Update ChangeLog

If a service has the same name as the runlevel it is in, openrc will
crash on changing to such runlevel. It goes in a recursive madness and
eventually gets a SEGV while in snprintf (don't know why).

This fixes two errors:
1. ls_dir stats files not with full path -> stat always returns != 0
2. ls_dir adds files to list if stat failed

This fixes #53.

X-Gentoo-Bug: 537304
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=537304

BUSYBOX.md

@@ -1,6 +1,4 @@
-Using Busybox as your Default Shell
------------------------------------
-
+# Using Busybox as your Default Shell with OpenRC
 
 If you have/bin/sh linked to busybox, you need to be aware of several
 incompatibilities between busybox's applets and the standalone
@@ -27,5 +25,8 @@ CONFIG_SETFONT -- The setfont applet does not support the -u option from kbd.
 CONFIG_IP -- The ip applet  doesn't support the "scope" modifier for
 "ip route add" and "ip address add".
 
+CONFIG_BB_SYSCTL -- The sysctl applet does not support the --system command
+line switch.
+
 There is work to get most of these supported by busybox, so this file
 will be updated as things change.

FEATURE-REMOVAL-SCHEDULE.md

@@ -1,34 +1,31 @@
+# Features Scheduled for Removal
+
 The following is a list of files and features that are going to be removed in
 the source tree.  Every entry should contain what exactly is going away, why it
 is happening, and who is going to be doing the work.  When the feature is
 removed, it should also be removed from this file.
 
----------------------------
-
-What: Service pause action
+## Service pause action
 
 When: 1.0
 
-Why: ...
+Why: The same affect can be obtained with the --nodeps option to stop.
 
 Who:
 
----------------------------
-
-What: start-stop-daemon options --startas, --chuid , --oknodo
+## start-stop-daemon options --startas, --chuid , --oknodo
 
 When: 1.0
 
 Why: Obsolete or replaced by other options.
-	 --startas => use --name or --exec
-	 --chuid => use --user
-	 --oknodo => ignore return code instead
+
+* --startas => use --name or --exec
+* --chuid => use --user
+* --oknodo => ignore return code instead
 
 Who:
 
----------------------------
-
-What: runscript and rc symbolic links
+## runscript and rc symbolic links
 
 When: 1.0
 
@@ -37,9 +34,7 @@ Why: Deprecated in favor of openrc-run and openrc due to naming
 
 Who:
 
----------------------------
-
-What: support for the opts variable in service scripts
+## support for the opts variable in service scripts
 
 When: 1.0
 
@@ -48,9 +43,7 @@ Why: Depprecated in favor of extra_commands, extra_started_commands
 
 Who:
 
----------------------------
-
-What: support for local_start and local_stop
+## support for local_start and local_stop
 
 When: 1.0
 
@@ -58,9 +51,7 @@ Why: Depprecated in favor of executable scripts in @SYSCONFDIR@/local.d
 
 Who:
 
----------------------------
-
-What: the mtab service script
+## the mtab service script
 
 When: make warnings more visible in 1.0, remove in 2.0
 
@@ -68,5 +59,3 @@ Why: /etc/mtab should be a symbolic link to /proc/self/mounts on modern
 	 Linux systems
 
 Who:
-
----------------------------

HISTORY.md

@@ -1,3 +1,5 @@
+# OpenRC History
+
 This history of OpenRC was written by Daniel Robbins, Roy Marples, William
 Hubbs and others.
 

Makefile

@@ -2,7 +2,10 @@
 # Copyright (c) 2007-2009 Roy Marples <roy@marples.name>
 # Released under the 2-clause BSD license.
 
-include Makefile.inc
+TOP:=		${dir ${realpath ${firstword ${MAKEFILE_LIST}}}}
+MK=			${TOP}/mk
+
+include ${TOP}/Makefile.inc
 
 SUBDIR=		conf.d etc init.d local.d man scripts sh src sysctl.d
 
@@ -17,12 +20,11 @@ SUBDIR+=	runlevels
 
 INSTALLAFTER=	_installafter
 
-MK= 		mk
 include ${MK}/sys.mk
 include ${MK}/os.mk
 include ${MK}/subdir.mk
 include ${MK}/dist.mk
-include ${MK}/git.mk
+include ${MK}/gitver.mk
 
 _installafter:
 ifeq (${MKPREFIX},yes)

Makefile.inc

@@ -1,3 +1,3 @@
 NAME=		openrc
-VERSION=	0.13.8
+VERSION=	0.15.1
 PKG=		${NAME}-${VERSION}

NEWS.md

@@ -1,9 +1,30 @@
-OpenRC NEWS
+# OpenRC NEWS
 
-This file will contain a list of notable changes for each release.
+This file will contain a list of notable changes for each release. Note
+the information in this file is in reverse order.
 
-OpenRC-0.13.2
-=============
+## OpenRC-0.14
+
+The binfmt service, which registers misc binary formats with the Linux
+kernel, has been separated from the procfs service. This service will be
+automatically added to the boot runlevel for new Linux installs. When
+you upgrade, you will need to use rc-update to add it to your boot
+runlevel.
+
+The procfs service no longer automounts the deprecated usbfs and
+usbdevfs file systems. Nothing should be using usbdevfs any longer, and
+if you still need usbfs it can be added to fstab.
+
+Related to the above change, the procfs service no longer attempts to
+modprobe the usbcore module. If your device manager does not load it,
+you will need to configure the modules service to do so.
+
+The override order of binfmt.d and tmpfiles.d directories has been
+changed to match systemd. Files in /run/binfmt.d and /run/tmpfiles.d
+override their /usr/lib counterparts, and files in the /etc counterparts
+override both /usr/lib and /run.
+
+## OpenRC-0.13.2
 
 A chroot variable has been added to the service script variables.
 This fixes the support for running a service in a chroot.
@@ -12,8 +33,7 @@ This is documented in man 8 openrc-run.
 The netmount service now mounts nfs file systems.
 This change was made to correct a fix for an earlier bug.
 
-OpenRC-0.13
-===========
+## OpenRC-0.13
 
 /sbin/rc was renamed to /sbin/openrc and /sbin/runscript was renamed to
 /sbin/openrc-run due to naming conflicts with other software.
@@ -36,8 +56,7 @@ kernel. If not, it attempts to mount tmpfs.
 If none of these is available, an error message is displayed and static
 /dev is assumed.
 
-OpenRC-0.12
-===========
+## OpenRC-0.12
 
 The net.* scripts, originally from Gentoo Linux, have
 been removed. If you need these scripts, look for a package called

README

@@ -1,66 +0,0 @@
-OpenRC README
-
-
-Installation
-------------
-make install
-Yup, that simple. Works with GNU make.
-
-You may wish to tweak the installation with the below arguments
-PROGLDFLAGS=-static
-LIBNAME=lib64
-DESTDIR=/tmp/openrc-image
-MKNET=no
-MKPAM=pam
-MKPREFIX=yes
-MKPKGCONFIG=no
-MKSELINUX=yes
-MKSTATICLIBS=no
-MKTERMCAP=ncurses
-MKTERMCAP=termcap
-MKTOOLS=yes
-PKG_PREFIX=/usr/pkg
-LOCAL_PREFIX=/usr/local
-PREFIX=/usr/local
-
-We don't support building a static OpenRC with PAM.
-You may need to use PROGLDFLAGS=-Wl,-Bstatic on glibc instead of just -static.
-If you debug memory under valgrind, add -DDEBUG_MEMORY to your CPPFLAGS
-so that all malloc memory should be freed at exit.
-If you are building OpenRC for a Gentoo Prefix installation, add
-MKPREFIX=yes.
-
-You can also brand OpenRC if you so wish like so
-BRANDING=\"Gentoo/$(uname -s)\"
-
-PKG_PREFIX should be set to where packages install to by default.
-LOCAL_PREFIX should be set when to where user maintained packages are.
-Only set LOCAL_PREFIX if different from PKG_PREFIX.
-PREFIX should be set when OpenRC is not installed to /.
-
-If any of the following files exist then we do not overwrite them
-/etc/devd.conf
-/etc/rc
-/etc/rc.shutdown
-/etc/conf.d/*
-
-rc and rc.shutdown are the hooks from the BSD init into OpenRC.
-devd.conf is modified from FreeBSD to call /etc/rc.devd which is a generic
-hook into OpenRC.
-inittab is the same, but for SysVInit as used by most Linux distributions.
-This can be found in the support folder.
-Obviously, if you're installing this onto a system that does not use OpenRC
-by default then you may wish to backup the above listed files, remove them
-and then install so that the OS hooks into OpenRC.
-
-init.d.misc is not installed by default as the scripts will need
-tweaking on a per distro basis. They are also non essential to the operation
-of the system.
-
-Reporting Bugs
---------------
-Since Gentoo Linux is hosting OpenRC development, Bugs should go to
-the Gentoo Bugzilla:
-	http://bugs.gentoo.org/
-They should be filed under the "Gentoo Hosted Projects" product and
-the "openrc" component.

README.md

@@ -0,0 +1,99 @@
+# OpenRC README
+
+OpenRC is a dependency-based init system that works with the
+system-provided init program, normally `/sbin/init`. Currently, it does
+not have an init program of its own.
+
+## Installation
+
+OpenRC requires GNU make.
+
+Once you have GNU Make installed, the default OpenRC installation can be
+executed using this command:
+
+make install
+
+## Configuration
+
+You may wish to configure the installation by passing one or more of the
+below arguments to the make command
+
+```
+PROGLDFLAGS=-static
+LIBNAME=lib64
+DESTDIR=/tmp/openrc-image
+MKNET=no
+MKPAM=pam
+MKPREFIX=yes
+MKPKGCONFIG=no
+MKSELINUX=yes
+MKSTATICLIBS=no
+MKTERMCAP=ncurses
+MKTERMCAP=termcap
+MKTOOLS=yes
+PKG_PREFIX=/usr/pkg
+LOCAL_PREFIX=/usr/local
+PREFIX=/usr/local
+BRANDING=\"Gentoo/$(uname -s)\"
+```
+
+## Notes
+
+We don't support building a static OpenRC with PAM.
+
+You may need to use `PROGLDFLAGS=-Wl,-Bstatic` on glibc instead of just `-static`.
+
+If you debug memory under valgrind, add `-DDEBUG_MEMORY`
+to your `CPPFLAGS` so that all malloc memory should be freed at exit.
+
+If you are building OpenRC for a Gentoo Prefix installation, add `MKPREFIX=yes`.
+
+`PKG_PREFIX` should be set to where packages install to by default.
+
+`LOCAL_PREFIX` should be set when to where user maintained packages are.
+Only set `LOCAL_PREFIX` if different from `PKG_PREFIX`.
+
+`PREFIX` should be set when OpenRC is not installed to /.
+
+If any of the following files exist then we do not overwrite them
+
+```
+/etc/devd.conf
+/etc/rc
+/etc/rc.shutdown
+/etc/conf.d/*
+```
+
+`rc` and `rc.shutdown` are the hooks from the BSD init into OpenRC.
+
+`devd.conf` is modified from FreeBSD to call `/etc/rc.devd` which is a
+generic hook into OpenRC.
+
+`inittab` is the same, but for SysVInit as used by most Linux distributions.
+This can be found in the support folder.
+
+Obviously, if you're installing this onto a system that does not use
+OpenRC by default then you may wish to backup the above listed files,
+remove them and then install so that the OS hooks into OpenRC.
+
+`init.d.misc` is not installed by default as the scripts will need
+tweaking on a per distro basis. They are also non essential to the
+operation of the system.
+
+## Reporting Bugs
+
+If you are using Gentoo Linux, bugs can be filed on their bugzilla under
+the `gentoo hosted projects` product and the `openrc` component [1].
+Otherwise, you can report issues on our github [2].
+
+Better yet, if you can contribute code, please feel free to submit pull
+requests [3].
+
+## IRC Channel
+
+We have an official irc channel, #openrc on freenode, feel free to join
+us there.
+
+[1]	https://bugs.gentoo.org/
+[2]	https://github.com/openrc/openrc/issues
+[3]	https://github.com/openrc/openrc/pulls

STYLE-GUIDE.md

@@ -1,23 +1,23 @@
+# OpenRC Style Guide
+
 This is the openrc style manual.  It governs the coding style of all code
 in this repository.  Follow it.  Contact openrc@gentoo.org for any questions
 or fixes you might notice.
 
-##########
-# C CODE #
-##########
+## C CODE
 
-The BSD Kernel Normal Form (KNF) style is used:
-	http://en.wikipedia.org/wiki/Indent_style#BSD_KNF_style
-Basically, it's like K&R/LKML, but wrapped lines that are indented use 4 spaces.
+The BSD Kernel Normal Form (KNF) style is used [1]. Basically, it is like
+K&R/LKML, but wrapped lines that are indented use 4 spaces. Here are the
+highlights.
 
-Highlights:
-	- no trailing whitespace
-	- indented code use tabs (not line wrapped)
-	- cuddle the braces (except for functions)
-	- space after native statements and before paren (for/if/while/...)
-	- no space between function and paren
-	- pointer asterisk cuddles the variable, not the type
+- no trailing whitespace
+- indented code use tabs (not line wrapped)
+- cuddle the braces (except for functions)
+- space after native statements and before paren (for/if/while/...)
+- no space between function and paren
+- pointer asterisk cuddles the variable, not the type
 
+```
 void foo(int c)
 {
 	int ret = 0;
@@ -32,16 +32,15 @@ void foo(int c)
 
 	return ret;
 }
+```
 
-##################
-# COMMIT MESSAGES #
-##################
+## COMMIT MESSAGES
 
 The following is an example of a correctly formatted git commit message
 for this repository. Most of this information came from this blog post
-[1], so I would like to thank the author.
+[2], so I would like to thank the author.
 
-### cut here ###
+```
 Capitalized, short (50 chars or less) summary
 
 More detailed explanatory text, if necessary.  Wrap it to about 72
@@ -67,7 +66,7 @@ Further paragraphs come after blank lines.
 Reported-by: User Name <email>
 X-[Distro]-Bug: BugID
 X-[Distro]-Bug-URL: URL for the bug (on the distribution's web site typically)
-### cut here ###
+```
 
 If you did not write the code and the patch does not include authorship
 information in a format git can use, please use the --author option of the
@@ -81,5 +80,5 @@ different from the author and committer.
   *BSD. Also, [Distro] should be replaced with the name of the
   distribution, e.g. X-Gentoo-Bug.
 
-[1] http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
-
+[1]	http://en.wikipedia.org/wiki/Indent_style#BSD_KNF_style
+[2] http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html

etc/rc.conf.Linux

@@ -2,14 +2,15 @@
 # LINUX SPECIFIC OPTIONS
 
 # This is the subsystem type. Valid options on Linux:
-# ""        - nothing special
-# "lxc"     - Linux Containers
-# "openvz"  - Linux OpenVZ
-# "prefix"  - Prefix
-# "uml"     - Usermode Linux
-# "vserver" - Linux vserver
-# "xen0"    - Xen0 Domain
-# "xenU"    - XenU Domain
+# ""               - nothing special
+# "lxc"            - Linux Containers
+# "openvz"         - Linux OpenVZ
+# "prefix"         - Prefix
+# "uml"            - Usermode Linux
+# "vserver"        - Linux vserver
+# "systemd-nspawn" - Container created by the systemd-nspawn utility
+# "xen0"           - Xen0 Domain
+# "xenU"           - XenU Domain
 # If this is commented out, automatic detection will be used.
 #
 # This should be set to the value representing the environment this file is

etc/rc.in

@@ -10,9 +10,9 @@
 trap : SIGINT
 trap "echo 'Boot interrupted'; exit 1" SIGQUIT
 
-/sbin/rc sysinit || exit 1
-/sbin/rc boot || exit 1
-/sbin/rc default
+/sbin/openrc sysinit || exit 1
+/sbin/openrc boot || exit 1
+/sbin/openrc default
 
 # We don't actually care if rc default worked or not, we should exit 0
 # to allow logins

etc/rc.shutdown.in

@@ -14,4 +14,4 @@ LD_LIBRARY_PATH="/lib${LD_LIBRARY_PATH:+:}${LDLIBRARY_PATH}" ; export LD_LIBRARY
 [ -z "$TERM" -o "$TERM" = "dumb" ] && TERM="@TERM@" && export TERM
 
 action=${1:-shutdown}
-exec /sbin/rc "${action}"
+exec /sbin/openrc "${action}"

init.d/.gitignore

@@ -23,6 +23,7 @@ modules
 mount-ro
 mtab
 numlock
+osclock
 procfs
 staticroute
 sysfs

init.d/Makefile

@@ -2,7 +2,7 @@ include ../mk/net.mk
 
 DIR=	${INITDIR}
 SRCS=	bootmisc.in fsck.in hostname.in local.in localmount.in loopback.in \
-	netmount.in root.in savecache.in swap.in swapfiles.in \
+	netmount.in osclock.in root.in savecache.in swap.in swapfiles.in \
 	tmpfiles.setup.in swclock.in sysctl.in urandom.in ${SRCS-${OS}}
 BIN=	${OBJS}
 
@@ -21,7 +21,7 @@ SRCS-FreeBSD=	hostid.in moused.in newsyslog.in pf.in rarpd.in rc-enabled.in \
 SRCS-FreeBSD+=	adjkerntz.in devd.in dumpon.in encswap.in ipfw.in \
 		mixer.in nscd.in powerd.in syscons.in
 
-SRCS-Linux=	devfs.in dmesg.in hwclock.in consolefont.in keymaps.in \
+SRCS-Linux=	binfmt.in devfs.in dmesg.in hwclock.in consolefont.in keymaps.in \
 		killprocs.in modules.in mount-ro.in mtab.in numlock.in \
 		procfs.in sysfs.in termencoding.in tmpfiles.dev.in
 

init.d/binfmt.in

@@ -0,0 +1,20 @@
+#!@SBINDIR@/openrc-run
+# Copyright 2015 William Hubbs <w.d.hubbs@gmail.com>
+# Released under the 2-clause BSD license.
+
+description="Register misc binary format handlers"
+
+depend()
+{
+	after procfs
+	use modules devfs
+	keyword -openvz -prefix -systemd-nspawn -vserver -lxc
+}
+
+start()
+{
+	ebegin "Loading custom binary format handlers"
+	"$RC_LIBEXECDIR"/sh/binfmt.sh
+	eend $?
+return 0
+}

init.d/bootmisc.in

@@ -119,11 +119,32 @@ clean_run()
 {
 	[ "$RC_SYS" = VSERVER -o "$RC_SYS" = LXC ] && return 0
 	local dir
+	# If / is still read-only due to a problem, this will fail!
+	if ! checkpath -W /; then
+		eerror "/ is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	if ! checkpath -W /tmp; then
+		eerror "/tmp is not writable; unable to clean up underlying /run"
+		return 1
+	fi
+	# Now we know that we can modify /tmp and /
+	# if mktemp -d fails, it returns an EMPTY string
+	# STDERR: mktemp: failed to create directory via template ‘/tmp/tmp.XXXXXXXXXX’: Read-only file system
+	# STDOUT: ''
+	rc=0
 	dir=$(mktemp -d)
-	mount --bind / $dir
-	rm -rf $dir/run/*
-	umount $dir
-	rm -rf $dir
+	if [ -n "$dir" -a -d $dir -a -w $dir ]; then
+		mount --bind / $dir && rm -rf $dir/run/* || rc=1
+		umount $dir
+		rm -rf $dir
+	else
+		rc=1
+	fi
+	if [ $rc -ne 0 ]; then
+		eerror "Could not clean up underlying /run on /"
+		return 1
+	fi
 }
 
 start()

init.d/consolefont.in

@@ -8,7 +8,7 @@ depend()
 {
 	need localmount termencoding
 	after hotplug bootmisc
-	keyword -openvz -prefix -uml -vserver -xenu -lxc
+	keyword -openvz -prefix -systemd-nspawn -uml -vserver -xenu -lxc
 }
 
 start()

init.d/devfs.in

@@ -8,7 +8,7 @@ depend()
 {
 	provide dev-mount
 	before dev
-	keyword -prefix -vserver -lxc
+	keyword -prefix -systemd-nspawn -vserver -lxc
 }
 
 mount_dev()

init.d/dmesg.in

@@ -7,7 +7,7 @@ description="Set the dmesg level for a cleaner boot"
 depend()
 {
 	before dev modules
-	keyword -lxc -prefix -vserver
+	keyword -lxc -prefix -systemd-nspawn -vserver
 }
 
 start()

init.d/fsck.in

@@ -9,7 +9,7 @@ _IFS="
 depend()
 {
 	use dev clock modules
-	keyword -jail -openvz -prefix -timeout -vserver -lxc -uml
+	keyword -jail -openvz -prefix -systemd-nspawn -timeout -vserver -lxc -uml
 }
 
 _abort() {

init.d/hostname.in

@@ -5,7 +5,7 @@
 description="Sets the hostname of the machine."
 
 depend() {
-	keyword -prefix -lxc
+	keyword -prefix -systemd-nspawn -lxc
 }
 
 start()

init.d/hwclock.in

@@ -28,7 +28,7 @@ depend()
 	else
 		before *
 	fi
-	keyword -openvz -prefix -uml -vserver -xenu -lxc
+	keyword -openvz -prefix -systemd-nspawn -uml -vserver -xenu -lxc
 }
 
 setupopts()

init.d/keymaps.in

@@ -8,7 +8,7 @@ depend()
 {
 	need localmount termencoding
 	after bootmisc
-	keyword -openvz -prefix -uml -vserver -xenu -lxc
+	keyword -openvz -prefix -systemd-nspawn -uml -vserver -xenu -lxc
 }
 
 start()

init.d/local.in

@@ -14,12 +14,13 @@ start()
 {
 	ebegin "Starting local"
 
-	local file has_errors=0 retval
+	local file has_errors=0 redirect retval
+	yesno $rc_verbose || redirect='> /dev/null 2>&1'
 	eindent
 	for file in @SYSCONFDIR@/local.d/*.start; do
 		if [ -x "${file}" ]; then
 			vebegin "Executing \"${file}\""
-			"${file}" 2>&1 >/dev/null
+			eval "${file}" $redirect
 			retval=$?
 			if [ ${retval} -ne 0 ]; then
 				has_errors=1
@@ -52,12 +53,13 @@ stop()
 {
 	ebegin "Stopping local"
 
-	local file has_errors=0 retval
+	local file has_errors=0 redirect retval
+	yesno $rc_verbose || redirect='> /dev/null 2>&1'
 	eindent
 	for file in @SYSCONFDIR@/local.d/*.stop; do
 		if [ -x "${file}" ]; then
 			vebegin "Executing \"${file}\""
-			"${file}" 2>&1 >/dev/null
+			eval "${file}" $redirect
 			retval=$?
 			if [ ${retval} -ne 0 ]; then
 				has_errors=1

init.d/localmount.in

@@ -9,7 +9,7 @@ depend()
 	need fsck
 	use lvm modules mtab
 	after lvm modules
-	keyword -jail -prefix -vserver -lxc
+	keyword -jail -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/loopback.in

@@ -6,7 +6,7 @@ description="Configures the loopback interface."
 
 depend()
 {
-	keyword -jail -prefix -vserver
+	keyword -jail -prefix -systemd-nspawn -vserver
 }
 
 start()

init.d/modules.in

@@ -7,7 +7,7 @@ description="Loads a user defined list of kernel modules."
 depend()
 {
 	use isapnp
-	keyword -openvz -prefix -vserver -lxc
+	keyword -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/mount-ro.in

@@ -7,7 +7,7 @@ description="Re-mount filesytems read-only for a clean reboot."
 depend()
 {
 	need killprocs savecache
-	keyword -openvz -prefix -vserver -lxc
+	keyword -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/mtab.in

@@ -7,33 +7,35 @@ description="Update /etc/mtab to match what the kernel knows about"
 depend()
 {
 	need root
-	keyword -prefix
+	keyword -prefix -systemd-nspawn
 }
 
 start()
 {
-	if [ -L /etc/mtab ]; then
-		return 0
-	fi
-
+	[ -L /etc/mtab ] && return 0
+	local rc=0
 	ebegin "Updating /etc/mtab"
-	vewarn "The support for updating /etc/mtab as a file is"
-	vewarn "deprecated and will be removed in the future."
-	vewarn "Please run the following command as root on your system."
-	vewarn
-	vewarn "ln -snf /proc/self/mounts /etc/mtab"
-	if ! echo 2>/dev/null >/etc/mtab; then
-		ewend 1 "/etc/mtab is not updateable"
-		return 0
+	if ! checkpath -W /etc; then
+		rc=1
+	elif [ ! -e /etc/mtab ]; then
+		ln -snf /proc/self/mounts /etc/mtab
+	else
+		ewarn "The support for updating /etc/mtab as a file is"
+		ewarn "deprecated and will be removed in the future."
+		ewarn "Please run the following command as root on your system."
+		ewarn
+		ewarn "ln -snf /proc/self/mounts /etc/mtab"
+		ewarn
+
+		# With / as tmpfs we cannot umount -at tmpfs in localmount as that
+		# makes / readonly and dismounts all tmpfs even if in use which is
+		# not good. Luckily, umount uses /etc/mtab instead of /proc/mounts
+		# which allows this hack to work.
+		grep -v "^[! ]* / tmpfs " /proc/mounts > /etc/mtab
+
+		# Remove stale backups
+		rm -f /etc/mtab~ /etc/mtab~~
 	fi
-
-	# With / as tmpfs we cannot umount -at tmpfs in localmount as that
-	# makes / readonly and dismounts all tmpfs even if in use which is
-	# not good. Luckily, umount uses /etc/mtab instead of /proc/mounts
-	# which allows this hack to work.
-	grep -v "^[! ]* / tmpfs " /proc/mounts > /etc/mtab
-
-	# Remove stale backups
-	rm -f /etc/mtab~ /etc/mtab~~
-	eend 0
+	eend $rc "/etc is not writable; unable to create /etc/mtab"
+	return 0
 }

init.d/netmount.in

@@ -7,9 +7,9 @@ description="Mounts network shares according to /etc/fstab."
 depend()
 {
 	config /etc/fstab
-	use afc-client amd autofs openvpn
+	use afc-client amd nfsclient autofs openvpn
 	use dns
-	keyword -jail -prefix -vserver -lxc
+	keyword -jail -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/numlock.in

@@ -9,7 +9,7 @@ ttyn=${rc_tty_number:-${RC_TTY_NUMBER:-12}}
 depend()
 {
 	need localmount
-	keyword -openvz -prefix -vserver -lxc
+	keyword -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 _setleds()

init.d/osclock.in

@@ -0,0 +1,12 @@
+#!@SBINDIR@/openrc-run
+# Copyright (c) 2014 Ralph Sennhauser <sera@igentoo.org>
+# Released under the 2-clause BSD license.
+
+# Can be used on OSs that take care of the clock.
+
+description="Provides clock"
+
+depend()
+{
+	provide clock
+}

init.d/procfs.in

@@ -8,66 +8,20 @@ depend()
 {
 	use modules devfs
 	need localmount
-	keyword -openvz -prefix -vserver -lxc
+	keyword -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()
 {
-	# Make sure we insert usbcore if it's a module
-	if [ -f /proc/modules -a ! -d /sys/module/usbcore -a ! -d /proc/bus/usb ]; then
-		modprobe -q usbcore
-	fi
-
-	[ -e /proc/filesystems ] || return 0
-
 	# Setup Kernel Support for miscellaneous Binary Formats
 	if [ -d /proc/sys/fs/binfmt_misc -a ! -e /proc/sys/fs/binfmt_misc/register ]; then
+		modprobe -q binfmt-misc
 		if grep -qs binfmt_misc /proc/filesystems; then
 			ebegin "Mounting misc binary format filesystem"
 			mount -t binfmt_misc -o nodev,noexec,nosuid \
 				binfmt_misc /proc/sys/fs/binfmt_misc
-			if eend $? ; then
-				local fmts
-				ebegin "Loading custom binary format handlers"
-				fmts=$(grep -hsv -e '^[#;]' -e '^[[:space:]]*$' \
-					/run/binfmt.d/*.conf \
-					/etc/binfmt.d/*.conf \
-					""/usr/lib/binfmt.d/*.conf)
-				if [ -n "${fmts}" ]; then
-					echo "${fmts}" > /proc/sys/fs/binfmt_misc/register
-				fi
 				eend $?
-			fi
 		fi
 	fi
-
-	[ "$RC_SYS" = "OPENVZ" ] && return 0
-
-	# Check what USB fs the kernel support.  Currently
-	# 2.5+ kernels, and later 2.4 kernels have 'usbfs',
-	# while older kernels have 'usbdevfs'.
-	if [ -d /proc/bus/usb -a ! -e /proc/bus/usb/devices ]; then
-		local usbfs=$(grep -Fow usbfs /proc/filesystems ||
-			grep -Fow usbdevfs /proc/filesystems)
-		if [ -n "$usbfs" ]; then
-			ebegin "Mounting USB device filesystem [$usbfs]"
-			local usbgid="$(getent group usb | \
-				sed -e 's/.*:.*:\(.*\):.*/\1/')"
-			mount -t $usbfs \
-				-o ${usbgid:+devmode=0664,devgid=$usbgid,}noexec,nosuid \
-				usbfs /proc/bus/usb
-			eend $?
-		fi
-	fi
-
-	# Setup Kernel Support for SELinux
-	if [ -d /sys/fs/selinux ] && ! mountinfo -q /sys/fs/selinux; then
-		if grep -qs selinuxfs /proc/filesystems; then
-			ebegin "Mounting SELinux filesystem"
-			mount -t selinuxfs selinuxfs /sys/fs/selinux
-			eend $?
-		fi
-	fi
-
 	return 0
 }

init.d/root.in

@@ -7,7 +7,7 @@ description="Mount the root fs read/write"
 depend()
 {
 	need fsck
-	keyword -jail -openvz -prefix -vserver -lxc
+	keyword -jail -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/savecache.in

@@ -13,8 +13,8 @@ start()
 			return 1
 		fi
 	fi
-	if ! checkpath -W "$RC_LIBEXECDIR"/cache; then
-		ewarn "WARNING: ${RC_LIBEXECDIR}/cache is not writable!"
+	if ! checkpath -W "$RC_LIBEXECDIR"; then
+		ewarn "WARNING: ${RC_LIBEXECDIR} is not writable!"
 		if ! yesno "${RC_GOINGDOWN}"; then
 			ewarn "Unable to save deptree cache"
 			return 1
@@ -25,12 +25,12 @@ start()
 	local rc=
 	if [ ! -d "$RC_LIBEXECDIR"/cache ]; then
 		rm -rf "$RC_LIBEXECDIR"/cache
-		if ! mkdir "$RC_LIBEXECDIR"/cache; then
+		if ! mkdir -p "$RC_LIBEXECDIR"/cache; then
 			rc=$?
 			if yesno "${RC_GOINGDOWN}"; then
 				rc=0
 			fi
-			eend $rc
+			eend $rc "Unable to create $RC_SVCDIR/cache"
 			return $rc
 		fi
 	fi

init.d/savecore.in

@@ -23,7 +23,7 @@ start()
 		# Don't quote ${dump_device}, so that if it's unset,
 		# savecore will check on the partitions listed in fstab
 		# without errors in the output
-		savecore -C "$dump_dir" $dump_device >/dev/null
+		savecore -C $dump_device >/dev/null
 	else
 		ls "$dump_dir"/bsd* > /dev/null 2>&1
 	fi

init.d/swap.in

@@ -5,7 +5,7 @@
 depend()
 {
 	before localmount
-	keyword -jail -openvz -prefix -vserver -lxc
+	keyword -jail -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/swapfiles.in

@@ -5,7 +5,7 @@
 depend()
 {
 	need localmount
-	keyword -jail -openvz -prefix -vserver -lxc
+	keyword -jail -openvz -prefix -systemd-nspawn -vserver -lxc
 }
 
 start()

init.d/swclock.in

@@ -8,7 +8,7 @@ depend()
 {
 	before *
 	provide clock
-	keyword -openvz -prefix -uml -vserver -xenu -lxc
+	keyword -openvz -prefix -systemd-nspawn -uml -vserver -xenu -lxc
 }
 
 # swclock is an OpenRC built in

init.d/sysctl.GNU.in

@@ -1,4 +1,4 @@
-#!@PREFIX@/sbin/runscript
+#!@PREFIX@/sbin/openrc-run
 # Copyright (c) 2007-2009 Roy Marples <roy@marples.name>
 # Released under the 2-clause BSD license.
 #FIXME: Modify for GNU/Hurd

init.d/sysctl.Linux.in

@@ -5,12 +5,15 @@
 depend()
 {
 	before bootmisc logger
-	keyword -prefix -vserver
+	keyword -prefix -systemd-nspawn -vserver
 }
 
 start()
 {
+	local quiet
+	yesno $rc_verbose || quiet=-q
+
 	ebegin "Configuring kernel parameters"
-	sysctl --system
+	sysctl ${quiet} --system
 	eend $? "Unable to configure some kernel parameters"
 }

init.d/sysfs.in

@@ -8,7 +8,7 @@ sysfs_opts=nodev,noexec,nosuid
 
 depend()
 {
-	keyword -lxc -prefix -vserver
+	keyword -lxc -prefix -systemd-nspawn -vserver
 }
 
 mount_sys()
@@ -82,6 +82,15 @@ mount_misc()
 		fi
 	fi
 
+	# Setup Kernel Support for SELinux
+	if [ -d /sys/fs/selinux ] && ! mountinfo -q /sys/fs/selinux; then
+		if grep -qs selinuxfs /proc/filesystems; then
+			ebegin "Mounting SELinux filesystem"
+			mount -t selinuxfs selinuxfs /sys/fs/selinux
+			eend $?
+		fi
+	fi
+
 	# setup up kernel support for efivarfs
 	# slightly complicated, as if it's build as a module but NOT yet loaded,
 	# it will NOT appear in /proc/filesystems yet

init.d/termencoding.in

@@ -9,7 +9,7 @@ ttyn=${rc_tty_number:-${RC_TTY_NUMBER:-12}}
 
 depend()
 {
-	keyword -lxc -openvz -prefix -uml -vserver -xenu
+	keyword -lxc -openvz -prefix -systemd-nspawn -uml -vserver -xenu
 	use root
 	after bootmisc
 }

init.d/tmpfiles.dev.in

@@ -2,7 +2,7 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Released under the 2-clause BSD license.
 
-description="set up tmpfiles.d entries"
+description="Set up tmpfiles.d entries"
 
 depend()
 {
@@ -13,7 +13,7 @@ depend()
 
 start()
 {
-	ebegin "setting up tmpfiles.d entries for /dev"
+	ebegin "Setting up tmpfiles.d entries for /dev"
 	@LIBEXECDIR@/sh/tmpfiles.sh --prefix=/dev --create --boot ${tmpfiles_opts}
 	eend $?
 	return 0

init.d/tmpfiles.setup.in

@@ -2,7 +2,7 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Released under the 2-clause BSD license.
 
-description="set up tmpfiles.d entries"
+description="Set up tmpfiles.d entries"
 
 depend()
 {
@@ -11,7 +11,7 @@ depend()
 
 start()
 {
-	ebegin "setting up tmpfiles.d entries"
+	ebegin "Setting up tmpfiles.d entries"
 	@LIBEXECDIR@/sh/tmpfiles.sh --exclude-prefix=/dev --create --remove --boot \
 		${tmpfiles_opts}
 	eend $?

init.d/urandom.in

@@ -8,7 +8,7 @@ description="Initializes the random number generator."
 depend()
 {
 	need localmount
-	keyword -jail -lxc -openvz -prefix
+	keyword -jail -lxc -openvz -prefix -systemd-nspawn
 }
 
 save_seed()

man/rc-update.8

@@ -87,7 +87,7 @@ If the
 .Fl s , -stack
 option is given then we either add or remove the runlevel from the runlevel.
 This allows inheritance of runlevels.
-
+.Pp
 If the
 .Fl a, -all
 option is given, we remove the service from all runlevels. This is

mk/depend.mk

@@ -6,7 +6,7 @@ IGNOREFILES+=	.depend
 
 .depend: ${SRCS}
 	rm -f .depend
-	${CC} ${CPPFLAGS} -MM ${SRCS} > .depend
+	${CC} ${LOCAL_CPPFLAGS} ${CPPFLAGS} -MM ${SRCS} > .depend
 
 depend: .depend extra_depend
 

mk/dist.mk

@@ -2,7 +2,7 @@
 # Copyright (c) 2008 Roy Marples <roy@marples.name>
 # Released under the 2-clause BSD license.
 
-GITREF?=	HEAD
+GITREF?=	${VERSION}
 DISTPREFIX?=	${NAME}-${VERSION}
 DISTFILE?=	${DISTPREFIX}.tar.bz2
 
@@ -17,7 +17,7 @@ SNAPDIR=	${DISTPREFIX}-${SNAP}
 SNAPFILE=	${SNAPDIR}.tar.bz2
 
 changelog:
-	git log ${CHANGELOG_LIMIT} --format=medium > ChangeLog
+	git log ${CHANGELOG_LIMIT} --format=full > ChangeLog
 
 dist:
 	git archive --prefix=${DISTPREFIX}/ ${GITREF} | bzip2 > ${DISTFILE}
@@ -34,7 +34,7 @@ snapshot:
 	mkdir /tmp/${SNAPDIR}
 	cp -RPp * /tmp/${SNAPDIR}
 	(cd /tmp/${SNAPDIR}; make clean)
-	find /tmp/${SNAPDIR} -name .svn -exec rm -rf -- {} \; 2>/dev/null || true
+	rm -rf /tmp/${SNAPDIR}/.git 2>/dev/null || true
 	tar -cvjpf ${SNAPFILE} -C /tmp ${SNAPDIR}
 	rm -rf /tmp/${SNAPDIR}
 	ls -l ${SNAPFILE}

mk/lib.mk

@@ -21,10 +21,10 @@ _LIBS+=			${SHLIB_NAME}
 CLEANFILES+=		${OBJS} ${SOBJS} ${_LIBS} ${SHLIB_LINK}
 
 %.o: %.c
-	${CC} ${CFLAGS} ${CPPFLAGS} -c $< -o $@
+	${CC} ${LOCAL_CFLAGS} ${LOCAL_CPPFLAGS} ${CFLAGS} ${CPPFLAGS} -c $< -o $@
 
 %.So: %.c
-	${CC} ${PICFLAG} -DPIC ${CPPFLAGS} ${CFLAGS} -c $< -o $@
+	${CC} ${PICFLAG} -DPIC ${LOCAL_CFLAGS} ${LOCAL_CPPFLAGS} ${CPPFLAGS} ${CFLAGS} -c $< -o $@
 
 all: depend ${_LIBS}
 
@@ -40,7 +40,7 @@ ${SHLIB_NAME}:	${SOBJS}
 	@${ECHO} building shared library $@
 	@rm -f $@ ${SHLIB_LINK}
 	@ln -fs $@ ${SHLIB_LINK}
-	${CC} ${CFLAGS} ${LDFLAGS} -shared -Wl,-x \
+	${CC} ${LOCAL_CFLAGS} ${CFLAGS} ${LOCAL_LDFLAGS} ${LDFLAGS} -shared -Wl,-x \
 	-o $@ -Wl,-soname,${SONAME} \
 	${SOBJS} ${LDADD}
 

mk/os-GNU.mk

@@ -4,5 +4,5 @@
 SFX=		.GNU.in
 PKG_PREFIX?=	/usr
 
-CPPFLAGS+=	-D_BSD_SOURCE -D_XOPEN_SOURCE=700 -DMAXPATHLEN=4096 -DMAX_PATH=4096
+CPPFLAGS+=	-D_BSD_SOURCE -D_XOPEN_SOURCE=700 -DMAXPATHLEN=4096 -DPATH_MAX=4096
 LIBDL=		-Wl,-Bdynamic -ldl

mk/os-Linux.mk

@@ -4,11 +4,24 @@
 SFX=		.Linux.in
 PKG_PREFIX?=	/usr
 
-CPPFLAGS+=	-D_BSD_SOURCE -D_XOPEN_SOURCE=700
+CPPFLAGS+=	-D_BSD_SOURCE -D_DEFAULT_SOURCE -D_XOPEN_SOURCE=700
 LIBDL=		-Wl,-Bdynamic -ldl
 
 ifeq (${MKSELINUX},yes)
 CPPFLAGS+= -DHAVE_SELINUX
-LIBSELINUX= -lselinux
+LIBSELINUX?= -lselinux
 LDADD += $(LIBSELINUX)
+
+ifneq (${MKPAM},pam)
+# if using selinux but not pam then we need crypt
+LIBCRYPT?= -lcrypt
+LDADD += $(LIBCRYPT)
+endif
+
+endif
+
+ifeq (${MKAUDIT},yes)
+LIBAUDIT?=	-laudit
+CPPFLAGS+=	-DHAVE_AUDIT
+LDADD+=		${LIBAUDIT}
 endif

mk/pam.mk

@@ -3,6 +3,12 @@ LIBPAM?=	-lpam
 CPPFLAGS+=	-DHAVE_PAM
 LDADD+=		${LIBPAM}
 
+ifeq (${MKSELINUX},yes)
+# with selinux, pam_misc is needed too
+LIBPAM_MISC?=	-lpam_misc
+LDADD+=		${LIBPAM_MISC}
+endif
+
 PAMDIR?=	/etc/pam.d
 PAMMODE?=	0644
 else ifneq (${MKPAM},)

mk/prog.mk

@@ -1,4 +1,4 @@
-# rules to build a library
+# rules to build a program
 # based on FreeBSD's bsd.prog.mk
 
 # Copyright (c) 2008 Roy Marples <roy@marples.name>
@@ -25,10 +25,10 @@ CLEANFILES+=		${OBJS} ${PROG}
 all: depend ${PROG}
 
 %.o: %.c
-	${CC} ${CFLAGS} ${CPPFLAGS} -c $< -o $@
+	${CC} ${LOCAL_CFLAGS} ${LOCAL_CPPFLAGS} ${CFLAGS} ${CPPFLAGS} -c $< -o $@
 
 ${PROG}: ${SCRIPTS} ${OBJS}
-	${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LDADD}
+	${CC} ${LOCAL_CFLAGS} ${LOCAL_LDFLAGS}  ${CFLAGS} ${LDFLAGS} -o $@ ${OBJS} ${LDADD}
 
 clean:
 	rm -f ${CLEANFILES}

runlevels/Makefile

@@ -34,7 +34,8 @@ BOOT-FreeBSD+=	hostid newsyslog savecore syslogd
 # FreeBSD specific stuff
 BOOT-FreeBSD+=	adjkerntz dumpon syscons
 
-BOOT-Linux+=	hwclock keymaps modules mtab procfs termencoding tmpfiles.setup
+BOOT-Linux+=	binfmt hwclock keymaps modules mtab procfs termencoding \
+	tmpfiles.setup
 SHUTDOWN-Linux=	killprocs mount-ro
 SYSINIT-Linux=	devfs dmesg sysfs tmpfiles.dev
 

sh/.gitignore

@@ -1,10 +1,11 @@
 functions.sh
 gendepends.sh
 rc-functions.sh
-runscript.sh
+openrc-run.sh
 cgroup-release-agent.sh
 init.sh
 init-early.sh
 rc-cgroup.sh
 tmpfiles.sh
 migrate-to-run.sh
+binfmt.sh

sh/Makefile

@@ -1,8 +1,8 @@
 DIR=	${LIBEXECDIR}/sh
 SRCS=	init.sh.in functions.sh.in gendepends.sh.in \
-	rc-functions.sh.in runscript.sh.in tmpfiles.sh.in ${SRCS-${OS}}
+	openrc-run.sh.in rc-functions.sh.in tmpfiles.sh.in ${SRCS-${OS}}
 INC=	rc-mount.sh functions.sh rc-functions.sh
-BIN=	gendepends.sh init.sh runscript.sh tmpfiles.sh ${BIN-${OS}}
+BIN=	gendepends.sh init.sh openrc-run.sh tmpfiles.sh ${BIN-${OS}}
 
 INSTALLAFTER=	_installafter
 
@@ -12,9 +12,9 @@ include ${MK}/os.mk
 SRCS-FreeBSD=
 BIN-FreeBSD=
 
-SRCS-Linux=	cgroup-release-agent.sh.in init-early.sh.in migrate-to-run.sh.in \
-	rc-cgroup.sh.in
-BIN-Linux=	cgroup-release-agent.sh init-early.sh migrate-to-run.sh \
+SRCS-Linux=	binfmt.sh.in cgroup-release-agent.sh.in init-early.sh.in \
+	migrate-to-run.sh.in rc-cgroup.sh.in
+BIN-Linux=	binfmt.sh cgroup-release-agent.sh init-early.sh migrate-to-run.sh \
 	rc-cgroup.sh
 
 SRCS-NetBSD=

sh/binfmt.sh.in

@@ -0,0 +1,85 @@
+#!@SHELL@
+# This is a reimplementation of the systemd binfmt.d code to register
+# misc binary formats with the kernel.
+#
+# Copyright (c) 2015 William Hubbs <w.d.hubbs@gmail.com>
+# Released under the 2-clause BSD license.
+#
+# See the binfmt.d manpage as well:
+# http://0pointer.de/public/systemd-man/binfmt.d.html
+# This script should match the manpage as of 2015/03/31
+#
+
+apply_file() {
+	[ $# -lt 1 ] && return 0
+	FILE="$1"
+	LINENUM=0
+
+	### FILE FORMAT ###
+	# See https://www.kernel.org/doc/Documentation/binfmt_misc.txt
+	while read line; do
+		LINENUM=$(( LINENUM+1 ))
+		case $line in
+			\#*) continue ;;
+			\;*) continue ;;
+		esac
+
+		echo "${line}" > /proc/sys/fs/binfmt_misc/register
+		rc=$?
+		if [ $rc -ne 0 ]; then
+			printf "binfmt: invalid entry on line %d of \`%s'\n" \
+				"$LINENUM" "$FILE" >&2
+			error=1
+		fi
+	done <$FILE
+	return $rc
+}
+
+[ -e /proc/sys/fs/binfmt_misc/register ] || exit 0
+error=0
+if [ $# -gt 0 ]; then
+	while [ $# -gt 0 ]; do
+		apply_file "$1"
+		shift
+	done
+else
+	# The hardcoding of these paths is intentional; we are following the
+	# systemd spec.
+	binfmt_dirs='/usr/lib/binfmt.d/ /run/binfmt.d/ /etc/binfmt.d/'
+	binfmt_basenames=''
+	binfmt_d=''
+
+	# Build a list of sorted unique basenames
+	# directories declared later in the binfmt_d list will override earlier
+	# directories, on a per file basename basis.
+	# `/run/binfmt.d/foo.conf' supersedes `/usr/lib/binfmt.d/foo.conf'.
+	# `/run/binfmt.d/foo.conf' will always be read after `/etc/binfmt.d/bar.conf'
+	for d in ${binfmt_dirs} ; do
+		[ -d $d ] && for f in ${d}/*.conf ; do
+			case "${f##*/}" in
+				systemd.conf|systemd-*.conf) continue;;
+			esac
+			[ -e $f ] && binfmt_basenames="${binfmt_basenames}\n${f##*/}"
+		done # for f in ${d}
+	done # for d in ${binfmt_dirs}
+	binfmt_basenames="$(printf "${binfmt_basenames}\n" | sort -u )"
+
+	for b in $binfmt_basenames ; do
+		real_f=''
+		for d in $binfmt_dirs ; do
+			f=${d}/${b}
+			[ -e "${f}" ] && real_f=$f
+		done
+		[ -e "${real_f}" ] && binfmt_d="${binfmt_d} ${real_f}"
+	done
+
+	# loop through the gathered fragments, sorted globally by filename.
+	# `/run/binfmt.d/foo.conf' will always be read after `/etc/binfmt.d/bar.conf'
+	for FILE in $binfmt_d ; do
+		apply_file "$FILE"
+	done
+fi
+
+exit $error
+
+# vim: set ts=2 sw=2 sts=2 noet ft=sh:

sh/openrc-run.sh.in

@@ -1,5 +1,5 @@
 #!@SHELL@
-# Shell wrapper for runscript
+# Shell wrapper for openrc-run
 
 # Copyright (c) 2007-2009 Roy Marples <roy@marples.name>
 # Released under the 2-clause BSD license.
@@ -34,7 +34,10 @@ sourcex()
 
 sourcex "@LIBEXECDIR@/sh/functions.sh"
 sourcex "@LIBEXECDIR@/sh/rc-functions.sh"
-[ "$RC_SYS" != "PREFIX" ] && sourcex -e "@LIBEXECDIR@/sh/rc-cgroup.sh"
+case $RC_SYS in
+	PREFIX|SYSTEMD-NSPAWN) ;;
+	*) sourcex -e "@LIBEXECDIR@/sh/rc-cgroup.sh";;
+esac
 
 # Support LiveCD foo
 if sourcex -e "/sbin/livecd-functions.sh"; then
@@ -189,10 +192,6 @@ status()
 }
 
 yesno $RC_DEBUG && set -x
-if yesno "${rc_verbose:-$RC_VERBOSE}"; then
-	EINFO_VERBOSE=yes
-	export EINFO_VERBOSE
-fi
 
 _conf_d=${RC_SERVICE%/*}/../conf.d
 # If we're net.eth0 or openvpn.work then load net or openvpn config
@@ -213,6 +212,12 @@ unset _conf_d
 # Load any system overrides
 sourcex -e "@SYSCONFDIR@/rc.conf"
 
+# Set verbose mode
+if yesno "${rc_verbose:-$RC_VERBOSE}"; then
+	EINFO_VERBOSE=yes
+	export EINFO_VERBOSE
+fi
+
 for _cmd; do
 	if [ "$_cmd" != status -a "$_cmd" != describe ]; then
 		# Apply any ulimit defined

sh/rc-cgroup.sh.in

@@ -1,6 +1,7 @@
 #!@SHELL@
 # Copyright (c) 2012 Alexander Vershilov <qnikst@gentoo.org>
 # Released under the 2-clause BSD license.
+
 extra_stopped_commands="${extra_stopped_commands} cgroup_cleanup"
 description_cgroup_cleanup="Kill all processes in the cgroup"
 
@@ -47,7 +48,7 @@ cgroup_set_values()
 			$controller.*)
 				if [ -n "$name" -a -f "$cgroup/$name" -a -n "$val" ]; then
 					veinfo "$RC_SVCNAME: Setting $cgroup/$name to $val"
-					echo $val > "$cgroup/$name"
+					printf "%s" "$val" > "$cgroup/$name"
 				fi
 				name=$1
 				val=
@@ -60,12 +61,12 @@ cgroup_set_values()
 	done
 	if [ -n "$name" -a -f "$cgroup/$name" -a -n "$val" ]; then
 		veinfo "$RC_SVCNAME: Setting $cgroup/$name to $val"
-		echo $val > "$cgroup/$name"
+		printf "%s" "$val" > "$cgroup/$name"
 	fi
 
 	if [ -f "$cgroup/tasks" ]; then
 		veinfo "$RC_SVCNAME: adding to $cgroup/tasks"
-		echo 0 > "$cgroup/tasks"
+		printf "%d" 0 > "$cgroup/tasks"
 	fi
 
 	return 0
@@ -78,14 +79,14 @@ cgroup_add_service()
     # cgroups. But may lead to a problems where that inheriting
     # is needed.
 	for d in /sys/fs/cgroup/* ; do
-		[ -f "${d}"/tasks ] && echo 0 > "${d}"/tasks
+		[ -f "${d}"/tasks ] && printf "%d" 0 > "${d}"/tasks
 	done
 
 	openrc_cgroup=/sys/fs/cgroup/openrc
 	if [ -d "$openrc_cgroup" ]; then
 		cgroup="$openrc_cgroup/$RC_SVCNAME"
 		mkdir -p "$cgroup"
-		[ -f "$cgroup/tasks" ] && echo 0 > "$cgroup/tasks"
+		[ -f "$cgroup/tasks" ] && printf "%d" 0 > "$cgroup/tasks"
 	fi
 }
 

sh/rc-functions.sh.in

@@ -85,7 +85,7 @@ get_bootparam()
 	return 1
 }
 
-# Called from runscript.sh or gendepends.sh
+# Called from openrc-run.sh or gendepends.sh
 _depend() {
 	depend
 	local _rc_svcname=$(shell_var "$RC_SVCNAME") _deptype= _depends=

sh/tmpfiles.sh.in

@@ -245,7 +245,7 @@ PREFIX=
 FILE=
 fragments=
 # XXX: The harcoding of /usr/lib/ is an explicit choice by upstream
-tmpfiles_dirs='/usr/lib/tmpfiles.d/ /etc/tmpfiles.d/ /run/tmpfiles.d/'
+tmpfiles_dirs='/usr/lib/tmpfiles.d/ /run/tmpfiles.d/ /etc/tmpfiles.d/'
 tmpfiles_basenames=''
 tmpfiles_d=''
 # Build a list of sorted unique basenames

src/libeinfo/Makefile

@@ -4,7 +4,7 @@ SRCS=			libeinfo.c
 INCS=			einfo.h
 VERSION_MAP=		einfo.map
 
-CPPFLAGS+=		-I../includes
+LOCAL_CPPFLAGS+=		-I../includes
 
 MK=			../../mk
 include ${MK}/lib.mk

src/librc/Makefile

@@ -7,7 +7,7 @@ VERSION_MAP=	rc.map
 
 LDADD+=		${LIBKVM}
 
-CPPFLAGS+=	-I../includes
+LOCAL_CPPFLAGS+=	-I../includes
 
 MK=		../../mk
 include ${MK}/lib.mk

src/librc/librc-daemon.c

@@ -99,7 +99,7 @@ rc_find_pids(const char *exec, const char *const *argv, uid_t uid, pid_t pid)
 	pid_t p;
 	char buffer[PATH_MAX];
 	struct stat sb;
-	pid_t runscript_pid = 0;
+	pid_t openrc_pid = 0;
 	char *pp;
 	RC_PIDLIST *pids = NULL;
 	RC_PID *pi;
@@ -108,7 +108,7 @@ rc_find_pids(const char *exec, const char *const *argv, uid_t uid, pid_t pid)
 		return NULL;
 
 	/*
-	  We never match RC_RUNSCRIPT_PID if present so we avoid the below
+	  We never match RC_OPENRC_PID if present so we avoid the below
 	  scenario
 
 	  /etc/init.d/ntpd stop does
@@ -118,9 +118,9 @@ rc_find_pids(const char *exec, const char *const *argv, uid_t uid, pid_t pid)
 	  nasty
 	*/
 
-	if ((pp = getenv("RC_RUNSCRIPT_PID"))) {
-		if (sscanf(pp, "%d", &runscript_pid) != 1)
-			runscript_pid = 0;
+	if ((pp = getenv("RC_OPENRC_PID"))) {
+		if (sscanf(pp, "%d", &openrc_pid) != 1)
+			openrc_pid = 0;
 	}
 
 	/*
@@ -146,7 +146,7 @@ rc_find_pids(const char *exec, const char *const *argv, uid_t uid, pid_t pid)
 	while ((entry = readdir(procdir)) != NULL) {
 		if (sscanf(entry->d_name, "%d", &p) != 1)
 			continue;
-		if (runscript_pid != 0 && runscript_pid == p)
+		if (openrc_pid != 0 && openrc_pid == p)
 			continue;
 		if (pid != 0 && pid != p)
 			continue;
@@ -510,6 +510,8 @@ rc_service_daemons_crashed(const char *service)
 	RC_STRINGLIST *list = NULL;
 	RC_STRING *s;
 	size_t i;
+	char *ch_root;
+	char *spidfile;
 
 	path += snprintf(dirpath, sizeof(dirpath), RC_SVCDIR "/daemons/%s",
 	    basename_c(service));
@@ -554,8 +556,8 @@ rc_service_daemons_crashed(const char *service)
 		}
 		fclose(fp);
 
-		char *ch_root = rc_service_value_get(basename_c(service), "chroot");
-		char *spidfile = pidfile;
+		ch_root = rc_service_value_get(basename_c(service), "chroot");
+		spidfile = pidfile;
 		if (ch_root && pidfile) {
 			spidfile = xmalloc(strlen(ch_root) + strlen(pidfile) + 1);
 			strcpy(spidfile, ch_root);

src/librc/librc.c

@@ -101,7 +101,9 @@ ls_dir(const char *dir, int options)
 					continue;
 			}
 			if (options & LS_DIR) {
-				if (stat(d->d_name, &buf) == 0 &&
+				snprintf(file, sizeof(file), "%s/%s",
+				    dir, d->d_name);
+				if (stat(file, &buf) != 0 ||
 				    !S_ISDIR(buf.st_mode))
 					continue;
 			}
@@ -294,6 +296,8 @@ rc_sys_v1(void)
 		return RC_SYS_OPENVZ; /* old test */
 	else if (file_regex("/proc/1/environ", "container=lxc"))
 		return RC_SYS_LXC;
+	else if (file_regex("/proc/1/environ", "container=systemd-nspawn"))
+		return RC_SYS_SYSTEMD_NSPAWN;
 #endif
 
 	return NULL;

src/librc/rc.h.in

@@ -332,6 +332,7 @@ bool rc_service_daemons_crashed(const char *);
 #define RC_SYS_OPENVZ  "OPENVZ"
 #define RC_SYS_LXC     "LXC"
 #define RC_SYS_PREFIX  "PREFIX"
+#define RC_SYS_SYSTEMD_NSPAWN "SYSTEMD-NSPAWN"
 #define RC_SYS_UML     "UML"
 #define RC_SYS_VSERVER "VSERVER"
 #define RC_SYS_XEN0    "XEN0"

src/rc/Makefile

@@ -1,8 +1,8 @@
 PROG=		openrc
-SRCS=		checkpath.c fstabinfo.c mountinfo.c start-stop-daemon.c \
+SRCS=		checkpath.c fstabinfo.c mountinfo.c openrc-run.c \
 		rc-applets.c rc-depend.c rc-logger.c \
 		rc-misc.c rc-plugin.c rc-service.c rc-status.c rc-update.c \
-		runscript.c rc.c swclock.c
+		rc.c start-stop-daemon.c swclock.c
 
 ifeq (${MKSELINUX},yes)
 SRCS+=		rc-selinux.c
@@ -35,14 +35,14 @@ RC_SBINLINKS=	mark_service_starting mark_service_started \
 ALL_LINKS=	${BINLINKS} ${SBINLINKS} ${RC_BINLINKS} ${RC_SBINLINKS}
 CLEANFILES+=	${ALL_LINKS}
 
-CPPFLAGS+=	-I../includes -I../librc -I../libeinfo
-LDFLAGS+=	-L../librc -L../libeinfo
+LOCAL_CPPFLAGS=-I../includes -I../librc -I../libeinfo
+LOCAL_LDFLAGS=-L../librc -L../libeinfo
 LDADD+=		-lutil -lrc -leinfo
 
 include ../../Makefile.inc
 MK=		../../mk
 include ${MK}/prog.mk
-include ${MK}/git.mk
+include ${MK}/gitver.mk
 include ${MK}/cc.mk
 
 include ${MK}/termcap.mk

src/rc/checkpath.c

@@ -45,10 +45,7 @@
 #include "builtins.h"
 #include "einfo.h"
 #include "rc-misc.h"
-
-#ifdef HAVE_SELINUX
 #include "rc-selinux.h"
-#endif
 
 typedef enum {
 	inode_unknown = 0,
@@ -68,7 +65,7 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
 	int u;
 
 	memset(&st, 0, sizeof(st));
-	if (stat(path, &st) || trunc) {
+	if (lstat(path, &st) || trunc) {
 		if (type == inode_file) {
 			einfo("%s: creating file", path);
 			if (!mode) /* 664 */
@@ -133,6 +130,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
 	}
 
 	if (mode && (st.st_mode & 0777) != mode) {
+		if ((type != inode_dir) && (st.st_nlink > 1)) {
+			eerror("%s: chmod: %s %s", applet, "Too many hard links to", path);
+			return -1;
+		}
+		if (S_ISLNK(st.st_mode)) {
+			eerror("%s: chmod: %s %s", applet, path, " is a symbolic link");
+			return -1;
+		}
 		einfo("%s: correcting mode", path);
 		if (chmod(path, mode)) {
 			eerror("%s: chmod: %s", applet, strerror(errno));
@@ -141,6 +146,14 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
 	}
 
 	if (chowner && (st.st_uid != uid || st.st_gid != gid)) {
+		if ((type != inode_dir) && (st.st_nlink > 1)) {
+			eerror("%s: chown: %s %s", applet, "Too many hard links to", path);
+			return -1;
+		}
+		if (S_ISLNK(st.st_mode)) {
+			eerror("%s: chown: %s %s", applet, path, " is a symbolic link");
+			return -1;
+		}
 		einfo("%s: correcting owner", path);
 		if (chown(path, uid, gid)) {
 			eerror("%s: chown: %s", applet, strerror(errno));
@@ -148,10 +161,8 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
 		}
 	}
 
-#ifdef HAVE_SELINUX
 	if (selinux_on)
 		selinux_util_label(path);
-#endif
 
 	return 0;
 }
@@ -280,10 +291,8 @@ int checkpath(int argc, char **argv)
 	if (gr)
 		gid = gr->gr_gid;
 
-#ifdef HAVE_SELINUX
 	if (selinux_util_open() == 1)
 		selinux_on = true;
-#endif
 
 	while (optind < argc) {
 		if (writable)
@@ -293,10 +302,8 @@ int checkpath(int argc, char **argv)
 		optind++;
 	}
 
-#ifdef HAVE_SELINUX
 	if (selinux_on)
 		selinux_util_close();
-#endif
 
 	return retval;
 }

src/rc/openrc-run.c

@@ -1,5 +1,5 @@
 /*
- * runscript.c
+ * openrc-run.c
  * Handle launching of init scripts.
  */
 
@@ -66,10 +66,7 @@
 #include "rc.h"
 #include "rc-misc.h"
 #include "rc-plugin.h"
-
-#ifdef HAVE_SELINUX
 #include "rc-selinux.h"
-#endif
 
 #define PREFIX_LOCK	RC_SVCDIR "/prefix.lock"
 
@@ -373,18 +370,18 @@ svc_exec(const char *arg1, const char *arg2)
 			dup2(slave_tty, STDERR_FILENO);
 		}
 
-		if (exists(RC_SVCDIR "/runscript.sh")) {
-			execl(RC_SVCDIR "/runscript.sh",
-			    RC_SVCDIR "/runscript.sh",
+		if (exists(RC_SVCDIR "/openrc-run.sh")) {
+			execl(RC_SVCDIR "/openrc-run.sh",
+			    RC_SVCDIR "/openrc-run.sh",
 			    service, arg1, arg2, (char *) NULL);
-			eerror("%s: exec `" RC_SVCDIR "/runscript.sh': %s",
+			eerror("%s: exec `" RC_SVCDIR "/openrc-run.sh': %s",
 			    service, strerror(errno));
 			_exit(EXIT_FAILURE);
 		} else {
-			execl(RC_LIBEXECDIR "/sh/runscript.sh",
-			    RC_LIBEXECDIR "/sh/runscript.sh",
+			execl(RC_LIBEXECDIR "/sh/openrc-run.sh",
+			    RC_LIBEXECDIR "/sh/openrc-run.sh",
 			    service, arg1, arg2, (char *) NULL);
-			eerror("%s: exec `" RC_LIBEXECDIR "/sh/runscript.sh': %s",
+			eerror("%s: exec `" RC_LIBEXECDIR "/sh/openrc-run.sh': %s",
 			    service, strerror(errno));
 			_exit(EXIT_FAILURE);
 		}
@@ -1165,6 +1162,11 @@ openrc_run(int argc, char **argv)
 	   subshells the init script may create so that our mark_service_*
 	   functions can always instruct us of this change */
 	snprintf(pidstr, sizeof(pidstr), "%d", (int) getpid());
+	setenv("RC_OPENRC_PID", pidstr, 1);
+	/*
+	 * RC_RUNSCRIPT_PID is deprecated, but we will keep it for a while
+	 * for safety.
+	 */
 	setenv("RC_RUNSCRIPT_PID", pidstr, 1);
 
 	/* eprefix is kinda klunky, but it works for our purposes */
@@ -1191,10 +1193,8 @@ openrc_run(int argc, char **argv)
 		eprefix(prefix);
 	}
 
-#ifdef HAVE_SELINUX
 	/* Ok, we are ready to go, so setup selinux if applicable */
-	selinux_setup(argc, argv);
-#endif
+	selinux_setup(argv);
 
 	deps = true;
 

src/rc/rc-applets.c

@@ -329,7 +329,7 @@ do_mark_service(int argc, char **argv)
 	bool ok = false;
 	char *svcname = getenv("RC_SVCNAME");
 	char *service = NULL;
-	char *runscript_pid;
+	char *openrc_pid;
 	/* char *mtime; */
 	pid_t pid;
 	RC_SERVICE bit;
@@ -350,7 +350,7 @@ do_mark_service(int argc, char **argv)
 		eerrorx("%s: unknown applet", applet);
 
 	/* If we're marking ourselves then we need to inform our parent
-	   runscript process so they do not mark us based on our exit code */
+	   openrc-run process so they do not mark us based on our exit code */
 	/*
 	 * FIXME: svcname and service are almost always equal except called from a
 	 * shell with just argv[1] - So that doesn't seem to do what Roy initially
@@ -359,8 +359,8 @@ do_mark_service(int argc, char **argv)
 	 * openrc@gentoo.org).
 	 */
 	if (ok && svcname && strcmp(svcname, service) == 0) {
-		runscript_pid = getenv("RC_RUNSCRIPT_PID");
-		if (runscript_pid && sscanf(runscript_pid, "%d", &pid) == 1)
+		openrc_pid = getenv("RC_OPENRC_PID");
+		if (openrc_pid && sscanf(openrc_pid, "%d", &pid) == 1)
 			if (kill(pid, SIGHUP) != 0)
 				eerror("%s: failed to signal parent %d: %s",
 				    applet, pid, strerror(errno));
@@ -369,10 +369,10 @@ do_mark_service(int argc, char **argv)
 		   in control as well */
 		/*
 		l = strlen(RC_SVCDIR "/exclusive") + strlen(svcname) +
-		    strlen(runscript_pid) + 4;
+		    strlen(openrc_pid) + 4;
 		mtime = xmalloc(l);
 		snprintf(mtime, l, RC_SVCDIR "/exclusive/%s.%s",
-		    svcname, runscript_pid);
+		    svcname, openrc_pid);
 		if (exists(mtime) && unlink(mtime) != 0)
 			eerror("%s: unlink: %s", applet, strerror(errno));
 		free(mtime);

src/rc/rc-selinux.c

@@ -1,7 +1,7 @@
 /*
-  rc-selinux.c
-  SELinux helpers to get and set contexts.
-*/
+ * rc-selinux.c
+ * SELinux helpers to get and set contexts.
+ */
 
 /*
  * Copyright (c) 2014 Jason Zaman <jason@perfinion.com>
@@ -31,11 +31,18 @@
 #include <stddef.h>
 #include <errno.h>
 #include <dlfcn.h>
-
-#include <sys/stat.h>
+#include <ctype.h>
+#include <limits.h>
+#include <pwd.h>
+#include <unistd.h>
 
 #include <selinux/selinux.h>
 #include <selinux/label.h>
+#include <selinux/get_default_type.h>
+#include <selinux/context.h>
+
+#include <sys/stat.h>
+#include <sys/types.h>
 
 #include "einfo.h"
 #include "queue.h"
@@ -44,11 +51,28 @@
 #include "rc-plugin.h"
 #include "rc-selinux.h"
 
-#define SELINUX_LIB     RC_LIBDIR "/runscript_selinux.so"
+/* the context files for selinux */
+#define RUN_INIT_FILE "run_init_type"
+#define INITRC_FILE "initrc_context"
 
-static void (*selinux_run_init_old) (void);
-static void (*selinux_run_init_new) (int argc, char **argv);
+#ifdef HAVE_AUDIT
+#include <libaudit.h>
+#endif
 
+/* PAM or shadow for authentication */
+#ifdef HAVE_PAM
+#    define PAM_SERVICE_NAME "run_init" /* the name of this program for PAM */
+#    include <security/pam_appl.h>
+#    include <security/pam_misc.h>
+#else
+#    define PASSWORD_PROMPT "Password:"
+#    include <crypt.h>
+#    include <shadow.h>
+#    include <string.h>
+#endif
+
+
+/* The handle for the fcontext lookups */
 static struct selabel_handle *hnd = NULL;
 
 int selinux_util_label(const char *path)
@@ -133,33 +157,243 @@ int selinux_util_close(void)
 	return 0;
 }
 
-void selinux_setup(int argc, char **argv)
+/*
+ * This will check the users password and return 0 on success or -1 on fail
+ *
+ * We ask for the password to make sure it is intended vs run by malicious software.
+ * Actual authorization is covered by the policy itself.
+ */
+static int check_password(char *username)
 {
-	void *lib_handle = NULL;
+	int ret = 1;
+#ifdef HAVE_PAM
+	pam_handle_t *pamh;
+	int pam_err = 0;
+	const struct pam_conv pconv = {
+		misc_conv,
+		NULL
+	};
 
-	if (!exists(SELINUX_LIB))
-		return;
+	pam_err = pam_start(PAM_SERVICE_NAME, username, &pconv, &pamh);
+	if (pam_err != PAM_SUCCESS) {
+		ret = -1;
+		goto outpam;
+	}
 
-	lib_handle = dlopen(SELINUX_LIB, RTLD_NOW | RTLD_GLOBAL);
-	if (!lib_handle) {
-		eerror("dlopen: %s", dlerror());
+	pam_err = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK);
+	if (pam_err != PAM_SUCCESS) {
+		ret = -1;
+		goto outpam;
+	}
+
+	ret = 0;
+outpam:
+	pam_end(pamh, pam_err);
+	pamh = NULL;
+
+#else /* authenticating via /etc/shadow instead */
+	struct spwd *spw;
+	char *password;
+	char *attempt;
+
+	spw = getspnam(username);
+	if (!spw) {
+		eerror("Failed to read shadow entry");
+		ret = -1;
+		goto outshadow;
+	}
+
+	attempt = getpass(PASSWORD_PROMPT);
+	if (!attempt) {
+		ret = -1;
+		goto outshadow;
+	}
+
+	if (*spw->sp_pwdp == '\0' && *attempt == '\0') {
+		ret = -1;
+		goto outshadow;
+	}
+
+	/* salt must be at least two characters long */
+	if (!(spw->sp_pwdp[0] && spw->sp_pwdp[1])) {
+		ret = -1;
+		goto outshadow;
+	}
+
+	/* encrypt the password attempt */
+	password = crypt(attempt, spw->sp_pwdp);
+
+	if (password && strcmp(password, spw->sp_pwdp) == 0)
+		ret = 0;
+	else
+		ret = -1;
+outshadow:
+#endif
+	return ret;
+}
+
+/* Authenticates the user, returns 0 on success, 1 on fail */
+static int check_auth()
+{
+	struct passwd *pw;
+	uid_t uid;
+
+#ifdef HAVE_AUDIT
+	uid = audit_getloginuid();
+	if (uid == (uid_t) -1)
+		uid = getuid();
+#else
+	uid = getuid();
+#endif
+
+	pw = getpwuid(uid);
+	if (!pw) {
+		eerror("cannot find your entry in the passwd file.");
+		return (-1);
+	}
+
+	printf("Authenticating %s.\n", pw->pw_name);
+
+	/* do the actual check */
+	if (check_password(pw->pw_name) == 0) {
+		return 0;
+	}
+
+	eerrorx("Authentication failed for %s", pw->pw_name);
+	return 1;
+}
+
+/*
+ * Read the context from the given context file. context must be free'd by the user.
+ */
+static int read_context_file(const char *filename, char **context)
+{
+	int ret = -1;
+	FILE *fp;
+	char filepath[PATH_MAX];
+	char *line = NULL;
+	char *p;
+	char *p2;
+	size_t len = 0;
+	ssize_t read;
+
+	memset(filepath, '\0', PATH_MAX);
+	snprintf(filepath, PATH_MAX - 1, "%s/%s", selinux_contexts_path(), filename);
+
+	fp = fopen(filepath, "r");
+	if (fp == NULL) {
+		eerror("Failed to open context file: %s", filename);
+		return -1;
+	}
+
+	while ((read = getline(&line, &len, fp)) != -1) {
+		/* cut off spaces before the string */
+		p = line;
+		while (isspace(*p) && *p != '\0')
+			p++;
+
+		/* empty string, skip */
+		if (*p == '\0')
+			continue;
+
+		/* cut off spaces after the string */
+		p2 = p;
+		while (!isspace(*p2) && *p2 != '\0')
+			p2++;
+		*p2 = '\0';
+
+		*context = xstrdup(p);
+		ret = 0;
+		break;
+	}
+
+	free(line);
+	fclose(fp);
+	return ret;
+}
+
+void selinux_setup(char **argv)
+{
+	char *new_context = NULL;
+	char *curr_context = NULL;
+	context_t curr_con;
+	char *curr_t = NULL;
+	char *run_init_t = NULL;
+
+	/* Return, if selinux is disabled. */
+	if (is_selinux_enabled() < 1) {
 		return;
 	}
 
-	selinux_run_init_old = (void (*)(void))
-	    dlfunc(lib_handle, "selinux_runscript");
-	selinux_run_init_new = (void (*)(int, char **))
-	    dlfunc(lib_handle, "selinux_runscript2");
+	if (read_context_file(RUN_INIT_FILE, &run_init_t) != 0) {
+		/* assume a reasonable default, rather than bailing out */
+		run_init_t = xstrdup("run_init_t");
+		ewarn("Assuming SELinux run_init type is %s", run_init_t);
+	}
 
-	/* Use new run_init if it exists, else fall back to old */
-	if (selinux_run_init_new)
-		selinux_run_init_new(argc, argv);
-	else if (selinux_run_init_old)
-		selinux_run_init_old();
-	else
-		/* This shouldnt happen... probably corrupt lib */
-		eerrorx
-		    ("run_init is missing from runscript_selinux.so!");
+	/* Get our current context. */
+	if (getcon(&curr_context) < 0) {
+		if (errno == ENOENT) {
+			/* should only hit this if proc is not mounted.  this
+			 * happens on Gentoo right after init starts, when
+			 * the init script processing starts.
+			 */
+			goto out;
+		} else {
+			perror("getcon");
+			exit(1);
+		}
+	}
 
-	dlclose(lib_handle);
+	/* extract the type from the context */
+	curr_con = context_new(curr_context);
+	curr_t = xstrdup(context_type_get(curr_con));
+	/* dont need them anymore so free() now */
+	context_free(curr_con);
+	free(curr_context);
+
+	/* if we are not in the run_init domain, we should not do anything */
+	if (strncmp(run_init_t, curr_t, strlen(run_init_t)) != 0) {
+		goto out;
+	}
+
+	free(curr_t);
+	free(run_init_t);
+
+	if (check_auth() != 0) {
+		eerrorx("Authentication failed.");
+	}
+
+	/* Get the context for the script to be run in. */
+	if (read_context_file(INITRC_FILE, &new_context) != 0) {
+		/* assume a reasonable default, rather than bailing out */
+		new_context = xstrdup("system_u:system_r:initrc_t");
+		ewarn("Assuming SELinux initrc context is %s", new_context);
+	}
+
+	/* Set the new context */
+	if (setexeccon(new_context) < 0) {
+		eerrorx("Could not set SELinux exec context to %s.", new_context);
+	}
+
+	free(new_context);
+
+	/*
+	 * exec will recycle ptys so try and use open_init_pty if it exists
+	 * which will open the pty with initrc_devpts_t, if it doesnt exist,
+	 * fall back to plain exec
+	 */
+	if (access("/usr/sbin/open_init_pty", X_OK)) {
+		if (execvp("/usr/sbin/open_init_pty", argv)) {
+			perror("execvp");
+			exit(-1);
+		}
+	} else if (execvp(argv[1], argv + 1)) {
+		perror("execvp");
+		exit(-1);
+	}
+
+out:
+	free(run_init_t);
+	free(curr_t);
 }

src/rc/rc-selinux.h

@@ -26,10 +26,24 @@
 #ifndef RC_SELINUX_UTIL_H
 #define RC_SELINUX_UTIL_H
 
+#ifdef HAVE_SELINUX
+
 int selinux_util_open(void);
 int selinux_util_label(const char *path);
 int selinux_util_close(void);
 
-void selinux_setup(int argc, char **argv);
+void selinux_setup(char **argv);
+
+#else
+
+/* always return false for selinux_util_open() */
+#define selinux_util_open() (0)
+#define selinux_util_label(x) do { } while(0)
+#define selinux_util_close() do { } while(0)
+
+#define selinux_setup(x) do { } while(0)
+
+#endif
+
 
 #endif

src/rc/rc.c

@@ -519,7 +519,7 @@ runlevel_config(const char *service, const char *level)
 }
 
 static void
-do_stop_services(const RC_STRINGLIST *types_n, const RC_STRINGLIST *start_services,
+do_stop_services(RC_STRINGLIST *types_n, RC_STRINGLIST *start_services,
 				 const RC_STRINGLIST *stop_services, const RC_DEPTREE *deptree,
 				 const char *newlevel, bool parallel, bool going_down)
 {

src/rc/start-stop-daemon.c

@@ -678,6 +678,7 @@ start_stop_daemon(int argc, char **argv)
 	int tid = 0;
 	char *redirect_stderr = NULL;
 	char *redirect_stdout = NULL;
+	int stdin_fd;
 	int stdout_fd;
 	int stderr_fd;
 	pid_t pid, spid;
@@ -919,10 +920,13 @@ start_stop_daemon(int argc, char **argv)
 			exec = name;
 		if (name && start)
 			*argv = name;
-	} else if (name)
+	} else if (name) {
 		*--argv = name;
-	else if (exec)
+		++argc;
+    } else if (exec) {
 		*--argv = exec;
+		++argc;
+	};
 
 	if (stop || sig != -1) {
 		if (sig == -1)
@@ -1075,7 +1079,7 @@ start_stop_daemon(int argc, char **argv)
 			exit (EXIT_SUCCESS);
 
 		einfon("Would start");
-		while (argc-- >= 0)
+		while (argc-- > 0)
 			printf(" %s", *argv++);
 		printf("\n");
 		eindent();
@@ -1244,6 +1248,7 @@ start_stop_daemon(int argc, char **argv)
 			setenv("PATH", newpath, 1);
 		}
 
+		stdin_fd = devnull_fd;
 		stdout_fd = devnull_fd;
 		stderr_fd = devnull_fd;
 		if (redirect_stdout) {
@@ -1263,7 +1268,8 @@ start_stop_daemon(int argc, char **argv)
 				    applet, redirect_stderr, strerror(errno));
 		}
 
-		/* We don't redirect stdin as some daemons may need it */
+		if (background)
+			dup2(stdin_fd, STDIN_FILENO);
 		if (background || redirect_stdout || rc_yesno(getenv("EINFO_QUIET")))
 			dup2(stdout_fd, STDOUT_FILENO);
 		if (background || redirect_stderr || rc_yesno(getenv("EINFO_QUIET")))