Re: [PATCH] libselinux: remove flask.h and av_permissions.h

On 1/17/20 1:24 PM, Stephen Smalley wrote:
On 1/17/20 12:34 PM, Petr Lautrbach wrote:

Petr Lautrbach <plautrba@xxxxxxxxxx> writes:

Stephen Smalley <sds@xxxxxxxxxxxxx> writes:

The flask.h and av_permissions.h header files were deprecated and
all selinux userspace references to them were removed in
commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
back in 2014 and included in the 20150202 / 2.4 release.
All userspace object managers should have been updated
to use the dynamic class/perm mapping support since that time.
Remove these headers finally to ensure that no users remain and
that no future uses are ever introduced.

I've patched libselinux and I'm building all packages which require
libselinux-devel [1] in Fedora. I'm in the middle of the package list and so far there
are only 3 packages which fail to build without flask.h or
av_permission.h - libuser (the particular file hasn't been updated since
2012), ipsec-tools and mesa. When it's finished I'll investigate all
results, but I don't think there will be any blocker.

[1] https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/


So the complete list of Fedora packages dependent on selinux/flask.h is:

xinetd
usermode
sed
pam
oddjob
libuser
ipsec-tools

Problems are usually in tests or in Fedora-specific patches. I'll start
to work on fixes with the affected maintainers.

Great, thank you.  Hopefully the other patch for libsepol/checkpolicy to prune its copy of flask.h of all SECCLASS_* definitions and take it private to libsepol won't break anything.  With those two changes, we should be free of any lingering uses of hardcoded class and permission definitions.  Then all we need is for dbus-daemon to either set up a POLICYLOAD callback and refresh its mapping at that time or switch over to looking up the class and permissions each time as per the guidance in the updated libselinux man pages (per my third patch), and userspace should be safe for class or permission changes.

Just wanted to check: you acked my patch, so I assume it is ok to merge now even before the above packages are all updated, but wanted to confirm.


