[yocto] [meta-selinux][RFC 01/10] policycoreutils: Add FTS_NOCHDIR flag to fts_open.

[Philip Tricca]

This works around a bug in the libc currently in use. FTS functions are
supposed to change the current working directory as they walk the file
hierarchy. The fts_accpath member of the FTSENT structure relies on this
behavior and without it the path is not relative to cwd as expected.
Supplying the FTS_NOCHDIR disables this optimization and causes
fts_accpath to be relative to the directory where the traversal started.

An alternative fix could replace the use of fts_accpath with fts_path
which is absolute.

Signed-off-by: Philip Tricca <flihp at twobit.us>
---
 .../policycoreutils-setfiles-path.patch            | 27 ++++++++++++++++++++++
 recipes-security/selinux/policycoreutils_2.3.bb    |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch

diff --git a/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch b/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch
new file mode 100644
index 0000000..c87af98
--- /dev/null
+++ b/recipes-security/selinux/policycoreutils/policycoreutils-setfiles-path.patch
@@ -0,0 +1,27 @@
+Subject: Replace fts_accpath with fts_path in restore.c.
+Author: Philip Tricca <flihp at twobit.us>
+
+To label filesystems in an alternative root directory we need to use the
+'-r' flag with the setfiles utility. The current implementation uses the
+fts_accpath member of the FTSENT structure which is reletive to the "current
+directory". This fails in the pseudo environment but for a reason I don't
+fully understand.
+
+This patch replaces the use of fts_accpath with fts_path which is relative
+to the root specified in the traversal. By invoking setfiles with an absolute
+path we're ensured that fts_path will be an absolute path to the file being
+relabeled.
+
+Index: policycoreutils/setfiles/setfiles.c
+===================================================================
+--- policycoreutils.orig/setfiles/setfiles.c
++++ policycoreutils/setfiles/setfiles.c
+@@ -194,7 +194,7 @@ int main(int argc, char **argv)
+ 		r_opts.expand_realpath = 0;
+ 		r_opts.abort_on_error = 1;
+ 		r_opts.add_assoc = 1;
+-		r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV;
++		r_opts.fts_flags = FTS_PHYSICAL | FTS_XDEV | FTS_NOCHDIR;
+ 		ctx_validate = 1;
+ 	} else {
+ 		/*
diff --git a/recipes-security/selinux/policycoreutils_2.3.bb b/recipes-security/selinux/policycoreutils_2.3.bb
index 447e6c9..2dee62e 100644
--- a/recipes-security/selinux/policycoreutils_2.3.bb
+++ b/recipes-security/selinux/policycoreutils_2.3.bb
@@ -13,4 +13,5 @@ SRC_URI += "\
 	file://policycoreutils-semanage-edit-user.patch \
 	file://policycoreutils-process-ValueError-for-sepolicy-seobject.patch \
 	file://policycoreutils-fix-TypeError-for-seobject.py.patch \
+	file://policycoreutils-setfiles-path.patch \
 	"
-- 
2.1.4