On Tue, Jul 21, 2020 at 9:05 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>
> * Stephen Smalley:
>
> > On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@xxxxxxxxx> wrote:
> >>
> >> Hi,
> >>
> >> glibc currently uses several recently deprecated libselinux APIs:
> >>
> >> 1. makedb uses matchpathcon:
> >>
> >> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD
> >
> > Should migrate to selabel_open/lookup/close.
> >
> >> 2. nscd uses avc_init and multiple old style callbacks:
> >>
> >> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD
> >
> > Wondering if nscd can migrate to using the higher level
> > selinux_check_access() interface instead of direct usage of the
> > avc_*() interfaces.
>
> Somewhat related:
>
> I do not know the reason *why* we have SELinux-specific code in glibc,
> and in these places in particular. What makes nscd and makedb special?
> ldconfig also writes a file used across trust boundaries
> (/etc/ld.so.cache), and yet we don't label it explicitly.
>
> (nscd is a daemon that runs under its own user and loads NSS service
> modules. makedb is similar to ldconfig.)
>
> Do you have an idea why we need this code in glibc in the first place?
> Could it be that it is simply there to work around an incomplete system
> policy?

It could be that at the time we didn't have restorecond or support for
name-based type transitions and therefore they needed the makedb
changes to keep its file in the proper security context.

WRT nscd, using SELinux to provide the policy decisions is both more
flexible and more robust than a DAC-based scheme, and allows central
management of the overall system policy. Dan Walsh and/or prior glibc
maintainers might recall more of the specifics.