On 20/11/2020 00:12, Bernhard Voelker wrote:
* ! DISCLAIMER ! *
! I don't have a system which has SELinux enabled, nor have I ever really used SELinux.
! Therefore, I crafted the following on a best-effort basis, and tested it only on my
! system which has the selinux-devel package installed, once with the default configure
! options and once with --without-selinux.
My openSUSE:Tumbleweed updated to SELinux 3.1 a couple of weeks ago.
Since then, I see the following warnings:
  CC lib/selinux-at.o
In file included from lib/selinux-at.c:21:
lib/selinux-at.h:34:1: error: 'security_context_t' is deprecated [-Werror=deprecated-declarations]
   34 | int getfileconat (int dir_fd, char const *file, security_context_t *con);
      | ^~~
...
  CC src/selinux.o
src/selinux.c: In function 'defaultcon':
src/selinux.c:131:3: error: 'matchpathcon' is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
  131 | if (matchpathcon (path, mode, &scon) < 0)
      | ^~
In file included from ./lib/selinux/selinux.h:25,
                 from src/selinux.c:20:
/usr/include/selinux/selinux.h:500:12: note: declared here
  500 | extern int matchpathcon(const char *path,
      | ^~~~~~~~~~~~
The attached 2 patches attempt to fix this:
* [PATCH] selinux-h: add label stubs
  File 'gnulib-se-label.patch'.
  This gnulib patch creates the stubs for se-label similar to the se-context stubs.
* [PATCH] install,cp,mv,mkdir,mkfifo,mknod: port to SELinux 3.1
  File '~/gnulib-se-label/0001-install-cp-mv-mkdir-mkfifo-mknod-port-to-SELinux-3.1.patch'.
  This coreutils patch updates gnulib to latest (including the above gnulib patch),
  and replaces the deprecated matchpathcon calls.
To go past the 'public-submodule-commit' error, one has to run the tests like:
make check gl_public_submodule_commit=
Is this the right approach?
Does it work on systems having SELinux enabled?
Does it work on systems with SELinux < 3.1?
Does it work on systems with SELinux >= 3.1?
If yes, then I'd forward the gnulib patch to ... well, gnulib.
Thanks a lot for looking at this.
I can confirm this works on fedora 32 (selinux 3.0), and all tests pass.
I can confirm that without this on fedora 33 (selinux 3.1), the build fails as you indicated.
However the build still fails on fedora 33 for me due to the remaining security_context_t use in lib/selinux-at.h.
Karel, could you help with SELinux testing on latest fedora?
thanks,
Pádraig