Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On 09/29/2016 03:27 PM, William Roberts wrote: > On Thu, Sep 29, 2016 at 3:15 PM, William Roberts >wrote: >> On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley wrote: >>> On 09/29/2016 02:46 PM, William Roberts wrote: On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote: > On 09/29/2016 02:15 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley >> wrote: >>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: From: William Roberts Provide stubs to the public boolean API that always returns -1. On Android, boolean symbols are needed for: external/ltrace/sysdeps/linux-gnu/trace.c >>> >>> Is this really worth doing? >> >> It's this or disabling that selinux via #define, which that source has >> HAVE_LIBSELINUX. >> >> But it would seem confusing IMHO to have a libselinux.so, so one would >> set HAVE_LIBSELINUX=1, >> and you're getting link errors. > > Maybe I don't understand. Obviously it builds today with > external/libselinux without requiring this change. Why do we need this > now? > Richard Haines was doing further testing, and was building a different lunch target for the arm emulator and hit this issue. I have only tested x86_64 emulator. >>> >>> No, I mean that this is not required in external/libselinux (the Android >>> fork) today. So why is it needed here? The Android fork builds >>> src/booleans.c for the target. It doesn't hurt anything to leave the >>> code there. The underlying kernel interface via selinuxfs still exists. >>> There just won't be any booleans in the policy. >>> >> >> The target builds a modified booleans, if use booleans as is, we start >> down the config c file >> rabbit hole... >> >> external/selinux/libselinux/src/booleans.c:100: error: undefined >> reference to 'selinux_booleans_subs_path' >> external/selinux/libselinux/src/booleans.c:388: error: undefined >> reference to 'selinux_booleans_path' >> external/selinux/libselinux/src/booleans.c:529: error: undefined >> reference to 'selinux_booleans_path' >> external/selinux/libselinux/src/booleans.c:545: error: undefined >> reference to 'selinux_booleans_path' >> clang++.real: error: linker command failed with exit code 1 (use -v to >> see invocation) >> >> I can take a look at that and see how much of a PITA it would be to >> pull that in. > > external/selinux/libselinux/src/selinux_config.c:100: error: undefined > reference to 'fgets_unlocked' > external/selinux/libselinux/src/selinux_config.c:100: error: undefined > reference to 'fgets_unlocked' > external/selinux/libselinux/src/selinux_config.c:231: error: undefined > reference to 'require_seusers' > external/selinux/libselinux/src/selinux_config.c:231: error: undefined > reference to 'load_setlocaldefs' > > fgets should be easy enough > load_setlocaldefs is an exported integer value used in init_selinux_config() > require_seusers is another exported int form seusers.c > > I was figuring since we don't use any bools, to keep the size down, > just stubbing dummies is the > easiest route. > > We could do something like STATIC_CONFIG and just stub in what things > need and return the explicit paths. Never mind, I'll take your original patch. ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH 2/2] libselinux: set DISABLE_RPM default to y.
On 09/28/2016 12:00 PM, william.c.robe...@intel.com wrote: > From: William Roberts> > Change the default build behavior to always use DISABLE_RPM. > To get the old behavior call make with DISABLE_RPM=n. > > eg.) > make DISABLE_RPM=n I reverted this change. It would break rpm on RHEL 7 and earlier, so it is still too soon to make this the default ;( > > Signed-off-by: William Roberts > --- > libselinux/Makefile | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libselinux/Makefile b/libselinux/Makefile > index 41d836c..cec2943 100644 > --- a/libselinux/Makefile > +++ b/libselinux/Makefile > @@ -1,7 +1,7 @@ > SUBDIRS = src include utils man > > DISABLE_SETRANS ?= n > -DISABLE_RPM ?= n > +DISABLE_RPM ?= y > ifeq ($(DISABLE_RPM),y) > DISABLE_FLAGS+= -DDISABLE_RPM > endif > ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: > From: William Roberts> > Provide stubs to the public boolean API that always returns -1. > > On Android, boolean symbols are needed for: > external/ltrace/sysdeps/linux-gnu/trace.c Thanks, applied. > > Signed-off-by: William Roberts > --- > libselinux/Makefile | 4 +++ > libselinux/src/booleans.c | 64 > +++ > 2 files changed, 58 insertions(+), 10 deletions(-) > > diff --git a/libselinux/Makefile b/libselinux/Makefile > index f607115..b5f32bb 100644 > --- a/libselinux/Makefile > +++ b/libselinux/Makefile > @@ -5,6 +5,7 @@ DISABLE_RPM ?= y > ANDROID_HOST ?= n > ifeq ($(ANDROID_HOST),y) > override DISABLE_SETRANS=y > + override DISABLE_BOOL=y > endif > ifeq ($(DISABLE_RPM),y) > DISABLE_FLAGS+= -DDISABLE_RPM > @@ -12,6 +13,9 @@ endif > ifeq ($(DISABLE_SETRANS),y) > DISABLE_FLAGS+= -DDISABLE_SETRANS > endif > +ifeq ($(DISABLE_BOOL),y) > + DISABLE_FLAGS+= -DDISABLE_BOOL > +endif > export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST > > USE_PCRE2 ?= n > diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c > index c438af1..cbb0610 100644 > --- a/libselinux/src/booleans.c > +++ b/libselinux/src/booleans.c > @@ -25,6 +25,8 @@ > > #define SELINUX_BOOL_DIR "/booleans/" > > +#ifndef DISABLE_BOOL > + > static int filename_select(const struct dirent *d) > { > if (d->d_name[0] == '.' > @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len) > goto out; > } > > -hidden_def(security_get_boolean_names) > - > char *selinux_boolean_sub(const char *name) > { > char *sub = NULL; > @@ -141,8 +141,6 @@ out: > return sub; > } > > -hidden_def(selinux_boolean_sub) > - > static int bool_open(const char *name, int flag) { > char *fname = NULL; > char *alt_name = NULL; > @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name) > return val; > } > > -hidden_def(security_get_boolean_active) > - > int security_set_boolean(const char *name, int value) > { > int fd, ret; > @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value) > return -1; > } > > -hidden_def(security_set_boolean) > - > int security_commit_booleans(void) > { > int fd, ret; > @@ -327,8 +321,6 @@ int security_commit_booleans(void) > return -1; > } > > -hidden_def(security_commit_booleans) > - > static char *strtrim(char *dest, char *source, int size) > { > int i = 0; > @@ -567,3 +559,55 @@ int security_load_booleans(char *path) > errno = EINVAL; > return errors ? -1 : 0; > } > + > +#else > +int security_set_boolean_list(size_t boolcnt __attribute__((unused)), > + SELboolean * boollist __attribute__((unused)), > + int permanent __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_load_booleans(char *path __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_names(char ***names __attribute__((unused)), > + int *len __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_pending(const char *name __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_active(const char *name __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_set_boolean(const char *name __attribute__((unused)), > + int value __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_commit_booleans(void) > +{ > + return -1; > +} > + > +char *selinux_boolean_sub(const char *name __attribute__((unused))) > +{ > + return NULL; > +} > +#endif > + > +hidden_def(security_get_boolean_names) > +hidden_def(selinux_boolean_sub) > +hidden_def(security_get_boolean_active) > +hidden_def(security_set_boolean) > +hidden_def(security_commit_booleans) > ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On Thu, Sep 29, 2016 at 3:15 PM, William Robertswrote: > On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalley wrote: >> On 09/29/2016 02:46 PM, William Roberts wrote: >>> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote: On 09/29/2016 02:15 PM, William Roberts wrote: > On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley > wrote: >> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts >>> >>> Provide stubs to the public boolean API that always returns -1. >>> >>> On Android, boolean symbols are needed for: >>> external/ltrace/sysdeps/linux-gnu/trace.c >> >> Is this really worth doing? > > It's this or disabling that selinux via #define, which that source has > HAVE_LIBSELINUX. > > But it would seem confusing IMHO to have a libselinux.so, so one would > set HAVE_LIBSELINUX=1, > and you're getting link errors. Maybe I don't understand. Obviously it builds today with external/libselinux without requiring this change. Why do we need this now? >>> >>> Richard Haines was doing further testing, and was building a different >>> lunch target for the >>> arm emulator and hit this issue. I have only tested x86_64 emulator. >> >> No, I mean that this is not required in external/libselinux (the Android >> fork) today. So why is it needed here? The Android fork builds >> src/booleans.c for the target. It doesn't hurt anything to leave the >> code there. The underlying kernel interface via selinuxfs still exists. >> There just won't be any booleans in the policy. >> > > The target builds a modified booleans, if use booleans as is, we start > down the config c file > rabbit hole... > > external/selinux/libselinux/src/booleans.c:100: error: undefined > reference to 'selinux_booleans_subs_path' > external/selinux/libselinux/src/booleans.c:388: error: undefined > reference to 'selinux_booleans_path' > external/selinux/libselinux/src/booleans.c:529: error: undefined > reference to 'selinux_booleans_path' > external/selinux/libselinux/src/booleans.c:545: error: undefined > reference to 'selinux_booleans_path' > clang++.real: error: linker command failed with exit code 1 (use -v to > see invocation) > > I can take a look at that and see how much of a PITA it would be to > pull that in. external/selinux/libselinux/src/selinux_config.c:100: error: undefined reference to 'fgets_unlocked' external/selinux/libselinux/src/selinux_config.c:100: error: undefined reference to 'fgets_unlocked' external/selinux/libselinux/src/selinux_config.c:231: error: undefined reference to 'require_seusers' external/selinux/libselinux/src/selinux_config.c:231: error: undefined reference to 'load_setlocaldefs' fgets should be easy enough load_setlocaldefs is an exported integer value used in init_selinux_config() require_seusers is another exported int form seusers.c I was figuring since we don't use any bools, to keep the size down, just stubbing dummies is the easiest route. We could do something like STATIC_CONFIG and just stub in what things need and return the explicit paths. -- Respectfully, William C Roberts ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On Thu, Sep 29, 2016 at 2:54 PM, Stephen Smalleywrote: > On 09/29/2016 02:46 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalley wrote: >>> On 09/29/2016 02:15 PM, William Roberts wrote: On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote: > On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: >> From: William Roberts >> >> Provide stubs to the public boolean API that always returns -1. >> >> On Android, boolean symbols are needed for: >> external/ltrace/sysdeps/linux-gnu/trace.c > > Is this really worth doing? It's this or disabling that selinux via #define, which that source has HAVE_LIBSELINUX. But it would seem confusing IMHO to have a libselinux.so, so one would set HAVE_LIBSELINUX=1, and you're getting link errors. >>> >>> Maybe I don't understand. Obviously it builds today with >>> external/libselinux without requiring this change. Why do we need this now? >>> >> >> Richard Haines was doing further testing, and was building a different >> lunch target for the >> arm emulator and hit this issue. I have only tested x86_64 emulator. > > No, I mean that this is not required in external/libselinux (the Android > fork) today. So why is it needed here? The Android fork builds > src/booleans.c for the target. It doesn't hurt anything to leave the > code there. The underlying kernel interface via selinuxfs still exists. > There just won't be any booleans in the policy. > The target builds a modified booleans, if use booleans as is, we start down the config c file rabbit hole... external/selinux/libselinux/src/booleans.c:100: error: undefined reference to 'selinux_booleans_subs_path' external/selinux/libselinux/src/booleans.c:388: error: undefined reference to 'selinux_booleans_path' external/selinux/libselinux/src/booleans.c:529: error: undefined reference to 'selinux_booleans_path' external/selinux/libselinux/src/booleans.c:545: error: undefined reference to 'selinux_booleans_path' clang++.real: error: linker command failed with exit code 1 (use -v to see invocation) I can take a look at that and see how much of a PITA it would be to pull that in. ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalleywrote: > On 09/29/2016 02:15 PM, William Roberts wrote: >> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote: >>> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: From: William Roberts Provide stubs to the public boolean API that always returns -1. On Android, boolean symbols are needed for: external/ltrace/sysdeps/linux-gnu/trace.c >>> >>> Is this really worth doing? >> >> It's this or disabling that selinux via #define, which that source has >> HAVE_LIBSELINUX. >> >> But it would seem confusing IMHO to have a libselinux.so, so one would >> set HAVE_LIBSELINUX=1, >> and you're getting link errors. > > Maybe I don't understand. Obviously it builds today with > external/libselinux without requiring this change. Why do we need this now? > Richard Haines was doing further testing, and was building a different lunch target for the arm emulator and hit this issue. I have only tested x86_64 emulator. ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On 09/29/2016 02:46 PM, William Roberts wrote: > On Thu, Sep 29, 2016 at 2:44 PM, Stephen Smalleywrote: >> On 09/29/2016 02:15 PM, William Roberts wrote: >>> On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalley wrote: On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: > From: William Roberts > > Provide stubs to the public boolean API that always returns -1. > > On Android, boolean symbols are needed for: > external/ltrace/sysdeps/linux-gnu/trace.c Is this really worth doing? >>> >>> It's this or disabling that selinux via #define, which that source has >>> HAVE_LIBSELINUX. >>> >>> But it would seem confusing IMHO to have a libselinux.so, so one would >>> set HAVE_LIBSELINUX=1, >>> and you're getting link errors. >> >> Maybe I don't understand. Obviously it builds today with >> external/libselinux without requiring this change. Why do we need this now? >> > > Richard Haines was doing further testing, and was building a different > lunch target for the > arm emulator and hit this issue. I have only tested x86_64 emulator. No, I mean that this is not required in external/libselinux (the Android fork) today. So why is it needed here? The Android fork builds src/booleans.c for the target. It doesn't hurt anything to leave the code there. The underlying kernel interface via selinuxfs still exists. There just won't be any booleans in the policy. ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On 09/29/2016 02:15 PM, William Roberts wrote: > On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalleywrote: >> On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: >>> From: William Roberts >>> >>> Provide stubs to the public boolean API that always returns -1. >>> >>> On Android, boolean symbols are needed for: >>> external/ltrace/sysdeps/linux-gnu/trace.c >> >> Is this really worth doing? > > It's this or disabling that selinux via #define, which that source has > HAVE_LIBSELINUX. > > But it would seem confusing IMHO to have a libselinux.so, so one would > set HAVE_LIBSELINUX=1, > and you're getting link errors. Maybe I don't understand. Obviously it builds today with external/libselinux without requiring this change. Why do we need this now? ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On Thu, Sep 29, 2016 at 2:08 PM, Stephen Smalleywrote: > On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: >> From: William Roberts >> >> Provide stubs to the public boolean API that always returns -1. >> >> On Android, boolean symbols are needed for: >> external/ltrace/sysdeps/linux-gnu/trace.c > > Is this really worth doing? It's this or disabling that selinux via #define, which that source has HAVE_LIBSELINUX. But it would seem confusing IMHO to have a libselinux.so, so one would set HAVE_LIBSELINUX=1, and you're getting link errors. Seems to be yet-another red-hat contribution from a long time ago: commit cec06ec8282c538a40bde968ae36fe8356daffaa Author: Petr Machata Date: Tue Apr 10 13:31:55 2012 +0200 Warn when we fail to trace and SELinux boolean deny_ptrace is in effect diff --git a/ChangeLog b/ChangeLog index c095263..6107a12 100644 > >> >> Signed-off-by: William Roberts >> --- >> libselinux/Makefile | 4 +++ >> libselinux/src/booleans.c | 64 >> +++ >> 2 files changed, 58 insertions(+), 10 deletions(-) >> >> diff --git a/libselinux/Makefile b/libselinux/Makefile >> index f607115..b5f32bb 100644 >> --- a/libselinux/Makefile >> +++ b/libselinux/Makefile >> @@ -5,6 +5,7 @@ DISABLE_RPM ?= y >> ANDROID_HOST ?= n >> ifeq ($(ANDROID_HOST),y) >> override DISABLE_SETRANS=y >> + override DISABLE_BOOL=y >> endif >> ifeq ($(DISABLE_RPM),y) >> DISABLE_FLAGS+= -DDISABLE_RPM >> @@ -12,6 +13,9 @@ endif >> ifeq ($(DISABLE_SETRANS),y) >> DISABLE_FLAGS+= -DDISABLE_SETRANS >> endif >> +ifeq ($(DISABLE_BOOL),y) >> + DISABLE_FLAGS+= -DDISABLE_BOOL >> +endif >> export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST >> >> USE_PCRE2 ?= n >> diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c >> index c438af1..cbb0610 100644 >> --- a/libselinux/src/booleans.c >> +++ b/libselinux/src/booleans.c >> @@ -25,6 +25,8 @@ >> >> #define SELINUX_BOOL_DIR "/booleans/" >> >> +#ifndef DISABLE_BOOL >> + >> static int filename_select(const struct dirent *d) >> { >> if (d->d_name[0] == '.' >> @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len) >> goto out; >> } >> >> -hidden_def(security_get_boolean_names) >> - >> char *selinux_boolean_sub(const char *name) >> { >> char *sub = NULL; >> @@ -141,8 +141,6 @@ out: >> return sub; >> } >> >> -hidden_def(selinux_boolean_sub) >> - >> static int bool_open(const char *name, int flag) { >> char *fname = NULL; >> char *alt_name = NULL; >> @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name) >> return val; >> } >> >> -hidden_def(security_get_boolean_active) >> - >> int security_set_boolean(const char *name, int value) >> { >> int fd, ret; >> @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value) >> return -1; >> } >> >> -hidden_def(security_set_boolean) >> - >> int security_commit_booleans(void) >> { >> int fd, ret; >> @@ -327,8 +321,6 @@ int security_commit_booleans(void) >> return -1; >> } >> >> -hidden_def(security_commit_booleans) >> - >> static char *strtrim(char *dest, char *source, int size) >> { >> int i = 0; >> @@ -567,3 +559,55 @@ int security_load_booleans(char *path) >> errno = EINVAL; >> return errors ? -1 : 0; >> } >> + >> +#else >> +int security_set_boolean_list(size_t boolcnt __attribute__((unused)), >> + SELboolean * boollist __attribute__((unused)), >> + int permanent __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_load_booleans(char *path __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_get_boolean_names(char ***names __attribute__((unused)), >> + int *len __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_get_boolean_pending(const char *name __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_get_boolean_active(const char *name __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_set_boolean(const char *name __attribute__((unused)), >> + int value __attribute__((unused))) >> +{ >> + return -1; >> +} >> + >> +int security_commit_booleans(void) >> +{ >> + return -1; >> +} >> + >> +char *selinux_boolean_sub(const char *name __attribute__((unused))) >> +{ >> + return NULL; >> +} >> +#endif >> + >> +hidden_def(security_get_boolean_names) >> +hidden_def(selinux_boolean_sub) >> +hidden_def(security_get_boolean_active) >> +hidden_def(security_set_boolean) >> +hidden_def(security_commit_booleans) >> > > ___ > Selinux mailing list > seli...@tycho.nsa.gov > To unsubscribe, send email to selinux-le...@tycho.nsa.gov. > To get help, send an email containing "help" to
Re: [PATCH] libselinux: re-introduce DISABLE_BOOL=y
On 09/29/2016 02:02 PM, william.c.robe...@intel.com wrote: > From: William Roberts> > Provide stubs to the public boolean API that always returns -1. > > On Android, boolean symbols are needed for: > external/ltrace/sysdeps/linux-gnu/trace.c Is this really worth doing? > > Signed-off-by: William Roberts > --- > libselinux/Makefile | 4 +++ > libselinux/src/booleans.c | 64 > +++ > 2 files changed, 58 insertions(+), 10 deletions(-) > > diff --git a/libselinux/Makefile b/libselinux/Makefile > index f607115..b5f32bb 100644 > --- a/libselinux/Makefile > +++ b/libselinux/Makefile > @@ -5,6 +5,7 @@ DISABLE_RPM ?= y > ANDROID_HOST ?= n > ifeq ($(ANDROID_HOST),y) > override DISABLE_SETRANS=y > + override DISABLE_BOOL=y > endif > ifeq ($(DISABLE_RPM),y) > DISABLE_FLAGS+= -DDISABLE_RPM > @@ -12,6 +13,9 @@ endif > ifeq ($(DISABLE_SETRANS),y) > DISABLE_FLAGS+= -DDISABLE_SETRANS > endif > +ifeq ($(DISABLE_BOOL),y) > + DISABLE_FLAGS+= -DDISABLE_BOOL > +endif > export DISABLE_SETRANS DISABLE_RPM DISABLE_FLAGS ANDROID_HOST > > USE_PCRE2 ?= n > diff --git a/libselinux/src/booleans.c b/libselinux/src/booleans.c > index c438af1..cbb0610 100644 > --- a/libselinux/src/booleans.c > +++ b/libselinux/src/booleans.c > @@ -25,6 +25,8 @@ > > #define SELINUX_BOOL_DIR "/booleans/" > > +#ifndef DISABLE_BOOL > + > static int filename_select(const struct dirent *d) > { > if (d->d_name[0] == '.' > @@ -85,8 +87,6 @@ int security_get_boolean_names(char ***names, int *len) > goto out; > } > > -hidden_def(security_get_boolean_names) > - > char *selinux_boolean_sub(const char *name) > { > char *sub = NULL; > @@ -141,8 +141,6 @@ out: > return sub; > } > > -hidden_def(selinux_boolean_sub) > - > static int bool_open(const char *name, int flag) { > char *fname = NULL; > char *alt_name = NULL; > @@ -262,8 +260,6 @@ int security_get_boolean_active(const char *name) > return val; > } > > -hidden_def(security_get_boolean_active) > - > int security_set_boolean(const char *name, int value) > { > int fd, ret; > @@ -297,8 +293,6 @@ int security_set_boolean(const char *name, int value) > return -1; > } > > -hidden_def(security_set_boolean) > - > int security_commit_booleans(void) > { > int fd, ret; > @@ -327,8 +321,6 @@ int security_commit_booleans(void) > return -1; > } > > -hidden_def(security_commit_booleans) > - > static char *strtrim(char *dest, char *source, int size) > { > int i = 0; > @@ -567,3 +559,55 @@ int security_load_booleans(char *path) > errno = EINVAL; > return errors ? -1 : 0; > } > + > +#else > +int security_set_boolean_list(size_t boolcnt __attribute__((unused)), > + SELboolean * boollist __attribute__((unused)), > + int permanent __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_load_booleans(char *path __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_names(char ***names __attribute__((unused)), > + int *len __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_pending(const char *name __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_get_boolean_active(const char *name __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_set_boolean(const char *name __attribute__((unused)), > + int value __attribute__((unused))) > +{ > + return -1; > +} > + > +int security_commit_booleans(void) > +{ > + return -1; > +} > + > +char *selinux_boolean_sub(const char *name __attribute__((unused))) > +{ > + return NULL; > +} > +#endif > + > +hidden_def(security_get_boolean_names) > +hidden_def(selinux_boolean_sub) > +hidden_def(security_get_boolean_active) > +hidden_def(security_set_boolean) > +hidden_def(security_commit_booleans) > ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
[PATCH 1/3] libselinux: renamed andriod label backend source file
Signed-off-by: Janis Danisevskis--- libselinux/src/Makefile | 2 +- libselinux/src/label_android_property.c | 304 libselinux/src/label_backends_android.c | 304 3 files changed, 305 insertions(+), 305 deletions(-) delete mode 100644 libselinux/src/label_android_property.c create mode 100644 libselinux/src/label_backends_android.c diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 2c61fad..cba8383 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -85,7 +85,7 @@ ifeq ($(ANDROID_HOST),y) DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ -DBUILD_HOST SRCS= callbacks.c freecon.c label.c label_file.c \ - label_android_property.c regex.c label_support.c \ + label_backends_android.c regex.c label_support.c \ matchpathcon.c setrans_client.c sha1.c endif diff --git a/libselinux/src/label_android_property.c b/libselinux/src/label_android_property.c deleted file mode 100644 index 290b438..000 --- a/libselinux/src/label_android_property.c +++ /dev/null @@ -1,304 +0,0 @@ -/* - * Property Service contexts backend for labeling Android - * property keys - */ - -#include -#include -#include -#include -#include -#include -#include -#include "callbacks.h" -#include "label_internal.h" - -/* A property security context specification. */ -typedef struct spec { - struct selabel_lookup_rec lr; /* holds contexts for lookup result */ - char *property_key; /* property key string */ -} spec_t; - -/* Our stored configuration */ -struct saved_data { - /* -* The array of specifications is sorted for longest -* prefix match -*/ - spec_t *spec_arr; - unsigned int nspec; /* total number of specifications */ -}; - -static int cmp(const void *A, const void *B) -{ - const struct spec *sp1 = A, *sp2 = B; - - if (strncmp(sp1->property_key, "*", 1) == 0) - return 1; - if (strncmp(sp2->property_key, "*", 1) == 0) - return -1; - - size_t L1 = strlen(sp1->property_key); - size_t L2 = strlen(sp2->property_key); - - return (L1 < L2) - (L1 > L2); -} - -/* - * Warn about duplicate specifications. - */ -static int nodups_specs(struct saved_data *data, const char *path) -{ - int rc = 0; - unsigned int ii, jj; - struct spec *curr_spec, *spec_arr = data->spec_arr; - - for (ii = 0; ii < data->nspec; ii++) { - curr_spec = _arr[ii]; - for (jj = ii + 1; jj < data->nspec; jj++) { - if (!strcmp(spec_arr[jj].property_key, - curr_spec->property_key)) { - rc = -1; - errno = EINVAL; - if (strcmp(spec_arr[jj].lr.ctx_raw, - curr_spec->lr.ctx_raw)) { - selinux_log - (SELINUX_ERROR, -"%s: Multiple different specifications for %s (%s and %s).\n", -path, curr_spec->property_key, -spec_arr[jj].lr.ctx_raw, -curr_spec->lr.ctx_raw); - } else { - selinux_log - (SELINUX_ERROR, -"%s: Multiple same specifications for %s.\n", -path, curr_spec->property_key); - } - } - } - } - return rc; -} - -static int process_line(struct selabel_handle *rec, - const char *path, char *line_buf, - int pass, unsigned lineno) -{ - int items; - char *prop = NULL, *context = NULL; - struct saved_data *data = (struct saved_data *)rec->data; - spec_t *spec_arr = data->spec_arr; - unsigned int nspec = data->nspec; - const char *errbuf = NULL; - - items = read_spec_entries(line_buf, , 2, , ); - if (items < 0) { - items = errno; - selinux_log(SELINUX_ERROR, - "%s: line %u error due to: %s\n", path, - lineno, errbuf ?: strerror(errno)); - errno = items; - return -1; - } - - if (items == 0) - return items; - - if (items != 2) { - selinux_log(SELINUX_ERROR, - "%s: line %u is missing fields\n", path, - lineno); - free(prop); - errno = EINVAL; -
[PATCH 3/3] libselinux: makes android label back ends configurable
Android label back ends are not configurable by NO_ANDROID_BACKEND, which is set if on ANDROID_HOST != y. Signed-off-by: Janis Danisevskis--- libselinux/src/Makefile | 3 +++ libselinux/src/label.c | 10 -- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index cba8383..7169230 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile @@ -87,6 +87,9 @@ DISABLE_FLAGS+= -DNO_MEDIA_BACKEND -DNO_DB_BACKEND -DNO_X_BACKEND \ SRCS= callbacks.c freecon.c label.c label_file.c \ label_backends_android.c regex.c label_support.c \ matchpathcon.c setrans_client.c sha1.c +else +DISABLE_FLAGS+= -DNO_ANDROID_BACKEND +SRCS:= $(filter-out label_backends_android.c, $(SRCS)) endif SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./ $(DISABLE_FLAGS) diff --git a/libselinux/src/label.c b/libselinux/src/label.c index eb0e766..60639cf 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -35,6 +35,12 @@ #define CONFIG_DB_BACKEND(fnptr) #endif +#ifdef NO_ANDROID_BACKEND +#define CONFIG_ANDROID_BACKEND(fnptr) NULL +#else +#define CONFIG_ANDROID_BACKEND(fnptr) (&(fnptr)) +#endif + typedef int (*selabel_initfunc)(struct selabel_handle *rec, const struct selinux_opt *opts, unsigned nopts); @@ -44,8 +50,8 @@ static selabel_initfunc initfuncs[] = { CONFIG_MEDIA_BACKEND(selabel_media_init), CONFIG_X_BACKEND(selabel_x_init), CONFIG_DB_BACKEND(selabel_db_init), - _property_init, - _service_init, + CONFIG_ANDROID_BACKEND(selabel_property_init), + CONFIG_ANDROID_BACKEND(selabel_service_init), }; static void selabel_subs_fini(struct selabel_sub *ptr) -- 1.9.1 ___ Seandroid-list mailing list Seandroid-list@tycho.nsa.gov To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov. To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
Re: [PATCH 2/3] libselinux: android: fix lax service context lookup
William: Good thing you mention checkfc. I added you as a reviewer. On Thu, Sep 29, 2016 at 12:57 PM, William Robertswrote: > do you have the corresponding changes to checkfc on AOSP? > > On Thu, Sep 29, 2016 at 7:39 AM, Janis Danisevskis > wrote: > > We use the same lookup function for service contexts > > that we use for property contexts. However, property > > contexts are namespace based and only compare the > > prefix. This may lead to service associations with > > a wrong label. > > > > This patch introduces a new back end for android > > services with a stricter lookup function. Now the > > service name must match the key of the service label > > exactly. > > > > Signed-off-by: Janis Danisevskis > > --- > > libselinux/include/selinux/label.h | 2 ++ > > libselinux/src/label.c | 1 + > > libselinux/src/label_backends_android.c | 54 > +++-- > > libselinux/src/label_internal.h | 3 ++ > > libselinux/utils/selabel_digest.c | 2 ++ > > libselinux/utils/selabel_lookup.c | 2 ++ > > 6 files changed, 62 insertions(+), 2 deletions(-) > > > > diff --git a/libselinux/include/selinux/label.h > b/libselinux/include/selinux/label.h > > index f0b1e10..277287e 100644 > > --- a/libselinux/include/selinux/label.h > > +++ b/libselinux/include/selinux/label.h > > @@ -34,6 +34,8 @@ struct selabel_handle; > > #define SELABEL_CTX_DB 3 > > /* Android property service contexts */ > > #define SELABEL_CTX_ANDROID_PROP 4 > > +/* Android service contexts */ > > +#define SELABEL_CTX_ANDROID_SERVICE 5 > > > > /* > > * Available options > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c > > index 96a4ff1..eb0e766 100644 > > --- a/libselinux/src/label.c > > +++ b/libselinux/src/label.c > > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = { > > CONFIG_X_BACKEND(selabel_x_init), > > CONFIG_DB_BACKEND(selabel_db_init), > > _property_init, > > + _service_init, > > }; > > > > static void selabel_subs_fini(struct selabel_sub *ptr) > > diff --git a/libselinux/src/label_backends_android.c > b/libselinux/src/label_backends_android.c > > index 290b438..4d6ec86 100644 > > --- a/libselinux/src/label_backends_android.c > > +++ b/libselinux/src/label_backends_android.c > > @@ -244,7 +244,7 @@ static void closef(struct selabel_handle *rec) > > free(data); > > } > > > > -static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, > > +static struct selabel_lookup_rec *property_lookup(struct selabel_handle > *rec, > > const char *key, > > int __attribute__((unused)) > type) > > { > > @@ -279,6 +279,38 @@ finish: > > return ret; > > } > > > > +static struct selabel_lookup_rec *service_lookup(struct selabel_handle > *rec, > > + const char *key, int __attribute__((unused)) type) > > +{ > > + struct saved_data *data = (struct saved_data *)rec->data; > > + spec_t *spec_arr = data->spec_arr; > > + unsigned int i; > > + struct selabel_lookup_rec *ret = NULL; > > + > > + if (!data->nspec) { > > + errno = ENOENT; > > + goto finish; > > + } > > + > > + for (i = 0; i < data->nspec; i++) { > > + if (strcmp(spec_arr[i].property_key, key) == 0) > > + break; > > + if (strcmp(spec_arr[i].property_key, "*") == 0) > > + break; > > + } > > + > > + if (i >= data->nspec) { > > + /* No matching specification. */ > > + errno = ENOENT; > > + goto finish; > > + } > > + > > + ret = _arr[i].lr; > > + > > +finish: > > + return ret; > > +} > > + > > static void stats(struct selabel_handle __attribute__((unused)) *rec) > > { > > selinux_log(SELINUX_WARNING, "'stats' functionality not > implemented.\n"); > > @@ -298,7 +330,25 @@ int selabel_property_init(struct selabel_handle > *rec, > > rec->data = data; > > rec->func_close = > > rec->func_stats = > > - rec->func_lookup = > > + rec->func_lookup = _lookup; > > + > > + return init(rec, opts, nopts); > > +} > > + > > +int selabel_service_init(struct selabel_handle *rec, > > + const struct selinux_opt *opts, unsigned nopts) > > +{ > > + struct saved_data *data; > > + > > + data = (struct saved_data *)malloc(sizeof(*data)); > > + if (!data) > > + return -1; > > + memset(data, 0, sizeof(*data)); > > + > > + rec->data = data; > > + rec->func_close = > > + rec->func_stats = > > + rec->func_lookup = _lookup; > > > > return init(rec, opts, nopts); > > } > > diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_ > internal.h > > index
[PATCH 2/3] libselinux: android: fix lax service context lookup
We use the same lookup function for service contexts that we use for property contexts. However, property contexts are namespace based and only compare the prefix. This may lead to service associations with a wrong label. This patch introduces a new back end for android services with a stricter lookup function. Now the service name must match the key of the service label exactly. Signed-off-by: Janis Danisevskis--- libselinux/include/selinux/label.h | 2 ++ libselinux/src/label.c | 1 + libselinux/src/label_backends_android.c | 54 +++-- libselinux/src/label_internal.h | 3 ++ libselinux/utils/selabel_digest.c | 2 ++ libselinux/utils/selabel_lookup.c | 2 ++ 6 files changed, 62 insertions(+), 2 deletions(-) diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h index f0b1e10..277287e 100644 --- a/libselinux/include/selinux/label.h +++ b/libselinux/include/selinux/label.h @@ -34,6 +34,8 @@ struct selabel_handle; #define SELABEL_CTX_DB 3 /* Android property service contexts */ #define SELABEL_CTX_ANDROID_PROP 4 +/* Android service contexts */ +#define SELABEL_CTX_ANDROID_SERVICE 5 /* * Available options diff --git a/libselinux/src/label.c b/libselinux/src/label.c index 96a4ff1..eb0e766 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = { CONFIG_X_BACKEND(selabel_x_init), CONFIG_DB_BACKEND(selabel_db_init), _property_init, + _service_init, }; static void selabel_subs_fini(struct selabel_sub *ptr) diff --git a/libselinux/src/label_backends_android.c b/libselinux/src/label_backends_android.c index 290b438..4d6ec86 100644 --- a/libselinux/src/label_backends_android.c +++ b/libselinux/src/label_backends_android.c @@ -244,7 +244,7 @@ static void closef(struct selabel_handle *rec) free(data); } -static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, +static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec, const char *key, int __attribute__((unused)) type) { @@ -279,6 +279,38 @@ finish: return ret; } +static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec, + const char *key, int __attribute__((unused)) type) +{ + struct saved_data *data = (struct saved_data *)rec->data; + spec_t *spec_arr = data->spec_arr; + unsigned int i; + struct selabel_lookup_rec *ret = NULL; + + if (!data->nspec) { + errno = ENOENT; + goto finish; + } + + for (i = 0; i < data->nspec; i++) { + if (strcmp(spec_arr[i].property_key, key) == 0) + break; + if (strcmp(spec_arr[i].property_key, "*") == 0) + break; + } + + if (i >= data->nspec) { + /* No matching specification. */ + errno = ENOENT; + goto finish; + } + + ret = _arr[i].lr; + +finish: + return ret; +} + static void stats(struct selabel_handle __attribute__((unused)) *rec) { selinux_log(SELINUX_WARNING, "'stats' functionality not implemented.\n"); @@ -298,7 +330,25 @@ int selabel_property_init(struct selabel_handle *rec, rec->data = data; rec->func_close = rec->func_stats = - rec->func_lookup = + rec->func_lookup = _lookup; + + return init(rec, opts, nopts); +} + +int selabel_service_init(struct selabel_handle *rec, + const struct selinux_opt *opts, unsigned nopts) +{ + struct saved_data *data; + + data = (struct saved_data *)malloc(sizeof(*data)); + if (!data) + return -1; + memset(data, 0, sizeof(*data)); + + rec->data = data; + rec->func_close = + rec->func_stats = + rec->func_lookup = _lookup; return init(rec, opts, nopts); } diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h index 7c55531..6a9481a 100644 --- a/libselinux/src/label_internal.h +++ b/libselinux/src/label_internal.h @@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec, int selabel_property_init(struct selabel_handle *rec, const struct selinux_opt *opts, unsigned nopts) hidden; +int selabel_service_init(struct selabel_handle *rec, + const struct selinux_opt *opts, + unsigned nopts) hidden; /* * Labeling internal structures diff --git a/libselinux/utils/selabel_digest.c b/libselinux/utils/selabel_digest.c index 38162a5..e4d84a5 100644 --- a/libselinux/utils/selabel_digest.c +++ b/libselinux/utils/selabel_digest.c @@ -92,6 +92,8 @@ int main(int argc, char **argv)
Re: [PATCH 2/3] libselinux: android: fix lax service context lookup
do you have the corresponding changes to checkfc on AOSP? On Thu, Sep 29, 2016 at 7:39 AM, Janis Danisevskiswrote: > We use the same lookup function for service contexts > that we use for property contexts. However, property > contexts are namespace based and only compare the > prefix. This may lead to service associations with > a wrong label. > > This patch introduces a new back end for android > services with a stricter lookup function. Now the > service name must match the key of the service label > exactly. > > Signed-off-by: Janis Danisevskis > --- > libselinux/include/selinux/label.h | 2 ++ > libselinux/src/label.c | 1 + > libselinux/src/label_backends_android.c | 54 > +++-- > libselinux/src/label_internal.h | 3 ++ > libselinux/utils/selabel_digest.c | 2 ++ > libselinux/utils/selabel_lookup.c | 2 ++ > 6 files changed, 62 insertions(+), 2 deletions(-) > > diff --git a/libselinux/include/selinux/label.h > b/libselinux/include/selinux/label.h > index f0b1e10..277287e 100644 > --- a/libselinux/include/selinux/label.h > +++ b/libselinux/include/selinux/label.h > @@ -34,6 +34,8 @@ struct selabel_handle; > #define SELABEL_CTX_DB 3 > /* Android property service contexts */ > #define SELABEL_CTX_ANDROID_PROP 4 > +/* Android service contexts */ > +#define SELABEL_CTX_ANDROID_SERVICE 5 > > /* > * Available options > diff --git a/libselinux/src/label.c b/libselinux/src/label.c > index 96a4ff1..eb0e766 100644 > --- a/libselinux/src/label.c > +++ b/libselinux/src/label.c > @@ -45,6 +45,7 @@ static selabel_initfunc initfuncs[] = { > CONFIG_X_BACKEND(selabel_x_init), > CONFIG_DB_BACKEND(selabel_db_init), > _property_init, > + _service_init, > }; > > static void selabel_subs_fini(struct selabel_sub *ptr) > diff --git a/libselinux/src/label_backends_android.c > b/libselinux/src/label_backends_android.c > index 290b438..4d6ec86 100644 > --- a/libselinux/src/label_backends_android.c > +++ b/libselinux/src/label_backends_android.c > @@ -244,7 +244,7 @@ static void closef(struct selabel_handle *rec) > free(data); > } > > -static struct selabel_lookup_rec *lookup(struct selabel_handle *rec, > +static struct selabel_lookup_rec *property_lookup(struct selabel_handle *rec, > const char *key, > int __attribute__((unused)) type) > { > @@ -279,6 +279,38 @@ finish: > return ret; > } > > +static struct selabel_lookup_rec *service_lookup(struct selabel_handle *rec, > + const char *key, int __attribute__((unused)) type) > +{ > + struct saved_data *data = (struct saved_data *)rec->data; > + spec_t *spec_arr = data->spec_arr; > + unsigned int i; > + struct selabel_lookup_rec *ret = NULL; > + > + if (!data->nspec) { > + errno = ENOENT; > + goto finish; > + } > + > + for (i = 0; i < data->nspec; i++) { > + if (strcmp(spec_arr[i].property_key, key) == 0) > + break; > + if (strcmp(spec_arr[i].property_key, "*") == 0) > + break; > + } > + > + if (i >= data->nspec) { > + /* No matching specification. */ > + errno = ENOENT; > + goto finish; > + } > + > + ret = _arr[i].lr; > + > +finish: > + return ret; > +} > + > static void stats(struct selabel_handle __attribute__((unused)) *rec) > { > selinux_log(SELINUX_WARNING, "'stats' functionality not > implemented.\n"); > @@ -298,7 +330,25 @@ int selabel_property_init(struct selabel_handle *rec, > rec->data = data; > rec->func_close = > rec->func_stats = > - rec->func_lookup = > + rec->func_lookup = _lookup; > + > + return init(rec, opts, nopts); > +} > + > +int selabel_service_init(struct selabel_handle *rec, > + const struct selinux_opt *opts, unsigned nopts) > +{ > + struct saved_data *data; > + > + data = (struct saved_data *)malloc(sizeof(*data)); > + if (!data) > + return -1; > + memset(data, 0, sizeof(*data)); > + > + rec->data = data; > + rec->func_close = > + rec->func_stats = > + rec->func_lookup = _lookup; > > return init(rec, opts, nopts); > } > diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h > index 7c55531..6a9481a 100644 > --- a/libselinux/src/label_internal.h > +++ b/libselinux/src/label_internal.h > @@ -39,6 +39,9 @@ int selabel_db_init(struct selabel_handle *rec, > int selabel_property_init(struct selabel_handle *rec, > const struct selinux_opt *opts, > unsigned nopts) hidden; > +int selabel_service_init(struct selabel_handle *rec, > +