Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-21 Thread Richard Haines
FYI 

The implementation at www.ghostscript.com/doc/jbig2dec/sha1.c
and CryptLib are both from the same original author
Steve Reid 

I've now tested and timed both implementations along with the
Android version + openssl.

openssl and Steve's implementations are about twice as fast
as the Android version.

I'll submit a patch based on the sha1 files extracted from CryptLib
as that is the latest one to be updated.
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.


Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Joshua Brindle

Stephen Smalley wrote:

On 10/20/2015 09:42 AM, Joshua Brindle wrote:

Stephen Smalley wrote:



Wondering if dependency on openssl might be a license issue for Debian
or others. Apparently openssl license is considered GPL-incompatible [1]
[2], and obviously libselinux is linked by a variety of GPL-licensed
programs. Fedora seems to view this as falling under the system library
exception [3] but not clear that other distributions would view it that
way. On the other hand, using gnutls would be subject to the reverse
problem; it would make libselinux depend on a LGPL library, and that
could create issues for non-GPL programs that statically link
libselinux. We might need to revert this change and revisit how to solve
this in a manner that avoids such issues.


LGPL explicitly allows non-GPL programs to link against an LGPL licensed
library without tainting the non-GPL program, which is the whole point
of the LGPL. Is there some other issue with static linking or something?


Yes, that's the concern.


So, not static linking but a fully static binary that would pull gnutls 
into the binary?


What static binaries exist like that? It is not a great idea to carry 
around system level libraries statically.



Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread William Roberts
On Oct 20, 2015 7:46 AM, "Stephen Smalley"  wrote:
>
> On 10/20/2015 08:27 AM, Richard Haines wrote:
>>
>>
>>
>>
>>
>>> On Monday, 19 October 2015, 19:10, Stephen Smalley 
wrote:

 On 10/18/2015 11:00 AM, Richard Haines wrote:


>   On Sunday, 18 October 2015, 15:07, Dominick Grift
>>>
>>>  wrote:


>>   -BEGIN PGP SIGNED MESSAGE-
>
>   Hash: SHA512
>
>   On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>
>> I added openssl to libselinux to support the new
>>>
>>> selabel_digest(3)
>>
>> function.
>>
>> I'm not aware of any issues between openssl and gnutls,
>>>
>>> however as
>>
>>
>> selabel_digest was only added last week I guess not much testing.
>> Well apart from myself as I'm currently adding the
>>>
>>> selinux_restorecon
>>
>> feature that makes use of it.
>>
>
>   Thanks for clarifying, I am not hitting any issues with it just
>   wondering if instead of openssl, gnutls could be used for this and
if


>   so, if this should be somehow supported or not.


   I tried using gnutls after I read your initial email, however I
   could not find a way to generate the same digest as openssl
   (I changed the SHA1 function to gnutls_hmac_fast(3) with various
   algorithms and used the selabel_digest util to compare digests).
   It could be that I should use some other function but I could

   not find any useful info on this (including web searches).
   If anyone knows how to resolve this please let me know.

   I guess what is supported (openssl or gnutls) would be down to
   the maintainers.
>>>
>>>
>>> Wondering if dependency on openssl might be a license issue for Debian
>>> or others.  Apparently openssl license is considered GPL-incompatible
>>> [1] [2], and obviously libselinux is linked by a variety of GPL-licensed
>>> programs.  Fedora seems to view this as falling under the system library
>>> exception [3] but not clear that other distributions would view it that
>>> way.  On the other hand, using gnutls would be subject to the reverse
>>> problem; it would make libselinux depend on a LGPL library, and that
>>> could create issues for non-GPL programs that statically link
>>> libselinux.  We might need to revert this change and revisit how to
>>
>>
>>> solve this in a manner that avoids such issues.
>>
>>
>>
>> Would building with the Android mincrypt SHA functions help regarding the
>> licensing issues ??? I've attached a quick patch that seems to work okay
>> using Android system/core/libmincrypt/sha.c
>
>
> That looks BSD-licensed and thus broadly compatible.  We would need to
amend libselinux/LICENSE to add that license information and we would need
to hide those functions from being exposed outside of the library.  Other
alternative would be to look for a public domain SHA implementation and use
that.
>
>

Will CryptLib work:
http://unlicense.org/

>

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Richard Haines




> On Monday, 19 October 2015, 19:10, Stephen Smalley  wrote:
> > On 10/18/2015 11:00 AM, Richard Haines wrote:
>> 
>> 
>>>  On Sunday, 18 October 2015, 15:07, Dominick Grift 
>  wrote:
>> 
  -BEGIN PGP SIGNED MESSAGE-
>>>  Hash: SHA512
>>> 
>>>  On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
I added openssl to libselinux to support the new 
> selabel_digest(3)
function.
 
I'm not aware of any issues between openssl and gnutls, 
> however as
 
selabel_digest was only added last week I guess not much testing.
Well apart from myself as I'm currently adding the 
> selinux_restorecon
feature that makes use of it.
 
>>> 
>>>  Thanks for clarifying, I am not hitting any issues with it just
>>>  wondering if instead of openssl, gnutls could be used for this and if
>> 
>>>  so, if this should be somehow supported or not.
>> 
>>  I tried using gnutls after I read your initial email, however I
>>  could not find a way to generate the same digest as openssl
>>  (I changed the SHA1 function to gnutls_hmac_fast(3) with various
>>  algorithms and used the selabel_digest util to compare digests).
>>  It could be that I should use some other function but I could
>> 
>>  not find any useful info on this (including web searches).
>>  If anyone knows how to resolve this please let me know.
>> 
>>  I guess what is supported (openssl or gnutls) would be down to
>>  the maintainers.
> 
> Wondering if dependency on openssl might be a license issue for Debian 
> or others.  Apparently openssl license is considered GPL-incompatible 
> [1] [2], and obviously libselinux is linked by a variety of GPL-licensed 
> programs.  Fedora seems to view this as falling under the system library 
> exception [3] but not clear that other distributions would view it that 
> way.  On the other hand, using gnutls would be subject to the reverse 
> problem; it would make libselinux depend on a LGPL library, and that 
> could create issues for non-GPL programs that statically link 
> libselinux.  We might need to revert this change and revisit how to 

> solve this in a manner that avoids such issues.


Would building with the Android mincrypt SHA functions help regarding the
licensing issues ??? I've attached a quick patch that seems to work okay
using Android system/core/libmincrypt/sha.c


> 
> [1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> 
> [2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> 
> 
> [3] 
> https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F
> )
> From 624cb4ec0b73c3b34ed0a8f26f9c7c122c44250c Mon Sep 17 00:00:00 2001
From: Richard Haines 
Date: Tue, 20 Oct 2015 13:13:47 +0100
Subject: [PATCH] libselinux: Use Android mincrypt for selabel_digest(3)

Replace the use of openssl with the Android mincrypt SHA
functions. However leave util/selabel_digest still comparing
the result with the openssl command "openssl dgst -sha1 -hex .."

This should resolve any library licensing issues (hopefully).

Signed-off-by: Richard Haines 
---
 libselinux/src/Makefile |   2 +-
 libselinux/src/label_internal.h |   4 +-
 libselinux/src/label_support.c  |   2 +-
 libselinux/src/mincrypt_hash-internal.h |  63 +
 libselinux/src/mincrypt_sha.c   | 155 
 libselinux/src/mincrypt_sha.h   |  52 +++
 libselinux/utils/Makefile   |   2 +-
 7 files changed, 275 insertions(+), 5 deletions(-)
 create mode 100644 libselinux/src/mincrypt_hash-internal.h
 create mode 100644 libselinux/src/mincrypt_sha.c
 create mode 100644 libselinux/src/mincrypt_sha.h

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 8e2223e..feab561 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -112,7 +112,7 @@ $(LIBA): $(OBJS)
 	$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl -lcrypto $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
+	$(CC) $(CFLAGS) -shared -o $@ $^ -lpcre -ldl $(LDFLAGS) -L$(LIBDIR) -Wl,-soname,$(LIBSO),-z,defs,-z,relro
 	ln -sf $@ $(TARGET) 
 
 $(LIBPC): $(LIBPC).in ../VERSION
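Review bot: dropping -lcrypto from the $(LIBSO) link line is only safe once no object in $(LOBJS) still references OpenSSL symbols; the -z,defs already on that line turns any leftover reference into a link error instead of a runtime failure, so a clean rebuild of the shared library is the check to run before this goes in. The $(LIBPC): $(LIBPC).in rule right below is untouched, so also confirm the pkg-config template does not still name libcrypto, otherwise consumers linking via pkg-config keep the dependency this patch is meant to remove.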
diff --git a/libselinux/src/label_internal.h b/libselinux/src/label_internal.h
index 2aa7a7b..51d1afb 100644
--- a/libselinux/src/label_internal.h
+++ b/libselinux/src/label_internal.h
@@ -11,7 +11,7 @@
 #include 
 #include 
 #include 
-#include 
+#include "mincrypt_sha.h"
 #include 
 #include 
 #include "dso.h"
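Review bot: replacing the OpenSSL header with a quoted include of mincrypt_sha.h is right for a private header, but the diffstat compiles mincrypt_sha.c into libselinux itself, so the SHA functions it defines become exported symbols of libselinux.so unless they are given hidden visibility, which Stephen asked for upthread. The dso.h include that stays in this hunk is where libselinux keeps its visibility markers, so declare the new functions with them rather than leaving them at default visibility, where they would also be able to interpose on same-named functions in other libraries.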
@@ -51,7 +51,7 @@ struct selabel_sub {
  * calculate the hash the hashbuf will hold a concatenation of all the files
  * used. This is released once the value has been calculated.
  */
-#define DIGEST_SPECFILE_SIZE SHA_DIGEST_LENGTH
+#define DIGEST_SPECFILE_SIZE SHA_DIGEST_SIZE
 #define DIGEST_FILES_MAX 8
 struct 
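Review bot: DIGEST_SPECFILE_SIZE now expands to mincrypt's SHA_DIGEST_SIZE instead of OpenSSL's SHA_DIGEST_LENGTH. Both are 20 bytes for SHA-1, so the struct that follows and the digest length callers of selabel_digest(3) receive are unchanged, but since this size is part of the library's ABI the hunk should pin it with a comment or a compile-time check that SHA_DIGEST_SIZE == 20, so that a later change to mincrypt_sha.h cannot silently alter an exported size.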

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Richard Haines

On Tuesday, 20 October 2015, 15:00, William Roberts  
wrote:

>
>
>
>On Oct 20, 2015 7:46 AM, "Stephen Smalley"  wrote:
>>
>> On 10/20/2015 08:27 AM, Richard Haines wrote:
>>>
>>>
>>>
>>>
>>>
 On Monday, 19 October 2015, 19:10, Stephen Smalley  
 wrote:
>
> On 10/18/2015 11:00 AM, Richard Haines wrote:
>
>
>>   On Sunday, 18 October 2015, 15:07, Dominick Grift

  wrote:
>
>
>>>   -BEGIN PGP SIGNED MESSAGE-
>>
>>   Hash: SHA512
>>
>>   On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>>
>>> I added openssl to libselinux to support the new

 selabel_digest(3)
>>>
>>> function.
>>>
>>> I'm not aware of any issues between openssl and gnutls,

 however as
>>>
>>>
>>> selabel_digest was only added last week I guess not much testing.
>>> Well apart from myself as I'm currently adding the

 selinux_restorecon
>>>
>>> feature that makes use of it.
>>>
>>
>>   Thanks for clarifying, I am not hitting any issues with it just
>>   wondering if instead of openssl, gnutls could be used for this and if
>
>
>>   so, if this should be somehow supported or not.
>
>
>   I tried using gnutls after I read your initial email, however I
>   could not find a way to generate the same digest as openssl
>   (I changed the SHA1 function to gnutls_hmac_fast(3) with various
>   algorithms and used the selabel_digest util to compare digests).
>   It could be that I should use some other function but I could
>
>   not find any useful info on this (including web searches).
>   If anyone knows how to resolve this please let me know.
>
>   I guess what is supported (openssl or gnutls) would be down to
>   the maintainers.


 Wondering if dependency on openssl might be a license issue for Debian
 or others.  Apparently openssl license is considered GPL-incompatible
 [1] [2], and obviously libselinux is linked by a variety of GPL-licensed
 programs.  Fedora seems to view this as falling under the system library
 exception [3] but not clear that other distributions would view it that
 way.  On the other hand, using gnutls would be subject to the reverse
 problem; it would make libselinux depend on a LGPL library, and that
 could create issues for non-GPL programs that statically link
 libselinux.  We might need to revert this change and revisit how to
>>>
>>>
 solve this in a manner that avoids such issues.
>>>
>>>
>>>
>>> Would building with the Android mincrypt SHA functions help regarding the
>>> licensing issues ??? I've attached a quick patch that seems to work okay
>>> using Android system/core/libmincrypt/sha.c
>>
>>
>> That looks BSD-licensed and thus broadly compatible.  We would need to amend 
>> libselinux/LICENSE to add that license information and we would need to hide 
>> those functions from being exposed outside of the library.  Other 
>> alternative would be to look for a public domain SHA implementation and use 
>> that.

>>

I've found a simple implementation at
www.ghostscript.com/doc/jbig2dec/sha1.c

I'll try that first and if fails CryptLib will be next.




>> 
>Will CryptLib work:

>http://unlicense.org/


>
>


Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Jason Zaman
On Tue, Oct 20, 2015 at 09:56:57AM -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On 10/20/2015 09:42 AM, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >> 
> >>>
> >>> Wondering if dependency on openssl might be a license issue for Debian
> >>> or others. Apparently openssl license is considered GPL-incompatible [1]
> >>> [2], and obviously libselinux is linked by a variety of GPL-licensed
> >>> programs. Fedora seems to view this as falling under the system library
> >>> exception [3] but not clear that other distributions would view it that
> >>> way. On the other hand, using gnutls would be subject to the reverse
> >>> problem; it would make libselinux depend on a LGPL library, and that
> >>> could create issues for non-GPL programs that statically link
> >>> libselinux. We might need to revert this change and revisit how to solve
> >>> this in a manner that avoids such issues.
> >>
> >> LGPL explicitly allows non-GPL programs to link against an LGPL licensed
> >> library without tainting the non-GPL program, which is the whole point
> >> of the LGPL. Is there some other issue with static linking or something?
> >
> > Yes, that's the concern.
> 
> So, not static linking but a fully static binary that would pull gnutls 
> into the binary?
> 
> What static binaries exist like that? It is not a great idea to carry 
> around system level libraries statically.

From a quick look through Gentoo, we have a USE-flag to build busybox
and LVM and a few other core tools statically which requires libselinux.a
too.

-- Jason


Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread William Roberts
FYI you can take just 1 C and H file from crypt lib. You don't need it all.
On Oct 20, 2015 8:42 AM, "Richard Haines" 
wrote:

>
> On Tuesday, 20 October 2015, 15:00, William Roberts <
> bill.c.robe...@gmail.com> wrote:
>
> >
> >
> >
> >On Oct 20, 2015 7:46 AM, "Stephen Smalley"  wrote:
> >>
> >> On 10/20/2015 08:27 AM, Richard Haines wrote:
> >>>
> >>>
> >>>
> >>>
> >>>
>  On Monday, 19 October 2015, 19:10, Stephen Smalley 
> wrote:
> >
> > On 10/18/2015 11:00 AM, Richard Haines wrote:
> >
> >
> >>   On Sunday, 18 October 2015, 15:07, Dominick Grift
> 
>   wrote:
> >
> >
> >>>   -BEGIN PGP SIGNED MESSAGE-
> >>
> >>   Hash: SHA512
> >>
> >>   On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
> >>>
> >>> I added openssl to libselinux to support the new
> 
>  selabel_digest(3)
> >>>
> >>> function.
> >>>
> >>> I'm not aware of any issues between openssl and gnutls,
> 
>  however as
> >>>
> >>>
> >>> selabel_digest was only added last week I guess not much
> testing.
> >>> Well apart from myself as I'm currently adding the
> 
>  selinux_restorecon
> >>>
> >>> feature that makes use of it.
> >>>
> >>
> >>   Thanks for clarifying, I am not hitting any issues with it just
> >>   wondering if instead of openssl, gnutls could be used for this
> and if
> >
> >
> >>   so, if this should be somehow supported or not.
> >
> >
> >   I tried using gnutls after I read your initial email, however I
> >   could not find a way to generate the same digest as openssl
> >   (I changed the SHA1 function to gnutls_hmac_fast(3) with various
> >   algorithms and used the selabel_digest util to compare digests).
> >   It could be that I should use some other function but I could
> >
> >   not find any useful info on this (including web searches).
> >   If anyone knows how to resolve this please let me know.
> >
> >   I guess what is supported (openssl or gnutls) would be down to
> >   the maintainers.
> 
> 
>  Wondering if dependency on openssl might be a license issue for Debian
>  or others.  Apparently openssl license is considered GPL-incompatible
>  [1] [2], and obviously libselinux is linked by a variety of
> GPL-licensed
>  programs.  Fedora seems to view this as falling under the system
> library
>  exception [3] but not clear that other distributions would view it
> that
>  way.  On the other hand, using gnutls would be subject to the reverse
>  problem; it would make libselinux depend on a LGPL library, and that
>  could create issues for non-GPL programs that statically link
>  libselinux.  We might need to revert this change and revisit how to
> >>>
> >>>
>  solve this in a manner that avoids such issues.
> >>>
> >>>
> >>>
> >>> Would building with the Android mincrypt SHA functions help regarding
> the
> >>> licensing issues ??? I've attached a quick patch that seems to work
> okay
> >>> using Android system/core/libmincrypt/sha.c
> >>
> >>
> >> That looks BSD-licensed and thus broadly compatible.  We would need to
> amend libselinux/LICENSE to add that license information and we would need
> to hide those functions from being exposed outside of the library.  Other
> alternative would be to look for a public domain SHA implementation and use
> that.
>
> >>
>
> I've found a simple implementation at
> www.ghostscript.com/doc/jbig2dec/sha1.c
>
> I'll try that first and if fails CryptLib will be next.
>
>
>
>
> >>
> >Will CryptLib work:
>
> >http://unlicense.org/
>
>
> >
> >
> >>

Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley

On 10/20/2015 09:42 AM, Joshua Brindle wrote:

Stephen Smalley wrote:



Wondering if dependency on openssl might be a license issue for Debian
or others. Apparently openssl license is considered GPL-incompatible [1]
[2], and obviously libselinux is linked by a variety of GPL-licensed
programs. Fedora seems to view this as falling under the system library
exception [3] but not clear that other distributions would view it that
way. On the other hand, using gnutls would be subject to the reverse
problem; it would make libselinux depend on a LGPL library, and that
could create issues for non-GPL programs that statically link
libselinux. We might need to revert this change and revisit how to solve
this in a manner that avoids such issues.


LGPL explicitly allows non-GPL programs to link against an LGPL licensed
library without tainting the non-GPL program, which is the whole point
of the LGPL. Is there some other issue with static linking or something?


Yes, that's the concern.




Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Joshua Brindle

Stephen Smalley wrote:



Wondering if dependency on openssl might be a license issue for Debian
or others. Apparently openssl license is considered GPL-incompatible [1]
[2], and obviously libselinux is linked by a variety of GPL-licensed
programs. Fedora seems to view this as falling under the system library
exception [3] but not clear that other distributions would view it that
way. On the other hand, using gnutls would be subject to the reverse
problem; it would make libselinux depend on a LGPL library, and that
could create issues for non-GPL programs that statically link
libselinux. We might need to revert this change and revisit how to solve
this in a manner that avoids such issues.


LGPL explicitly allows non-GPL programs to link against an LGPL licensed 
library without tainting the non-GPL program, which is the whole point 
of the LGPL. Is there some other issue with static linking or something?




[1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL

[2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html

[3]
https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F)




Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-20 Thread Stephen Smalley

On 10/20/2015 08:27 AM, Richard Haines wrote:






On Monday, 19 October 2015, 19:10, Stephen Smalley  wrote:

On 10/18/2015 11:00 AM, Richard Haines wrote:



  On Sunday, 18 October 2015, 15:07, Dominick Grift

 wrote:



  -BEGIN PGP SIGNED MESSAGE-

  Hash: SHA512

  On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:

I added openssl to libselinux to support the new

selabel_digest(3)

function.

I'm not aware of any issues between openssl and gnutls,

however as


selabel_digest was only added last week I guess not much testing.
Well apart from myself as I'm currently adding the

selinux_restorecon

feature that makes use of it.



  Thanks for clarifying, I am not hitting any issues with it just
  wondering if instead of openssl, gnutls could be used for this and if



  so, if this should be somehow supported or not.


  I tried using gnutls after I read your initial email, however I
  could not find a way to generate the same digest as openssl
  (I changed the SHA1 function to gnutls_hmac_fast(3) with various
  algorithms and used the selabel_digest util to compare digests).
  It could be that I should use some other function but I could

  not find any useful info on this (including web searches).
  If anyone knows how to resolve this please let me know.

  I guess what is supported (openssl or gnutls) would be down to
  the maintainers.


Wondering if dependency on openssl might be a license issue for Debian
or others.  Apparently openssl license is considered GPL-incompatible
[1] [2], and obviously libselinux is linked by a variety of GPL-licensed
programs.  Fedora seems to view this as falling under the system library
exception [3] but not clear that other distributions would view it that
way.  On the other hand, using gnutls would be subject to the reverse
problem; it would make libselinux depend on a LGPL library, and that
could create issues for non-GPL programs that statically link
libselinux.  We might need to revert this change and revisit how to



solve this in a manner that avoids such issues.



Would building with the Android mincrypt SHA functions help regarding the
licensing issues ??? I've attached a quick patch that seems to work okay
using Android system/core/libmincrypt/sha.c


That looks BSD-licensed and thus broadly compatible.  We would need to 
amend libselinux/LICENSE to add that license information and we would 
need to hide those functions from being exposed outside of the library. 
 Other alternative would be to look for a public domain SHA 
implementation and use that.





Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-19 Thread Stephen Smalley

On 10/19/2015 02:09 PM, Stephen Smalley wrote:

On 10/18/2015 11:00 AM, Richard Haines wrote:




On Sunday, 18 October 2015, 15:07, Dominick Grift
 wrote:



-BEGIN PGP SIGNED MESSAGE-

Hash: SHA512

On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:

  I added openssl to libselinux to support the new selabel_digest(3)
  function.

  I'm not aware of any issues between openssl and gnutls, however as

  selabel_digest was only added last week I guess not much testing.
  Well apart from myself as I'm currently adding the selinux_restorecon
  feature that makes use of it.



Thanks for clarifying, I am not hitting any issues with it just
wondering if instead of openssl, gnutls could be used for this and if



so, if this should be somehow supported or not.


I tried using gnutls after I read your initial email, however I
could not find a way to generate the same digest as openssl
(I changed the SHA1 function to gnutls_hmac_fast(3) with various
algorithms and used the selabel_digest util to compare digests).
It could be that I should use some other function but I could

not find any useful info on this (including web searches).
If anyone knows how to resolve this please let me know.

I guess what is supported (openssl or gnutls) would be down to
the maintainers.


Wondering if dependency on openssl might be a license issue for Debian
or others.  Apparently openssl license is considered GPL-incompatible
[1] [2], and obviously libselinux is linked by a variety of GPL-licensed
programs.  Fedora seems to view this as falling under the system library
exception [3] but not clear that other distributions would view it that
way.  On the other hand, using gnutls would be subject to the reverse
problem; it would make libselinux depend on a LGPL library, and that
could create issues for non-GPL programs that statically link
libselinux.  We might need to revert this change and revisit how to
solve this in a manner that avoids such issues.

[1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL

[2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html

[3]
https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F)


Also, aside from license issues, we likely ought to dlopen libcrypto.so 
so that we don't bring this dependency to all users of libselinux but 
only those that actually use the digest functionality.








Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-18 Thread Richard Haines
I added openssl to libselinux to support the new selabel_digest(3)
function.

I'm not aware of any issues between openssl and gnutls, however as

selabel_digest was only added last week I guess not much testing.
Well apart from myself as I'm currently adding the selinux_restorecon
feature that makes use of it.





> On Saturday, 17 October 2015, 11:55, Dominick Grift  
> wrote:
> > -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
> 
> if so, would gnutls be affected in some way?
> 
> - -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
> Dominick Grift


Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-18 Thread Dominick Grift
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
> I added openssl to libselinux to support the new selabel_digest(3)
> function.
> 
> I'm not aware of any issues between openssl and gnutls, however as
> 
> selabel_digest was only added last week I guess not much testing.
> Well apart from myself as I'm currently adding the selinux_restorecon
> feature that makes use of it.
> 

Thanks for clarifying, I am not hitting any issues with it just
wondering if instead of openssl, gnutls could be used for this and if
so, if this should be somehow supported or not.

> 
> 
> 
> 
> > On Saturday, 17 October 2015, 11:55, Dominick Grift 
> >  wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA512
> > 
> > if so, would gnutls be affected in some way?
> > 
> > - -- 
> > 02DFF788
> > 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> > https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
> > Dominick Grift

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
Dominick Grift


Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)

2015-10-18 Thread Richard Haines


> On Sunday, 18 October 2015, 15:07, Dominick Grift wrote:

> 
> On Sun, Oct 18, 2015 at 12:48:12PM +, Richard Haines wrote:
>>  I added openssl to libselinux to support the new selabel_digest(3)
>>  function.
>> 
>>  I'm not aware of any issues between openssl and gnutls, however as
>> 
>>  selabel_digest was only added last week I guess not much testing.
>>  Well apart from myself as I'm currently adding the selinux_restorecon
>>  feature that makes use of it.
>> 
> 
> Thanks for clarifying, I am not hitting any issues with it just
> wondering if instead of openssl, gnutls could be used for this and if
> so, if this should be somehow supported or not.

I tried using gnutls after I read your initial email, however I
could not find a way to generate the same digest as openssl
(I changed the SHA1 function to gnutls_hmac_fast(3) with various
algorithms and used the selabel_digest util to compare digests).
It could be that I should use some other function but I could
not find any useful info on this (including web searches).
If anyone knows how to resolve this please let me know.

I guess what is supported (openssl or gnutls) would be down to
the maintainers.


>> 
>>  > On Saturday, 17 October 2015, 11:55, Dominick Grift wrote:
>>  > 
>>  > if so, would gnutls be affected in some way?
>>  > 
>>  > -- 
>>  > 02DFF788
>>  > 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
>>  > https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
>>  > Dominick Grift
> 
> -- 
> 02DFF788
> 4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
> https://sks-keyservers.net/pks/lookup?op=get=0x314883A202DFF788
> Dominick Grift
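Both questions raised in the two messages above (whether gnutls could stand in for openssl behind selabel_digest(3), and why an attempt built on gnutls_hmac_fast(3) did not reproduce the openssl digest) come down to one check. Two SHA-1 implementations are interchangeable if they both produce the FIPS 180 known-answer digests, and an HMAC is a keyed construction that never equals the plain hash of the same bytes, whatever the key; the unkeyed gnutls call that corresponds to openssl's SHA1() is gnutls_hash_fast(3) with GNUTLS_DIG_SHA1. The following C is added here as an illustration and is not libselinux, openssl or gnutls code: it implements SHA-1 and HMAC-SHA-1 from the specifications with no external dependency, so it can be compiled and compared against either library. The function names sha1, hmac_sha1, sha1_matches and hmac_sha1_matches, and the use of the published "abc" and RFC 2202 "Jefe" vectors, are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, unsigned n)
{
    return (x << n) | (x >> (32 - n));
}

/* Compress one 64-byte block into the running state h[0..4] (FIPS 180). */
static void sha1_block(uint32_t h[5], const uint8_t blk[64])
{
    uint32_t w[80];
    int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)blk[4 * i] << 24) | ((uint32_t)blk[4 * i + 1] << 16) |
               ((uint32_t)blk[4 * i + 2] << 8) | (uint32_t)blk[4 * i + 3];
    for (i = 16; i < 80; i++)
        w[i] = rotl32(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1);

    uint32_t a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
    for (i = 0; i < 80; i++) {
        uint32_t f, k;
        if (i < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
        else if (i < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
        else if (i < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
        else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
        uint32_t t = rotl32(a, 5) + f + e + k + w[i];
        e = d; d = c; c = rotl32(b, 30); b = a; a = t;
    }
    h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
}

/* One-shot SHA-1: digest of len bytes at data, written to out[20]. */
void sha1(const uint8_t *data, size_t len, uint8_t out[20])
{
    uint32_t h[5] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0 };
    uint8_t tail[128] = { 0 };
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem, padded;

    for (i = 0; i + 64 <= len; i += 64)
        sha1_block(h, data + i);

    /* Padding: 0x80, zeros up to 56 mod 64, then the bit length big-endian;
     * a remainder of 56..63 bytes forces a second padding block. */
    rem = len - i;
    if (rem)
        memcpy(tail, data + i, rem);
    tail[rem] = 0x80;
    padded = (rem < 56) ? 64 : 128;
    for (i = 0; i < 8; i++)
        tail[padded - 1 - i] = (uint8_t)(bits >> (8 * i));
    sha1_block(h, tail);
    if (padded == 128)
        sha1_block(h, tail + 64);

    for (i = 0; i < 5; i++) {
        out[4 * i]     = (uint8_t)(h[i] >> 24);
        out[4 * i + 1] = (uint8_t)(h[i] >> 16);
        out[4 * i + 2] = (uint8_t)(h[i] >> 8);
        out[4 * i + 3] = (uint8_t)(h[i]);
    }
}

/* HMAC-SHA-1 (RFC 2104): sha1((K ^ opad) || sha1((K ^ ipad) || msg)).
 * Returns 0 on success, -1 if the scratch allocation fails. */
int hmac_sha1(const uint8_t *key, size_t keylen,
              const uint8_t *msg, size_t msglen, uint8_t out[20])
{
    uint8_t k[64] = { 0 }, obuf[64 + 20];
    uint8_t *ibuf = malloc(64 + msglen);
    int i;

    if (!ibuf)
        return -1;
    if (keylen > 64)                 /* keys longer than a block are hashed first */
        sha1(key, keylen, k);
    else if (keylen)
        memcpy(k, key, keylen);
    for (i = 0; i < 64; i++) {
        ibuf[i] = k[i] ^ 0x36;
        obuf[i] = k[i] ^ 0x5c;
    }
    if (msglen)
        memcpy(ibuf + 64, msg, msglen);
    sha1(ibuf, 64 + msglen, obuf + 64);    /* inner hash */
    sha1(obuf, sizeof obuf, out);          /* outer hash */
    free(ibuf);
    return 0;
}

/* Lowercase hex of a 20-byte digest into out[41] (NUL-terminated). */
void digest_hex(const uint8_t d[20], char out[41])
{
    int i;
    for (i = 0; i < 20; i++)
        sprintf(out + 2 * i, "%02x", d[i]);
}

/* 1 if SHA-1 of the C string s equals the expected lowercase hex digest. */
int sha1_matches(const char *s, const char *expected)
{
    uint8_t d[20]; char hex[41];
    sha1((const uint8_t *)s, strlen(s), d);
    digest_hex(d, hex);
    return strcmp(hex, expected) == 0;
}

/* 1 if HMAC-SHA-1(key, s) equals the expected lowercase hex digest. */
int hmac_sha1_matches(const char *key, const char *s, const char *expected)
{
    uint8_t d[20]; char hex[41];
    if (hmac_sha1((const uint8_t *)key, strlen(key),
                  (const uint8_t *)s, strlen(s), d) != 0)
        return 0;
    digest_hex(d, hex);
    return strcmp(hex, expected) == 0;
}

int main(void)
{
    /* Known-answer checks: FIPS 180 "abc" and RFC 2202 test case 2 ("Jefe"). */
    printf("sha1(\"abc\") ok: %d\n",
           sha1_matches("abc", "a9993e364706816aba3e25717850c26c9cd0d89d"));
    printf("hmac-sha1(\"Jefe\", ...) ok: %d\n",
           hmac_sha1_matches("Jefe", "what do ya want for nothing?",
                             "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"));
    /* A keyed MAC never reproduces the plain digest, even with an empty key. */
    printf("hmac with empty key == sha1: %d\n",
           hmac_sha1_matches("", "abc", "a9993e364706816aba3e25717850c26c9cd0d89d"));
    return 0;
}
```

To compare against a library build, feed the same bytes to openssl's SHA1() or to gnutls_hash_fast(GNUTLS_DIG_SHA1, ...) and hex-encode the result the same way; any digest that matches the vectors above for "abc" and for a 56-byte input (which exercises the two-block padding path) will match for every input.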