On Wed, Apr 15, 2020 at 11:10 PM William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> So I am reviving the work to look at annotating deprecated functions.
> I was wondering what folks are thinking around the utility program
> matchpathcon, since that interface is deprecated, do we want to:
>
> 1. link that statically so we can use internal (non-deprecated) functions
> 2. update it to use selabel_open and friends.
> 3. Keep it but have it print out "deprecated" and return 1.
> 4. Some mix of options 3 and 1

Hello,

I did not really follow closely why functions are getting deprecated. From the patch series, it appears that matchpathcon_init() is being deprecated in favor of selabel_open(). That can make sense.

From a CLI perspective, the interface of selabel_lookup seems to be more complex to use than matchpathcon:

    $ matchpathcon /etc/shadow
    /etc/shadow system_u:object_r:shadow_t

    $ selabel_lookup -b file -k /etc/shadow
    Default context: system_u:object_r:shadow_t

Moreover, looking at selabel_lookup --help, it was not clear that the file for which I wanted the context needs to be given as a -k option, because the usage line states "[-f file]" (that means something else). This increases the difficulty of using selabel_lookup instead of matchpathcon.

Therefore, as a SELinux user, I would rather keep the matchpathcon program. Would it be difficult to implement option 2 "update matchpathcon to use selabel_open() and friends"?

That being said, if another option is chosen, I will add "alias matchpathcon=selabel_lookup -b file -k" to my shell configuration and be good with it. This would work for me because I never used any option that matchpathcon provides.

Anyway, thanks for working on this subject!

Nicolas
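The alias mentioned in the message above, expanded into a shell function that accepts several paths and reports failures through its exit status. This is an added example, not part of the original message or of libselinux: `matchpathcon_compat` is a hypothetical name, and the tab-separated output and the "Default context:" prefix parsing are assumptions based on the session quoted in the message.

```shell
# Added example: matchpathcon_compat is a hypothetical name, not a libselinux tool.
# Assumes selabel_lookup prints "Default context: <context>" on success, as in
# the session quoted in the message, and exits non-zero on failure.
matchpathcon_compat() {
    if [ "$#" -eq 0 ]; then
        echo "usage: matchpathcon_compat path [path...]" >&2
        return 2
    fi
    _mpc_rc=0
    for _mpc_path in "$@"; do
        # Unlike the alias, every path is passed as its own -k key.
        if _mpc_out=$(selabel_lookup -b file -k "$_mpc_path" 2>/dev/null); then
            # Keep only the context from the "Default context:" line.
            _mpc_ctx=$(printf '%s\n' "$_mpc_out" |
                sed -n 's/^Default context: *//p' | head -n 1)
        else
            _mpc_ctx=""
        fi
        if [ -n "$_mpc_ctx" ]; then
            # Assumed output shape: path, a tab, then the context.
            printf '%s\t%s\n' "$_mpc_path" "$_mpc_ctx"
        else
            echo "matchpathcon_compat: no context for $_mpc_path" >&2
            _mpc_rc=1
        fi
    done
    return "$_mpc_rc"
}
```

A script that relabels or audits files can then check the exit status instead of silently acting on an empty context.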