On 1/21/20 2:31 PM, Petr Lautrbach wrote:
Petr Lautrbach <plautrba@xxxxxxxxxx> writes:
Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
On 1/17/20 1:24 PM, Stephen Smalley wrote:
On 1/17/20 12:34 PM, Petr Lautrbach wrote:
Petr Lautrbach <plautrba@xxxxxxxxxx> writes:
Stephen Smalley <sds@xxxxxxxxxxxxx> writes:
The flask.h and av_permissions.h header files were deprecated and
all selinux userspace references to them were removed in
commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
back in 2014 and included in the 20150202 / 2.4 release.
All userspace object managers should have been updated
to use the dynamic class/perm mapping support since that time.
Remove these headers finally to ensure that no users remain and
that no future uses are ever introduced.
I've patched libselinux and I'm building all packages which require
libselinux-devel [1] in Fedora. I'm in the middle of the package list and so far
there are only 3 packages which fail to build without flask.h or
av_permissions.h - libuser (the particular file wasn't updated since
2012), ipsec-tools and mesa. When it's finished I'll investigate all
results, but I don't think there will be any blocker.
[1] https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/
So the complete list of Fedora packages dependent on selinux/flask.h is:
xinetd
usermode
sed
pam
oddjob
libuser
ipsec-tools
Problems are usually in tests or in Fedora specific patches. I'll start
to work on fixes with affected maintainers.
Great, thank you. Hopefully the other patch for libsepol,checkpolicy to prune
its copy of flask.h of all SECCLASS_* definitions and take it private to
libsepol won't break anything. With those two changes, we should be free of
any lingering uses of hardcoded class and permission definitions. Then all we
need is for dbus-daemon to either set up a POLICYLOAD callback and refresh
its mapping at that time or switch over to looking up the class and
permissions each time as per the guidance in the updated libselinux man pages
(per my third patch) and userspace should be safe for class or permission
changes.
Just wanted to check: you acked my patch so I assume it is ok to merge now even
before the above packages are all updated but wanted to confirm.
It's ok to merge it. It's better as a reference when it's merged, and pushed.
I just wasn't sure if it's not related to your other patches, but I
haven't had time to check them yet.
And note that I have checked only Fedora (RHEL). OTOH if it's a problem
in another distribution, selinux/flask.h can be patched into a distro package.
Ok, I've merged this patch now on selinux/master along with the man page
patch. I'll wait a bit on the libsepol,checkpolicy patch for removing
its copy of {flask.h,av_permissions.h} to see if there are any comments
on it.