changeset 11792:3f075467f0f5
selinux-at: remove redundant m4 code, add documentation
* modules/selinux-at (configure.ac): Remove redundant code.
LIB_SELINUX is already set via the dependent module, selinux-h.
(Include): Add quotes around selinux-at.h.
* lib/selinux-at.h: Add documentation.
Reported by Bruno Haible in
http://marc.info/?l=gnulib-bug&m=124958988300749
author | Jim Meyering <meyering@redhat.com> |
---|---|
date | Fri, 07 Aug 2009 10:57:17 +0200 |
parents | 20dfb1cf7571 |
children | d4b2d7a95227 |
files | ChangeLog lib/selinux-at.h modules/selinux-at |
diffstat | 3 files changed, 44 insertions(+), 12 deletions(-) |
--- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2009-08-07 Jim Meyering <meyering@redhat.com> + + selinux-at: remove redundant m4 code, add documentation + * modules/selinux-at (configure.ac): Remove redundant code. + LIB_SELINUX is already set via the dependent module, selinux-h. + (Include): Add quotes around selinux-at.h. + * lib/selinux-at.h: Add documentation. + Reported by Bruno Haible in + http://marc.info/?l=gnulib-bug&m=124958988300749 + 2009-08-07 Bruno Haible <bruno@clisp.org> Avoid link error on MacOS X 10.3 and 10.4.
--- a/lib/selinux-at.h +++ b/lib/selinux-at.h 
@@ -17,7 +17,36 @@ #include <selinux/selinux.h> #include <selinux/context.h> -int getfileconat (int fd, char const *file, security_context_t *con); -int lgetfileconat (int fd, char const *file, security_context_t *con); -int setfileconat (int fd, char const *file, security_context_t con); -int lsetfileconat (int fd, char const *file, security_context_t con); +/* These are the dir-fd-relative variants of the functions without the + "at" suffix. For example, getfileconat (AT_FDCWD, file, &c) is usually + equivalent to getfileconat (file, &c). The emulation is accomplished + by first attempting getfilecon ("/proc/self/fd/DIRFD/FILE", &c). + Failing that, simulate it via save_cwd/fchdir/getfilecon/restore_cwd. + If either the save_cwd or the restore_cwd fails (relatively unlikely), + then give a diagnostic and exit nonzero. */ + +/* dir-fd-relative getfilecon. Set *CON to the SELinux security context + of the file specified by DIRFD and FILE and return the length of *CON. + DIRFD and FILE are interpreted as for fstatat[*]. A non-NULL *CON + must be freed with freecon. Upon error, set *CON to NULL, set errno + and return -1. + [*] with flags=0 here, with flags=AT_SYMLINK_NOFOLLOW for lgetfileconat */ +int getfileconat (int dirfd, char const *file, security_context_t *con); + +/* dir-fd-relative lgetfilecon. This function is just like getfileconat, + except when DIRFD and FILE specify a symlink: lgetfileconat operates on + the symlink, while getfileconat operates on the referent of the symlink. */ +int lgetfileconat (int dirfd, char const *file, security_context_t *con); + +/* dir-fd-relative setfilecon. Set the SELinux security context of + the file specified by DIRFD and FILE to CON. DIRFD and FILE are + interpreted as for fstatat[*]. Upon success, return 0. + Otherwise, return -1 and set errno. */ +int setfileconat (int dirfd, char const *file, security_context_t con); + +/* dir-fd-relative lsetfilecon. 
This function is just like setfileconat, + except that rather than dereferencing a symlink, this function affects it. */ +/* dir-fd-relative lsetfilecon. This function is just like setfileconat, + except when DIRFD and FILE specify a symlink: lsetfileconat operates on + the symlink, while setfileconat operates on the referent of the symlink. */ +int lsetfileconat (int dirfd, char const *file, security_context_t con);
--- a/modules/selinux-at +++ b/modules/selinux-at @@ -12,18 +12,11 @@ configure.ac: AC_CHECK_HEADERS([selinux/flask.h]) AC_LIBOBJ([selinux-at]) -gl_save_LIBS=$LIBS - LIB_SELINUX= - AC_SEARCH_LIBS([setfilecon], [selinux], - [test "$ac_cv_search_setfilecon" = "none required" || - LIB_SELINUX=$ac_cv_search_setfilecon]) - AC_SUBST(LIB_SELINUX) -LIBS=$gl_save_LIBS Makefile.am: Include: -selinux-at.h +"selinux-at.h" License: GPL
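Review bot: in lib/selinux-at.h, the overview comment's example names the same function on both sides ("getfileconat (AT_FDCWD, file, &c) is usually equivalent to getfileconat (file, &c)"); the right-hand side should be the variant without the "at" suffix, getfilecon (file, &c), since a two-argument call does not match the getfileconat prototype declared just below. The same hunk adds two comments above lsetfileconat, one ending "this function affects it" and one beginning "except when DIRFD and FILE specify a symlink"; keep only the second, which mirrors the lgetfileconat wording. The "[*]" marker in the setfileconat comment has no footnote of its own, so either repeat the flags note there or refer back to the getfileconat comment. The overview also says a save_cwd or restore_cwd failure makes the function "give a diagnostic and exit nonzero", while the per-function comments describe only the -1/errno path; a short cross-reference in each would tell callers that these functions can terminate the process.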
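Review bot: in modules/selinux-at, the configure.ac section no longer sets or AC_SUBSTs LIB_SELINUX, so linking this module now relies entirely on selinux-h continuing to do both, and nothing in the remaining lines records that. The hunk shows neither the Depends-on list nor a Link: section, so please confirm selinux-h is listed as a dependency and consider adding a Link: entry with $(LIB_SELINUX), or a one-line comment next to AC_LIBOBJ([selinux-at]), stating where the variable comes from. Without that, a later change to selinux-h would surface only as an undefined reference to setfilecon at link time in packages using this module.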