Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
FYI The implementation at www.ghostscript.com/doc/jbig2dec/sha1.c and CryptLib are both from the same original author Steve Reid.

I've now tested and timed both implementations along with the Android version + openssl. openssl and Steve's implementations are about twice as fast as the Android version. I'll submit a patch based on the sha1 files extracted from CryptLib as that is the latest one to be updated.

___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
Stephen Smalley wrote:
> On 10/20/2015 09:42 AM, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>>
>> LGPL explicitly allows non-GPL programs to link against an LGPL licensed library without tainting the non-GPL program, which is the whole point of the LGPL. Is there some other issue with static linking or something?
>
> Yes, that's the concern.

So, not static linking but a fully static binary that would pull gnutls into the binary?

What static binaries exist like that? It is not a great idea to carry around system level libraries statically.
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Oct 20, 2015 7:46 AM, "Stephen Smalley" wrote:
> On 10/20/2015 08:27 AM, Richard Haines wrote:
>> On Monday, 19 October 2015, 19:10, Stephen Smalley wrote:
>>> On 10/18/2015 11:00 AM, Richard Haines wrote:
>>>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>>>
>>>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>>>
>>>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>>>
>>>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>>>
>>>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>>>
>>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>>
>> Would building with the Android mincrypt SHA functions help regarding the licensing issues ??? I've attached a quick patch that seems to work okay using Android system/core/libmincrypt/sha.c
>
> That looks BSD-licensed and thus broadly compatible. We would need to amend libselinux/LICENSE to add that license information and we would need to hide those functions from being exposed outside of the library. Other alternative would be to look for a public domain SHA implementation and use that.

Will CryptLib work: http://unlicense.org/
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Monday, 19 October 2015, 19:10, Stephen Smalley wrote:
> On 10/18/2015 11:00 AM, Richard Haines wrote:
>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>
>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>
>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>
>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>
>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>
> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.

Would building with the Android mincrypt SHA functions help regarding the licensing issues ??? I've attached a quick patch that seems to work okay using Android system/core/libmincrypt/sha.c

> [1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> [2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> [3] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F)

From 624cb4ec0b73c3b34ed0a8f26f9c7c122c44250c Mon Sep 17 00:00:00 2001
From: Richard Haines
Date: Tue, 20 Oct 2015 13:13:47 +0100
Subject: [PATCH] libselinux: Use Android mincrypt for selabel_digest(3)

Replace the use of openssl with the Android mincrypt SHA functions. However leave util/selabel_digest still comparing the result with the openssl command "openssl dgst -sha1 -hex .."

This should resolve any library licensing issues (hopefully).

Signed-off-by: Richard Haines
---
 libselinux/src/Makefile | 2 +-
 libselinux/src/label_internal.h | 4 +-
 libselinux/src/label_support.c | 2 +-
 libselinux/src/mincrypt_hash-internal.h | 63 +
 libselinux/src/mincrypt_sha.c | 155
 libselinux/src/mincrypt_sha.h | 52 +++
 libselinux/utils/Makefile | 2 +-
 7 files changed, 275 insertions(+), 5 deletions(-)
 create mode 100644 libselinux/src/mincrypt_hash-internal.h
 create mode 100644 libselinux/src/mincrypt_sha.c
 create mode 100644 libselinux/src/mincrypt_sha.h

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile index 8e2223e..feab561 100644 --- a/libselinux/src/Makefile +++ b/libselinux/src/Makefile 
@@ -112,7 +112,7 @@ $(LIBA): $(OBJS) $(RANLIB) $@ $(LIBSO): $(LOBJS) - $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl -lcrypto $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro + $(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro ln -sf $@ $(TARGET) $(LIBPC): $(LIBPC).in ../VERSION diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h index 2aa7a7b..51d1afb 100644 --- a/libselinux/src/label_internal.h +++ b/libselinux/src/label_internal.h @@ -11,7 +11,7 @@ #include #include #include -#include +#include "mincrypt_sha.h" #include #include #include "dso.h" @@ -51,7 +51,7 @@ struct selabel_sub { * calculate the hash the hashbuf will hold a concatenation of all the files * used. This is released once the value has been calculated. */ -#define DIGEST_SPECFILE_SIZE SHA_DIGEST_LENGTH +#define DIGEST_SPECFILE_SIZE SHA_DIGEST_SIZE #define DIGEST_FILES_MAX 8 struct
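Review bot: in the $(LIBSO) rule of libselinux/src/Makefile, -lcrypto is dropped, but the commit message says util/selabel_digest still compares its result against "openssl dgst -sha1 -hex .." and the diffstat changes libselinux/utils/Makefile without that hunk being shown, so it is unclear whether openssl-devel is still needed at build time. Please state in the commit message whether the utility now only calls the openssl command at run time or still links libcrypto. Keeping -z,defs on the link line is useful here: any openssl symbol still referenced from the library objects will fail the link.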
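Review bot: in libselinux/src/label_internal.h, DIGEST_SPECFILE_SIZE now takes its value from SHA_DIGEST_SIZE in the bundled "mincrypt_sha.h" instead of SHA_DIGEST_LENGTH, so the digest length seen by selabel_digest(3) callers depends on a private header; a compile-time check that it is still 20 bytes would catch a mismatch if the bundled implementation is swapped again. Because this internal header now pulls in the bundled SHA declarations, the new functions also need hidden visibility so they do not end up among the shared library's exported symbols, and the diffstat shows no change to libselinux/LICENSE for the imported code.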
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Tuesday, 20 October 2015, 15:00, William Roberts wrote:
> On Oct 20, 2015 7:46 AM, "Stephen Smalley" wrote:
>> On 10/20/2015 08:27 AM, Richard Haines wrote:
>>> On Monday, 19 October 2015, 19:10, Stephen Smalley wrote:
>>>> On 10/18/2015 11:00 AM, Richard Haines wrote:
>>>>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>>>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>>>>
>>>>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>>>>
>>>>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>>>>
>>>>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>>>>
>>>>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>>>>
>>>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>>>
>>> Would building with the Android mincrypt SHA functions help regarding the licensing issues ??? I've attached a quick patch that seems to work okay using Android system/core/libmincrypt/sha.c
>>
>> That looks BSD-licensed and thus broadly compatible. We would need to amend libselinux/LICENSE to add that license information and we would need to hide those functions from being exposed outside of the library. Other alternative would be to look for a public domain SHA implementation and use that.

I've found a simple implementation at www.ghostscript.com/doc/jbig2dec/sha1.c

I'll try that first and if fails CryptLib will be next.

> Will CryptLib work:
> http://unlicense.org/
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Tue, Oct 20, 2015 at 09:56:57AM -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On 10/20/2015 09:42 AM, Joshua Brindle wrote:
>>> Stephen Smalley wrote:
>>>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>>>
>>> LGPL explicitly allows non-GPL programs to link against an LGPL licensed library without tainting the non-GPL program, which is the whole point of the LGPL. Is there some other issue with static linking or something?
>>
>> Yes, that's the concern.
>
> So, not static linking but a fully static binary that would pull gnutls into the binary?
>
> What static binaries exist like that? It is not a great idea to carry around system level libraries statically.

From a quick look through Gentoo, we have a USE-flag to build busybox and LVM and a few other core tools statically which requires libselinux.a too.

--
Jason
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
FYI you can take just 1 C and H file from crypt lib. You don't need it all.

On Oct 20, 2015 8:42 AM, "Richard Haines" wrote:
> On Tuesday, 20 October 2015, 15:00, William Roberts <bill.c.robe...@gmail.com> wrote:
>> On Oct 20, 2015 7:46 AM, "Stephen Smalley" wrote:
>>> On 10/20/2015 08:27 AM, Richard Haines wrote:
>>>> On Monday, 19 October 2015, 19:10, Stephen Smalley wrote:
>>>>> On 10/18/2015 11:00 AM, Richard Haines wrote:
>>>>>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>>>>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>>>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>>>>>
>>>>>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>>>>>
>>>>>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>>>>>
>>>>>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>>>>>
>>>>>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>>>>>
>>>>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>>>>
>>>> Would building with the Android mincrypt SHA functions help regarding the licensing issues ??? I've attached a quick patch that seems to work okay using Android system/core/libmincrypt/sha.c
>>>
>>> That looks BSD-licensed and thus broadly compatible. We would need to amend libselinux/LICENSE to add that license information and we would need to hide those functions from being exposed outside of the library. Other alternative would be to look for a public domain SHA implementation and use that.
>
> I've found a simple implementation at www.ghostscript.com/doc/jbig2dec/sha1.c
>
> I'll try that first and if fails CryptLib will be next.
>
>> Will CryptLib work:
>> http://unlicense.org/
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On 10/20/2015 09:42 AM, Joshua Brindle wrote:
> Stephen Smalley wrote:
>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>
> LGPL explicitly allows non-GPL programs to link against an LGPL licensed library without tainting the non-GPL program, which is the whole point of the LGPL. Is there some other issue with static linking or something?

Yes, that's the concern.
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
Stephen Smalley wrote:
> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.

LGPL explicitly allows non-GPL programs to link against an LGPL licensed library without tainting the non-GPL program, which is the whole point of the LGPL. Is there some other issue with static linking or something?

> [1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> [2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> [3] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F)
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On 10/20/2015 08:27 AM, Richard Haines wrote:
> On Monday, 19 October 2015, 19:10, Stephen Smalley wrote:
>> On 10/18/2015 11:00 AM, Richard Haines wrote:
>>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>>
>>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>>
>>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>>
>>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>>
>>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>>
>> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>
> Would building with the Android mincrypt SHA functions help regarding the licensing issues ??? I've attached a quick patch that seems to work okay using Android system/core/libmincrypt/sha.c

That looks BSD-licensed and thus broadly compatible. We would need to amend libselinux/LICENSE to add that license information and we would need to hide those functions from being exposed outside of the library. Other alternative would be to look for a public domain SHA implementation and use that.
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On 10/19/2015 02:09 PM, Stephen Smalley wrote:
> On 10/18/2015 11:00 AM, Richard Haines wrote:
>> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
>>> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>>>
>>>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>>>
>>> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.
>>
>> I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.
>>
>> I guess what is supported (openssl or gnutls) would be down to the maintainers.
>
> Wondering if dependency on openssl might be a license issue for Debian or others. Apparently openssl license is considered GPL-incompatible [1] [2], and obviously libselinux is linked by a variety of GPL-licensed programs. Fedora seems to view this as falling under the system library exception [3] but not clear that other distributions would view it that way. On the other hand, using gnutls would be subject to the reverse problem; it would make libselinux depend on a LGPL library, and that could create issues for non-GPL programs that statically link libselinux. We might need to revert this change and revisit how to solve this in a manner that avoids such issues.
>
> [1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> [2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> [3] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F)

Also, aside from license issues, we likely ought to dlopen libcrypto.so so that we don't bring this dependency to all users of libselinux but only those that actually use the digest functionality.
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
I added openssl to libselinux to support the new selabel_digest(3) function.

I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.

On Saturday, 17 October 2015, 11:55, Dominick Grift wrote:
> if so, would gnutls be affected in some way?
>
> --
> 02DFF788
> 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
> Dominick Grift
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
> I added openssl to libselinux to support the new selabel_digest(3) function.
>
> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.

Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.

> On Saturday, 17 October 2015, 11:55, Dominick Grift wrote:
>> if so, would gnutls be affected in some way?
>>
>> --
>> 02DFF788
>> 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
>> https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
>> Dominick Grift

--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
Dominick Grift
Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:
> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>> I added openssl to libselinux to support the new selabel_digest(3) function.
>>
>> I'm not aware of any issues between openssl and gnutls, however as selabel_digest was only added last week I guess not much testing. Well apart from myself as I'm currently adding the selinux_restorecon feature that makes use of it.
>
> Thanks for clarifying, I am not hitting any issues with it just wondering if instead of openssl, gnutls could be used for this and if so, if this should be somehow supported or not.

I tried using gnutls after I read your initial email, however I could not find a way to generate the same digest as openssl (I changed the SHA1 function to gnutls_hmac_fast(3) with various algorithms and used the selabel_digest util to compare digests). It could be that I should use some other function but I could not find any useful info on this (including web searches). If anyone knows how to resolve this please let me know.

I guess what is supported (openssl or gnutls) would be down to the maintainers.

>> On Saturday, 17 October 2015, 11:55, Dominick Grift wrote:
>>> if so, would gnutls be affected in some way?
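A digest mismatch like the one reported in the message above is expected whenever a keyed MAC is compared with a plain hash: gnutls_hmac_fast(3) computes an HMAC, which does not equal the unkeyed SHA-1 that "openssl dgst -sha1" prints for the same bytes, whereas gnutls_hash_fast(3) is the GnuTLS call for a plain digest. The C program below is an added example, not code from the thread or from libselinux; it carries its own small SHA-1 and HMAC routines (the names sha1_hex and hmac_sha1_hex are local to the example) and runs them over a constructed spec-file line.

```c
/* Added illustration; sha1_hex() and hmac_sha1_hex() are names local to this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN   20
#define SHA1_BLOCK 64
static uint32_t rol(uint32_t v, int n) { return (v << n) | (v >> (32 - n)); }

/* Fold one 64-byte block into the running state h[0..4] (FIPS 180-4). */
static void sha1_block(uint32_t h[5], const uint8_t *p)
{
    uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)p[4 * i] << 24 | (uint32_t)p[4 * i + 1] << 16 |
               (uint32_t)p[4 * i + 2] << 8 | (uint32_t)p[4 * i + 3];
    for (int i = 16; i < 80; i++)
        w[i] = rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);
    for (int i = 0; i < 80; i++) {
        uint32_t f, k, t;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999u; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1u; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDCu; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6u; }
        t = rol(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rol(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* SHA-1 of the concatenation x || y; y may be NULL when ylen is 0. */
static void sha1_cat(const uint8_t *x, size_t xlen, const uint8_t *y, size_t ylen,
                     uint8_t out[SHA1_LEN])
{
    uint32_t h[5] = { 0x67452301u, 0xEFCDAB89u, 0x98BADCFEu, 0x10325476u, 0xC3D2E1F0u };
    uint64_t bits = (uint64_t)(xlen + ylen) * 8;
    uint8_t buf[SHA1_BLOCK]; size_t fill = 0;
    for (size_t i = 0; i < xlen + ylen; i++) {
        buf[fill++] = i < xlen ? x[i] : y[i - xlen];
        if (fill == SHA1_BLOCK) { sha1_block(h, buf); fill = 0; }
    }
    buf[fill++] = 0x80;                 /* padding starts with a single 1 bit */
    if (fill > 56) {                    /* no room left for the 64-bit length */
        memset(buf + fill, 0, SHA1_BLOCK - fill);
        sha1_block(h, buf); fill = 0;
    }
    memset(buf + fill, 0, 56 - fill);
    for (int i = 0; i < 8; i++)
        buf[56 + i] = (uint8_t)(bits >> (56 - 8 * i));
    sha1_block(h, buf);
    for (int i = 0; i < SHA1_LEN; i++)  /* big-endian output */
        out[i] = (uint8_t)(h[i / 4] >> (24 - 8 * (i % 4)));
}

/* HMAC-SHA1 (RFC 2104): H((K ^ opad) || H((K ^ ipad) || msg)). */
static void hmac_sha1(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen,
                      uint8_t out[SHA1_LEN])
{
    uint8_t k[SHA1_BLOCK] = { 0 }, ipad[SHA1_BLOCK], opad[SHA1_BLOCK], inner[SHA1_LEN];
    if (klen > SHA1_BLOCK) sha1_cat(key, klen, NULL, 0, k);  /* over-long keys are hashed */
    else memcpy(k, key, klen);
    for (int i = 0; i < SHA1_BLOCK; i++) {
        ipad[i] = (uint8_t)(k[i] ^ 0x36); opad[i] = (uint8_t)(k[i] ^ 0x5c);
    }
    sha1_cat(ipad, SHA1_BLOCK, msg, mlen, inner);
    sha1_cat(opad, SHA1_BLOCK, inner, SHA1_LEN, out);
}

/* Lowercase hex, the format "openssl dgst -sha1 -hex" prints. */
static const char *hex_of(const uint8_t d[SHA1_LEN], char *hex)
{
    for (int i = 0; i < SHA1_LEN; i++)
        snprintf(hex + 2 * i, 3, "%02x", d[i]);
    return hex;
}

/* Plain digest; returns a static buffer (demo only, not thread-safe). */
const char *sha1_hex(const char *msg)
{
    static char hex[2 * SHA1_LEN + 1]; uint8_t d[SHA1_LEN];
    sha1_cat((const uint8_t *)msg, strlen(msg), NULL, 0, d);
    return hex_of(d, hex);
}

/* Keyed digest over the same bytes; uses its own static buffer. */
const char *hmac_sha1_hex(const char *key, const char *msg)
{
    static char hex[2 * SHA1_LEN + 1]; uint8_t d[SHA1_LEN];
    hmac_sha1((const uint8_t *)key, strlen(key), (const uint8_t *)msg, strlen(msg), d);
    return hex_of(d, hex);
}

int main(void)
{
    /* Constructed sample input: one file_contexts-style line, not real policy. */
    const char *spec = "/etc(/.*)?\tsystem_u:object_r:etc_t:s0\n";
    printf("SHA-1     %s\nHMAC-SHA1 %s (empty key)\n", sha1_hex(spec), hmac_sha1_hex("", spec));
    return strcmp(sha1_hex(spec), hmac_sha1_hex("", spec)) == 0;  /* exit 0: they differ */
}
```

Even with an empty key the HMAC differs from the plain hash, so trying other algorithms through an HMAC call cannot reproduce the openssl digest.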