[PATCH 1/2] find: add SELinux support


[PATCH 1/2] find: add SELinux support

by James Youngman

From: Kamil Dudka <kdudka@...>

* find/defs.h: Add SELinux related definitions.
* find/tree.c: Add -context predicate to lookup.
* find/pred.c: Handle %Z printf directive.
* find/parser.c: Parse -context predicate and %Z printf directive.
* find/find.1: Mention -context predicate and %Z printf directive.
* doc/find.texi: Mention -context predicate and %Z printf directive.
* find/Makefile.am: Add SELinux libraries.
* import-gnulib.config: Require gnulib module selinux-h.
---
 ChangeLog            |   12 +++++
 NEWS                 |    4 ++
 doc/find.texi        |   17 +++++++
 find/Makefile.am     |    2 +-
 find/defs.h          |    6 +++
 find/find.1          |    4 ++
 find/parser.c        |  123 +++++++++++++++++++++++++++++++++++++++++++++++++-
 find/pred.c          |   38 +++++++++++++++
 find/tree.c          |    2 +
 import-gnulib.config |    1 +
 10 files changed, 206 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 558f023..0d990f5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2009-07-11  Kamil Dudka  <kdudka@...>
+
+ find: add SELinux support
+ * find/defs.h: Add SELinux related definitions.
+ * find/tree.c: Add -context predicate to lookup.
+ * find/pred.c: Handle %Z printf directive.
+ * find/parser.c: Parse -context predicate and %Z printf directive.
+ * find/find.1: Mention -context predicate and %Z printf directive.
+ * doc/find.texi: Mention -context predicate and %Z printf directive.
+ * find/Makefile.am: Add SELinux libraries.
+ * import-gnulib.config: Require gnulib module selinux-h.
+
 2009-06-11  James Youngman  <jay@...>
 
  Make import-gnulib.sh faster in the common case where neither
diff --git a/NEWS b/NEWS
index cc5fbc0..0675bb2 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ GNU findutils NEWS - User visible changes. -*- outline -*- (allout)
 
 * Major changes in release 4.5.6, YYYY-MM-DD
 
+** Functional Enhancements to find
+
+patch #4848: Patch - Support for SELinux
+
 ** Bug Fixes
 
 #24873: Duplicate fprint option corrupts output
diff --git a/doc/find.texi b/doc/find.texi
index 6a11564..9fa207a 100644
--- a/doc/find.texi
+++ b/doc/find.texi
@@ -1242,6 +1242,14 @@ situation.
 
 @end deffn
 
+@deffn Test -context pattern
+True if file's SELinux context matches the pattern @var{pattern}.
+The pattern uses shell glob matching.
+
+This predicate is supported only on @code{find} versions compiled with
+SELinux support and only when SELinux is enabled.
+@end deffn
+
 @node Contents
 @section Contents
 
@@ -1733,6 +1741,7 @@ from the novel you are reading.
 * Size Directives::
 * Location Directives::
 * Time Directives::
+* Other Directives::
 * Formatting Flags::
 @end menu
 
@@ -1890,6 +1899,14 @@ File's last modification time in the format specified by @var{k}
 (@pxref{Time Formats}).
 @end table
 
+@node Other Directives
+@subsubsection Other Directives
+
+@table @code
+@item %Z
+File's SELinux context, or empty string if the file has no SELinux context.
+@end table
+
 @node Time Formats
 @subsection Time Formats
 
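Review bot: the %Z description promises an empty string when the file has no SELinux context, but the do_fprintf change in find/pred.c in this same patch prints nothing at all for the segment and reports an error when getfilecon fails. Either make the code expand %Z to "" on failure so this text is true, or reword this entry to say that a lookup failure is reported on stderr.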
diff --git a/find/Makefile.am b/find/Makefile.am
index 91dba85..c0a4164 100644
--- a/find/Makefile.am
+++ b/find/Makefile.am
@@ -27,7 +27,7 @@ endif
 
 EXTRA_DIST = defs.h sharefile.h $(man_MANS)
 INCLUDES = -I../gnulib/lib -I$(top_srcdir)/lib -I$(top_srcdir)/gnulib/lib -I../intl -DLOCALEDIR=\"$(localedir)\"
-LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@
+LDADD = ./libfindtools.a ../lib/libfind.a ../gnulib/lib/libgnulib.a $(LIBINTL) $(LIB_CLOCK_GETTIME) $(LIB_CLOSE) @FINDLIBS@ @LIB_SELINUX@
 man_MANS = find.1
 SUBDIRS = . testsuite
 
diff --git a/find/defs.h b/find/defs.h
index 692328a..c5a491a 100644
--- a/find/defs.h
+++ b/find/defs.h
@@ -48,6 +48,7 @@ Please stop compiling the program now
 #include <stdbool.h> /* for bool/boolean */
 #include <stdint.h> /* for uintmax_t */
 #include <sys/stat.h> /* S_ISUID etc. */
+#include <selinux/selinux.h>
 
 
 
@@ -319,6 +320,7 @@ struct predicate
     struct samefile_file_id samefileid; /* samefile */
     mode_t type; /* type */
     struct format_val printf_vec; /* printf fprintf fprint ls fls print0 fprint0 print */
+    security_context_t scontext; /* security context */
   } args;
 
   /* The next predicate in the user input sequence,
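Review bot: args.scontext is filled by parse_context with the user's glob pattern straight from argv, not with a context obtained from libselinux, so typing it security_context_t suggests an owned string that should be passed to freecon(). A plain `const char *context_pattern;` (or reusing args.str, which already holds string arguments) would describe what is actually stored.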
@@ -463,6 +465,7 @@ PREDICATEFUNCTION pred_used;
 PREDICATEFUNCTION pred_user;
 PREDICATEFUNCTION pred_writable;
 PREDICATEFUNCTION pred_xtype;
+PREDICATEFUNCTION pred_context;
 
 
 
@@ -605,6 +608,9 @@ struct options
    */
   int regex_options;
 
+  /* function used to get file context */
+  int (*x_getfilecon) ();
+
   /* Optimisation level.  One is the default.
    */
   unsigned short optimisation_level;
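Review bot: `int (*x_getfilecon) ();` is an old-style declaration with no parameter list, so the calls through it in pred.c get no argument checking. Declare it with the signature the three implementations share: `int (*x_getfilecon) (const char *name, security_context_t *p);`.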
diff --git a/find/find.1 b/find/find.1
index e2c1aaa..e48f655 100644
--- a/find/find.1
+++ b/find/find.1
@@ -930,6 +930,8 @@ if \fIc\fR is `l'.  In other words, for symbolic links,
 checks the type of the file that
 .B \-type
 does not check.
+.IP "\-context \fIpattern\fR"
+(SELinux only) Security context of the file matches glob \fIpattern\fR.
 
 .SS ACTIONS
 .IP "\-delete\fR"
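Review bot: the -context entry should say what happens when SELinux is not enabled: parse_context in this patch makes find exit with status 1 and "invalid predicate -context", so "(SELinux only)" undersells it. A sentence such as "If SELinux is not enabled, find exits with an error" would match the texinfo wording, and noting that \fIpattern\fR is matched with fnmatch(3) and therefore usually needs shell quoting would help users.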
@@ -1351,6 +1353,8 @@ File's type (like in
 U=unknown type (shouldn't happen)
 .IP %Y
 File's type (like %y), plus follow symlinks: L=loop, N=nonexistent
+.IP %Z
+(SELinux only) file's security context.
 .PP
 A `%' character followed by any other character is discarded, but the
 other character is printed (don't rely on this, as further format
diff --git a/find/parser.c b/find/parser.c
index 427c14a..179061a 100644
--- a/find/parser.c
+++ b/find/parser.c
@@ -53,6 +53,8 @@
 #include <unistd.h>
 #include <sys/stat.h>
 
+#include <selinux/selinux.h>
+
 #if ENABLE_NLS
 # include <libintl.h>
 # define _(Text) gettext (Text)
@@ -155,6 +157,7 @@ static boolean parse_noignore_race PARAMS((const struct parser_table*, char *arg
 static boolean parse_warn          PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 static boolean parse_xtype         PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 static boolean parse_quit          PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
+static boolean parse_context       PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 
 boolean parse_print             PARAMS((const struct parser_table*, char *argv[], int *arg_ptr));
 
@@ -251,6 +254,7 @@ static struct parser_table const parse_table[] =
   PARSE_TEST       ("cmin",                  cmin),     /* GNU */
   PARSE_TEST       ("cnewer",                cnewer),     /* GNU */
   {ARG_TEST,       "ctime",                  parse_time, pred_ctime}, /* POSIX */
+  PARSE_TEST       ("context",               context),      /* GNU */
   PARSE_POSOPT     ("daystart",              daystart),     /* GNU */
   PARSE_ACTION     ("delete",                delete), /* GNU, Mac OS, FreeBSD */
   PARSE_OPTION     ("d",                     d), /* Mac OS X, FreeBSD, NetBSD, OpenBSD, but deprecated  in favour of -depth */
@@ -347,6 +351,85 @@ static struct parser_table const parse_table[] =
 static const char *first_nonoption_arg = NULL;
 static const struct parser_table *noop = NULL;
 
+static int
+fallback_getfilecon (const char *name, security_context_t *p, int prev_rv)
+{
+  /* Our original getfilecon () call failed.  Perhaps we can't follow a
+   * symbolic link.  If that might be the problem, lgetfilecon () the link.
+   * Otherwise, admit defeat. */
+  switch (errno)
+    {
+      case ENOENT:
+      case ENOTDIR:
+#ifdef DEBUG_STAT
+ fprintf (stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling "
+ "back on lgetfilecon()\n", name);
+#endif
+ return lgetfilecon (name, p);
+
+      case EACCES:
+      case EIO:
+      case ELOOP:
+      case ENAMETOOLONG:
+#ifdef EOVERFLOW
+      case EOVERFLOW:        /* EOVERFLOW is not #defined on UNICOS. */
+#endif
+      default:
+ return prev_rv;
+    }
+}
+
+/* optionh_getfilecon () implements the getfilecon operation when the
+ * -H option is in effect.
+ *
+ * If the item to be examined is a command-line argument, we follow
+ * symbolic links.  If the getfilecon () call fails on the command-line
+ * item, we fall back on the properties of the symbolic link.
+ *
+ * If the item to be examined is not a command-line argument, we
+ * examine the link itself. */
+int
+optionh_getfilecon (const char *name, security_context_t *p)
+{
+  int rv;
+  if (0 == state.curdepth)
+    {
+      /* This file is from the command line; dereference the link (if it is
+ a link). */
+      rv = getfilecon (name, p);
+      if (0 == rv)
+ return 0;               /* success */
+      else
+ return fallback_getfilecon (name, p, rv);
+    }
+  else
+    {
+      /* Not a file on the command line; do not dereference the link. */
+      return lgetfilecon (name, p);
+    }
+}
+
+/* optionl_getfilecon () implements the getfilecon operation when the
+ * -L option is in effect.  That option makes us examine the thing the
+ * symbolic link points to, not the symbolic link itself. */
+int
+optionl_getfilecon (const char *name, security_context_t *p)
+{
+  int rv = getfilecon (name, p);
+  if (0 == rv)
+    return 0;                  /* normal case. */
+  else
+    return fallback_getfilecon (name, p, rv);
+}
+
+/* optionp_getfilecon () implements the stat operation when the -P
+ * option is in effect (this is also the default).  That option makes
+ * us examine the symbolic link itself, not the thing it points to. */
+int
+optionp_getfilecon (const char *name, security_context_t *p)
+{
+  return lgetfilecon (name, p);
+}
 
 void
 check_option_combinations(const struct predicate *p)
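Review bot: optionh_getfilecon, optionl_getfilecon and optionp_getfilecon are defined without `static` and nothing in this series declares them in defs.h, so they become unintended externals; they are only reached through options.x_getfilecon, so mark them static like fallback_getfilecon. Also, the comment above optionp_getfilecon still says it "implements the stat operation", copied from optionp_stat; it should say getfilecon.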
@@ -450,11 +533,13 @@ set_follow_state(enum SymlinkOption opt)
  {
  case SYMLINK_ALWAYS_DEREF:  /* -L */
   options.xstat = optionl_stat;
+  options.x_getfilecon = optionl_getfilecon;
   options.no_leaf_check = true;
   break;
 
  case SYMLINK_NEVER_DEREF: /* -P (default) */
   options.xstat = optionp_stat;
+  options.x_getfilecon = optionp_getfilecon;
   /* Can't turn no_leaf_check off because the user might have specified
    * -noleaf anyway
    */
@@ -462,6 +547,7 @@ set_follow_state(enum SymlinkOption opt)
 
  case SYMLINK_DEREF_ARGSONLY: /* -H */
   options.xstat = optionh_stat;
+  options.x_getfilecon = optionh_getfilecon;
   options.no_leaf_check = true;
  }
     }
@@ -1127,8 +1213,10 @@ tests (N can be +N or -N or N): -amin N -anewer FILE -atime N -cmin N\n\
       -nouser -nogroup -path PATTERN -perm [+-]MODE -regex PATTERN\n\
       -readable -writable -executable\n\
       -wholename PATTERN -size N[bcwkMG] -true -type [bcdpflsD] -uid N\n\
-      -used N -user NAME -xtype [bcdpfls]\n"));
+      -used N -user NAME -xtype [bcdpfls]"));
   puts (_("\
+      -context CONTEXT\n"));
+  puts (_("\n\
 actions: -delete -print0 -printf FORMAT -fprintf FILE FORMAT -print \n\
       -fprint0 FILE -fprint FILE -ls -fls FILE -prune -quit\n\
       -exec COMMAND ; -exec COMMAND {} + -ok COMMAND ;\n\
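Review bot: the help output now gets an extra blank line before "actions:": the tests string no longer ends in "\n" and puts() supplies one, then "-context CONTEXT\n" plus the puts() newline adds a blank line, and the following string starts with yet another "\n". Drop either the trailing "\n" in the -context string or the leading "\n\" of the actions string. Putting -context in its own puts() also makes it a separate translatable message; appending it to the existing tests string would keep the catalogue entry in one piece.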
@@ -2523,6 +2611,11 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr)
   printf("LEAF_OPTIMISATION ");
   ++features;
 #endif
+  if (0 < is_selinux_enabled ())
+    {
+      printf ("SELINUX ");
+      ++features;
+    }
 
   flags = 0;
   if (is_fts_enabled(&flags))
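Review bot: -version is meant to list what the binary was built with, but is_selinux_enabled() is a runtime check, so the same executable prints SELINUX on one host and omits it on another, and on a host where SELinux is currently disabled the user cannot tell that -context would work once it is enabled. Report SELINUX whenever libselinux support was compiled in and, if the runtime state matters, print it separately.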
@@ -2558,6 +2651,31 @@ parse_version (const struct parser_table* entry, char **argv, int *arg_ptr)
 }
 
 static boolean
+parse_context (const struct parser_table* entry, char **argv, int *arg_ptr)
+{
+  struct predicate *our_pred;
+
+  if ((argv == NULL) || (argv[*arg_ptr] == NULL))
+    return false;
+
+  if (is_selinux_enabled () <= 0)
+    {
+      error (1, 0, _("invalid predicate -context: SELinux is not enabled."));
+      return false;
+    }
+  our_pred = insert_primary (entry);
+  our_pred->est_success_rate = 0.01f;
+  our_pred->need_stat = false;
+#ifdef DEBUG
+  our_pred->p_name = find_pred_name (pred_context);
+#endif /*DEBUG*/
+  our_pred->args.scontext = argv[*arg_ptr];
+
+  (*arg_ptr)++;
+  return true;
+}
+
+static boolean
 parse_xdev (const struct parser_table* entry, char **argv, int *arg_ptr)
 {
   options.stay_on_filesystem = true;
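Review bot: error (1, 0, ...) exits the program, so the `return false;` after it is dead code; either report with error (0, ...) and let the caller act on the false return, or drop the return. The predicate also sets need_stat = false but leaves need_type at the default true that get_new_pred assigns, although a context match needs neither stat data nor the inode type; a comment (or need_type = false) would make that intent explicit.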
@@ -2808,7 +2926,7 @@ insert_fprintf (struct format_val *vec,
   if (*scan2 == '.')
     for (scan2++; ISDIGIT (*scan2); scan2++)
       /* Do nothing. */ ;
-  if (strchr ("abcdDfFgGhHiklmMnpPsStuUyY", *scan2))
+  if (strchr ("abcdDfFgGhHiklmMnpPsStuUyYZ", *scan2))
     {
       segmentp = make_segment (segmentp, format, scan2 - format,
        KIND_FORMAT, *scan2, 0,
@@ -2940,6 +3058,7 @@ make_segment (struct segment **segment,
     case 'h': /* leading directories part of path */
     case 'p': /* pathname */
     case 'P': /* pathname with ARGV element stripped */
+    case 'Z': /* SELinux security context */
       *fmt++ = 's';
       break;
 
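Review bot: grouping 'Z' with 'h', 'p' and 'P' gives it the same cost as a pathname directive, but %Z calls getfilecon for every file, an extra system call that tree.c already rates as NeedsAccessInfo for pred_context. Give 'Z' its own case that sets mycost so the optimiser accounts for it; patch 2/2 in this thread does exactly that.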
diff --git a/find/pred.c b/find/pred.c
index 1b95959..3e95bf2 100644
--- a/find/pred.c
+++ b/find/pred.c
@@ -47,6 +47,8 @@
 #include "error.h"
 #include "verify.h"
 
+#include <selinux/selinux.h>
+
 #if ENABLE_NLS
 # include <libintl.h>
 # define _(Text) gettext (Text)
@@ -230,6 +232,7 @@ struct pred_assoc pred_table[] =
   {pred_user, "user    "},
   {pred_writable, "writable "},
   {pred_xtype, "xtype   "},
+  {pred_context, "context"},
   {0, "none    "}
 };
 #endif
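Review bot: the other names in pred_table are padded to eight characters ("user    ", "xtype   ") so the debug output lines up; "context" is seven, so it should be "context " for consistency.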
@@ -1054,6 +1057,22 @@ do_fprintf(struct format_val *dest,
      mode_to_filetype(stat_buf->st_mode & S_IFMT));
   }
   break;
+ case 'Z':               /* SELinux security context */
+  {
+    security_context_t scontext;
+    int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+    if (rv < 0)
+      {
+ error (0, errno, "getfilecon: %s",
+    safely_quote_err_filename (0, pathname));
+      }
+    else
+      {
+ checked_fprintf (dest, segment->text, scontext);
+ freecon (scontext);
+      }
+  }
+  break;
  }
       /* end of KIND_FORMAT case */
       break;
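Review bot: when x_getfilecon fails nothing from segment->text is printed, so for a format like "%p %Z\n" the user loses the separator and the newline and the next record runs onto the same output line; the failure is also not reflected in state.exit_status. Print the segment with an empty context and set the exit status (patch 2/2 does both). In addition, copy errno into a local before the error() call: the order in which its arguments are evaluated is unspecified, so safely_quote_err_filename() may run, and may modify errno, before errno is read.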
@@ -1866,6 +1885,25 @@ pred_xtype (const char *pathname, struct stat *stat_buf, struct predicate *pred_
    */
   return (pred_type (pathname, &sbuf, pred_ptr));
 }
+
+
+boolean
+pred_context (const char *pathname, struct stat *stat_buf,
+      struct predicate *pred_ptr)
+{
+  security_context_t scontext;
+  int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+  if (rv < 0)
+    {
+      error (0, errno, "getfilecon: %s", safely_quote_err_filename (0, pathname));
+      return false;
+    }
+
+  rv = (fnmatch (pred_ptr->args.scontext, scontext, 0) == 0);
+  freecon (scontext);
+  return rv;
+}
+
 
 /*  1) fork to get a child; parent remembers the child pid
     2) child execs the command requested
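Review bot: state.rel_pathname is handed to lgetfilecon()/getfilecon(), which resolve it against the process's current directory. That is only correct if the traversal has chdir'ed into the directory being scanned; when it instead holds the directory open by descriptor (the strace later in this thread shows openat(AT_FDCWD, "m4") with no fchdir before lgetxattr("nullsort.m4")), the relative name does not exist from the cwd and the lookup fails with ENOENT, which is the symptom reported for the Debian build. Resolve against the traversal's directory descriptor (an *at-style lookup) or use the full pathname argument instead. Two smaller points: the false return on error leaves state.exit_status untouched, unlike do_fprintf after patch 2/2, and errno should be saved before safely_quote_err_filename() is evaluated as an argument to error().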
diff --git a/find/tree.c b/find/tree.c
index 929c5f6..8ab1527 100644
--- a/find/tree.c
+++ b/find/tree.c
@@ -906,6 +906,7 @@ static struct pred_cost_lookup costlookup[] =
     { pred_cmin      ,  NeedsStatInfo,       },
     { pred_cnewer    ,  NeedsStatInfo,       },
     { pred_comma     ,  NeedsNothing,        },
+    { pred_context   ,  NeedsAccessInfo      },
     { pred_ctime     ,  NeedsStatInfo,       },
     { pred_delete    ,  NeedsSyncDiskHit     },
     { pred_empty     ,  NeedsStatInfo        },
@@ -1441,6 +1442,7 @@ get_new_pred (const struct parser_table *entry)
   last_pred->need_type = true;
   last_pred->need_inum = false;
   last_pred->args.str = NULL;
+  last_pred->args.scontext = NULL;
   last_pred->pred_next = NULL;
   last_pred->pred_left = NULL;
   last_pred->pred_right = NULL;
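Review bot: args is a union in struct predicate, so args.scontext overlays args.str, which the line above already sets to NULL; this second store is redundant. Harmless, but either drop it or add a comment saying that both members are written deliberately.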
diff --git a/import-gnulib.config b/import-gnulib.config
index 1d7a43b..cbb384e 100644
--- a/import-gnulib.config
+++ b/import-gnulib.config
@@ -65,6 +65,7 @@ realloc
 regex
 rpmatch
 savedir
+selinux-h
 stat-macros
 stat-time
 stdint
--
1.5.6.5




[PATCH 2/2] Bugfixes to the handling of %Z in the Red Hat SELinux patch.

by James Youngman

* find/pred.c (do_fprintf): If getfilecon fails, print the
relevant segment anyway, with the file context expanding to an
empty string.
* find/parser.c (make_segment): For %Z, set the cost to
NeedsAccessInfo.

Signed-off-by: James Youngman <jay@...>
---
 find/parser.c |    4 ++++
 find/pred.c   |    7 +++++++
 2 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/find/parser.c b/find/parser.c
index 179061a..438f588 100644
--- a/find/parser.c
+++ b/find/parser.c
@@ -3058,7 +3058,11 @@ make_segment (struct segment **segment,
     case 'h': /* leading directories part of path */
     case 'p': /* pathname */
     case 'P': /* pathname with ARGV element stripped */
+      *fmt++ = 's';
+      break;
+
     case 'Z': /* SELinux security context */
+      mycost = NeedsAccessInfo;
       *fmt++ = 's';
       break;
 
diff --git a/find/pred.c b/find/pred.c
index 3e95bf2..77c2aac 100644
--- a/find/pred.c
+++ b/find/pred.c
@@ -1057,14 +1057,21 @@ do_fprintf(struct format_val *dest,
      mode_to_filetype(stat_buf->st_mode & S_IFMT));
   }
   break;
+
  case 'Z':               /* SELinux security context */
   {
     security_context_t scontext;
     int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
     if (rv < 0)
       {
+ /* If getfilecon fails, there will in the general case
+   still be some text to print.   We just make %Z expand
+   to an empty string. */
+ checked_fprintf (dest, segment->text, "");
+
  error (0, errno, "getfilecon: %s",
     safely_quote_err_filename (0, pathname));
+ state.exit_status = 1;
       }
     else
       {
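Review bot: with this change every failed lookup prints a diagnostic and sets exit status 1, including the case where the file simply carries no label (the underlying xattr read fails with ENODATA, or ENOTSUP on a filesystem without xattr support), yet the texinfo text added in 1/2 promises that %Z is the empty string when the file has no SELinux context. Consider treating ENODATA and ENOTSUP as the quiet empty-context case and keeping the error message and exit status for the other errno values.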
--
1.5.6.5




Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Saturday 11 of July 2009 17:05:18 James Youngman wrote:

> From: Kamil Dudka <kdudka@...>
>
> * find/defs.h: Add SELinux related definitions.
> * find/tree.c: Add -context predicate to lookup.
> * find/pred.c: Handle %Z printf directive.
> * find/parser.c: Parse -context predicate and %Z printf directive.
> * find/find.1: Mention -context predicate and %Z printf directive.
> * doc/find.texi: Mention -context predicate and %Z printf directive.
> * find/Makefile.am: Add SELinux libraries.
> * import-gnulib.config: Require gnulib module selinux-h.

Thanks for digging up the SELinux patch!

Kamil



Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Sat July 11 2009 18:10:49 James Youngman wrote:

> On Sat, Jul 11, 2009 at 4:58 PM, Kamil Dudka<kdudka@...> wrote:
> > Thanks for digging up the SELinux patch!
>
> No problem.   From memory, I think the SELinux kernel support in
> Debian doesn't play nicely with Xen.  That means that if I turn on
> SELinux on the kernel command line on my development machine, it
> crashes.  So it's not that easy for me to do SELinux-related testing.
>  What I'm saying really is that I will apply bugfixes and try to
> resolve issues, but there may well be cases where I just can't
> reproduce problems.

I've conducted some testing on Debian and it behaves a bit weird. I am not
sure yet whether find is broken, or my Debian installation itself:

# uname -a
Linux debian 2.6.26-2-amd64 #1 SMP Sun Jun 21 04:47:08 UTC 2009 x86_64
GNU/Linux

# (cd find && find -maxdepth 1 -printf "%p %Z\n")
. user_u:object_r:user_home_t:s0
./.cvsignore user_u:object_r:user_home_t:s0
./fstype.o unconfined_u:object_r:user_home_t:s0
...

# find find -maxdepth 1 -printf "%p %Z\n"
find user_u:object_r:user_home_t:s0                            
find/.cvsignore user_u:object_r:user_home_t:s0                
find/fstype.o find: getfilecon: `find/fstype.o': No such file or directory

find/finddata.o find: getfilecon: `find/finddata.o': No such file or directory

...

As time permits I will keep on trying to zero in on this.

Kamil
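The failure above, where `%Z` works from inside `find/` but reports ENOENT from the parent directory, comes down to how a relative name is resolved. The C program below is an added illustration, not code from findutils or from anyone in this thread. It builds a constructed scratch tree `/tmp/ctxdemo-XXXXXX/m4/nullsort.m4` (names chosen to mirror the strace later in the thread), opens `m4` by directory descriptor without chdir'ing into it, and then looks up `nullsort.m4` both relative to the cwd, which is how `lgetfilecon (state.rel_pathname, ...)` resolves the name, and relative to the directory descriptor with `fstatat`. `stat`/`fstatat` stand in for `getfilecon` so the program runs without libselinux; libselinux itself offers no `*at` variant, and gnulib's selinux-at module supplies `lgetfileconat` for exactly this situation.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Remove the constructed scratch tree again. */
static void remove_tree (const char *root)
{
  char path[4096];
  snprintf (path, sizeof path, "%s/m4/nullsort.m4", root);
  unlink (path);
  snprintf (path, sizeof path, "%s/m4", root);
  rmdir (path);
  rmdir (root);
}

/* Constructed scratch layout for the demo (not the findutils tree):
   <root>/m4/nullsort.m4.  Writes the root path into ROOT; 0 on success. */
static int build_tree (char *root, size_t rootlen)
{
  char path[4096];
  int fd;

  if (rootlen < sizeof "/tmp/ctxdemo-XXXXXX")
    return -1;
  strcpy (root, "/tmp/ctxdemo-XXXXXX");
  if (mkdtemp (root) == NULL)
    return -1;
  snprintf (path, sizeof path, "%s/m4", root);
  if (mkdir (path, 0700) != 0)
    {
      remove_tree (root);
      return -1;
    }
  snprintf (path, sizeof path, "%s/m4/nullsort.m4", root);
  fd = open (path, O_WRONLY | O_CREAT | O_EXCL, 0600);
  if (fd < 0)
    {
      remove_tree (root);
      return -1;
    }
  close (fd);
  return 0;
}

/* Look up nullsort.m4 the two ways a traversal can, with the process cwd
   at <root>: the traversal has opened m4/ but never chdir'ed into it, which
   is what the Debian strace in this thread shows.  On return:
     *cwd_rc   = 0 or errno from stat ("nullsort.m4"): cwd-relative, the way
                 lgetfilecon (state.rel_pathname, ...) resolves the name;
     *dirfd_rc = 0 or errno from fstatat (dirfd, "nullsort.m4"): resolved
                 against the directory descriptor the traversal holds.
   Returns 0 if the scratch tree could be set up, -1 otherwise. */
int compare_lookups (int *cwd_rc, int *dirfd_rc)
{
  char root[64], saved_cwd[4096];
  struct stat st;
  int dirfd;

  if (getcwd (saved_cwd, sizeof saved_cwd) == NULL)
    return -1;
  if (build_tree (root, sizeof root) != 0)
    return -1;
  if (chdir (root) != 0)
    {
      remove_tree (root);
      return -1;
    }

  dirfd = open ("m4", O_RDONLY | O_DIRECTORY);
  if (dirfd < 0)
    {
      if (chdir (saved_cwd) != 0)
        perror ("chdir back");
      remove_tree (root);
      return -1;
    }

  *cwd_rc = (stat ("nullsort.m4", &st) == 0) ? 0 : errno;
  *dirfd_rc = (fstatat (dirfd, "nullsort.m4", &st, AT_SYMLINK_NOFOLLOW) == 0)
              ? 0 : errno;

  close (dirfd);
  if (chdir (saved_cwd) != 0)
    perror ("chdir back");
  remove_tree (root);
  return 0;
}

int main (void)
{
  int cwd_rc, dirfd_rc;
  if (compare_lookups (&cwd_rc, &dirfd_rc) != 0)
    {
      perror ("scratch tree");
      return 1;
    }
  printf ("stat(\"nullsort.m4\") from cwd:     %s\n", cwd_rc ? strerror (cwd_rc) : "ok");
  printf ("fstatat(dirfd, \"nullsort.m4\"):   %s\n", dirfd_rc ? strerror (dirfd_rc) : "ok");
  return 0;
}
```

The cwd-relative lookup fails with ENOENT exactly as `getfilecon: 'find/fstype.o': No such file or directory` does above, while the descriptor-relative lookup succeeds; any predicate that takes `state.rel_pathname` has to resolve it the same way the traversal does.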




Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

Hello,

On Mon July 13 2009 17:48:15 Kamil Dudka wrote:
> As time permits I will keep on trying to zero in this.

attached are strace outputs from Fedora and Debian. I can see one suspicious
place in them; this is the first main difference between Fedora and Debian:

Fedora strace:
    open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
    fcntl(5, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
    fchdir(5)                               = 0
    getdents(5, /* 14 entries */, 32768)    = 456
    getdents(5, /* 0 entries */, 32768)     = 0
    close(5)                                = 0

Debian strace:
    open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
    fcntl(5, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
    fchdir(5)                               = 0
    getdents(5, /* 14 entries */, 32768)    = 456
    getdents(5, /* 0 entries */, 32768)     = 0
    close(5)                                = 0

In other words, on Debian find does not change the working directory before
calling the lgetxattr syscall. That's why lgetxattr does not see the file and
returns ENOENT (No such file or directory).

Does anybody here have a guess what's going on? (before I investigate it further)

Kamil


execve("/usr/local/bin/find", ["find", "m4", "-printf", "%Z\\n"], [/* 17 vars */]) = 0
brk(0)                                  = 0xe52000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e04a3000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e04a1000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=61363, ...}) = 0
mmap(NULL, 61363, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb7e0492000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/librt.so.1", O_RDONLY)       = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p!\0\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=31656, ...}) = 0
mmap(NULL, 2128848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7e0080000
mprotect(0x7fb7e0087000, 2093056, PROT_NONE) = 0
mmap(0x7fb7e0286000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7fb7e0286000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libm.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P>\0\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=534736, ...}) = 0
mmap(NULL, 2629848, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7dfdfd000
mprotect(0x7fb7dfe7f000, 2093056, PROT_NONE) = 0
mmap(0x7fb7e007e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x81000) = 0x7fb7e007e000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libselinux.so.1", O_RDONLY)  = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240]\0\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=113672, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e0491000
mmap(NULL, 2213648, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7dfbe0000
mprotect(0x7fb7dfbfb000, 2093056, PROT_NONE) = 0
mmap(0x7fb7dfdfa000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1a000) = 0x7fb7dfdfa000
mmap(0x7fb7dfdfc000, 1808, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb7dfdfc000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\346\1\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1375536, ...}) = 0
mmap(NULL, 3482264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7df88d000
mprotect(0x7fb7df9d6000, 2097152, PROT_NONE) = 0
mmap(0x7fb7dfbd6000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x149000) = 0x7fb7dfbd6000
mmap(0x7fb7dfbdb000, 17048, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb7dfbdb000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libpthread.so.0", O_RDONLY)  = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300W\0\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=125836, ...}) = 0
mmap(NULL, 2204512, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7df672000
mprotect(0x7fb7df688000, 2093056, PROT_NONE) = 0
mmap(0x7fb7df887000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x7fb7df887000
mmap(0x7fb7df889000, 13152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fb7df889000
close(3)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\r\0\0\0\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0644, st_size=14608, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e0490000
mmap(NULL, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fb7df46e000
mprotect(0x7fb7df470000, 2097152, PROT_NONE) = 0
mmap(0x7fb7df670000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7fb7df670000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e048f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e048e000
arch_prctl(ARCH_SET_FS, 0x7fb7e048e760) = 0
open("/dev/urandom", O_RDONLY)          = 3
read(3, "T\231x\373\313abE"..., 8)      = 8
close(3)                                = 0
mprotect(0x7fb7df670000, 4096, PROT_READ) = 0
mprotect(0x7fb7df887000, 4096, PROT_READ) = 0
mprotect(0x7fb7dfbd6000, 16384, PROT_READ) = 0
mprotect(0x7fb7dfdfa000, 4096, PROT_READ) = 0
mprotect(0x7fb7e007e000, 4096, PROT_READ) = 0
mprotect(0x7fb7e0286000, 4096, PROT_READ) = 0
mprotect(0x7fb7e04a4000, 4096, PROT_READ) = 0
munmap(0x7fb7e0492000, 61363)           = 0
set_tid_address(0x7fb7e048e7f0)         = 3112
set_robust_list(0x7fb7e048e800, 0x18)   = 0
futex(0x7fffe84a300c, FUTEX_WAKE_PRIVATE, 1) = 0
rt_sigaction(SIGRTMIN, {0x7fb7df677650, [], SA_RESTORER|SA_SIGINFO, 0x7fb7df6807b0}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7fb7df6776e0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7fb7df6807b0}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
brk(0)                                  = 0xe52000
brk(0xe73000)                           = 0xe73000
open("/etc/selinux/config", O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=584, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e04a0000
read(3, "# This file controls the state of"..., 4096) = 584
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0x7fb7e04a0000, 4096)            = 0
statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY)          = 3
read(3, "1"..., 19)                     = 1
close(3)                                = 0
futex(0x7fb7dfdfc6e8, FUTEX_WAKE_PRIVATE, 2147483647) = 0
uname({sys="Linux", node="debian", ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
gettimeofday({1247565515, 943389}, NULL) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=1316224, ...}) = 0
mmap(NULL, 1316224, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fb7e034c000
close(3)                                = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e04a0000
read(3, "# Locale name alias data base.\n# "..., 4096) = 2570
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0x7fb7e04a0000, 4096)            = 0
open("/usr/local/share/locale/en_US.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/locale/en_US.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/locale/en_US/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/locale/en.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/locale/en.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/local/share/locale/en/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open(".", O_RDONLY)                     = 3
fchdir(3)                               = 0
newfstatat(AT_FDCWD, "m4", {st_mode=02, st_size=17592186044416, ...}, AT_SYMLINK_NOFOLLOW) = 0
lgetxattr("m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = -1 EINVAL (Invalid argument)
socket(PF_FILE, SOCK_STREAM, 0)         = 4
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
connect(4, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
close(4)                                = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fb7e04a0000
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
openat(AT_FDCWD, "m4", O_RDONLY)        = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl(4, F_GETFL)                       = 0x8000 (flags O_RDONLY|O_LARGEFILE)
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
fcntl(4, F_DUPFD, 3)                    = 5
getdents(4, /* 14 entries */, 4096)     = 456
getdents(4, /* 0 entries */, 4096)      = 0
close(4)                                = 0
dup(5)                                  = 4
fcntl(4, F_GETFD)                       = 0
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
lgetxattr(".cvsignore", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("nullsort.m4", "security.selinux", 0xe56280, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/nullsort.m4'"..., 28) = 28
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr(".gitignore", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("order-bad.bin", "security.selinux", 0xe56a90, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/order-bad.bin'"..., 30) = 30
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("findlib.m4", "security.selinux", 0xe56ae0, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/findlib.m4'"..., 27) = 27
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("Makefile.am", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("withfts.m4", "security.selinux", 0xe56ae0, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/withfts.m4'"..., 27) = 27
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("order-good.bin", "security.selinux", 0xe56ae0, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/order-good.bin'"..., 31) = 31
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("Makefile.in", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("noreturn.m4", "security.selinux", 0xe56ae0, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/noreturn.m4'"..., 28) = 28
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("mkinstalldirs.m4", "security.selinux", 0xe56ae0, 255) = -1 ENOENT (No such file or directory)
write(2, "find: "..., 6)                = 6
write(2, "getfilecon: `m4/mkinstalldirs.m4'"..., 33) = 33
write(2, ": No such file or directory"..., 27) = 27
write(2, "\n"..., 1)                    = 1
write(1, "\n"..., 1)                    = 1
lgetxattr("Makefile", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
close(4)                                = 0
close(5)                                = 0
close(1)                                = 0
munmap(0x7fb7e04a0000, 4096)            = 0
close(2)                                = 0
exit_group(1)                           = ?

execve("/usr/bin/find", ["find", "m4", "-printf", "%Z\\n"], [/* 66 vars */]) = 0
brk(0)                                  = 0x111a000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2da5000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2da4000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=152944, ...}) = 0
mmap(NULL, 152944, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f91a2d7e000
close(3)                                = 0
open("/lib64/librt.so.1", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220!\300\6:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=49352, ...}) = 0
mmap(0x3a06c00000, 2128816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a06c00000
mprotect(0x3a06c07000, 2093056, PROT_NONE) = 0
mmap(0x3a06e06000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x3a06e06000
close(3)                                = 0
open("/lib64/libm.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p>\0\6:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=615312, ...}) = 0
mmap(0x3a06000000, 2633944, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a06000000
mprotect(0x3a06082000, 2097152, PROT_NONE) = 0
mmap(0x3a06282000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x82000) = 0x3a06282000
close(3)                                = 0
open("/lib64/libselinux.so.1", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320T@\7:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=120464, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2d7d000
mmap(0x3a07400000, 2217720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a07400000
mprotect(0x3a0741c000, 2093056, PROT_NONE) = 0
mmap(0x3a0761b000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b000) = 0x3a0761b000
mmap(0x3a0761d000, 1784, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3a0761d000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\353\201\5:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1825544, ...}) = 0
mmap(0x3a05800000, 3594344, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a05800000
mprotect(0x3a05964000, 2097152, PROT_NONE) = 0
mmap(0x3a05b64000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x164000) = 0x3a05b64000
mmap(0x3a05b69000, 18536, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3a05b69000
close(3)                                = 0
open("/lib64/libpthread.so.0", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300X@\6:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=148528, ...}) = 0
mmap(0x3a06400000, 2208640, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a06400000
mprotect(0x3a06417000, 2093056, PROT_NONE) = 0
mmap(0x3a06616000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x3a06616000
mmap(0x3a06618000, 13184, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3a06618000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY)     = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\r\300\5:\0\0\0@"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=23208, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2d7c000
mmap(0x3a05c00000, 2109696, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3a05c00000
mprotect(0x3a05c02000, 2097152, PROT_NONE) = 0
mmap(0x3a05e02000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x3a05e02000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2d7b000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2d7a000
arch_prctl(ARCH_SET_FS, 0x7f91a2d7a790) = 0
mprotect(0x3a06e06000, 4096, PROT_READ) = 0
mprotect(0x3a06282000, 4096, PROT_READ) = 0
mprotect(0x3a0761b000, 4096, PROT_READ) = 0
mprotect(0x3a05b64000, 16384, PROT_READ) = 0
mprotect(0x3a06616000, 4096, PROT_READ) = 0
mprotect(0x3a0561e000, 4096, PROT_READ) = 0
mprotect(0x3a05e02000, 4096, PROT_READ) = 0
munmap(0x7f91a2d7e000, 152944)          = 0
set_tid_address(0x7f91a2d7a860)         = 25802
set_robust_list(0x7f91a2d7a870, 0x18)   = 0
futex(0x7fffb417944c, FUTEX_WAKE_PRIVATE, 1) = 0
futex(0x7fffb417944c, 0x189 /* FUTEX_??? */, 1, NULL, 7f91a2d7a790) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x3a06405750, [], SA_RESTORER|SA_SIGINFO, 0x3a0640ee90}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x3a064057e0, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x3a0640ee90}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=10240*1024, rlim_max=RLIM_INFINITY}) = 0
brk(0)                                  = 0x111a000
brk(0x113b000)                          = 0x113b000
open("/etc/selinux/config", O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=439, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2da3000
read(3, "\n# This file controls the state o"..., 4096) = 439
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0x7f91a2da3000, 4096)            = 0
statfs("/selinux", {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY)          = 3
read(3, "1"..., 19)                     = 1
close(3)                                = 0
uname({sys="Linux", node="dhcp-lab-205.englab.brq.redhat.com", ...}) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=84748752, ...}) = 0
mmap(NULL, 84748752, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f919dca7000
close(3)                                = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2da3000
read(3, "# Locale name alias data base.\n# "..., 4096) = 2512
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0x7f91a2da3000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/findutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
open(".", O_RDONLY)                     = 3
fchdir(3)                               = 0
newfstatat(AT_FDCWD, "m4", {st_mode=02, st_size=17592186044416, ...}, AT_SYMLINK_NOFOLLOW) = 0
open(".", O_RDONLY|O_NOCTTY|O_NONBLOCK|O_DIRECTORY|O_NOFOLLOW) = 4
fchdir(4)                               = 0
lgetxattr("m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
socket(PF_FILE, 0x80001 /* SOCK_??? */, 0) = 5
connect(5, {sa_family=AF_FILE, path="/var/run/setrans/.setrans-unix"...}, 110) = -1 ENOENT (No such file or directory)
close(5)                                = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 9), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f91a2da3000
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
fcntl(5, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
fchdir(5)                               = 0
getdents(5, /* 14 entries */, 32768)    = 456
getdents(5, /* 0 entries */, 32768)     = 0
close(5)                                = 0
newfstatat(AT_FDCWD, "findlib.m4", {st_mode=01, st_size=8452495638528, ...}, AT_SYMLINK_NOFOLLOW) = 0
lgetxattr("findlib.m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("noreturn.m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("mkinstalldirs.m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("withfts.m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("order-good.bin", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("Makefile", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("nullsort.m4", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr(".gitignore", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("Makefile.in", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("order-bad.bin", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr("Makefile.am", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
lgetxattr(".cvsignore", "security.selinux", "unconfined_u:object_r:user_home_t:s0", 255) = 37
write(1, "unconfined_u:object_r:user_home_t"..., 37) = 37
fchdir(4)                               = 0
fchdir(4)                               = 0
close(4)                                = 0
close(1)                                = 0
munmap(0x7f91a2da3000, 4096)            = 0
close(2)                                = 0
exit_group(0)                           = ?

Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Tue July 14 2009 14:02:36 Kamil Dudka wrote:
> attached are strace outputs from Fedora and Debian. I can see one
> suspicious place in that - this is the first main difference between Fedora
> and Debian:

Oops, once again:

Fedora strace:
    open("m4", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 5
    fcntl(5, F_GETFD)                       = 0x1 (flags FD_CLOEXEC)
    fchdir(5)                               = 0
    getdents(5, /* 14 entries */, 32768)    = 456
    getdents(5, /* 0 entries */, 32768)     = 0
    close(5)                                = 0

Debian strace:
    openat(AT_FDCWD, "m4", O_RDONLY)        = 4
    fstat(4, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
    fcntl(4, F_GETFL)                       = 0x8000 (flags O_RDONLY|O_LARGEFILE)
    fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
    fcntl(4, F_DUPFD, 3)                    = 5
    getdents(4, /* 14 entries */, 4096)     = 456
    getdents(4, /* 0 entries */, 4096)      = 0
    close(4)                                = 0

> In other words on Debian find does not change the working directory before
> calling lgetxattr syscall. That's why lgetxattr does not see the file and
> returns ENOENT (No such file or directory).
>
> Does anybody here guess what's going on? (before I investigate it further)

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Eric Blake

Kamil Dudka <kdudka <at> redhat.com> writes:

>
> In other words on Debian find does not change the working directory before
> calling lgetxattr syscall. That's why lgetxattr does not see the file and
> returns ENOENT (No such file or directory).

One thing to look at would be kernel versions; not all kernels support openat
and friends, so on older kernels, the fts traversal algorithms have to fake
openat by using chdir, but on newer kernels, there is no chdir.  Meanwhile, it
may be worth begging the kernel and glibc folks to consider implementing
lgetxattrat and friends.

--
Eric Blake





Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Tue July 14 2009 21:31:22 Eric Blake wrote:

> Kamil Dudka <kdudka <at> redhat.com> writes:
> > In other words on Debian find does not change the working directory
> > before calling lgetxattr syscall. That's why lgetxattr does not see the
> > file and returns ENOENT (No such file or directory).
>
> One thing to look at would be kernel versions; not all kernels support
> openat and friends, so on older kernels, the fts traversal algorithms have
> to fake openat by using chdir, but on newer kernels, there are no chdir.
> Meanwhile, it may be worth begging the kernel and glibc folks to consider
> implementing lgetxattrat and friends.

Sorry for the confusion. My previous testing was completely wrong because I ran
an older version of findutils on Fedora. With the current git version it fails
on Fedora, too. It means something has been changed within findutils and/or
gnulib in the meantime.

The attached incremental patch fixes it. Now it works on both Fedora and
Debian. But unfortunately it does not work with the stable version (4.4.2)
of findutils. Could anybody point me to the relevant change in findutils
code? Thanks in advance!

Kamil



[findutils-selinux-inc.patch]

diff --git a/find/pred.c b/find/pred.c
index 77c2aac..ffc239b 100644
--- a/find/pred.c
+++ b/find/pred.c
@@ -1061,7 +1061,7 @@ do_fprintf(struct format_val *dest,
  case 'Z':               /* SELinux security context */
   {
     security_context_t scontext;
-    int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+    int rv = (*options.x_getfilecon) (pathname, &scontext);
     if (rv < 0)
       {
  /* If getfilecon fails, there will in the general case
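
Review bot: replacing state.rel_pathname with pathname in the %Z branch ties the lookup to the assumption that the traversal never changes the working directory; that holds for the git tree (fts with FTS_CWDFD) but not for 4.4.2, where fts chdir()s into each directory and pathname is then relative to the wrong place, which is exactly the Fedora-vs-Debian difference in the traces. Rather than choosing between the two path strings, resolve the relative name against the directory fd the traversal holds (getfileconat with the fts cwd fd, as Jim suggests later in the thread), so the lookup works on both code paths.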
@@ -1899,7 +1899,7 @@ pred_context (const char *pathname, struct stat *stat_buf,
       struct predicate *pred_ptr)
 {
   security_context_t scontext;
-  int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+  int rv = (*options.x_getfilecon) (pathname, &scontext);
   if (rv < 0)
     {
       error (0, errno, "getfilecon: %s", safely_quote_err_filename (0, pathname));
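
Review bot: pred_context repeats the same state.rel_pathname -> pathname switch as the %Z branch, so two call sites now carry the same cwd assumption; route both through one helper that takes the directory fd and the relative name, so they cannot drift apart. Note also that the unchanged `error (0, errno, "getfilecon: %s", safely_quote_err_filename (0, pathname));` already used pathname before this change, so the lookup and its diagnostic disagreed about which path was meant, which is why the Debian trace reported `m4/nullsort.m4` while lgetxattr was called on `nullsort.m4`.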


Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Mon July 20 2009 13:33:23 Kamil Dudka wrote:
> Sorry for confusion. My previous testing was completely wrong because I ran
> older version of findutils on Fedora. With the current git version it fails
> on Fedora, too. It means something has been changed within findutils and/or
> gnulib in the meantime.
>
> The attached incremental patch fixes it. Now it works on both Fedora and
> Debian. But unfortunately it does not work with the stable version (4.4.2)
> of findutils. Could anybody point me to the relevant change in findutils
> code? Thanks in advance!

This seems to be the relevant change:

http://git.savannah.gnu.org/gitweb/?p=findutils.git;a=commitdiff;h=214320ca225da9c3f85c35fddd59c07045d6a6ff

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

Kamil Dudka wrote:

> On Tue July 14 2009 21:31:22 Eric Blake wrote:
>> Kamil Dudka <kdudka <at> redhat.com> writes:
>> > In other words on Debian find does not change the working directory
>> > before calling lgetxattr syscall. That's why lgetxattr does not see the
>> > file and returns ENOENT (No such file or directory).
>>
>> One thing to look at would be kernel versions; not all kernels support
>> openat and friends, so on older kernels, the fts traversal algorithms have
>> to fake openat by using chdir, but on newer kernels, there are no chdir.
>> Meanwhile, it may be worth begging the kernel and glibc folks to consider
>> implementing lgetxattrat and friends.
>
> Sorry for confusion. My previous testing was completely wrong because I ran
> older version of findutils on Fedora. With the current git version it fails
> on Fedora, too. It means something has been changed within findutils and/or
> gnulib in the meantime.
>
> The attached incremental patch fixes it. Now it works on both Fedora and
> Debian. But unfortunately it does not work with the stable version (4.4.2)
> of findutils. Could anybody point me to the relevant change in findutils
> code? Thanks in advance!

With the FTS_CWDFD-adding change you spotted,
I suspect that you should be using an FD-based function,
like getfileconat or lgetfileconat from coreutils.

> diff --git a/find/pred.c b/find/pred.c
> index 77c2aac..ffc239b 100644
> --- a/find/pred.c
> +++ b/find/pred.c
> @@ -1061,7 +1061,7 @@ do_fprintf(struct format_val *dest,
>   case 'Z':               /* SELinux security context */
>    {
>      security_context_t scontext;
> -    int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
> +    int rv = (*options.x_getfilecon) (pathname, &scontext);
>      if (rv < 0)
>        {
>   /* If getfilecon fails, there will in the general case
> @@ -1899,7 +1899,7 @@ pred_context (const char *pathname, struct stat *stat_buf,
>        struct predicate *pred_ptr)
>  {
>    security_context_t scontext;
> -  int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
> +  int rv = (*options.x_getfilecon) (pathname, &scontext);
>    if (rv < 0)
>      {
>        error (0, errno, "getfilecon: %s", safely_quote_err_filename (0, pathname));



Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > The attached incremental patch fixes it. Now it works on both Fedora and
> > Debian. But unfortunately it does not work with the stable version
> > (4.4.2) of findutils. Could anybody point me to the relevant change in
> > findutils code? Thanks in advance!
>
> With the FTS_CWDFD-adding change you spotted,
> I suspect that you should be using an FD-based function,
> like getfileconat or lgetfileconat from coreutils.

It's probably always better to use an FD-based function when working with
an opened file. However, this is not the case, I think. Only the FD of the
traversed directory is available when getfilecon() is called. If I want to use
the FD of an opened file, I need to open the file first. Then I am obviously
encountering the same problem with relative paths.

James, what do you think the proper solution is? Is it correct to expect that
the CWD is changed (or not changed) during the directory tree traversal?

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

Kamil Dudka wrote:

> On Thu July 30 2009 13:57:00 Jim Meyering wrote:
>> > The attached incremental patch fixes it. Now it works on both Fedora and
>> > Debian. But unfortunately it does not work with the stable version
>> > (4.4.2) of findutils. Could anybody point me to the relevant change in
>> > findutils code? Thanks in advance!
>>
>> With the FTS_CWDFD-adding change you spotted,
>> I suspect that you should be using an FD-based function,
>> like getfileconat or lgetfileconat from coreutils.
>
> It's probably always better to use a FD-based function when working with
> an opened file. However this is not the case I think. Only FD of the traversed
> directory is available when getfilecon() is called. If I want to use FD
> of an opened  file, I need to open the file first. Then I am obviously
> encountering the same problem with relative paths.

With FTS_CWDFD, the working directory does not change.
Instead, fts->fts_cwd_fd is what changes.
You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
get the desired context.

> James, what do you think the proper solution is? Is it correct to expect that
> the CWD is changed (or not changed) during the directory tree traverse?
>
> Kamil
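
As an added example (not findutils, gnulib or coreutils code), the C program below reproduces the ENOENT failure from the Debian trace and then performs the fd-relative lookup Jim describes, emulating the missing lgetxattrat() with the fchdir save/restore trick Eric mentions; the helper name lgetcon_at and the scratch tree under $TMPDIR are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/xattr.h>
#include <unistd.h>

/* Hypothetical helper (not gnulib's lgetfileconat): read NAME's
 * "security.selinux" xattr relative to directory DIRFD.  Linux has no
 * lgetxattrat(), so we fchdir() into DIRFD for the one call and restore
 * the old cwd afterwards.  Returns >0 (context length copied into BUF),
 * 0 if NAME resolved but has no readable context (ENODATA, ENOTSUP, ...),
 * -1 if NAME does not resolve relative to DIRFD (ENOENT/ENOTDIR, the
 * Debian-trace failure), -2 if the cwd could not be saved or restored. */
static ssize_t
lgetcon_at (int dirfd, const char *name, char *buf, size_t size)
{
  int saved_cwd = -1, saved_errno;
  ssize_t rv;

  /* Only a relative name needs DIRFD; AT_FDCWD or an absolute name
   * resolves exactly as a plain lgetxattr() would. */
  if (dirfd != AT_FDCWD && name[0] != '/')
    {
      saved_cwd = open (".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
      if (saved_cwd < 0)
        return -2;
      if (fchdir (dirfd) != 0)
        {
          saved_errno = errno;
          close (saved_cwd);
          errno = saved_errno;
          return -2;
        }
    }

  rv = lgetxattr (name, "security.selinux", buf, size);
  saved_errno = errno;

  if (saved_cwd >= 0)
    {
      /* A failed restore leaves the process in the wrong directory. */
      int restored = fchdir (saved_cwd);
      close (saved_cwd);
      if (restored != 0)
        return -2;
    }
  errno = saved_errno;

  if (rv >= 0)
    return rv;
  return (errno == ENOENT || errno == ENOTDIR) ? -1 : 0;
}

/* Reproduce the thread's scenario on a constructed scratch tree
 * $TMPDIR/find-selinux-XXXXXX/m4/findlib.m4, run from the parent directory
 * as "find m4 -printf %Z" was.  Returns 1 when the cwd-relative lookup
 * fails with ENOENT (the bug) and the fd-relative one resolves, else 0. */
int
demo_fd_relative_lookup (void)
{
  const char *tmpdir = getenv ("TMPDIR");
  char root[PATH_MAX], dir[PATH_MAX], file[PATH_MAX], ctx[256];
  int orig_cwd, m4_fd = -1, fd, result = 0;

  snprintf (root, sizeof root, "%s/find-selinux-XXXXXX", tmpdir ? tmpdir : "/tmp");
  if (mkdtemp (root) == NULL)
    return 0;
  snprintf (dir, sizeof dir, "%s/m4", root);
  snprintf (file, sizeof file, "%s/findlib.m4", dir);

  orig_cwd = open (".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
  if (orig_cwd >= 0 && mkdir (dir, 0700) == 0
      && (fd = open (file, O_WRONLY | O_CREAT | O_EXCL, 0600)) >= 0)
    {
      close (fd);
      m4_fd = open (dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
      if (m4_fd >= 0 && chdir (root) == 0)
        {
          /* 1. What find did: "findlib.m4" against the parent directory,
           *    because fts with FTS_CWDFD never chdir()ed into m4. */
          ssize_t via_cwd = lgetcon_at (AT_FDCWD, "findlib.m4", ctx, sizeof ctx);
          /* 2. Jim's suggestion: the same relative name against m4's fd. */
          ssize_t via_fd = lgetcon_at (m4_fd, "findlib.m4", ctx, sizeof ctx);
          result = (via_cwd == -1 && via_fd >= 0);
          fchdir (orig_cwd);
        }
      unlink (file);
    }
  if (m4_fd >= 0) close (m4_fd);
  if (orig_cwd >= 0) close (orig_cwd);
  rmdir (dir);
  rmdir (root);
  return result;
}

int
main (void)
{
  int ok = demo_fd_relative_lookup ();
  printf ("cwd-relative lookup fails, fd-relative lookup resolves: %s\n",
          ok ? "yes" : "no");
  return ok ? 0 : 1;
}
```

On a host without SELinux the fd-relative call returns 0 (no context) instead of a context length, which still distinguishes it from the ENOENT case the bug produced.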



Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Thu August 6 2009 12:16:58 Jim Meyering wrote:

> Kamil Dudka wrote:
> > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> >> > The attached incremental patch fixes it. Now it works on both Fedora
> >> > and Debian. But unfortunately it does not work with the stable version
> >> > (4.4.2) of findutils. Could anybody point me to the relevant change in
> >> > findutils code? Thanks in advance!
> >>
> >> With the FTS_CWDFD-adding change you spotted,
> >> I suspect that you should be using an FD-based function,
> >> like getfileconat or lgetfileconat from coreutils.
> >
> > It's probably always better to use a FD-based function when working with
> > an opened file. However this is not the case I think. Only FD of the
> > traversed directory is available when getfilecon() is called. If I want
> > to use FD of an opened  file, I need to open the file first. Then I am
> > obviously encountering the same problem with relative paths.
>
> With FTS_CWDFD, the working directory does not change.
> Instead, fts->fts_cwd_fd is what changes.
> You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
> get the desired context.

Thanks for the explanation! But the module selinux-at does not seem to be
in gnulib. How can I then use it within findutils? I guess it's not a good
idea to copy the code to the findutils repo...

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Thu August 6 2009 12:36:06 Kamil Dudka wrote:

> On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> > Kamil Dudka wrote:
> > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> > >> > The attached incremental patch fixes it. Now it works on both Fedora
> > >> > and Debian. But unfortunately it does not work with the stable
> > >> > version (4.4.2) of findutils. Could anybody point me to the relevant
> > >> > change in findutils code? Thanks in advance!
> > >>
> > >> With the FTS_CWDFD-adding change you spotted,
> > >> I suspect that you should be using an FD-based function,
> > >> like getfileconat or lgetfileconat from coreutils.
> > >
> > > It's probably always better to use a FD-based function when working
> > > with an opened file. However this is not the case I think. Only FD of
> > > the traversed directory is available when getfilecon() is called. If I
> > > want to use FD of an opened  file, I need to open the file first. Then
> > > I am obviously encountering the same problem with relative paths.
> >
> > With FTS_CWDFD, the working directory does not change.
> > Instead, fts->fts_cwd_fd is what changes.
> > You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
> > get the desired context.
>
> Thanks for the explanation! But the module selinux-at does not seem to be
> in gnulib. How can I then use it within findutils? I guess it's not good
> idea to copy the code to findutils repo...

I can see it's heavily based on the modules openat and selinux-h, which are
available in gnulib. Anyway, what's the reason why the selinux-at module is
not included in gnulib? Would it be possible to move it from coreutils to gnulib?

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

Kamil Dudka wrote:

> On Thu August 6 2009 12:16:58 Jim Meyering wrote:
>> Kamil Dudka wrote:
>> > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
>> >> > The attached incremental patch fixes it. Now it works on both Fedora
>> >> > and Debian. But unfortunately it does not work with the stable version
>> >> > (4.4.2) of findutils. Could anybody point me to the relevant change in
>> >> > findutils code? Thanks in advance!
>> >>
>> >> With the FTS_CWDFD-adding change you spotted,
>> >> I suspect that you should be using an FD-based function,
>> >> like getfileconat or lgetfileconat from coreutils.
>> >
>> > It's probably always better to use a FD-based function when working with
>> > an opened file. However this is not the case I think. Only FD of the
>> > traversed directory is available when getfilecon() is called. If I want
>> > to use FD of an opened  file, I need to open the file first. Then I am
>> > obviously encountering the same problem with relative paths.
>>
>> With FTS_CWDFD, the working directory does not change.
>> Instead, fts->fts_cwd_fd is what changes.
>> You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
>> get the desired context.
>
> Thanks for the explanation! But the module selinux-at does not seem to be
> in gnulib. How can I then use it within findutils? I guess it's not good
> idea to copy the code to findutils repo...

I'll move them to gnulib.



Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Thu August 6 2009 13:23:38 Jim Meyering wrote:

> Kamil Dudka wrote:
> > On Thu August 6 2009 12:16:58 Jim Meyering wrote:
> >> Kamil Dudka wrote:
> >> > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
> >> >> > The attached incremental patch fixes it. Now it works on both
> >> >> > Fedora and Debian. But unfortunately it does not work with the
> >> >> > stable version (4.4.2) of findutils. Could anybody point me to the
> >> >> > relevant change in findutils code? Thanks in advance!
> >> >>
> >> >> With the FTS_CWDFD-adding change you spotted,
> >> >> I suspect that you should be using an FD-based function,
> >> >> like getfileconat or lgetfileconat from coreutils.
> >> >
> >> > It's probably always better to use a FD-based function when working
> >> > with an opened file. However this is not the case I think. Only FD of
> >> > the traversed directory is available when getfilecon() is called. If I
> >> > want to use FD of an opened  file, I need to open the file first. Then
> >> > I am obviously encountering the same problem with relative paths.
> >>
> >> With FTS_CWDFD, the working directory does not change.
> >> Instead, fts->fts_cwd_fd is what changes.
> >> You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
> >> get the desired context.
> >
> > Thanks for the explanation! But the module selinux-at does not seem to be
> > in gnulib. How can I then use it within findutils? I guess it's not good
> > idea to copy the code to findutils repo...
>
> I'll move them to gnulib.

Thanks!

Just let me note there is no explicit dependency on the openat module (namely
lib/at-func.c). Is the dependency implied somehow?

Kamil




Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

...
>> I'll move them to gnulib.
>
> Thanks!
>
> Just let me note there is no explicit dependency on the openat module (namely
> lib/at-func.c). Is the dependency implied somehow?

Good point.
I'll add that module dependency.  Thanks.

I'll also do a stand-alone test, which should
expose any other missing dependencies.



Re: [PATCH 1/2] find: add SELinux support

by Kamil Dudka

On Thursday 06 of August 2009 14:01:37 Jim Meyering wrote:

> ...
>
> >> I'll move them to gnulib.
> >
> > Thanks!
> >
> > Just let me note there is no explicit dependency on the openat module
> > (namely lib/at-func.c). Is the dependency implied somehow?
>
> Good point.
> I'll add that module dependency.  Thanks.
>
> I'll also do a stand-alone test, which should
> expose any other missing dependencies.

Thanks for the quick response. An incremental patch is attached for review.
I'll merge it with the original patch if the change is OK.

Kamil

[find-selinux-inc.patch]

diff --git a/find/defs.h b/find/defs.h
index c834baa..481c013 100644
--- a/find/defs.h
+++ b/find/defs.h
@@ -613,7 +613,7 @@ struct options
   int regex_options;
 
   /* function used to get file context */
-  int (*x_getfilecon) ();
+  int (*x_getfilecon) (int, const char *, security_context_t *);
 
   /* Optimisation level.  One is the default.
    */
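Review bot: the new prototype names security_context_t inside struct options, so defs.h must see a declaration of that type (selinux/selinux.h, or the selinux-at.h that the parser.c hunk below switches to) before this struct, otherwise any translation unit that includes defs.h without a SELinux header stops compiling. The change itself is the right fix: the old unprototyped `int (*x_getfilecon) ();` let a call with the wrong number of arguments compile silently, which is exactly the mistake the added fd argument would otherwise have invited.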
diff --git a/find/parser.c b/find/parser.c
index c8b847f..330eb38 100644
--- a/find/parser.c
+++ b/find/parser.c
@@ -53,7 +53,7 @@
 #include <unistd.h>
 #include <sys/stat.h>
 
-#include <selinux/selinux.h>
+#include "selinux-at.h"
 
 #if ENABLE_NLS
 # include <libintl.h>
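Review bot: swapping `#include <selinux/selinux.h>` for `"selinux-at.h"` leaves parser.c relying on the gnulib header to pull in the libselinux declarations the file still uses (security_context_t in the signatures below, and the SELinux-enabled check behind the error in the parse_context hunk). Either keep both includes or add a one-line comment saying selinux-at.h is expected to include selinux/selinux.h, so the dependency is visible rather than accidental.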
@@ -352,7 +352,8 @@ static const char *first_nonoption_arg = NULL;
 static const struct parser_table *noop = NULL;
 
 static int
-fallback_getfilecon (const char *name, security_context_t *p, int prev_rv)
+fallback_getfilecon (int fd, const char *name, security_context_t *p,
+     int prev_rv)
 {
   /* Our original getfilecon () call failed.  Perhaps we can't follow a
    * symbolic link.  If that might be the problem, lgetfilecon () the link.
@@ -365,7 +366,7 @@ fallback_getfilecon (const char *name, security_context_t *p, int prev_rv)
  fprintf (stderr, "fallback_getfilecon(): getfilecon(%s) failed; falling "
  "back on lgetfilecon()\n", name);
 #endif
- return lgetfilecon (name, p);
+ return lgetfileconat (fd, name, p);
 
       case EACCES:
       case EIO:
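Review bot: the DEBUG message two lines above the changed call still says "getfilecon(%s) failed; falling back on lgetfilecon()" while the code now calls lgetfileconat(); update the text, and since name is now relative to fd, print the fd as well, because a bare relative name no longer identifies which directory the lookup ran in.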
@@ -389,23 +390,23 @@ fallback_getfilecon (const char *name, security_context_t *p, int prev_rv)
  * If the item to be examined is not a command-line argument, we
  * examine the link itself. */
 int
-optionh_getfilecon (const char *name, security_context_t *p)
+optionh_getfilecon (int fd, const char *name, security_context_t *p)
 {
   int rv;
   if (0 == state.curdepth)
     {
       /* This file is from the command line; dereference the link (if it is
  a link). */
-      rv = getfilecon (name, p);
+      rv = getfileconat (fd, name, p);
       if (0 == rv)
  return 0;               /* success */
       else
- return fallback_getfilecon (name, p, rv);
+ return fallback_getfilecon (fd, name, p, rv);
     }
   else
     {
       /* Not a file on the command line; do not dereference the link. */
-      return lgetfilecon (name, p);
+      return lgetfileconat (fd, name, p);
     }
 }
 
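Review bot: at curdepth 0 the command-line argument is resolved with `getfileconat (fd, name, p)`, which is only correct if state.cwd_dir_fd is AT_FDCWD (or the directory the argument is relative to) whenever curdepth is 0; nothing in this hunk states that invariant, so a comment or a debug assertion here would make the dependency on the traversal code explicit. Also, the defs.h hunk changes only the x_getfilecon member; confirm there is no separate prototype of optionh_getfilecon, optionl_getfilecon or optionp_getfilecon still declaring the two-argument form.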
@@ -413,22 +414,22 @@ optionh_getfilecon (const char *name, security_context_t *p)
  * -L option is in effect.  That option makes us examine the thing the
  * symbolic link points to, not the symbolic link itself. */
 int
-optionl_getfilecon (const char *name, security_context_t *p)
+optionl_getfilecon (int fd, const char *name, security_context_t *p)
 {
-  int rv = getfilecon (name, p);
+  int rv = getfileconat (fd, name, p);
   if (0 == rv)
     return 0;                  /* normal case. */
   else
-    return fallback_getfilecon (name, p, rv);
+    return fallback_getfilecon (fd, name, p, rv);
 }
 
 /* optionp_getfilecon () implements the stat operation when the -P
  * option is in effect (this is also the default).  That option makes
  * us examine the symbolic link itself, not the thing it points to. */
 int
-optionp_getfilecon (const char *name, security_context_t *p)
+optionp_getfilecon (int fd, const char *name, security_context_t *p)
 {
-  return lgetfilecon (name, p);
+  return lgetfileconat (fd, name, p);
 }
 
 void
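Review bot: the comments above optionl_getfilecon and optionp_getfilecon say each function "implements the stat operation" under -L and -P; they were carried over from the option*_stat functions and now describe the wrong operation. Rephrase them as "implements the getfilecon operation" so the -L/-P semantics are attached to the right call.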
@@ -2706,7 +2707,7 @@ parse_context (const struct parser_table* entry, char **argv, int *arg_ptr)
       error (1, 0, _("invalid predicate -context: SELinux is not enabled."));
       return false;
     }
-  our_pred = insert_primary (entry);
+  our_pred = insert_primary (entry, NULL);
   our_pred->est_success_rate = 0.01f;
   our_pred->need_stat = false;
 #ifdef DEBUG
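Review bot: `insert_primary (entry, NULL)` records no argument text for -context even though -context takes a pattern; if the second parameter of insert_primary is the predicate argument kept for diagnostics, pass the context pattern here instead of NULL. Separately, the `return false;` after `error (1, 0, ...)` is unreachable, because error() with a nonzero status exits.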
diff --git a/find/pred.c b/find/pred.c
index 77c2aac..5c47290 100644
--- a/find/pred.c
+++ b/find/pred.c
@@ -1061,7 +1061,8 @@ do_fprintf(struct format_val *dest,
  case 'Z':               /* SELinux security context */
   {
     security_context_t scontext;
-    int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+    int rv = (*options.x_getfilecon) (state.cwd_dir_fd, state.rel_pathname,
+      &scontext);
     if (rv < 0)
       {
  /* If getfilecon fails, there will in the general case
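Review bot: the %Z directive here and pred_context in the next hunk now make the identical call `(*options.x_getfilecon) (state.cwd_dir_fd, state.rel_pathname, &scontext)`; a small wrapper taking only the out-pointer would keep the two call sites from drifting apart and would be the one place to document that rel_pathname is relative to cwd_dir_fd.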
@@ -1899,7 +1900,8 @@ pred_context (const char *pathname, struct stat *stat_buf,
       struct predicate *pred_ptr)
 {
   security_context_t scontext;
-  int rv = (*options.x_getfilecon) (state.rel_pathname, &scontext);
+  int rv = (*options.x_getfilecon) (state.cwd_dir_fd, state.rel_pathname,
+    &scontext);
   if (rv < 0)
     {
       error (0, errno, "getfilecon: %s", safely_quote_err_filename (0, pathname));
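Review bot: the error text `getfilecon: %s` names the plain libselinux call regardless of which function actually failed (under -P, and for non-command-line files under -H, it is lgetfileconat); report the name of the call that ran, or use a neutral "failed to get security context of %s", so the message matches what strace shows. Passing the full pathname to safely_quote_err_filename rather than rel_pathname is the right choice now that the relative name alone is ambiguous.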
diff --git a/import-gnulib.config b/import-gnulib.config
index cbb384e..699c417 100644
--- a/import-gnulib.config
+++ b/import-gnulib.config
@@ -1,7 +1,7 @@
 # findutils gnulib.config -*- sh -*-
 
 # What version of gnulib to use?
-gnulib_version="b653eda3ac4864de205419d9f41eec267cb89eeb"
+gnulib_version="27aa230554a630b52c2ce1540f6274c0aa4eaed1"
 destdir="gnulib"
 
 # Random extra gnulib files needed for findutils.
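Review bot: the pinned gnulib_version 27aa230554a630b52c2ce1540f6274c0aa4eaed1 has to be a commit that already contains the selinux-at module and the openat dependency Jim agreed to add earlier in this thread; confirm the hash post-dates that gnulib change, otherwise import-gnulib.sh fetches a tree without the module and the build fails at the new include.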
@@ -65,7 +65,7 @@ realloc
 regex
 rpmatch
 savedir
-selinux-h
+selinux-at
 stat-macros
 stat-time
 stdint
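Review bot: selinux-h is replaced rather than kept alongside selinux-at, yet defs.h, parser.c and pred.c still use the libselinux types and calls that selinux-h provides declarations and stubs for; this only works if selinux-at lists selinux-h as a dependency (Kamil notes later in the thread that it is based on openat and selinux-h). Listing selinux-h explicitly costs nothing and keeps findutils' own requirement visible instead of inherited.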


Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

Kamil Dudka wrote:

> On Thursday 06 of August 2009 14:01:37 Jim Meyering wrote:
>> ...
>>
>> >> I'll move them to gnulib.
>> >
>> > Thanks!
>> >
>> > Just let me note there is no explicit dependency on the openat module
>> > (namely lib/at-func.c). Is the dependency implied somehow?
>>
>> Good point.
>> I'll add that module dependency.  Thanks.
>>
>> I'll also do a stand-alone test, which should
>> expose any other missing dependencies.
>
> Thanks for the quick response. An incremental patch is attached for review.
> I'll merge it with the original patch if the change is ok.
>
> Kamil
>
> diff --git a/find/parser.c b/find/parser.c

I glanced through quickly, and didn't see anything fishy.



Re: [PATCH 1/2] find: add SELinux support

by Jim Meyering

Kamil Dudka wrote:

> On Thu August 6 2009 12:36:06 Kamil Dudka wrote:
>> On Thu August 6 2009 12:16:58 Jim Meyering wrote:
>> > Kamil Dudka wrote:
>> > > On Thu July 30 2009 13:57:00 Jim Meyering wrote:
>> > >> > The attached incremental patch fixes it. Now it works on both Fedora
>> > >> > and Debian. But unfortunately it does not work with the stable
>> > >> > version (4.4.2) of findutils. Could anybody point me to the relevant
>> > >> > change in findutils code? Thanks in advance!
>> > >>
>> > >> With the FTS_CWDFD-adding change you spotted,
>> > >> I suspect that you should be using an FD-based function,
>> > >> like getfileconat or lgetfileconat from coreutils.
>> > >
>> > > It's probably always better to use a FD-based function when working
>> > > with an opened file. However this is not the case I think. Only FD of
>> > > the traversed directory is available when getfilecon() is called. If I
>> > > want to use FD of an opened file, I need to open the file first. Then
>> > > I am obviously encountering the same problem with relative paths.
>> >
>> > With FTS_CWDFD, the working directory does not change.
>> > Instead, fts->fts_cwd_fd is what changes.
>> > You can use getfileconat (fts->fts_cwd_fd, relative_name, &context) to
>> > get the desired context.
>>
>> Thanks for the explanation! But the module selinux-at does not seem to be
>> in gnulib. How can I then use it within findutils? I guess it's not a good
>> idea to copy the code to findutils repo...
>
> I can see it's heavily based on modules openat and selinux-h which are
> available in gnulib. Anyway what's the reason why the selinux-at module is
> not included in gnulib? Would it be possible to move it from coreutils to gnulib?

Before now, afaik, coreutils was the only package using selinux-at.

