Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
On 10/01/2026 03:12, Pádraig Brady wrote: On 10/01/2026 01:53, Bruno Haible via Gnulib discussion list wrote: Hi Michael, This patch has two problems: 1) It very much looks like it has not been tested. If you submit a patch, by default, we assume that we can trust it because you have tested it. You can, alternatively, submit an untested patch, but then _say_so_, that it is untested. The && and in the wrong place yes, but the patch is reviewable. 2) The patch confuses two functionalities: - (a) whether to interface with libselinux, - (b) whether to build the chcon, runcon programs. By the GNU Coding Standards [1], (a) should be triggered by a --with-* configure option; whereas (b) should be triggered by a --enable-* configure option. So, instead of changing the meaning of the --with-selinux / --without-selinux options, what we would need is a patch that enables the build of the chcon, runcon programs conditionally based on some --enable-* option. Bruno [1] https://www.gnu.org/prep/standards/html_node/Configuration.html runcon and chcon do link with libselinux on my Fedora system, but yes the stubs don't need libselinux. The idea with the coreutils 9.9 change¹ was to not bother building stub chcon and runcon on systems without libselinux, though you could override that default and force building those utils with the --with-selinux option. I didn't think adding another config variable was warranted for this. Also buildilng of those utils can be controlled directly with the ./configure --enable-install-program=runcon,chcon (and vice versa with --enable-no-install-program=PROG_LIST). We just thought this was better default behavior, but we can revert that change if it's problematic. But yes in testing now without libselinux and --with-selinux the stubs are not built because without Michael's change with_selinux is forced to no, which impacts the coreutils configure logic. I'll think a bit more about all this tomorrow. BTW that `test -d /selinux` should be updated to also check for the "/sys/fs/selinux" dir. cheers, Padraig ¹ https://github.com/coreutils/coreutils/commit/8ba47d09a I've changed this instead to the following 2 patches. The first fixes this issue by only overriding the with_selinux variable in the default case where neither --with-selinux or --without-selinux is provided. This better aligns with what the user requested, and also seems more consistent since there are no other instances of this in gnulib as indicated by git grep -E 'with_[a-z]*=(yes|no) m4 I tested this in coretuils with and without libselinux, with and without selinux.h, and with various ./configure option combinations. The second patch uses the more modern /sys/fs/selinux path so that we now warn if users are building without selinux devel libs on a system that is in fact running selinux. cheers, PadraigFrom 2d8f0bb05cce3c76e81e35b31c0ef3f52171b8aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= Date: Sat, 10 Jan 2026 19:12:41 + Subject: [PATCH 1/2] selinux-h: only override default --with-selinux user setting * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): Only override the default with_selinux user setting, leaving explicit --with-selinux untouched. E.g., coreutils uses --with-selinux to force build the runcon and chcon stubs on systems without libselinux. --- ChangeLog | 8 m4/selinux-selinux-h.m4 | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3a70f44748..e0e475 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2026-01-10 Pádraig Brady + + selinux-h: only override default --with-selinux user setting + * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): Only override the default + with_selinux user setting, leaving explicit --with-selinux untouched. + E.g., coreutils uses --with-selinux to force build the runcon + and chcon stubs on systems without libselinux. + 2026-01-09 Bruno Haible announce-gen: Fix instructions for verifying the SHA3-256 checksums. diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4 index 5b93446162..89c3c1582b 100644 --- a/m4/selinux-selinux-h.m4 +++ b/m4/selinux-selinux-h.m4 @@ -92,6 +92,8 @@ AC_DEFUN([gl_LIBSELINUX], AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.]) fi -with_selinux=no +if test "$with_selinux" = maybe; then + with_selinux=no +fi fi ]) -- 2.52.0 From 3dfe3ab6c1f07982d8649fbc21078ddd7f010547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= Date: Sat, 10 Jan 2026 19:17:54 + Subject: [PATCH 2/2] selinux-h: warning about missing libselinux on modern systems * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): /sys/fs/selinux is generally used since Linux kernel 2.6, so test that also. --- ChangeLog | 6 ++ m4/selinux-seli
Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
Michael Daniels wrote: > > 1) It very much looks like it has not been tested. > > Dammit. I did test a very similar patch (differing only in the placement of > &&), > then changed the placement of the && to conform to the GNU coding standards. > And I didn't test because surely that tiny change can't matter. Yeah, I can relate to that experience :) I've made the same mistake (tweaking after testing) many times too. It isn't obvious that one needs backslashes on the line before '&&'. The better habit is "tweak then test", rather "test then tweak". But yes, often it turns into "tweak then test then tweak then test again"... Bruno
Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
Hi Bruno, Thanks for responding! > 1) It very much looks like it has not been tested. Dammit. I did test a very similar patch (differing only in the placement of &&), then changed the placement of the && to conform to the GNU coding standards. And I didn't test because surely that tiny change can't matter. Someday, I'll learn my lesson... Apologies. > 2) The patch confuses two functionalities: > - (a) whether to interface with libselinux, > - (b) whether to build the chcon, runcon programs. >By the GNU Coding Standards, (a) should be triggered by a --with-* >configure option; whereas (b) should be triggered by a --enable-* >configure option. > >So, instead of changing the meaning of the --with-selinux / >--without-selinux options, what we would need is a patch that >enables the build of the chcon, runcon programs conditionally based >on some --enable-* option. That makes sense, thanks for the explanation. (For what it's worth, I was going off of coreutils commit 8ba47d09a33f0740e071a8394f3504e0fb57948e and the corresponding entry in the version 9.9 release announcement, which both documented its intent to use --with-selinux for both purposes.) Unfortunately, I doubt I'll be able to provide that patch for coreutils in the next week or so. (I had thought that the patch I provided was nearly at the limit of my automake capabilities at the moment, but clearly it in fact exceeded them :) ) So if this email could please be considered a bug report in coreutils, that would be much appreciated. Thanks again, Michael
Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
On 10/01/2026 01:53, Bruno Haible via Gnulib discussion list wrote: Hi Michael, This patch has two problems: 1) It very much looks like it has not been tested. If you submit a patch, by default, we assume that we can trust it because you have tested it. You can, alternatively, submit an untested patch, but then _say_so_, that it is untested. The && and in the wrong place yes, but the patch is reviewable. 2) The patch confuses two functionalities: - (a) whether to interface with libselinux, - (b) whether to build the chcon, runcon programs. By the GNU Coding Standards [1], (a) should be triggered by a --with-* configure option; whereas (b) should be triggered by a --enable-* configure option. So, instead of changing the meaning of the --with-selinux / --without-selinux options, what we would need is a patch that enables the build of the chcon, runcon programs conditionally based on some --enable-* option. Bruno [1] https://www.gnu.org/prep/standards/html_node/Configuration.html runcon and chcon do link with libselinux on my Fedora system, but yes the stubs don't need libselinux. The idea with the coreutils 9.9 change¹ was to not bother building stub chcon and runcon on systems without libselinux, though you could override that default and force building those utils with the --with-selinux option. I didn't think adding another config variable was warranted for this. Also buildilng of those utils can be controlled directly with the ./configure --enable-install-program=runcon,chcon (and vice versa with --enable-no-install-program=PROG_LIST). We just thought this was better default behavior, but we can revert that change if it's problematic. But yes in testing now without libselinux and --with-selinux the stubs are not built because without Michael's change with_selinux is forced to no, which impacts the coreutils configure logic. I'll think a bit more about all this tomorrow. BTW that `test -d /selinux` should be updated to also check for the "/sys/fs/selinux" dir. cheers, Padraig ¹ https://github.com/coreutils/coreutils/commit/8ba47d09a
Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
Hi Michael, This patch has two problems: 1) It very much looks like it has not been tested. If you submit a patch, by default, we assume that we can trust it because you have tested it. You can, alternatively, submit an untested patch, but then _say_so_, that it is untested. 2) The patch confuses two functionalities: - (a) whether to interface with libselinux, - (b) whether to build the chcon, runcon programs. By the GNU Coding Standards [1], (a) should be triggered by a --with-* configure option; whereas (b) should be triggered by a --enable-* configure option. So, instead of changing the meaning of the --with-selinux / --without-selinux options, what we would need is a patch that enables the build of the chcon, runcon programs conditionally based on some --enable-* option. Bruno [1] https://www.gnu.org/prep/standards/html_node/Configuration.html
Re: [PATCH] selinux-h: only disable SELinux when a warning is provided
Oops, meant to send to bug-gnulib (CCd). Apologies. On Fri, Jan 9, 2026 at 6:43 PM Michael Daniels wrote: > > * m4/selinux-selinux-h.m4: only continue without SELinux in the > situation in which the warning is provided > (i.e. the current system supports SELinux but libselinux is missing). > > Previously, SELinux was disabled whenever libselinux was missing, which, > for coreutils >= 9.9, is incorrect (as chcon/runcon should be built > whenever --with-selinux is provided to the configure script, > and neither of those actually need libselinux). > --- > m4/selinux-selinux-h.m4 | 12 ++-- > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4 > index 5b93446162..90efb3 100644 > --- a/m4/selinux-selinux-h.m4 > +++ b/m4/selinux-selinux-h.m4 > @@ -86,12 +86,12 @@ AC_DEFUN([gl_LIBSELINUX], >fi >AC_SUBST([LIB_SELINUX]) > > - # Warn if SELinux is found but libselinux is absent; > - if test "$ac_cv_search_setfilecon" = no; then > -if test "$host" = "$build" && test -d /selinux; then > - AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) > - AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux > support.]) > -fi > + # Disable SELinux support if SELinux is found but libselinux is absent > + if test "$ac_cv_search_setfilecon" = no > + && test "$host" = "$build" > + && test -d /selinux; then > +AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) > +AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.]) > with_selinux=no >fi > ]) > -- > 2.51.2 >
