On Wed, Oct 7, 2020 at 5:50 AM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote: > Thanks, I'll prepare another patchset with improved commit messages. > > In the mean time I'm looking into removing deprecated symbols from libsepol as it's > supposed to be required only by selinux components. So far I've found that > deprecated sepol_check_context() is used in chkcon utility. As Fedora doesn't ship > this tool I incline to remove it from libsepol as well. Looks like it is also used by setfiles and sefcontext_compile at least. Might have been copied into external packages as well, e.g. busybox. So that one might need to stay. The reason it was deprecated was because it predated the introduction of the use of sepol handles and relied on global state set previously via sepol_set_policydb_from_file(), so I think the idea was to convert over to using sepol_context_check() instead (but this requires a much longer sequence of calls, ala h = sepol_handle_create(); sepol_policy_file_create(&pf); sepol_policy_file_set_fp(pf, fp); sepol_policy_file_set_handle(pf, h); sepol_policydb_create(&policydb); sepol_policydb_read(policydb, pf); sepol_context_from_string(h, string, &ctx); sepol_context_check(h, policydb, ctx);). Probably not worth the trouble now. > And there's also > > /* Deprecated */ > struct sepol_handle sepol_compat_handle = { > .msg_callback = sepol_msg_default_handler, > .msg_callback_arg = NULL, > }; > > void sepol_debug(int on) > { > sepol_compat_handle.msg_callback = (on) ? > sepol_msg_default_handler : NULL; > } > > /* End deprecated */ > > which is used on few places internally. > > > Later I'll check whether sssd uses any on deprecated libsemanage symbol and > decide what to do. The main ones in libsepol that I was referencing were the ones in libsepol/src/deprecated_funcs.c.