Bruno Haible wrote:
> Hi Jim,
>
>> +int getfileconat (int fd, char const *file, security_context_t *con);
>> +int lgetfileconat (int fd, char const *file, security_context_t *con);
>> +int setfileconat (int fd, char const *file, security_context_t con);
>> +int lsetfileconat (int fd, char const *file, security_context_t con);
>
> These functions have no specification, neither in the .h file nor in the .c
> file. A specification is probably easy to make up, by reference to getfilecon
> and setfilecon (for which gnulib also lacks documentation, btw, see [1] and
> [2]).
>
>> +gl_save_LIBS=$LIBS
>> + LIB_SELINUX=
>> + AC_SEARCH_LIBS([setfilecon], [selinux],
>> + [test "$ac_cv_search_setfilecon" = "none required" ||
>> + LIB_SELINUX=$ac_cv_search_setfilecon])
>> + AC_SUBST(LIB_SELINUX)
>> +LIBS=$gl_save_LIBS
>
> These lines are not necessary; LIB_SELINUX is already set by
> m4/selinux-selinux-h.m4, which is part of the 'selinux-h' module,
> on which 'selinux-at' depends.
>
>> +Include:
>> +selinux-at.h
>
> The filename here should be enclosed in double-quotes or angle brackets,
> otherwise "gnulib-tool --extract-include-directive selinux-at" and
> MODULES.html.sh produce an unusable output.
>
> Bruno
>
>
> [1] http://lists.gnu.org/archive/html/bug-gnulib/2008-10/msg00399.html
> [2] http://lists.gnu.org/archive/html/bug-gnulib/2008-10/msg00400.html
Thanks again. This addresses your comments in this file (not yet those in the links): >From 733e7c2482a9c937b3491704fe97fe7f14622dad Mon Sep 17 00:00:00 2001 From: Jim Meyering <[email protected]> Date: Fri, 7 Aug 2009 10:57:17 +0200 Subject: [PATCH] selinux-at: remove redundant m4 code, add documentation * modules/selinux-at (configure.ac): Remove redundant code. LIB_SELINUX is already set via the dependent module, selinux-h. (Include): Add quotes around selinux-at.h. * lib/selinux-at.h: Add documentation. Reported by Bruno Haible in http://marc.info/?l=gnulib-bug&m=124958988300749 --- ChangeLog | 10 ++++++++++ lib/selinux-at.h | 37 +++++++++++++++++++++++++++++++++---- modules/selinux-at | 9 +-------- 3 files changed, 44 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1ce6194..1b3af02 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2009-08-07 Jim Meyering <[email protected]> + + selinux-at: remove redundant m4 code, add documentation + * modules/selinux-at (configure.ac): Remove redundant code. + LIB_SELINUX is already set via the dependent module, selinux-h. + (Include): Add quotes around selinux-at.h. + * lib/selinux-at.h: Add documentation. + Reported by Bruno Haible in + http://marc.info/?l=gnulib-bug&m=124958988300749 + 2009-08-07 Bruno Haible <[email protected]> Avoid link error on MacOS X 10.3 and 10.4. diff --git a/lib/selinux-at.h b/lib/selinux-at.h index 212e252..cd7bf94 100644 --- a/lib/selinux-at.h +++ b/lib/selinux-at.h 
@@ -17,7 +17,36 @@ #include <selinux/selinux.h> #include <selinux/context.h> -int getfileconat (int fd, char const *file, security_context_t *con); -int lgetfileconat (int fd, char const *file, security_context_t *con); -int setfileconat (int fd, char const *file, security_context_t con); -int lsetfileconat (int fd, char const *file, security_context_t con); +/* These are the dir-fd-relative variants of the functions without the + "at" suffix. For example, getfileconat (AT_FDCWD, file, &c) is usually + equivalent to getfileconat (file, &c). The emulation is accomplished + by first attempting getfilecon ("/proc/self/fd/DIRFD/FILE", &c). + Failing that, simulate it via save_cwd/fchdir/getfilecon/restore_cwd. + If either the save_cwd or the restore_cwd fails (relatively unlikely), + then give a diagnostic and exit nonzero. */ + +/* dir-fd-relative getfilecon. Set *CON to the SELinux security context + of the file specified by DIRFD and FILE and return the length of *CON. + DIRFD and FILE are interpreted as for fstatat[*]. A non-NULL *CON + must be freed with freecon. Upon error, set *CON to NULL, set errno + and return -1. + [*] with flags=0 here, with flags=AT_SYMLINK_NOFOLLOW for lgetfileconat */ +int getfileconat (int dirfd, char const *file, security_context_t *con); + +/* dir-fd-relative lgetfilecon. This function is just like getfileconat, + except when DIRFD and FILE specify a symlink: lgetfileconat operates on + the symlink, while getfileconat operates on the referent of the symlink. */ +int lgetfileconat (int dirfd, char const *file, security_context_t *con); + +/* dir-fd-relative setfilecon. Set the SELinux security context of + the file specified by DIRFD and FILE to CON. DIRFD and FILE are + interpreted as for fstatat[*]. Upon success, return 0. + Otherwise, return -1 and set errno. */ +int setfileconat (int dirfd, char const *file, security_context_t con); + +/* dir-fd-relative lsetfilecon. 
This function is just like setfileconat, + except that rather than dereferencing a symlink, this function affects it. */ +/* dir-fd-relative lsetfilecon. This function is just like setfileconat, + except when DIRFD and FILE specify a symlink: lsetfileconat operates on + the symlink, while setfileconat operates on the referent of the symlink. */ +int lsetfileconat (int dirfd, char const *file, security_context_t con); diff --git a/modules/selinux-at b/modules/selinux-at index 191429a..925219d 100644 --- a/modules/selinux-at +++ b/modules/selinux-at @@ -12,18 +12,11 @@ selinux-h configure.ac: AC_CHECK_HEADERS([selinux/flask.h]) AC_LIBOBJ([selinux-at]) -gl_save_LIBS=$LIBS - LIB_SELINUX= - AC_SEARCH_LIBS([setfilecon], [selinux], - [test "$ac_cv_search_setfilecon" = "none required" || - LIB_SELINUX=$ac_cv_search_setfilecon]) - AC_SUBST(LIB_SELINUX) -LIBS=$gl_save_LIBS Makefile.am: Include: -selinux-at.h +"selinux-at.h" License: GPL -- 1.6.4.115.g33d49
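
Review bot: In the lib/selinux-at.h hunk, the introductory comment says getfileconat (AT_FDCWD, file, &c) is usually equivalent to "getfileconat (file, &c)"; the two-argument call should read getfilecon (file, &c), the function without the "at" suffix that the preceding sentence refers to. The same hunk adds two consecutive comments for lsetfileconat (one ending "this function affects it", one ending "the referent of the symlink"); keep only the second, which matches the wording used for lgetfileconat. Because the fallback goes through save_cwd/fchdir/restore_cwd and may exit the process, the comment should also state that the fallback temporarily changes the process-wide working directory, so callers in multi-threaded programs know what to expect.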
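
Review bot: In the modules/selinux-at hunk, once the AC_SEARCH_LIBS block is removed nothing in this file mentions LIB_SELINUX any more, and no Link: section appears between Include: and License:. Consider adding a Link: section listing $(LIB_SELINUX), or a short comment under configure.ac: noting that the variable is set by the selinux-h dependency, so users of the module know what to add to their link line.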
