makedb: fix build with libselinux >= 3.1

Message ID 20200721050115.204181-1-aurelien@aurel32.net
State Superseded
Headers
Series makedb: fix build with libselinux >= 3.1

Commit Message

Aurelien Jarno July 21, 2020, 5:01 a.m. UTC
  glibc doesn't build with libselinux 3.1 that has been released recently
due to new deprecations introduced in that version and the fact that
glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
|   849 |   security_context_t ctx;
|       |   ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
|   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
|       |   ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
|   500 | extern int matchpathcon(const char *path,
|       |            ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

This patch is an attempt to fix that. It has only been build-tested, as I do
not have a system nor the knowledge to test that. I have checked that
the functions used as replacement are available since at least selinux
2.0.96, released more than 10 years ago, so we probably do not need any
version check in the configure script.
---
 nss/makedb.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

I believe this patch is not acceptable for glibc 2.32, I guess we should
just add a #pragma to ignore -Werror=deprecated-declarations in that
file.

Note: there is the same issue in nscd/selinux.c. I plan to have a look
once we settle on a strategy.
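The selabel_* replacement for matchpathcon, written out with its failure paths handled, as an added example rather than the patch's or glibc's code. It mirrors what nss/makedb.c's set_file_creation_context does (cache is_selinux_enabled and security_getenforce, look up the label for the output file, install it with setfscreatecon), but returns a status instead of calling error (), closes the selabel handle exactly once on every path, never calls setfscreatecon without a looked-up context, and tells a "no matching rule" ENOENT apart from a real lookup failure. Assumptions: a GCC/Clang preprocessor with __has_include so the file also compiles where the libselinux headers are absent (it then reports CTX_NOT_BUILT); the enum ctx_status values, set_file_creation_context2 and ctx_status_name are names made up for this example, not libselinux's or glibc's. Build with `gcc -Wall example.c -lselinux` on a system with the libselinux development headers.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumption: GCC 5+/Clang provide __has_include.  Without the libselinux
   headers the code below degrades to a stub that reports CTX_NOT_BUILT.  */
#if defined __has_include
# if __has_include(<selinux/label.h>) && __has_include(<selinux/selinux.h>)
#  define HAVE_SELINUX 1
# endif
#endif

#ifdef HAVE_SELINUX
# include <selinux/label.h>    /* selabel_open, selabel_lookup, selabel_close */
# include <selinux/selinux.h>  /* is_selinux_enabled, setfscreatecon, freecon */
#endif

/* Outcome of the labelling attempt (names invented for this example).  */
enum ctx_status
  {
    CTX_NOT_BUILT,      /* compiled without libselinux */
    CTX_DISABLED,       /* is_selinux_enabled () said no */
    CTX_SET,            /* setfscreatecon succeeded */
    CTX_NO_MATCH,       /* no file_contexts rule: the kernel default applies */
    CTX_OPEN_FAILED,    /* selabel_open failed */
    CTX_LOOKUP_FAILED,  /* selabel_lookup failed with errno != ENOENT */
    CTX_SET_FAILED      /* setfscreatecon failed */
  };

const char *
ctx_status_name (enum ctx_status st)
{
  static const char *const names[] =
    { "not built with libselinux", "selinux disabled", "context set",
      "no matching context", "selabel_open failed", "selabel_lookup failed",
      "setfscreatecon failed" };
  return (unsigned) st < sizeof names / sizeof names[0] ? names[st] : "?";
}

int
ctx_status_is_failure (enum ctx_status st)
{
  return st >= CTX_OPEN_FAILED;
}

/* Pick the creation context for OUTNAME the way makedb does, using the
   selabel_* API.  *FATAL is set when the caller must abort: a failure while
   SELinux is enforcing.  In permissive mode failures are only reported.  */
enum ctx_status
set_file_creation_context2 (const char *outname, mode_t mode, int *fatal)
{
  *fatal = 0;
#ifndef HAVE_SELINUX
  (void) outname;
  (void) mode;
  return CTX_NOT_BUILT;
#else
  static int enabled;    /* 0 unknown, 1 enabled, -1 disabled (cached) */
  static int enforcing;  /* 0 unknown, 1 enforcing, -1 permissive (cached) */

  if (enabled == 0)
    enabled = is_selinux_enabled () > 0 ? 1 : -1;
  if (enabled < 0)
    return CTX_DISABLED;
  /* As in makedb: an error from security_getenforce counts as enforcing.  */
  if (enforcing == 0)
    enforcing = security_getenforce () != 0 ? 1 : -1;

  struct selabel_handle *hnd = selabel_open (SELABEL_CTX_FILE, NULL, 0);
  if (hnd == NULL)
    {
      /* No handle, so no lookup and no setfscreatecon: report and stop.  */
      *fatal = enforcing > 0;
      return CTX_OPEN_FAILED;
    }

  enum ctx_status st;
  char *ctx = NULL;
  if (selabel_lookup (hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL)
    {
      if (setfscreatecon (ctx) == 0)
        st = CTX_SET;
      else
        {
          st = CTX_SET_FAILED;
          *fatal = enforcing > 0;
        }
      freecon (ctx);
    }
  else if (errno == ENOENT)
    st = CTX_NO_MATCH;          /* no rule matches: not an error */
  else
    {
      st = CTX_LOOKUP_FAILED;
      *fatal = enforcing > 0;
    }

  selabel_close (hnd);          /* exactly once, on every path that opened it */
  return st;
#endif
}

int
main (int argc, char **argv)
{
  const char *path = argc > 1 ? argv[1] : "/var/db/passwd.db";
  int fatal;
  enum ctx_status st = set_file_creation_context2 (path, 0644, &fatal);
  printf ("%s: %s%s\n", path, ctx_status_name (st), fatal ? " (fatal)" : "");
  return fatal ? 1 : 0;
}
```

The fatal flag reproduces makedb's policy: a labelling failure aborts the build of the database only when SELinux is enforcing; in permissive mode it is reported and the file is created with whatever default label the kernel assigns. Handling selabel_open failure by returning before the lookup is the part that matters for correctness: selabel_lookup must never be handed a NULL handle, and setfscreatecon must never be handed a context that was not looked up.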

Comments

Arjun Shankar July 21, 2020, 11:15 a.m. UTC | #1
On Tue, Jul 21, 2020 at 07:01:16AM +0200, Aurelien Jarno wrote:
> glibc doesn't build with libselinux 3.1 that has been released recently
> due to new deprecations introduced in that version and the fact that
> glibc is built with -Werror by default:
> 
> | makedb.c: In function ‘set_file_creation_context’:
> | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
> |   849 |   security_context_t ctx;
> |       |   ^~~~~~~~~~~~~~~~~~
> | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
> |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> |       |   ^~
> | In file included from makedb.c:50:
> | /usr/include/selinux/selinux.h:500:12: note: declared here
> |   500 | extern int matchpathcon(const char *path,
> |       |            ^~~~~~~~~~~~
> | cc1: all warnings being treated as errors

I ran into this a few days ago trying to build master for Fedora rawhide:

I filed this bug, and have a patch that started off quite similarly to
the one you posted. Here's the bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

> This patch is an attempt to fix that. It has only been build-tested, as I do
> not have a system nor the knowledge to test that. I have checked that
> the functions used as replacement are available since at least selinux
> 2.0.96, released more than 10 years ago, so we probably do not need any
> version check in the configure script.

Unfortunately, it seems like there is more. nscd build also fails because,
e.g., avc_init was deprecated and needs to be replaced with calls to
avc_open and selinux_set_callback. I'm working on that at the moment.

Have you been building with --disable-build-nscd? That does cause build to
succeed with the patch I have so far (very similar to yours because I've
not fixed nscd/selinux.c yet).

Cheers,
Arjun
Aurelien Jarno July 21, 2020, 12:07 p.m. UTC | #2
On 2020-07-21 11:15, Arjun Shankar wrote:
> On Tue, Jul 21, 2020 at 07:01:16AM +0200, Aurelien Jarno wrote:
> > glibc doesn't build with libselinux 3.1 that has been released recently
> > due to new deprecations introduced in that version and the fact that
> > glibc is built with -Werror by default:
> > 
> > | makedb.c: In function ‘set_file_creation_context’:
> > | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
> > |   849 |   security_context_t ctx;
> > |       |   ^~~~~~~~~~~~~~~~~~
> > | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
> > |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> > |       |   ^~
> > | In file included from makedb.c:50:
> > | /usr/include/selinux/selinux.h:500:12: note: declared here
> > |   500 | extern int matchpathcon(const char *path,
> > |       |            ^~~~~~~~~~~~
> > | cc1: all warnings being treated as errors
> 
> I ran into this a few days ago trying to build master for Fedora rawhide:
> 
> I filed this bug, and have a patch that started off quite similarly to
> the one you posted. Here's the bug:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=26233
> 
> > This patch is an attempt to fix that. It has only been build-tested, as I do
> > not have a system nor the knowledge to test that. I have checked that
> > the functions used as replacement are available since at least selinux
> > 2.0.96, released more than 10 years ago, so we probably do not need any
> > version check in the configure script.
> 
> Unfortunately, it seems like there is more. nscd build also fails because,
> e.g., avc_init was deprecated and needs to be replaced with calls to
> avc_open and selinux_set_callback. I'm working on that at the moment.
> 
> Have you been building with --disable-build-nscd? That does cause build to
> succeed with the patch I have so far (very similar to yours because I've
> not fixed nscd/selinux.c yet).

No, I have found the same issue with nscd/selinux.c, that's just because
I wanted to decide on a strategy before continuing. We need an
additional string in case of SELinux context error, which from what I
understand is forbidden at this stage of the release. Therefore we might
have to use #pragma instead to ignore the warning for the 2.32 release.

Aurelien
Florian Weimer July 21, 2020, 1:14 p.m. UTC | #3
* Aurelien Jarno:

> No, I have found the same issue with nscd/selinux.c, that's just because
> I wanted to decide on a strategy before continuing. We need an
> additional string in case of SELinux context error, which from what I
> understand is forbidden at this stage of the release.

Have the strings already been uploaded to the translation project?
I haven't seen a message about that.

Thanks,
Florian
Carlos O'Donell July 22, 2020, 3:23 p.m. UTC | #4
On 7/21/20 9:14 AM, Florian Weimer via Libc-alpha wrote:
> * Aurelien Jarno:
> 
>> No, I have found the same issue with nscd/selinux.c, that's just because
>> I wanted to decide on a strategy before continuing. We need an
>> additional string in case of SELinux context error, which from what I
>> understand is forbidden at this stage of the release.
> 
> Have the strings already been uploaded to the translation project?
> I haven't seen a message about that.

Not yet. That's my job today.

Patch

diff --git a/nss/makedb.c b/nss/makedb.c
index 8e389a16837..a5c4b521172 100644
--- a/nss/makedb.c
+++ b/nss/makedb.c
@@ -47,6 +47,7 @@ 
 
 /* SELinux support.  */
 #ifdef HAVE_SELINUX
+# include <selinux/label.h>
 # include <selinux/selinux.h>
 #endif
 
@@ -846,7 +847,8 @@  set_file_creation_context (const char *outname, mode_t mode)
 {
   static int enabled;
   static int enforcing;
-  security_context_t ctx;
+  struct selabel_handle *label_hnd = NULL;
+  char* ctx;
 
   /* Check if SELinux is enabled, and remember. */
   if (enabled == 0)
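Review bot: `char* ctx;` should be `char *ctx;` to match the pointer style of the surrounding file (compare `const char *outname` in the function header), and the `= NULL` initializer on label_hnd is dead: the handle is unconditionally assigned from selabel_open before it is ever read, so `struct selabel_handle *label_hnd;` is enough.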
@@ -858,9 +860,16 @@  set_file_creation_context (const char *outname, mode_t mode)
   if (enforcing == 0)
     enforcing = security_getenforce () ? 1 : -1;
 
+  /* Open the file contexts backend. */
+  label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+  if (!label_hnd)
+    if (setfscreatecon (ctx) != 0)
+      error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
+	     gettext ("cannot initialize SELinux context"));
+
   /* Determine the context which the file should have. */
   ctx = NULL;
-  if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
+  if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL)
     {
       if (setfscreatecon (ctx) != 0)
 	error (enforcing > 0 ? EXIT_FAILURE : 0, 0,
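Review bot: the selabel_open failure path is wrong: `if (!label_hnd)` followed by `if (setfscreatecon (ctx) != 0)` calls setfscreatecon with ctx still uninitialized (the `ctx = NULL;` assignment only comes after it in this hunk), and when SELinux is not enforcing error () returns, so the code then continues into `selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode)` with a NULL handle. The failure branch should not touch ctx at all: report it with error (enforcing > 0 ? EXIT_FAILURE : 0, 0, ...) and return, so selabel_lookup only ever sees a valid handle. Note also that "cannot initialize SELinux context" is a new translatable string, which the thread flags as a problem for the 2.32 freeze, and that glibc style puts a space before the parenthesis in `selabel_open (` and `selabel_lookup (`.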
@@ -868,7 +877,11 @@  set_file_creation_context (const char *outname, mode_t mode)
 	       outname);
 
       freecon (ctx);
+      selabel_close(label_hnd);
     }
+
+  /* Close the file contexts backend. */
+  selabel_close(label_hnd);
 }
 
 static void
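Review bot: label_hnd is closed twice on the success path: the `selabel_close(label_hnd);` added inside the block right after `freecon (ctx);` runs, and then the `selabel_close(label_hnd);` added after the block runs again on the same handle, which is a double free. Drop the one inside the block and keep only the trailing call, written `selabel_close (label_hnd);` in glibc style; it already covers both the match and the no-match cases.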