Add support for SELinux labeling

Running `firejail --noprofile --private-bin=bash,ls ls -1Za /usr/bin`
shows that the SELinux labels are not correct:
```
user_u:object_r:user_tmpfs_t:s0 .
     system_u:object_r:usr_t:s0 ..
user_u:object_r:user_tmpfs_t:s0 bash
user_u:object_r:user_tmpfs_t:s0 ls
```

After fixing this:
```
       system_u:object_r:bin_t:s0 .
       system_u:object_r:usr_t:s0 ..
system_u:object_r:shell_exec_t:s0 bash
       system_u:object_r:bin_t:s0 ls
```

Most copied files and created directories should now have correct
labels (bind mounted objects keep their labels). This is useful to
avoid having to change the SELinux rules when using Firejail.

1 files changed, 57 insertions, 0 deletions

diff --git a/src/fcopy/main.c b/src/fcopy/main.c
index 5c4a76753..83d9c17e6 100644
--- a/src/fcopy/main.c
+++ b/src/fcopy/main.c
@@ -24,6 +24,15 @@
 #include <errno.h>
 #include <pwd.h>
 
+#if HAVE_SELINUX
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <selinux/context.h>
+#include <selinux/label.h>
+#include <selinux/selinux.h>
+#endif
+
 int arg_quiet = 0;
 int arg_debug = 0;
 static int arg_follow_link = 0;
@@ -36,6 +45,52 @@ static unsigned file_cnt = 0;
 static char *outpath = NULL;
 static char *inpath = NULL;
 
+#if HAVE_SELINUX
+static struct selabel_handle *label_hnd = NULL;
+static int selinux_enabled = -1;
+#endif
+
+// copy from firejail/selinux.c
+static void selinux_relabel_path(const char *path, const char *inside_path)
+{
+#if HAVE_SELINUX
+        char procfs_path[64];
+        char *fcon = NULL;
+        int fd;
+        struct stat st;
+
+        if (selinux_enabled == -1)
+                selinux_enabled = is_selinux_enabled();
+
+        if (!selinux_enabled)
+                return;
+
+        if (!label_hnd)
+                label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+
+        /* Open the file as O_PATH, to pin it while we determine and adjust the label */
+        fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
+        if (fd < 0)
+                return;
+        if (fstat(fd, &st) < 0)
+                goto close;
+
+        if (selabel_lookup_raw(label_hnd, &fcon, inside_path, st.st_mode)  == 0) {
+                sprintf(procfs_path, "/proc/self/fd/%i", fd);
+                if (arg_debug)
+                        printf("Relabeling %s as %s (%s)\n", path, inside_path, fcon);
+
+                setfilecon_raw(procfs_path, fcon);
+        }
+        freecon(fcon);
+ close:
+        close(fd);
+#else
+        (void) path;
+        (void) inside_path;
+#endif
+}
+
 // modified version of the function from util.c
 static void copy_file(const char *srcname, const char *destname, mode_t mode, uid_t uid, gid_t gid) {
         assert(srcname);
@@ -87,6 +142,8 @@ static void copy_file(const char *srcname, const char *destname, mode_t mode, ui
         close(src);
         close(dst);
 
+        selinux_relabel_path(destname, srcname);
+
         return;
 
 errexit: