* ! DISCLAIMER ! * ! I don't have a system which has SELinux enabled, nor have I ever really used SELinux. ! Therefore, I crafted the following on a best-effort basis, and tested it only on my ! system which has the selinux-devel package installed, once with the default configure ! options and once with --without-selinux.
My openSUSE:Tumbleweed has updated to SELinux 3.1 a couple of weeks ago. Since then, I see the following warnings: CC lib/selinux-at.o In file included from lib/selinux-at.c:21: lib/selinux-at.h:34:1: error: 'security_context_t' is deprecated [-Werror=deprecated-declarations] 34 | int getfileconat (int dir_fd, char const *file, security_context_t *con); | ^~~ ... CC src/selinux.o src/selinux.c: In function 'defaultcon': src/selinux.c:131:3: error: 'matchpathcon' is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations] 131 | if (matchpathcon (path, mode, &scon) < 0) | ^~ In file included from ./lib/selinux/selinux.h:25, from src/selinux.c:20: /usr/include/selinux/selinux.h:500:12: note: declared here 500 | extern int matchpathcon(const char *path, | ^~~~~~~~~~~~ The attached 2 patches attempt to fix this: * [PATCH] selinux-h: add label stubs File 'gnulib-se-label.patch'. This gnulib patch creates the stubs for se-label similar to the se-context stubs. * [PATCH] install,cp,mv,mkdir,mkfifo,mknod: port to SELinux 3.1 File '~/gnulib-se-label/0001-install-cp-mv-mkdir-mkfifo-mknod-port-to-SELinux-3.1.patch'. This coreutils patch updates gnulib to latest (including the above gnulib patch), and replaces the deprecated matchpathcon calls. To go past the 'public-submodule-commit' error, one has to run the tests like: make check gl_public_submodule_commit= Is this the right approach? Does it work on systems having SELinux enabled? Does it work on systems with SELinux < 3.1? Does it work on systems with SELinux >= 3.1? If yes, then I'd forward to gnulib patch to ... well, gnulib. Have a nice day, Berny
>From e50474b28a62fa12ee621c7d46d6f8132c842f3b Mon Sep 17 00:00:00 2001 From: Bernhard Voelker <m...@bernhard-voelker.de> Date: Wed, 21 Oct 2020 20:38:40 +0200 Subject: [PATCH] install,cp,mv,mkdir,mkfifo,mknod: port to SELinux 3.1 The new SELinux release deprecated the 'matchpathcon' function, and the typedef 'security_context_t'. * gnulib: Update submodule to latest, mainly for these two commits: > selinux-h: add label stubs > selinux-at, selinux-h: port to SELinux 3.1 * src/install.c (setdefaultfilecon): Replace deprecated matchpathcon by selabel_open, selabel_lookup and selabel_close. * src/selinux.c (<selinux/label.h>): Add #include. (defaultcon): Likewise. (restorecon_private): Likewise. * .gitignore (/lib/se-label.h): Add entry. --- .gitignore | 1 + gnulib | 2 +- src/install.c | 13 +++++++++++-- src/selinux.c | 20 ++++++++++++++++++-- 4 files changed, 31 insertions(+), 5 deletions(-) diff --git a/.gitignore b/.gitignore index e1abcdfb7..6ee38438b 100644 --- a/.gitignore +++ b/.gitignore @@ -86,6 +86,7 @@ /lib/ref-del.sed /lib/sched.h /lib/se-context.h +/lib/se-label.h /lib/se-selinux.h /lib/selinux /lib/signal.h diff --git a/gnulib b/gnulib index 2d386f229..d08237934 160000 --- a/gnulib +++ b/gnulib @@ -1 +1 @@ -Subproject commit 2d386f229aba9ecda85736b931e2964d7922d90e +Subproject commit d0823793490b9dae0578df2cd75c6a7e077ab6c2 diff --git a/src/install.c b/src/install.c index a94053f4d..3b557af74 100644 --- a/src/install.c +++ b/src/install.c @@ -24,6 +24,7 @@ #include <pwd.h> #include <grp.h> #include <selinux/selinux.h> +#include <selinux/label.h> #include <sys/wait.h> #include "system.h" @@ -316,6 +317,8 @@ setdefaultfilecon (char const *file) struct stat st; char *scontext = NULL; static bool first_call = true; + struct selabel_handle *hnd; + struct selinux_opt sel_options[SELABEL_NOPT] = {}; if (selinux_enabled != 1) { 
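Review bot: `struct selinux_opt sel_options[SELABEL_NOPT] = {};` in the setdefaultfilecon declarations relies on the empty-initializer GNU extension (standard only from C23), and the array never carries anything but zeroed entries. `selabel_open (SELABEL_CTX_FILE, NULL, 0)` is the usual way to open the file backend with no options, so the array can go; if it stays, `= {0}` is the portable spelling. The same declaration is added to defaultcon and restorecon_private in src/selinux.c on the following lines. setdefaultfilecon continues past this hunk.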
@@ -365,12 +368,17 @@ setdefaultfilecon (char const *file) /* If there's an error determining the context, or it has none, return to allow default context. Note the "<<none>>" check is only needed for libselinux < 1.20 (2005-01-04). */ - if ((matchpathcon (file, st.st_mode, &scontext) != 0) + hnd = selabel_open (SELABEL_CTX_FILE, sel_options, SELABEL_NOPT); + if (!hnd) + return; + + if ((selabel_lookup (hnd, &scontext, file, st.st_mode) < 0) || STREQ (scontext, "<<none>>")) { if (scontext != NULL) freecon (scontext); - return; + selabel_close (hnd); + return; } if (lsetfilecon (file, scontext) < 0 && errno != ENOTSUP) @@ -379,6 +387,7 @@ setdefaultfilecon (char const *file) quotef_n (0, file), quote_n (1, scontext)); freecon (scontext); + selabel_close (hnd); return; } #else diff --git a/src/selinux.c b/src/selinux.c index 874ad5b6d..f626fd0e7 100644 --- a/src/selinux.c +++ b/src/selinux.c @@ -19,6 +19,7 @@ #include <config.h> #include <selinux/selinux.h> #include <selinux/context.h> +#include <selinux/label.h> #include <sys/types.h> #include "die.h" @@ -116,6 +117,8 @@ defaultcon (char const *path, mode_t mode) const char *contype; char *constr; char *newpath = NULL; + struct selabel_handle *hnd; + struct selinux_opt sel_options[SELABEL_NOPT] = {}; if (! IS_ABSOLUTE_FILE_NAME (path)) { @@ -128,7 +131,11 @@ defaultcon (char const *path, mode_t mode) path = newpath; } - if (matchpathcon (path, mode, &scon) < 0) + hnd = selabel_open (SELABEL_CTX_FILE, sel_options, SELABEL_NOPT); + if (!hnd) + goto quit; + + if (selabel_lookup (hnd, &scon, path, mode) < 0) { /* "No such file or directory" is a confusing error, when processing files, when in fact it was the @@ -161,6 +168,7 @@ quit: freecon (scon); freecon (tcon); free (newpath); + selabel_close (hnd); return rc; } 
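Review bot: selabel_open is now called on every invocation of setdefaultfilecon, so an install run that processes many files reopens and re-parses the file_contexts database once per file, whereas matchpathcon kept a static handle loaded after its first call. The function already keeps a `static bool first_call`; a `static struct selabel_handle *hnd` opened on first use and kept for the life of the process would restore that behaviour, with the two added `selabel_close (hnd)` calls dropped. defaultcon and restorecon_private in src/selinux.c (this line and the next) open and close a handle per call in the same way and would benefit from the same treatment. setdefaultfilecon's start is outside the hunk.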
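Review bot: In defaultcon `hnd` is declared without an initializer and the `quit:` label now calls `selabel_close (hnd)` unconditionally, yet the new `if (!hnd) goto quit;` reaches it with a null handle, and any `goto quit` taken before selabel_open (the body of the IS_ABSOLUTE_FILE_NAME block is outside the hunk) would reach it with an indeterminate pointer. restorecon_private in the same patch handles this with `struct selabel_handle *hnd = NULL;` and `if (hnd) selabel_close (hnd);`; defaultcon should match. The gnulib stub tolerates a null handle, but whether libselinux's selabel_close does is not something the caller should rely on.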
@@ -188,6 +196,8 @@ restorecon_private (char const *path, bool local) const char *contype; char *constr; int fd; + struct selabel_handle *hnd = NULL; + struct selinux_opt sel_options[SELABEL_NOPT] = {}; if (local) { @@ -218,7 +228,11 @@ restorecon_private (char const *path, bool local) goto quit; } - if (matchpathcon (path, sb.st_mode, &scon) < 0) + hnd = selabel_open (SELABEL_CTX_FILE, sel_options, SELABEL_NOPT); + if (!hnd) + goto quit; + + if (selabel_lookup (hnd, &scon, path, sb.st_mode) < 0) { /* "No such file or directory" is a confusing error, when processing files, when in fact it was the @@ -265,6 +279,8 @@ quit: context_free (tcontext); freecon (scon); freecon (tcon); + if (hnd) + selabel_close (hnd); return rc; } -- 2.29.2
>From d0823793490b9dae0578df2cd75c6a7e077ab6c2 Mon Sep 17 00:00:00 2001
From: Bernhard Voelker <m...@bernhard-voelker.de>
Date: Thu, 19 Nov 2020 22:40:21 +0100
Subject: [PATCH] selinux-h: add label stubs

* lib/se-label.c: Add file.
* lib/se-label.in.h: Likewise.
* m4/selinux-label-h.m4: Likewise.
* modules/selinux-h (Files): Reference the above new files.
(configure.ac): Call gl_HEADERS_SELINUX_LABEL_H.
(Makefile.am): Add se-label.in.h and se-label.c.
(selinux/label.h): Generate from se-label.in.h if necessary.
* lib/se-selinux.in.h (struct selinux_opt): Define.
* lib/selinux-at.h: Include <selinux/label.h> as well.
---
 ChangeLog | 12 ++++++++
 lib/se-label.c | 3 ++
 lib/se-label.in.h | 65 +++++++++++++++++++++++++++++++++++++++++++
 lib/se-selinux.in.h | 6 ++++
 lib/selinux-at.h | 1 +
 m4/selinux-label-h.m4 | 22 +++++++++++++++
 modules/selinux-h | 24 +++++++++++++++-
 7 files changed, 132 insertions(+), 1 deletion(-)
 create mode 100644 lib/se-label.c
 create mode 100644 lib/se-label.in.h
 create mode 100644 m4/selinux-label-h.m4

diff --git a/ChangeLog b/ChangeLog
index 52524da54..c45a32485 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2020-11-19 Bernhard Voelker <m...@bernhard-voelker.de>
+
+ selinux-h: add label stubs
+ * lib/se-label.c: Add file.
+ * lib/se-label.in.h: Likewise.
+ * m4/selinux-label-h.m4: Likewise.
+ * modules/selinux-h (Files): Reference the above new files.
+ (configure.ac): Call gl_HEADERS_SELINUX_LABEL_H.
+ (Makefile.am): Add se-label.in.h and se-label.c.
+ (selinux/label.h): Generate from se-label.in.h if necessary.
+ * lib/selinux-at.h: Include <selinux/label.h> as well.
+
 2020-11-19 Siddhesh Poyarekar <siddh...@gotplt.org>
 
 vcs-to-changelog: Expect spaces in file names
diff --git a/lib/se-label.c b/lib/se-label.c
new file mode 100644
index 000000000..16d706fd8
--- /dev/null
+++ b/lib/se-label.c
@@ -0,0 +1,3 @@
+#include <config.h>
+#define SE_LABEL_INLINE _GL_EXTERN_INLINE
+#include <selinux/label.h>
diff --git a/lib/se-label.in.h b/lib/se-label.in.h
new file mode 100644
index 000000000..af45e6e6e
--- /dev/null
+++ b/lib/se-label.in.h
@@ -0,0 +1,65 @@ +/* SELinux-related headers. + Copyright (C) 2020 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <https://www.gnu.org/licenses/>. */ + +/* Written by Bernhard Voelker, 2020. */ + +#ifndef SELINUX_LABEL_H +# define SELINUX_LABEL_H + +# include <errno.h> +# include <selinux/selinux.h> /* for struct selinux_opt */ + +#ifndef _GL_INLINE_HEADER_BEGIN + #error "Please include config.h first." +#endif +_GL_INLINE_HEADER_BEGIN +#ifndef SE_LABEL_INLINE +# define SE_LABEL_INLINE _GL_INLINE +#endif + +/* The definition of _GL_UNUSED_PARAMETER is copied here. */ + +/* Available backend: file contexts */ +#define SELABEL_CTX_FILE 0 + +/* Total number of SELABEL_OPT options */ +#define SELABEL_NOPT 6 + +/* + * Opaque type used for all label handles. + */ +struct selabel_handle; + +SE_LABEL_INLINE struct selabel_handle * +selabel_open (unsigned int backend _GL_UNUSED_PARAMETER, + const struct selinux_opt *opts _GL_UNUSED_PARAMETER, + unsigned nopts _GL_UNUSED_PARAMETER) + { errno = ENOTSUP; return 0; } + +SE_LABEL_INLINE void +selabel_close (struct selabel_handle *handle _GL_UNUSED_PARAMETER) + { errno = ENOTSUP; return; } + +SE_LABEL_INLINE int +selabel_lookup (struct selabel_handle *handle _GL_UNUSED_PARAMETER, + char **con _GL_UNUSED_PARAMETER, + const char *key_GL_UNUSED_PARAMETER, + int type_GL_UNUSED_PARAMETER) + { errno = ENOTSUP; return -1; } + +_GL_INLINE_HEADER_END + +#endif 
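Review bot: In the selabel_lookup stub the last two parameters read `key_GL_UNUSED_PARAMETER` and `type_GL_UNUSED_PARAMETER` as rendered here; without the space the macro is never expanded, the parameters merely get odd names, and the stub may trip -Wunused-parameter under -Werror, the very class of warning the patch sets out to silence. They should read `const char *key _GL_UNUSED_PARAMETER,` and `int type _GL_UNUSED_PARAMETER)`. Separately, the selabel_close stub sets `errno = ENOTSUP` although it is a void cleanup call that callers place on their error paths after a failed open or lookup; the real function only releases the handle, and a stub that overwrites errno can mask the failure a caller is about to report, so `{ return; }` is the safer body there.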
diff --git a/lib/se-selinux.in.h b/lib/se-selinux.in.h index 022596bb8..323ae17db 100644 --- a/lib/se-selinux.in.h +++ b/lib/se-selinux.in.h @@ -42,6 +42,12 @@ _GL_INLINE_HEADER_BEGIN # if !GNULIB_defined_security_types +/* Structure for passing options, used by AVC and label subsystems */ +struct selinux_opt { + int type; + const char *value; +}; + typedef unsigned short security_class_t; # define is_selinux_enabled() 0 diff --git a/lib/selinux-at.h b/lib/selinux-at.h index 50537f80f..d8fe305f4 100644 --- a/lib/selinux-at.h +++ b/lib/selinux-at.h @@ -16,6 +16,7 @@ #include <selinux/selinux.h> #include <selinux/context.h> +#include <selinux/label.h> /* These are the dir-fd-relative variants of the functions without the "at" suffix. For example, getfileconat (AT_FDCWD, file, &c) is usually diff --git a/m4/selinux-label-h.m4 b/m4/selinux-label-h.m4 new file mode 100644 index 000000000..52925e767 --- /dev/null +++ b/m4/selinux-label-h.m4 @@ -0,0 +1,22 @@ +# serial 1 -*- Autoconf -*- +# Copyright (C) 2020 Free Software Foundation, Inc. +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# From Bernhard Voelker +# Provide <selinux/label.h>, if necessary. + +AC_DEFUN([gl_HEADERS_SELINUX_LABEL_H], +[ + AC_REQUIRE([gl_LIBSELINUX]) + if test "$with_selinux" != no; then + AC_CHECK_HEADERS([selinux/label.h], + [SELINUX_LABEL_H=], + [SELINUX_LABEL_H=selinux/label.h]) + else + SELINUX_LABEL_H=selinux/label.h + fi + AC_SUBST([SELINUX_LABEL_H]) + AM_CONDITIONAL([GL_GENERATE_SELINUX_LABEL_H], [test -n "$SELINUX_LABEL_H"]) +]) diff --git a/modules/selinux-h b/modules/selinux-h index e074e673f..674767715 100644 --- a/modules/selinux-h +++ b/modules/selinux-h 
@@ -4,10 +4,13 @@ SELinux-related headers for systems that lack them. Files: lib/getfilecon.c lib/se-context.in.h +lib/se-label.in.h lib/se-selinux.in.h lib/se-context.c +lib/se-label.c lib/se-selinux.c m4/selinux-context-h.m4 +m4/selinux-label-h.m4 m4/selinux-selinux-h.m4 Depends-on: @@ -18,12 +21,13 @@ snippet/unused-parameter configure.ac: gl_HEADERS_SELINUX_SELINUX_H gl_HEADERS_SELINUX_CONTEXT_H +gl_HEADERS_SELINUX_LABEL_H if test "$with_selinux" != no && test "$ac_cv_header_selinux_selinux_h" = yes; then AC_LIBOBJ([getfilecon]) fi Makefile.am: -lib_SOURCES += se-context.in.h se-selinux.in.h se-context.c se-selinux.c +lib_SOURCES += se-context.in.h se-label.in.h se-selinux.in.h se-context.c se-label.c se-selinux.c BUILT_SOURCES += selinux/selinux.h selinux/selinux.h: se-selinux.in.h $(top_builddir)/config.status $(UNUSED_PARAMETER_H) @@ -58,11 +62,29 @@ selinux/context.h: $(top_builddir)/config.status rm -f $@ endif MOSTLYCLEANFILES += selinux/context.h selinux/context.h-t + +BUILT_SOURCES += $(SELINUX_LABEL_H) +if GL_GENERATE_SELINUX_LABEL_H +selinux/label.h: se-label.in.h $(top_builddir)/config.status $(UNUSED_PARAMETER_H) + $(AM_V_at)$(MKDIR_P) selinux + $(AM_V_GEN)rm -f $@-t $@ && \ + { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */' && \ + sed -e '/definition of _GL_UNUSED_PARAMETER/r $(UNUSED_PARAMETER_H)' \ + < $(srcdir)/se-label.in.h; \ + } > $@-t && \ + chmod a-x $@-t && \ + mv $@-t $@ +else +selinux/label.h: $(top_builddir)/config.status + rm -f $@ +endif +MOSTLYCLEANFILES += selinux/label.h selinux/label.h-t MOSTLYCLEANDIRS += selinux Include: <selinux/selinux.h> <selinux/context.h> +<selinux/label.h> Link: $(LIB_SELINUX) -- 2.29.2