--- cfengine-2.1.22/Makefile.in.selinux	2007-02-25 07:28:27.000000000 -0800
+++ cfengine-2.1.22/Makefile.in	2007-02-25 07:29:43.000000000 -0800
@@ -128,6 +128,7 @@
 LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
 LIBOBJS = @LIBOBJS@
 LIBS = @LIBS@
+LIB_SELINUX = @LIB_SELINUX@
 LTLIBOBJS = @LTLIBOBJS@
 MAKEINFO = @MAKEINFO@
 NEED_SETGID = @NEED_SETGID@
--- cfengine-2.1.22/configure.ac.selinux	2007-02-25 06:58:36.000000000 -0800
+++ cfengine-2.1.22/configure.ac	2007-02-25 07:45:46.000000000 -0800
@@ -537,6 +537,18 @@
 
 
 dnl ######################################################################
+dnl Give the chance to enable SELINUX
+dnl ######################################################################
+dnl 
+AC_ARG_ENABLE(selinux, dnl 
+               [  --enable-selinux              Enable use of the SELINUX libraries],
+               [AC_DEFINE(WITH_SELINUX, 1, [Define if you want to use SELINUX])
+               LIB_SELINUX="-lselinux"
+               LIBS="$LIBS $LIB_SELINUX"
+               AC_SUBST(LIB_SELINUX)])
+
+
+dnl ######################################################################
 dnl OS specific stuff
 dnl ######################################################################

--- cfengine-2.1.22/src/cf.defs.h.selinux	2007-02-25 12:03:59.000000000 -0800
+++ cfengine-2.1.22/src/cf.defs.h	2007-02-25 12:04:24.000000000 -0800
@@ -267,6 +267,9 @@
 # include <sched.h>
 #endif
 
+#ifdef WITH_SELINUX
+# include <selinux/selinux.h> 
+#endif
 
 /*******************************************************************/
 /* Various defines                                                 */
--- cfengine-2.1.22/src/item-file.c.selinux	2007-02-25 06:40:04.000000000 -0800
+++ cfengine-2.1.22/src/item-file.c	2007-02-25 12:11:39.000000000 -0800
@@ -107,6 +107,17 @@
   char stamp[CF_BUFSIZE]; 
   time_t STAMPNOW;
   STAMPNOW = time((time_t *)NULL);
+#ifdef WITH_SELINUX
+  int selinux_enabled=0;
+  security_context_t scontext=NULL;
+
+  selinux_enabled = (is_selinux_enabled()>0);
+  if(selinux_enabled)
+      {
+      /* get current security context */
+      getfilecon(file, &scontext);
+      }
+#endif
 
 if (stat(file,&statbuf) == -1)
    {
@@ -185,6 +196,13 @@
 chmod(file,statbuf.st_mode);                    /* Restore file permissions etc */
 chown(file,statbuf.st_uid,statbuf.st_gid);
 umask(mask); 
+#ifdef WITH_SELINUX
+if(selinux_enabled)
+    {
+    /* restore file context */
+    setfilecon(file,scontext);
+    }
+#endif
 return true;
 }
 
--- cfengine-2.1.22/src/image.c.selinux	2007-03-04 16:31:57.000000000 -0400
+++ cfengine-2.1.22/src/image.c	2007-03-18 09:31:48.000000000 -0400
@@ -1122,6 +1122,14 @@
 rsrcfork=0;
 #endif
 
+#ifdef WITH_SELINUX
+int selinux_enabled=0;
+/* need to keep track of security context of destination file (if any) */
+security_context_t scontext=NULL;
+struct stat cur_dest;
+int dest_exists;
+selinux_enabled = (is_selinux_enabled()>0);
+#endif
 
 Debug2("CopyReg(%s,%s)\n",source,dest);
 
@@ -1131,6 +1139,24 @@
    return false;
    }
 
+#ifdef WITH_SELINUX
+if(selinux_enabled)
+    {
+    dest_exists = stat(dest,&cur_dest);
+    if(dest_exists == 0)
+        {
+        /* get current security context of destination file */
+        getfilecon(dest,&scontext);
+        }
+    else
+        {
+        /* use default security context when creating destination file */
+        matchpathcon(dest,0,&scontext);
+        setfscreatecon(scontext);
+        }
+    }
+#endif
+
  /* Make an assoc array of inodes used to preserve hard links */
 
 linkable = CompressedArrayValue(ip->inode_cache,sstat.st_ino);
@@ -1438,7 +1464,24 @@
     utime(dest,&timebuf);
 #endif
     }
- 
+
+#ifdef WITH_SELINUX
+if(selinux_enabled)
+    {
+    if(dest_exists == 0)
+        {
+        /* set dest context to whatever it was before copy */
+        setfilecon(dest,scontext);
+        }
+    else
+        {
+        /* set create context back to default */
+        setfscreatecon(NULL);
+        }
+    freecon(scontext);
+    }
+#endif
+
  return true;
 }