Petr Lautrbach <plautrba@xxxxxxxxxx> writes:

> Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
>
>> On 1/17/20 1:24 PM, Stephen Smalley wrote:
>>> On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>>>>
>>>> Petr Lautrbach <plautrba@xxxxxxxxxx> writes:
>>>>
>>>>> Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
>>>>>
>>>>>> The flask.h and av_permissions.h header files were deprecated and
>>>>>> all selinux userspace references to them were removed in
>>>>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>>>>>> back in 2014 and included in the 20150202 / 2.4 release.
>>>>>> All userspace object managers should have been updated
>>>>>> to use the dynamic class/perm mapping support since that time.
>>>>>> Remove these headers finally to ensure that no users remain and
>>>>>> that no future uses are ever introduced.
>>>>>
>>>>> I've patched libselinux and I'm building all packages which require
>>>>> libselinux-devel [1] in Fedora. I'm in the middle of the package list and
>>>>> so far there are only 3 packages which fail to build without flask.h or
>>>>> av_permissions.h - libuser (the particular file wasn't updated since
>>>>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>>>>> results, but I don't think there will be any blocker.
>>>>>
>>>>> [1] https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/
>>>>>
>>>>
>>>> So the complete list of Fedora packages dependent on selinux/flask.h is:
>>>>
>>>> xinetd
>>>> usermode
>>>> sed
>>>> pam
>>>> oddjob
>>>> libuser
>>>> ipsec-tools
>>>>
>>>> Problems are usually in tests or in Fedora specific patches. I'll start
>>>> to work on fixes with affected maintainers.
>>>
>>> Great, thank you. Hopefully the other patch for libsepol,checkpolicy to prune
>>> its copy of flask.h of all SECCLASS_* definitions and take it private to
>>> libsepol won't break anything. With those two changes, we should be free of
>>> any lingering uses of hardcoded class and permission definitions. Then all we
>>> need is for dbus-daemon to either set up a POLICYLOAD callback and refresh
>>> its mapping at that time or switch over to looking up the class and
>>> permissions each time as per the guidance in the updated libselinux man pages
>>> (per my third patch) and userspace should be safe for class or permission
>>> changes.
>>
>> Just wanted to check: you acked my patch so I assume it is ok to merge now even
>> before the above packages are all updated but wanted to confirm.
>
> It's ok to merge it. It's better as a reference when it's merged, and pushed.
>
> I just wasn't sure if it's not related to your other patches, but I
> haven't had time to check them yet.

And note that I have checked only Fedora (RHEL). OTOH if it's a problem in
another distribution, selinux/flask.h can be patched into a distro package.

-- 
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments
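The thread finds lingering flask.h users by rebuilding whole distributions; as an added example (not part of the thread or of libselinux), here is a quick source-tree check a package maintainer can run first. It reports includes of the two removed headers and uses of the SECCLASS_* and CLASS__PERM macros they defined, so that a package can be ported to string_to_security_class()/string_to_av_perm() before the rebuild. The function name and the uppercase macro pattern are assumptions; the macro pattern can produce false positives on unrelated FOO__BAR identifiers.

```shell
#!/bin/sh
# Added example: scan a C source tree for dependencies on the removed
# selinux/flask.h and selinux/av_permissions.h headers.
# Prints one "file:line:text" record per hit (grep -nH output) and returns
# non-zero when anything was found, so it can gate a build or a CI job.
find_flask_users() {
    dir="${1:-.}"

    # Pattern 1: direct includes of the removed headers.
    inc='#[[:space:]]*include[[:space:]]*[<"]selinux/(flask|av_permissions)\.h[>"]'

    # Pattern 2: the macros those headers defined, e.g. SECCLASS_DBUS and
    # DBUS__ACQUIRE_SVC (assumed naming convention; all-uppercase, two
    # underscores separate class and permission). Word boundaries are spelled
    # out because \< and \> are not portable across grep implementations.
    mac='(^|[^A-Za-z0-9_])(SECCLASS_[A-Z0-9_]+|[A-Z0-9_]+__[A-Z0-9_]+)($|[^A-Za-z0-9_])'

    # Only C sources and headers; -H forces the file name even for one file.
    out=$(find "$dir" -type f \( -name '*.c' -o -name '*.h' \) \
          -exec grep -nHE -e "$inc" -e "$mac" {} + 2>/dev/null)

    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]   # exit status: 0 = clean tree, 1 = hardcoded uses remain
}
```

Run it as `find_flask_users path/to/package/source`; a non-zero exit status means the package still needs porting to the dynamic class/permission mapping.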