Renaud Métrich authored
New option to --secontext=... (also available as -e secontext=...)

- mismatch: print expected context on mismatch

When using 'mismatch', an additional check is made on the context by
reading the context database and comparing the output after stripping
the unwanted part (e.g. stripping nothing in 'full' mode, keeping the
type only in default mode):
- if it differs, prints the expected context after printing '!!'
- if not, don't print anything

Example with /home/rmetrich/GIT/strace/autom4te.cache/output.3 file:
----
$ matchpathcon /home/rmetrich/GIT/strace/autom4te.cache/output.3
/home/rmetrich/GIT/strace/autom4te.cache/output.3	unconfined_u:object_r:user_home_t:s0
$ ls -Z /home/rmetrich/GIT/strace/autom4te.cache/output.3
system_u:object_r:user_home_t:s0 /home/rmetrich/GIT/strace/autom4te.cache/output.3
----
From above, we see the user part differs ('unconfined_u' vs 'system_u')

Output in '!full' mode (no diff found on type):
----
$ strace --secontext=mismatch -e statx stat /home/rmetrich/GIT/strace/autom4te.cache/output.3
...
statx(AT_FDCWD, "/home/rmetrich/GIT/strace/autom4te.cache/output.3" [user_home_t], ...
----
Output in 'full' mode (diff found on user):
----
...
statx(AT_FDCWD, "/home/rmetrich/GIT/strace/autom4te.cache/output.3" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...
----

* NEWS: Mention this change.
* doc/strace.1.in: Document it.
* m4/st_selinux.m4 (st_SELINUX): Check for selabel_open and selabel_lookup.
* src/filter_qualify.c [ENABLE_SECONTEXT]: Include "secontext.h".
[ENABLE_SECONTEXT] (secontext_set): New variable.
[ENABLE_SECONTEXT] (secontextstr_to_uint, qualify_secontext): New functions.
(qual_options) [ENABLE_SECONTEXT]: Add "secontext".
* src/secontext.c: Include <sys/stat.h>, <unistd.h>, <selinux/label.h>,
"largefile_wrappers.h", "number_set.h", and "xmalloc.h".
(selinux_context, selinux_context_full): Remove.
(getcontext): Use is_number_in_set instead of selinux_context_full.
(selinux_getpidcon): Use is_number_in_set instead of selinux_context.
(get_expected_filecontext): New function.
(selinux_getfdcon, selinux_getfilecon): Use it to print context mismatch
if SECONTEXT_MISMATCH is set in secontext_set.
* src/secontext.h (selinux_context, selinux_context_full): Remove.
(secontext_bits): New enum.
(secontext_set, qualify_secontext, selinux_set_format): New declarations.
* src/strace.c (SECONTEXT_E_QUAL): New macro.
(usage): Use it, describe --secontext.
(init) [ENABLE_SECONTEXT]: Call qualify_secontext, rename GETOPT_SECONTEXT
to GETOPT_QUAL_SECONTEXT, use is_number_in_set instead of selinux_context.
(init) [ENABLE_SECONTEXT] (secontext_qual): New variable.
(init) [ENABLE_SECONTEXT] <GETOPT_QUAL_SECONTEXT>: Use it.
* tests/.gitignore: Add *--secontext_full_mismatch,
*--secontext_full_mismatch.c, *--secontext_mismatch,
and *--secontext_mismatch.c.
* tests/gen_secontext.sh: Generate *--secontext_full_mismatch.c
and *--secontext_mismatch.c.
* tests/gen_tests.in (access--secontext_full_mismatch,
access--secontext_mismatch, chmod--secontext_full_mismatch,
chmod--secontext_mismatch, execve--secontext_full_mismatch,
execve--secontext_mismatch, execveat--secontext_full_mismatch,
execveat--secontext_mismatch, faccessat--secontext_full_mismatch,
faccessat--secontext_mismatch, faccessat-y--secontext_full_mismatch,
faccessat-y--secontext_mismatch, fanotify_mark--secontext_full_mismatch,
fanotify_mark--secontext_mismatch, fchmod--secontext_full_mismatch,
fchmod--secontext_mismatch, fchmod-y--secontext_full_mismatch,
fchmod-y--secontext_mismatch, fchmodat--secontext_full_mismatch,
fchmodat--secontext_mismatch, fchownat--secontext_full_mismatch,
fchownat--secontext_mismatch, file_handle--secontext_full_mismatch,
file_handle--secontext_mismatch, linkat--secontext_full_mismatch,
linkat--secontext_mismatch, open--secontext_full_mismatch,
open--secontext_mismatch, openat--secontext_full_mismatch,
openat--secontext_mismatch): New tests.
* tests/linkat.c: Include <string.h>.
(main) [PRINT_SECONTEXT_MISMATCH]: Check context mismatch.
* tests/options-syntax.test: Check --secontext and -e secontext syntax.
* tests/secontext.h (secontext_field): New enum.
(secontext_full_file, secontext_short_file): Add "mismatch" argument.
(update_secontext_type): Rename to update_secontext_field, add "field"
argument.
(SECONTEXT_FILE): Conditionalize "mismatch" argument passed to
secontext_full_file and secontext_short_file on PRINT_SECONTEXT_MISMATCH.
* tests/secontext.c: Include <sys/stat.h> and <selinux/label.h>.
(get_type_from_context, raw_expected_secontext_full_file,
raw_expected_secontext_short_file): New functions.
(raw_secontext_short_file, raw_secontext_short_pid): Use
get_type_from_context.
(secontext_full_file): Add "mismatch" argument, use
raw_expected_secontext_full_file if mismatch is enabled.
(secontext_short_file): Add "mismatch" argument, use
raw_expected_secontext_short_file if mismatch is enabled.
(update_secontext_type): Rename to update_secontext_field, add "field"
argument.

Co-authored-by: Dmitry V. Levin <ldv@strace.io>
ca1aa96f
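The comparison the commit message describes (take the context a file actually carries, take the context the file-context database says it should carry, strip both down to the type unless 'full' mode is on, and print `!!expected` after the actual context only when the compared parts differ) as an added example. This is not strace's own code: it takes the two context strings as plain inputs instead of calling getfilecon and selabel_lookup, so it compiles without libselinux, and the context values are constructed from the session quoted in the message. Mode names `CTX_SHORT`/`CTX_FULL` and the function `format_secontext` are this example's own, not strace identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Output modes mirroring the commit: default prints the type only,
 * 'full' prints the whole user:role:type:level context. */
enum ctx_mode { CTX_SHORT, CTX_FULL };

/* Copy the type field (third colon-separated field) of an SELinux
 * context into out. Returns out, or NULL if the context has fewer
 * than three fields or the type does not fit. */
static const char *context_type(const char *ctx, char *out, size_t outlen)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        p = strchr(p, ':');
        if (!p)
            return NULL;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len >= outlen)
        return NULL;
    memcpy(out, p, len);
    out[len] = '\0';
    return out;
}

/* Build the bracketed annotation printed after a path argument:
 * "[actual]" when the compared part matches the expected context,
 * "[actual!!expected]" when it does not. actual and expected are full
 * contexts (what getfilecon and selabel_lookup would return).
 * Returns 0 on success, -1 on malformed input or truncation. */
int format_secontext(enum ctx_mode mode, const char *actual,
                     const char *expected, char *out, size_t outlen)
{
    char ta[256], te[256];
    const char *a = actual, *e = expected;

    if (mode == CTX_SHORT) {
        /* Default mode compares types only: a user or role difference
         * (system_u vs unconfined_u) is not reported here. */
        if (!context_type(actual, ta, sizeof ta) ||
            !context_type(expected, te, sizeof te))
            return -1;
        a = ta;
        e = te;
    }

    int n = strcmp(a, e) == 0
        ? snprintf(out, outlen, "[%s]", a)
        : snprintf(out, outlen, "[%s!!%s]", a, e);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed from the matchpathcon / ls -Z output in the message. */
    const char *actual = "system_u:object_r:user_home_t:s0";
    const char *expected = "unconfined_u:object_r:user_home_t:s0";
    char buf[256];

    if (format_secontext(CTX_SHORT, actual, expected, buf, sizeof buf) == 0)
        printf("default mode: %s\n", buf);
    if (format_secontext(CTX_FULL, actual, expected, buf, sizeof buf) == 0)
        printf("full mode:    %s\n", buf);
    return 0;
}
```

Default mode only flags a wrong type, which is the part that actually drives type-enforcement decisions; a file that is mislabelled in its user or role field (as in the message's example) is reported only with 'full,mismatch', so an audit that cares about the whole label should use the full form.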