On Wed, Apr 29, 2020 at 9:50 AM William Roberts <bill.c.roberts@xxxxxxxxx> wrote:
>
> >
> > > -----Original Message-----
> > > From: selinux-owner@xxxxxxxxxxxxxxx [mailto:selinux-owner@xxxxxxxxxxxxxxx]
> > > On Behalf Of Nicolas Iooss
> > > Sent: Sunday, April 19, 2020 8:37 AM
> > > To: William Roberts <bill.c.roberts@xxxxxxxxx>; SElinux list
> > > <selinux@xxxxxxxxxxxxxxx>
> > > Cc: Stephen Smalley <sds@xxxxxxxxxxxxx>
> > > Subject: Re: Deprecated Annotations in libselinux
> > >
> > > On Wed, Apr 15, 2020 at 11:10 PM William Roberts <bill.c.roberts@xxxxxxxxx>
> > > wrote:
> > > >
> > > > So I am reviving the work to look at annotating deprecated functions.
> > > > I was wondering what folks are thinking around the utility program
> > > > matchpathcon, since that interface is deprecated, do we want to:
> > > >
> > > > 1. link that statically so we can use internal (non-deprecated)
> > > >    functions
> > > > 2. update it to use selabel_open and friends.
> > > > 3. Keep it but have it print out "deprecated" and return 1.
> > > > 4. Some mix of options 3 and 1
> > >
> > > Hello,
> > > I did not really follow closely why functions are getting deprecated.
> > > From the patch series, it appears that matchpathcon_init() is being
> > > deprecated in favor of selabel_open(). That can make sense.
> >
> > They have been deprecated for a long time, I'm just investigating using the deprecated
> > annotation to encourage folks to move to the new interfaces and suggest the new
> > interface in the warning message.
> >
> > >
> > > From a CLI perspective, the interface of selabel_lookup seems to be
> > > more complex to use than matchpathcon:
> > >
> > > $ matchpathcon /etc/shadow
> > > /etc/shadow system_u:object_r:shadow_t
> > > $ selabel_lookup -b file -k /etc/shadow
> > > Default context: system_u:object_r:shadow_t
> > >
> > > Moreover, looking at selabel_lookup --help, it was not clear that the file for which
> > > I wanted the context needs to be given as a -k option, because the usage line
> > > states "[-f file]" (that means something else).
> > > This increases the difficulty of using selabel_lookup instead of matchpathcon.
> > > Therefore as a SELinux user, I would rather keep the matchpathcon program. Would
> > > it be difficult to implement option 2 "update matchpathcon to use selabel_open()
> > > and friends"?
> >
> > I'm leaving the interfaces the same in this series, and we can update matchpathcon later.
> > The only thing I am adding is a deprecated message to stderr for the matchpathcon util,
> > which we can drop.
> >
> > >
> > > That being said, if another option is chosen, I will add "alias
> > > matchpathcon=selabel_lookup -b file -k" to my shell configuration and be good
> > > with it. This would work for me because I never used any option that
> > > matchpathcon provides.
> > >
> > > Anyway, thanks for working on this subject!
> > > Nicolas
>
> I will bring them to merge and correct the commit messages. Thanks!

merged:
https://github.com/SELinuxProject/selinux/pull/231

Thanks everyone!