Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
On 1/10/19 12:57 PM, Petr Lautrbach wrote:
I used abi-compliance-checker [1] and compared the latest
sources with 2.8
release [2].
It looks like there's one symbol added to audit2why.so.
audit2why.so needs a .map file or equivalent; it shouldn't be
exporting all of
the libsepol.a symbols. We don't guarantee ABI or API
compatibility for
anything not in libsepol.map.
I'll prepare a patch for that.
Then I tried the same thing with 2.7 [3] and 2.6 [4] and
noticed that
there were added new symbols even to LIBSEMANAGE_1.0 while
since 2.3
there's already LIBSEMANAGE_1.1.
It's a bug which breaks automatic dependency checking. So I
propose
to fix symbol version mappings in order to be in relation with
the
release where they was introduced, e.g. for libsemanage:
diff --git a/libsemanage/src/libsemanage.map
b/libsemanage/src/libsemanage.map
index 02036696..45e90215 100644
--- a/libsemanage/src/libsemanage.map
+++ b/libsemanage/src/libsemanage.map
@@ -18,8 +18,6 @@ LIBSEMANAGE_1.0 {
semanage_root;
semanage_user_*; semanage_bool_*; semanage_seuser_*;
semanage_iface_*; semanage_port_*; semanage_context_*;
- semanage_ibpkey_*;
- semanage_ibendport_*;
semanage_node_*;
semanage_fcontext_*; semanage_access_check;
semanage_set_create_store;
semanage_is_connected; semanage_get_disable_dontaudit;
semanage_set_disable_dontaudit;
@@ -63,3 +61,19 @@ LIBSEMANAGE_1.1 {
semanage_module_remove_key;
semanage_set_store_root;
} LIBSEMANAGE_1.0;
+
+LIBSEMANAGE_2.5 {
+ global:
+ semanage_module_extract;
+} LIBSEMANAGE_1.1;
+
+LIBSEMANAGE_2.7 {
+ global:
+ semanage_ibpkey_*;
+ semanage_ibendport_*;
+} LIBSEMANAGE_2.5;
+
+LIBSEMANAGE_2.8 {
+ global:
+ semanage_fcontext_list_homedirs;
+} LIBSEMANAGE_2.7;
If this is acceptable, I would prepare a patch with symbol
versions
starting with 2.5 as LIBSEMANAGE_1.1 was introduced in 2.4.
Will this break compatibility for binaries built against earlier
versions?
I was under impression that is should be enough to list symbols in
different versions but it looks like a symbol is assigned only to
one/the latest version.
# semodule -B
semodule: relocation error: /lib64/libsemanage.so.1: symbol
sepol_ibendport_modify version LIBSEPOL_1.0 not defined in file
libsepol.so.1 with link time reference
I'm still investigating this but given that there's only one
reported
change between the latest and 2.8 and it should be covered by
audit2why
map file, it probably doesn't make sense to do this change
retroactively now.
Just for the future we need to keep in mind that new symbols needs
new versions
in .map files.
[1] http://lvc.github.io/abi-compliance-checker/
[2]
https://plautrba.fedorapeople.org/selinux/compat_reports/2.8_to_2.9-rc0/compat_report.html
[3]
https://plautrba.fedorapeople.org/selinux/compat_reports/2.7_to_2.9-rc0/compat_report.html
[4]
https://plautrba.fedorapeople.org/selinux/compat_reports/2.6_to_2.9-rc0/compat_report.html
Petr
