
[v2] makedb: fix build with libselinux >= 3.1 (Bug 26233)

Message ID 20220911153017.1880342-1-carlos@redhat.com

Commit Message

Carlos O'Donell Sept. 11, 2022, 3:30 p.m. UTC
From: Aurelien Jarno <aurelien@aurel32.net>

glibc doesn't build with libselinux 3.1 that has been released recently
due to new deprecations introduced in that version and the fact that
glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   849 |   security_context_t ctx;
|       |   ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
|   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
|       |   ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
|   500 | extern int matchpathcon(const char *path,
|       |            ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

This patch fixes the makedb half of bug 26233 by moving to the new
SELinux APIs and removes the existing compiler pragmas as no longer
required. Upstream API usage feedback gathered by Arjun is integrated
into this version of the fix.

The built makedb was tested and operates as expected on x86_64 with
SELinux in enforcing mode.

No regressions on x86_64 with libselinux 3.3.

Co-authored-by: Arjun Shankar <arjun@redhat.com>
Co-authored-by: Carlos O'Donell <carlos@redhat.com>
---
 nss/makedb.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

Comments

Siddhesh Poyarekar Sept. 12, 2022, 8:05 p.m. UTC | #1
On 2022-09-11 11:30, Carlos O'Donell via Libc-alpha wrote:
> From: Aurelien Jarno <aurelien@aurel32.net>
> 
> glibc doesn't build with libselinux 3.1 that has been released recently
> due to new deprecations introduced in that version and the fact that
> glibc is built with -Werror by default:
> 
> | makedb.c: In function ‘set_file_creation_context’:
> | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
> |   849 |   security_context_t ctx;
> |       |   ^~~~~~~~~~~~~~~~~~
> | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
> |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> |       |   ^~
> | In file included from makedb.c:50:
> | /usr/include/selinux/selinux.h:500:12: note: declared here
> |   500 | extern int matchpathcon(const char *path,
> |       |            ^~~~~~~~~~~~
> | cc1: all warnings being treated as errors
> 
> This patch fixes the makedb half of bug 26233 by moving to the new
> SELinux APIs and removes the existing compiler pragmas as no longer
> required. Upstream API usage feedback gathered by Arjun is integrated
> into this version of the fix.
> 
> The built makedb was tested and operates as expected on x86_64 with
> SELinux in enforcing mode.
> 
> No regressions on x86_64 with libselinux 3.3.
> 
> Co-authored-by: Arjun Shankar <arjun@redhat.com>
> Co-authored-by: Carlos O'Donell <carlos@redhat.com>

LGTM.

Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

> ---
>   nss/makedb.c | 24 +++++++++++++++---------
>   1 file changed, 15 insertions(+), 9 deletions(-)
> 
> diff --git a/nss/makedb.c b/nss/makedb.c
> index d3fc1c5af9..bcfa3c7e02 100644
> --- a/nss/makedb.c
> +++ b/nss/makedb.c
> @@ -47,6 +47,7 @@
>   
>   /* SELinux support.  */
>   #ifdef HAVE_SELINUX
> +# include <selinux/label.h>
>   # include <selinux/selinux.h>
>   #endif
>   
> @@ -855,18 +856,13 @@ print_database (int fd)
>   
>   #ifdef HAVE_SELINUX
>   
> -/* security_context_t and matchpathcon (along with several other symbols) were
> -   marked as deprecated by the SELinux API starting from version 3.1.  We use
> -   them here, but should eventually switch to the newer API.  */
> -DIAG_PUSH_NEEDS_COMMENT
> -DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
> -
>   static void
>   set_file_creation_context (const char *outname, mode_t mode)
>   {
>     static int enabled;
>     static int enforcing;
> -  security_context_t ctx;
> +  struct selabel_handle *label_hnd = NULL;
> +  char* ctx;
>   
>     /* Check if SELinux is enabled, and remember. */
>     if (enabled == 0)
> @@ -878,9 +874,17 @@ set_file_creation_context (const char *outname, mode_t mode)
>     if (enforcing == 0)
>       enforcing = security_getenforce () ? 1 : -1;
>   
> +  /* Open the file contexts backend. */
> +  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
> +  if (!label_hnd)
> +    {
> +      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
> +	     gettext ("cannot initialize SELinux context"));
> +      return;
> +    }
>     /* Determine the context which the file should have. */
>     ctx = NULL;
> -  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> +  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0)
>       {
>         if (setfscreatecon (ctx) != 0)
>   	error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
> @@ -889,8 +893,10 @@ set_file_creation_context (const char *outname, mode_t mode)
>   
>         freecon (ctx);
>       }
> +
> +  /* Close the file contexts backend. */
> +  selabel_close(label_hnd);
>   }
> -DIAG_POP_NEEDS_COMMENT
>   
>   static void
>   reset_file_creation_context (void)

Patch

diff --git a/nss/makedb.c b/nss/makedb.c
index d3fc1c5af9..bcfa3c7e02 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -47,6 +47,7 @@ 
 
 /* SELinux support.  */
 #ifdef HAVE_SELINUX
+# include <selinux/label.h>
 # include <selinux/selinux.h>
 #endif
 
@@ -855,18 +856,13 @@  print_database (int fd)
 
 #ifdef HAVE_SELINUX
 
-/* security_context_t and matchpathcon (along with several other symbols) were
-   marked as deprecated by the SELinux API starting from version 3.1.  We use
-   them here, but should eventually switch to the newer API.  */
-DIAG_PUSH_NEEDS_COMMENT
-DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations");
-
 static void
 set_file_creation_context (const char *outname, mode_t mode)
 {
   static int enabled;
   static int enforcing;
-  security_context_t ctx;
+  struct selabel_handle *label_hnd = NULL;
+  char* ctx;
 
   /* Check if SELinux is enabled, and remember. */
   if (enabled == 0)
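Review bot: The new declaration `char* ctx;` binds the star to the type, while the rest of this file, including the signature of this very function (`const char *outname`), binds it to the name; write `char *ctx;`. Replacing the `security_context_t` typedef with a plain `char *` is the right direction, since the typedef itself is what libselinux deprecated, and `ctx` is assigned to NULL before the lookup later in the function, so the missing initializer on this line is harmless. set_file_creation_context continues past the end of this hunk.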
@@ -878,9 +874,17 @@  set_file_creation_context (const char *outname, mode_t mode)
   if (enforcing == 0)
     enforcing = security_getenforce () ? 1 : -1;
 
+  /* Open the file contexts backend. */
+  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+  if (!label_hnd)
+    {
+      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+	     gettext ("cannot initialize SELinux context"));
+      return;
+    }
   /* Determine the context which the file should have. */
   ctx = NULL;
-  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0)
     {
       if (setfscreatecon (ctx) != 0)
 	error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
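Review bot: A failing `selabel_lookup` on the new lookup line is silently ignored, so when no context can be determined makedb carries on and creates the output file with whatever creation context the process already has, even in enforcing mode; the old `matchpathcon` path behaved the same, but the new API distinguishes "no rule matched" (errno ENOENT, per the selabel_lookup(3) man page) from real failures, which makes it cheap to report the latter with `else if (errno != ENOENT) error (enforcing > 0 ? EXIT_FAILURE : 0, errno, gettext ("cannot determine SELinux context for %s"), outname);` after the success block, assuming `<errno.h>` is already in scope. Relatedly, the `selabel_open` failure report passes `0` as errnum and so drops the errno that selabel_open set, which is what would tell an administrator whether file_contexts was missing or unreadable; passing `errno` there costs nothing. Note also that `selabel_open` re-parses the file_contexts database on every call while `enabled`/`enforcing` are cached in statics, which suggests repeated calls are expected; if so, caching the handle the same way would avoid the repeated parse, though that is inferred from the statics rather than shown by this hunk. The enclosing function continues outside the hunk.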
@@ -889,8 +893,10 @@  set_file_creation_context (const char *outname, mode_t mode)
 
       freecon (ctx);
     }
+
+  /* Close the file contexts backend. */
+  selabel_close(label_hnd);
 }
-DIAG_POP_NEEDS_COMMENT
 
 static void
 reset_file_creation_context (void)
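Review bot: The added `selabel_close(label_hnd);` omits the space before the argument list that the file's GNU style uses everywhere else in this function (`freecon (ctx);` just above it, `setfscreatecon (ctx)` earlier); write `selabel_close (label_hnd);`. The same applies to the `selabel_open(...)` and `selabel_lookup(...)` calls added in the previous hunk. Closing the handle unconditionally at the end is correct here: both the lookup-failed and lookup-succeeded paths fall through to it, and the only early `return` happens when `selabel_open` returned NULL, before any handle exists.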