Hi, glibc currently uses several recently deprecated libselinux APIs: 1. makedb uses matchpathcon: https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD 2. nscd uses avc_init and multiple old style callbacks: https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD We are currently trying to replace these uses with the newer interfaces, with a proposed makedb patch written by Aurelien Jarno attached with this email, and being discussed here: https://sourceware.org/pipermail/libc-alpha/2020-July/116504.html Would you be able to help review this and any follow-ups? Thank you, and Cheers, Arjun
--- Begin Message ---
- To: libc-alpha@xxxxxxxxxxxxxx
- Subject: [PATCH] makedb: fix build with libselinux >= 3.1
- From: Aurelien Jarno <aurelien@xxxxxxxxxxx>
- Date: Tue, 21 Jul 2020 07:01:16 +0200
- Cc: Aurelien Jarno <aurelien@xxxxxxxxxxx>
- Delivered-to: spectre@xxxxxxxxxxxxxxx
- Delivered-to: libc-alpha@xxxxxxxxxxxxxx
glibc doesn't build with libselinux 3.1 that has been released recently due to new deprecations introduced in that version and the fact that glibc is built with -Werror by default: | makedb.c: In function ‘set_file_creation_context’: | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations] | 849 | security_context_t ctx; | | ^~~~~~~~~~~~~~~~~~ | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations] | 863 | if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) | | ^~ | In file included from makedb.c:50: | /usr/include/selinux/selinux.h:500:12: note: declared here | 500 | extern int matchpathcon(const char *path, | | ^~~~~~~~~~~~ | cc1: all warnings being treated as errors This patch is an attempt to fix that. It has only built tested, as I do not have a system nor the knowledge to test that. I have checked that the functions used as replacement are available since at least selinux 2.0.96, released more than 10 years ago, so we probably do not need any version check in the configure script. --- nss/makedb.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) I believe this patch is not acceptable for glibc 2.32, I guess we should just add a #pragma to ignore -Werror=deprecated-declarations in that file. Note: there is the same issue in nscd/selinux.c. I plan to have a look once we settle on a strategy. diff --git a/nss/makedb.c b/nss/makedb.c index 8e389a16837..a5c4b521172 100644 --- a/nss/makedb.c +++ b/nss/makedb.c @@ -47,6 +47,7 @@ /* SELinux support. */ #ifdef HAVE_SELINUX +# include <selinux/label.h> # include <selinux/selinux.h> #endif @@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode) { static int enabled; static int enforcing; - security_context_t ctx; + struct selabel_handle *label_hnd = NULL; + char* ctx; /* Check if SELinux is enabled, and remember. */ if (enabled == 0) @@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode) if (enforcing == 0) enforcing = security_getenforce () ? 1 : -1; + /* Open the file contexts backend. */ + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + if (setfscreatecon (ctx) != 0) + error (enforcing > 0 ? EXIT_FAILURE : 0, 0, + gettext ("cannot initialize SELinux context")); + /* Determine the context which the file should have. */ ctx = NULL; - if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) + if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL) { if (setfscreatecon (ctx) != 0) error (enforcing > 0 ? EXIT_FAILURE : 0, 0, @@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode) outname); freecon (ctx); + selabel_close(label_hnd); } + + /* Close the file contexts backend. */ + selabel_close(label_hnd); } static void -- 2.27.0
--- End Message ---
