daemon: Bind-mount /sys/fs/selinux into sysroot when running commands.

Even though we are already bind-mounting /sys, it is necessary to also
bind-mount /sys/fs/selinux in order for SELinux commands (in
particular, 'load_policy') to work.

This fixes/reverts commit 7367729ec7.

daemon/command.c

@@ -48,7 +48,8 @@ struct bind_state {
   char *sysroot_dev_pts;
   char *sysroot_proc;
   char *sysroot_sys;
-  bool dev_ok, dev_pts_ok, proc_ok, sys_ok;
+  char *sysroot_sys_fs_selinux;
+  bool dev_ok, dev_pts_ok, proc_ok, sys_ok, sys_fs_selinux_ok;
 };
 
 struct resolver_state {
@@ -76,14 +77,17 @@ bind_mount (struct bind_state *bs)
   bs->sysroot_dev_pts = sysroot_path ("/dev/pts");
   bs->sysroot_proc = sysroot_path ("/proc");
   bs->sysroot_sys = sysroot_path ("/sys");
+  bs->sysroot_sys_fs_selinux = sysroot_path ("/sys/fs/selinux");
 
   if (bs->sysroot_dev == NULL || bs->sysroot_dev_pts == NULL ||
-      bs->sysroot_proc == NULL || bs->sysroot_sys == NULL) {
+      bs->sysroot_proc == NULL || bs->sysroot_sys == NULL ||
+      bs->sysroot_sys_fs_selinux == NULL) {
     reply_with_perror ("malloc");
     free (bs->sysroot_dev);
     free (bs->sysroot_dev_pts);
     free (bs->sysroot_proc);
     free (bs->sysroot_sys);
+    free (bs->sysroot_sys_fs_selinux);
     return -1;
   }
 
@@ -95,6 +99,8 @@ bind_mount (struct bind_state *bs)
   bs->proc_ok = r != -1;
   r = command (NULL, NULL, str_mount, "--bind", "/sys", bs->sysroot_sys, NULL);
   bs->sys_ok = r != -1;
+  r = command (NULL, NULL, str_mount, "--bind", "/sys/fs/selinux", bs->sysroot_sys_fs_selinux, NULL);
+  bs->sys_fs_selinux_ok = r != -1;
 
   bs->mounted = true;
 
@@ -111,6 +117,8 @@ static void
 free_bind_state (struct bind_state *bs)
 {
   if (bs->mounted) {
+    if (bs->sys_fs_selinux_ok) umount_ignore_fail (bs->sysroot_sys_fs_selinux);
+    free (bs->sysroot_sys_fs_selinux);
     if (bs->sys_ok) umount_ignore_fail (bs->sysroot_sys);
     free (bs->sysroot_sys);
     if (bs->proc_ok) umount_ignore_fail (bs->sysroot_proc);