On 7/21/20 09:13, Stephen Smalley wrote: > On Tue, Jul 21, 2020 at 9:05 AM Florian Weimer <fweimer@xxxxxxxxxx> wrote: >> * Stephen Smalley: >> >>> On Tue, Jul 21, 2020 at 8:07 AM Arjun Shankar <arjun.is@xxxxxxxxx> wrote: >>>> Hi, >>>> >>>> glibc currently uses several recently deprecated libselinux APIs: >>>> >>>> 1. makedb uses matchpathcon: >>>> >>>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/makedb.c;h=8e389a1683747cf1047f4de8fe603f2b5ccc5f3f;hb=HEAD >>> Should migrate to selabel_open/lookup/close. >>> >>>> 2. nscd uses avc_init and multiple old style callbacks: >>>> >>>> https://sourceware.org/git/?p=glibc.git;a=blob;f=nscd/selinux.c;h=a4ea8008e201b9397aa4274bb558de471b0573af;hb=HEAD >>> Wondering if nscd can migrate to using the higher level >>> selinux_check_access() interface instead of direct usage of the >>> avc_*() interfaces. >> Somewhat related: >> >> I do not know the reason *why* we have SELinux-specific code in glibc, >> and in this places in particular. What makes nscd and makedb special? >> ldconfig also writes a file used across trust boundaries >> (/etc/ld.so.cache), and yet we don't label it explicitly. >> >> (nscd is a daemon that runs under its own user and loads NSS service >> modules. makedb is similar to ldconfig.) >> >> Do you have an idea why we need this code in glibc in the first place? >> Could it be that it is simply there to work around an incomplete system >> policy? > It could be that at the time we didn't have restorecond or support for > name-based type transitions and therefore they needed the makedb > changes to keep its file in the proper security context. WRT nscd, > using SELinux to provide the policy decisions is both more flexible > and more robust than a DAC-based scheme, and allows central management > of the overall system policy. Dan Walsh and/or prior glibc > maintainers might recall more of the specifics. > Going way back, this was added I recall by Uli Drepper, for speed of some httpd transactions?
