On Wed, Oct 7, 2020 at 5:50 AM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> Thanks, I'll prepare another patchset with improved commit messages.
>
> In the mean time I'm looking into removing deprecated symbols from libsepol as it's
> supposed to be required only by selinux components. So far I've found that
> deprecated sepol_check_context() is used in chkcon utility. As Fedora doesn't ship
> this tool I incline to remove it from libsepol as well.
Looks like it is also used by setfiles and sefcontext_compile at
least. Might have been copied into external packages as well, e.g.
busybox. So that one might need to stay. The reason it was
deprecated was because it predated the introduction of the use of
sepol handles and relied on global state set previously via
sepol_set_policydb_from_file(), so I think the idea was to convert
over to using sepol_context_check() instead (but this requires a much
longer sequence of calls, ala h = sepol_handle_create();
sepol_policy_file_create(&pf); sepol_policy_file_set_fp(pf, fp);
sepol_policy_file_set_handle(pf, h); sepol_policydb_create(&policydb);
sepol_policydb_read(policydb, pf); sepol_context_from_string(h,
string, &ctx); sepol_context_check(h, policydb, ctx);). Probably not
worth the trouble now.
> And there's also
>
> /* Deprecated */
> struct sepol_handle sepol_compat_handle = {
> .msg_callback = sepol_msg_default_handler,
> .msg_callback_arg = NULL,
> };
>
> void sepol_debug(int on)
> {
> sepol_compat_handle.msg_callback = (on) ?
> sepol_msg_default_handler : NULL;
> }
>
> /* End deprecated */
>
> which is used on few places internally.
>
>
> Later I'll check whether sssd uses any on deprecated libsemanage symbol and
> decide what to do.
The main ones in libsepol that I was referencing were the ones in
libsepol/src/deprecated_funcs.c.
