3 files changed, 76 insertions, 0 deletions

diff --git a/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
new file mode 100644
index 0000000..dc27aaa
--- /dev/null
+++ b/recipes-security/selinux/libselinux/libselinux-mount-procfs-before-check.patch
@@ -0,0 +1,74 @@
+commit 9df498884665d79474b79f0f30d1cd67df11bd3e
+Author: Ben Shelton <ben.shelton@ni.com>
+Date:   Wed Apr 15 15:56:57 2015 -0500
+
+    libselinux: Mount procfs before checking /proc/filesystems
+    
+    In the case where the SELinux security module is not loaded in the
+    kernel and it's early enough in the boot process that /proc has not yet
+    been mounted, selinuxfs_exists() will incorrectly return 1, and
+    selinux_init_load_policy() will print a message like this to the
+    console:
+    
+    Mount failed for selinuxfs on /sys/fs/selinux:  No such file or directory
+    
+    To fix this, mount the procfs before attempting to open
+    /proc/filesystems, and unmount it when done if it was initially not
+    mounted.  This is the same thing that selinux_init_load_policy() does
+    when reading /proc/cmdline.
+    
+    Signed-off-by: Ben Shelton <ben.shelton@ni.com>
+
+Upstream-Status: Accepted
+
+diff --git a/src/init.c b/src/init.c
+index 6d1ef33..179e0d0 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -11,6 +11,7 @@
+ #include <sys/vfs.h>
+ #include <stdint.h>
+ #include <limits.h>
++#include <sys/mount.h>
+ 
+ #include "dso.h"
+ #include "policy.h"
+@@ -54,15 +55,20 @@ static int verify_selinuxmnt(const char *mnt)
+ 
+ int selinuxfs_exists(void)
+ {
+-       int exists = 0;
++       int exists = 0, mnt_rc = 0;
+        FILE *fp = NULL;
+        char *buf = NULL;
+        size_t len;
+        ssize_t num;
+ 
++       mnt_rc = mount("proc", "/proc", "proc", 0, 0);
++
+        fp = fopen("/proc/filesystems", "r");
+-       if (!fp)
+-               return 1; /* Fail as if it exists */
++       if (!fp) {
++               exists = 1; /* Fail as if it exists */
++               goto out;
++       }
++
+        __fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 
+        num = getline(&buf, &len, fp);
+@@ -76,6 +82,14 @@ int selinuxfs_exists(void)
+ 
+        free(buf);
+        fclose(fp);
++
++out:
++#ifndef MNT_DETACH
++#define MNT_DETACH 2
++#endif
++       if (mnt_rc == 0)
++               umount2("/proc", MNT_DETACH);
++
+        return exists;
+ }
+ hidden_def(selinuxfs_exists)
diff --git a/recipes-security/selinux/libselinux_2.4.bb b/recipes-security/selinux/libselinux_2.4.bb
index ac80bdd..64fa81d 100644
--- a/recipes-security/selinux/libselinux_2.4.bb
+++ b/recipes-security/selinux/libselinux_2.4.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
         file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
         file://libselinux-get-pywrap-depends-on-selinux.py.patch \
         file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
+        file://libselinux-mount-procfs-before-check.patch \
         "
diff --git a/recipes-security/selinux/libselinux_git.bb b/recipes-security/selinux/libselinux_git.bb
index 1cd4dde..20b5534 100644
--- a/recipes-security/selinux/libselinux_git.bb
+++ b/recipes-security/selinux/libselinux_git.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
         file://libselinux-define-FD_CLOEXEC-as-necessary.patch \
         file://libselinux-get-pywrap-depends-on-selinux.py.patch \
         file://0001-src-Makefile-fix-includedir-in-libselinux.pc.patch \
+        file://libselinux-mount-procfs-before-check.patch \
         "