From: Aurelien Jarno
To: libc-alpha@sourceware.org
Cc: Aurelien Jarno
Subject: [PATCH] makedb: fix build with libselinux >= 3.1
Date: Tue, 21 Jul 2020 07:01:16 +0200
Message-Id: <20200721050115.204181-1-aurelien@aurel32.net>

glibc doesn't build with libselinux 3.1 that has been released recently
due to new deprecations introduced in that version and the fact that
glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   849 |   security_context_t ctx;
|       |   ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
|   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
|       |   ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
|   500 | extern int matchpathcon(const char *path,
|       |            ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

This patch is an attempt to fix that. It has only been build tested, as I
do not have a system nor the knowledge to test that. I have checked that
the functions used as replacement are available since at least selinux
2.0.96, released more than 10 years ago, so we probably do not need any
version check in the configure script.
--- nss/makedb.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) I believe this patch is not acceptable for glibc 2.32, I guess we should just add a #pragma to ignore -Werror=deprecated-declarations in that file. Note: there is the same issue in nscd/selinux.c. I plan to have a look once we settle on a strategy. diff --git a/nss/makedb.c b/nss/makedb.c index 8e389a16837..a5c4b521172 100644 --- a/nss/makedb.c +++ b/nss/makedb.c @@ -47,6 +47,7 @@ /* SELinux support. */ #ifdef HAVE_SELINUX +# include # include #endif @@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode) { static int enabled; static int enforcing; - security_context_t ctx; + struct selabel_handle *label_hnd = NULL; + char* ctx; /* Check if SELinux is enabled, and remember. */ if (enabled == 0) @@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode) if (enforcing == 0) enforcing = security_getenforce () ? 1 : -1; + /* Open the file contexts backend. */ + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + if (setfscreatecon (ctx) != 0) + error (enforcing > 0 ? EXIT_FAILURE : 0, 0, + gettext ("cannot initialize SELinux context")); + /* Determine the context which the file should have. */ ctx = NULL; - if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) + if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL) { if (setfscreatecon (ctx) != 0) error (enforcing > 0 ? EXIT_FAILURE : 0, 0, @@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode) outname); freecon (ctx); + selabel_close(label_hnd); } + + /* Close the file contexts backend. */ + selabel_close(label_hnd); } static void
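Review bot: The new lines do not follow the spacing of the code around them, starting with `char* ctx;` in the @@ -846,7 +847,8 @@ hunk, which should be `char *ctx;`. The added calls `selabel_open(`, `selabel_lookup(` and `selabel_close(` also lack the space before the opening parenthesis that the neighbouring `setfscreatecon (ctx)` and `freecon (ctx)` calls use.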
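Review bot: The selabel_open failure branch in the @@ -858,9 +860,16 @@ hunk calls `setfscreatecon (ctx)` while ctx is still uninitialised (`ctx = NULL;` is only assigned further down), and because of the nested `if` the "cannot initialize SELinux context" error is reported only when that call fails. When error () returns (enforcing <= 0), execution also falls through to selabel_lookup with a NULL label_hnd. Suggest removing the setfscreatecon call from this branch, reporting the error directly under `if (!label_hnd)`, and returning before the lookup.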
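Review bot: label_hnd is closed twice in the @@ -868,7 +877,11 @@ hunk when the lookup succeeds: once right after `freecon (ctx);` inside the block and again after the closing brace, so the second selabel_close operates on a handle that has already been released. Drop the call inside the block and keep only the unconditional one under the "Close the file contexts backend" comment.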