From c9b8d9da73d8f530df9a8672413d1db842ff45d5 Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Mon, 4 Jul 2016 11:42:14 +0100
Subject: [PATCH] libselinux: If autorelabel, force permissive mode.

Signed-off-by: Richard W.M. Jones <rjones@redhat.com>
---
 libselinux/src/load_policy.c | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index 4f39fc7..337a8a9 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -315,7 +315,8 @@ hidden_def(selinux_mkload_policy)
  */
 int selinux_init_load_policy(int *enforce)
 {
-	int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1;
+	int rc = 0, orig_enforce = 0, seconfig = -2, secmdline = -1,
+		seautorelabel = -1;
 	FILE *cfg;
 	char *buf;
 
@@ -332,6 +333,17 @@ int selinux_init_load_policy(int *enforce)
 	 */
 	selinux_getenforcemode(&seconfig);
 
+	/*
+	 * If /.autorelabel exists then we should start in permissive
+	 * mode because (a) the labels on the filesystem are known to
+	 * be bogus and so should not be trusted to make security
+	 * decisions, but more practically (b) mislabelled files may
+	 * cause services & processes required for relabelling to fail.
+	 */
+	if (access("/.autorelabel", F_OK) == 0) {
+		seautorelabel = 0;
+	}
+
 	/* Check for an override of the mode via the kernel command line. */
 	rc = mount("proc", "/proc", "proc", 0, 0);
 	cfg = fopen("/proc/cmdline", "r");
@@ -342,12 +354,18 @@ int selinux_init_load_policy(int *enforce)
 			fclose(cfg);
 			return -1;
 		}
-		if (fgets(buf, selinux_page_size, cfg) &&
-		    (tmp = strstr(buf, "enforcing="))) {
-			if (tmp == buf || isspace(*(tmp - 1))) {
+		if (fgets(buf, selinux_page_size, cfg)) {
+			if ((tmp = strstr(buf, "enforcing=")) &&
+			    (tmp == buf || isspace(*(tmp - 1)))) {
 				secmdline =
 				    atoi(tmp + sizeof("enforcing=") - 1);
 			}
+			else if ((tmp = strstr(buf, "autorelabel")) &&
+				 (tmp == buf || isspace(*(tmp - 1))) &&
+				 (tmp + sizeof("autorelabel") - 1 == '\0' ||
+				  isspace(tmp + sizeof("autorelabel") - 1))) {
+				seautorelabel = 0;
+			}
 		}
 		fclose(cfg);
 		free(buf);
@@ -357,7 +375,9 @@ int selinux_init_load_policy(int *enforce)
 	 * Determine the final desired mode.
 	 * Command line argument takes precedence, then config file. 
 	 */
-	if (secmdline >= 0)
+	if (seautorelabel >= 0)
+		*enforce = seautorelabel;
+	else if (secmdline >= 0)
 		*enforce = secmdline;
 	else if (seconfig >= 0)
 		*enforce = seconfig;
-- 
2.7.4