-Wtype-limits"
+
+#define info(t)                                                 \
+        log_info("%s → %zu bits%s", STRINGIFY(t),               \
+                 sizeof(t)*CHAR_BIT,                            \
+                 strstr(STRINGIFY(t), "signed") ? "" :          \
+                 ((t)-1 < (t)0 ? ", signed" : ", unsigned"));
+
+int main(void) {
+        info(char);
+        info(signed char);
+        info(unsigned char);
+        info(short unsigned);
+        info(unsigned);
+        info(long unsigned);
+        info(long long unsigned);
+
+        info(float);
+        info(double);
+        info(long double);
+
+        info(size_t);
+        info(ssize_t);
+        info(time_t);
+        info(usec_t);
+
+        return 0;
+}
diff --git a/src/test/test-udev.c b/src/test/test-udev.c
index 9cc64f7c68..d01789fe08 100644
--- a/src/test/test-udev.c
+++ b/src/test/test-udev.c
@@ -93,7 +93,7 @@ int main(int argc, char *argv[]) {
                 return EXIT_FAILURE;
 
         log_debug("version %s", VERSION);
-        mac_selinux_init("/dev");
+        mac_selinux_init();
 
         action = argv[1];
         if (action == NULL) {
diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
index 0febc36af8..ffec609c69 100644
--- a/src/timedate/timedated.c
+++ b/src/timedate/timedated.c
@@ -173,7 +173,7 @@ static int context_write_data_local_rtc(Context *c) {
                 }
         }
 
-        mac_selinux_init("/etc");
+        mac_selinux_init();
         return write_string_file_atomic_label("/etc/adjtime", w);
 }
 
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 2ab0468c12..946808fbec 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -2288,7 +2288,7 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
-        mac_selinux_init(NULL);
+        mac_selinux_init();
 
         items = ordered_hashmap_new(&string_hash_ops);
         globs = ordered_hashmap_new(&string_hash_ops);
diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c
index 7bd2c1ea42..a6a873e5de 100644
--- a/src/udev/udevadm.c
+++ b/src/udev/udevadm.c
@@ -93,7 +93,7 @@ int main(int argc, char *argv[]) {
 
         log_parse_environment();
         log_open();
-        mac_selinux_init("/dev");
+        mac_selinux_init();
 
         while ((c = getopt_long(argc, argv, "+dhV", options, NULL)) >= 0)
                 switch (c) {
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index bb92f16352..243df7386f 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1695,7 +1695,7 @@ int main(int argc, char *argv[]) {
 
         umask(022);
 
-        r = mac_selinux_init("/dev");
+        r = mac_selinux_init();
         if (r < 0) {
                 log_error_errno(r, "could not initialize labelling: %m");
                 goto exit;
diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c
index 931e583785..da306a4444 100644
--- a/src/update-done/update-done.c
+++ b/src/update-done/update-done.c
@@ -101,7 +101,7 @@ int main(int argc, char *argv[]) {
                 return EXIT_FAILURE;
         }
 
-        r = mac_selinux_init(NULL);
+        r = mac_selinux_init();
         if (r < 0) {
                 log_error_errno(r, "SELinux setup failed: %m");
                 goto finish;
diff --git a/src/user-sessions/user-sessions.c b/src/user-sessions/user-sessions.c
index 8bf44e2100..9b29b5ba1d 100644
--- a/src/user-sessions/user-sessions.c
+++ b/src/user-sessions/user-sessions.c
@@ -40,7 +40,7 @@ int main(int argc, char*argv[]) {
 
         umask(0022);
 
-        mac_selinux_init(NULL);
+        mac_selinux_init();
 
         if (streq(argv[1], "start")) {
                 int r = 0;