Petr Lautrbach <plautrba@xxxxxxxxxx> writes:

> Casey Schaufler <casey@xxxxxxxxxxxxxxxx> writes:
>
>> On 3/20/2024 8:50 AM, Stephen Smalley wrote:
>>> On Tue, Mar 19, 2024 at 7:03 PM Casey Schaufler <casey@xxxxxxxxxxxxxxxx> wrote:
>>>> It would be very helpful if I could find documentation about, or even a
>>>> list of, system services that have been enhanced in support of SELinux.
>>>> I'm doing this as part of the LSM stacking effort, looking for things that
>>>> may require additional work for the multiple LSM environment. I already
>>>> know about systemd, dbus and the pam module.
>>> (re-send in plaintext mode, with some additional info appended at the end)
>>>
>>> There is an old list at
>>> https://github.com/SELinuxProject/selinux/wiki/Userspace-Packages
>>>
>>> But the only way to get an accurate up-to-date list is to use your
>>> favorite package manager and ask it for the list of all packages that
>>> depend on libselinux. That will be more than just services of course.
>>> Technically that might not get all of them since some could just be
>>> directly using the xattr system calls, the /proc/pid/attr interface,
>>> and/or the /sys/fs/selinux interface without using the libselinux
>>> wrappers.
>>>
>>> Some SELinux-aware services besides the ones you listed above and not
>>> in the original list on GitHub include nscd (part of glibc), sssd,
>>> Xorg, PostgreSQL, libvirtd, all the modern cron variants, and various
>>> container runtimes/daemons. The extent to which they use SELinux APIs
>>> varies though, from those that are merely getting/setting SELinux
>>> process or file contexts to full-fledged userspace object managers /
>>> policy enforcers.
>>>
>>> Then there is a completely different list for Android, but not sure
>>> you care about it.
>>
>> Thank you, that's been a big help. Turns out Fedora 39 installs 93
>> packages with "selinux" in the title. Yoiks!
>
> Title could be misleading as there are -selinux packages with custom
> policies.
>
> But there's about 95 packages which require libselinux:
>
> $ sudo dnf repoquery --disablerepo=\* --enablerepo=fedora --whatrequires='libselinux.so.1()(64bit)' --qf '%{sourcerpm}' | uniq

sourcegraph found 103 .spec files with BuildRequires: libselinux-devel

https://sourcegraph.com/search?q=context:global+repo:%5Esrc.fedoraproject.org/+BuildRequires:+libselinux-devel&patternType=regexp&sm=0
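
The caveat quoted above, that a dependency query misses programs using the xattr system calls, /proc/pid/attr or /sys/fs/selinux without libselinux, can be checked with a byte-string scan of installed ELF files. This is an added example, not part of the thread: the marker strings, function names and default directory are assumptions, and the scan is a heuristic that will not match paths assembled at run time.

```python
#!/usr/bin/env python3
"""Heuristic scan: which ELF files touch SELinux interfaces, and do they reference libselinux?"""
import os
import sys

ELF_MAGIC = b"\x7fELF"
LIBSELINUX = b"libselinux.so.1"  # soname used in the repoquery above
# Interfaces named in the thread that work without the libselinux wrappers.
# The exact byte markers are assumptions chosen for this example.
DIRECT_MARKERS = {
    "xattr": b"security.selinux",    # SELinux label xattr name
    "selinuxfs": b"/sys/fs/selinux",
    "procattr": b"/attr/current",    # matches /proc/self/... and /proc/%d/...
}


def classify(path):
    """Return (references_libselinux, sorted direct-interface names), or None if not ELF."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    if not data.startswith(ELF_MAGIC):
        return None
    hits = sorted(name for name, marker in DIRECT_MARKERS.items() if marker in data)
    return (LIBSELINUX in data, hits)


def scan(root):
    """Map path -> classify() result for every ELF file under root showing any SELinux use."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # avoid counting the same binary twice
            result = classify(path)
            if result and (result[0] or result[1]):
                found[path] = result
    return found


def missed_by_dependency_query(found):
    """Files that use a direct interface but never reference libselinux."""
    return sorted(p for p, (linked, hits) in found.items() if hits and not linked)


if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else "/usr/sbin")
    for path in missed_by_dependency_query(found):
        print(path, ",".join(found[path][1]))
```

Hits are candidates for manual review, since a matching string in a binary does not prove the code path is used.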