* Stephen Smalley:

> On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@xxxxxxxxx> wrote:
>>
>> Hi,
>>
>> glibc currently uses several recently deprecated libselinux APIs:
>>
>> 1. makedb uses matchpathcon:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD
>
> Should migrate to selabel_open/lookup/close.
>
>> 2. nscd uses avc_init and multiple old style callbacks:
>>
>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD
>
> Wondering if nscd can migrate to using the higher level
> selinux_check_access() interface instead of direct usage of the
> avc_*() interfaces.

Somewhat related: I do not know the reason *why* we have
SELinux-specific code in glibc, and in these places in particular.
What makes nscd and makedb special? ldconfig also writes a file used
across trust boundaries (/etc/ld.so.cache), and yet we don't label it
explicitly.

(nscd is a daemon that runs under its own user and loads NSS service
modules. makedb is similar to ldconfig.)

Do you have an idea why we need this code in glibc in the first place?
Could it be that it is simply there to work around an incomplete
system policy?

Thanks,
Florian