On 2/12/2025 10:11 AM, Daniel Burgener wrote:
On 2/12/2025 4:16 AM, Alyssa Ross wrote:
Daniel Burgener <dburgener@xxxxxxxxxxxxxxxxxxx> writes:
On 2/11/2025 4:16 PM, Alyssa Ross wrote:
diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
index 32ad0201..7acd51dd 100644
--- a/policycoreutils/Makefile
+++ b/policycoreutils/Makefile
@@ -1,5 +1,10 @@
SUBDIRS = setfiles load_policy newrole run_init secon sestatus
semodule setsebool scripts po man hll unsetfiles
+PKG_CONFIG ?= pkg-config
+
+LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
+export LIBSELINUX_LDLIBS
+
I think that in the DISABLE_SHARED case, the pkg-config command needs
--static as well. I tried your patch, and I get errors that the
downstream users of libselinux have undefined references to libpcre2,
and they are being build without -lpcre2-8. Based on the pkg-config man
page, it looks like Requires.private libraries are only included if the
--static flag is passed.
I think it's generally expected that the user set
PKG_CONFIG="pkg-config --static" when they want static linking. See
e.g. <https://bugs.freedesktop.org/show_bug.cgi?id=19541#c3>.
Thanks for clarifying. Yes, this command builds everything for me:
make DESTDIR=~/obj PKG_CONFIG="pkg-config --static" DISABLE_SHARED=y
install
However, the binaries still appear dynamically linked when I investigate
them with the "file" command. Am I missing some other step?
It occurs to me that I've possibly misunderstood the point of your
patch. This is just about not building the shared libraries,
independent of whether the binaries are statically linked?
I'm noticing that with the above command, restorecond is still
dynamically linking with a libselinux. Since no shared libselinux was
built, it's linking with the one that happens to be installed on my
system. That is different than the policycoreutils/* like newrole for
example, that was dynamically linked with libselinux without this patch,
but now is not. That seems like surprising behavior to me. Is it the
expected behavior?
-Daniel
I also see that restorecond is not including -lpcre2-8. It probably
needs the same treatment as policycoreutils/*.
Does it fail to build for you? It builds DISABLE_SHARED=y for me
Now that I added PKG_CONFIG="pkg-config --static", restorecond is
building. However, as above, it appears dynamically linked.
Finally, I was unable to get the install-rubywrap and install-pywrap
targets to build with DISABLE_SHARED=y. I wasn't able to figure out the
ultimate issue there.
I think Ruby and Python bindings need to be shared libraries, so it
doesn't make sense to build them with DISABLE_SHARED=y.
Fair enough. I think it would be helpful if these caveats could all get
documented. I just tried following the README.md instructions and
adding "DISABLE_SHARED=y", which as mentioned, didn't work. If
"DISABLE_SHARED" requires other options to work, it seems like that
should at a minimum be documented.
-Daniel
