Deprecated Annotations in libselinux

Deprecated Annotations in libselinux

[William Roberts]

So I am reviving the work to look at annotating deprecated functions.
I was wondering what folks are thinking around the utility program
matchpathcon, since that interface is deprecated, do we want to:

1. link that statically so we can use internal (non-deprecated) functions
2. update it to use selabel_open and friends.
3. Keep it but have it print out "deprecated" and return 1.
4. Some mix of options 3 and 1

Re: Deprecated Annotations in libselinux

[Nicolas Iooss]

On Wed, Apr 15, 2020 at 11:10 PM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> So I am reviving the work to look at annotating deprecated functions.
> I was wondering what folks are thinking around the utility program
> matchpathcon, since that interface is deprecated, do we want to:
>
> 1. link that statically so we can use internal (non-deprecated) functions
> 2. update it to use selabel_open and friends.
> 3. Keep it but have it print out "deprecated" and return 1.
> 4. Some mix of options 3 and 1

Hello,
I did not really follow closely why functions are getting deprecated.
>From the patch series, it appears that matchpathcon_init() is being
deprecated in favor of selabel_open(). That can make sense.

>From a CLI perspective, the interface of selabel_lookup seems to be
more complex to use that matchpathcon:

$ matchpathcon /etc/shadow
/etc/shadow system_u:object_r:shadow_t
$ selabel_lookup -b file -k /etc/shadow
Default context: system_u:object_r:shadow_t

Moreover, looking at selabel_lookup --help, it was not clear that the
file for which I wanted the context needs to be given as a -k option,
because the usage line states "[-f file]" (that means something else).
This increases the difficulty of using selabel_lookup instead of
matchpathcon. Therefore as a SELinux user, I would rather keep
matchpathcon program. Would it be difficult to implement option 2
"update matchpathcon to use selabel_open() and friends"?

That being said, if another option is chosen, I will add "alias
matchpathcon=selabel_lookup -b file -k" to my shell configuration and
be good with it. This would work for me because I never used any
option that matchpathcon provides.

Anyway, thanks for working on this subject!
Nicolas

RE: Deprecated Annotations in libselinux

[Roberts, William C]

> -----Original Message-----
> From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> On Behalf Of Nicolas Iooss
> Sent: Sunday, April 19, 2020 8:37 AM
> To: William Roberts <bill.c.roberts@gmail.com>; SElinux list
> <selinux@vger.kernel.org>
> Cc: Stephen Smalley <sds@tycho.nsa.gov>
> Subject: Re: Deprecated Annotations in libselinux
> 
> On Wed, Apr 15, 2020 at 11:10 PM William Roberts <bill.c.roberts@gmail.com>
> wrote:
> >
> > So I am reviving the work to look at annotating deprecated functions.
> > I was wondering what folks are thinking around the utility program
> > matchpathcon, since that interface is deprecated, do we want to:
> >
> > 1. link that statically so we can use internal (non-deprecated)
> > functions 2. update it to use selabel_open and friends.
> > 3. Keep it but have it print out "deprecated" and return 1.
> > 4. Some mix of options 3 and 1
> 
> Hello,
> I did not really follow closely why functions are getting deprecated.
> >From the patch series, it appears that matchpathcon_init() is being
> deprecated in favor of selabel_open(). That can make sense.

They have been deprecated for a long time, Im just investogatingusing the deprecated
Annotation to encourage folks to move to the new interfaces and suggest the new
Interface in the warning message.

> 
> >From a CLI perspective, the interface of selabel_lookup seems to be
> more complex to use that matchpathcon:
> 
> $ matchpathcon /etc/shadow
> /etc/shadow system_u:object_r:shadow_t
> $ selabel_lookup -b file -k /etc/shadow
> Default context: system_u:object_r:shadow_t
> 
> Moreover, looking at selabel_lookup --help, it was not clear that the file for which
> I wanted the context needs to be given as a -k option, because the usage line
> states "[-f file]" (that means something else).
> This increases the difficulty of using selabel_lookup instead of matchpathcon.
> Therefore as a SELinux user, I would rather keep matchpathcon program. Would
> it be difficult to implement option 2 "update matchpathcon to use selabel_open()
> and friends"?

I'm leaving the interfaces the same in this series, and we can update matchpathcon later.
The only thing I am adding is a deprecated message to stderr for the matchpathcon util,
which we can drop.

> 
> That being said, if another option is chosen, I will add "alias
> matchpathcon=selabel_lookup -b file -k" to my shell configuration and be good
> with it. This would work for me because I never used any option that
> matchpathcon provides.
> 
> Anyway, thanks for working on this subject!
> Nicolas

Re: Deprecated Annotations in libselinux

[William Roberts]

>
>
>
> > -----Original Message-----
> > From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> > On Behalf Of Nicolas Iooss
> > Sent: Sunday, April 19, 2020 8:37 AM
> > To: William Roberts <bill.c.roberts@gmail.com>; SElinux list
> > <selinux@vger.kernel.org>
> > Cc: Stephen Smalley <sds@tycho.nsa.gov>
> > Subject: Re: Deprecated Annotations in libselinux
> >
> > On Wed, Apr 15, 2020 at 11:10 PM William Roberts <bill.c.roberts@gmail.com>
> > wrote:
> > >
> > > So I am reviving the work to look at annotating deprecated functions.
> > > I was wondering what folks are thinking around the utility program
> > > matchpathcon, since that interface is deprecated, do we want to:
> > >
> > > 1. link that statically so we can use internal (non-deprecated)
> > > functions 2. update it to use selabel_open and friends.
> > > 3. Keep it but have it print out "deprecated" and return 1.
> > > 4. Some mix of options 3 and 1
> >
> > Hello,
> > I did not really follow closely why functions are getting deprecated.
> > >From the patch series, it appears that matchpathcon_init() is being
> > deprecated in favor of selabel_open(). That can make sense.
>
> They have been deprecated for a long time, Im just investogatingusing the deprecated
> Annotation to encourage folks to move to the new interfaces and suggest the new
> Interface in the warning message.
>
> >
> > >From a CLI perspective, the interface of selabel_lookup seems to be
> > more complex to use that matchpathcon:
> >
> > $ matchpathcon /etc/shadow
> > /etc/shadow system_u:object_r:shadow_t
> > $ selabel_lookup -b file -k /etc/shadow
> > Default context: system_u:object_r:shadow_t
> >
> > Moreover, looking at selabel_lookup --help, it was not clear that the file for which
> > I wanted the context needs to be given as a -k option, because the usage line
> > states "[-f file]" (that means something else).
> > This increases the difficulty of using selabel_lookup instead of matchpathcon.
> > Therefore as a SELinux user, I would rather keep matchpathcon program. Would
> > it be difficult to implement option 2 "update matchpathcon to use selabel_open()
> > and friends"?
>
> I'm leaving the interfaces the same in this series, and we can update matchpathcon later.
> The only thing I am adding is a deprecated message to stderr for the matchpathcon util,
> which we can drop.
>
> >
> > That being said, if another option is chosen, I will add "alias
> > matchpathcon=selabel_lookup -b file -k" to my shell configuration and be good
> > with it. This would work for me because I never used any option that
> > matchpathcon provides.
> >
> > Anyway, thanks for working on this subject!
> > Nicolas

I will bring them to merge and correct the commit messages. Thanks!

Re: Deprecated Annotations in libselinux

[William Roberts]

On Wed, Apr 29, 2020 at 9:50 AM William Roberts
<bill.c.roberts@gmail.com> wrote:
>
> >
> >
> >
> > > -----Original Message-----
> > > From: selinux-owner@vger.kernel.org [mailto:selinux-owner@vger.kernel.org]
> > > On Behalf Of Nicolas Iooss
> > > Sent: Sunday, April 19, 2020 8:37 AM
> > > To: William Roberts <bill.c.roberts@gmail.com>; SElinux list
> > > <selinux@vger.kernel.org>
> > > Cc: Stephen Smalley <sds@tycho.nsa.gov>
> > > Subject: Re: Deprecated Annotations in libselinux
> > >
> > > On Wed, Apr 15, 2020 at 11:10 PM William Roberts <bill.c.roberts@gmail.com>
> > > wrote:
> > > >
> > > > So I am reviving the work to look at annotating deprecated functions.
> > > > I was wondering what folks are thinking around the utility program
> > > > matchpathcon, since that interface is deprecated, do we want to:
> > > >
> > > > 1. link that statically so we can use internal (non-deprecated)
> > > > functions 2. update it to use selabel_open and friends.
> > > > 3. Keep it but have it print out "deprecated" and return 1.
> > > > 4. Some mix of options 3 and 1
> > >
> > > Hello,
> > > I did not really follow closely why functions are getting deprecated.
> > > >From the patch series, it appears that matchpathcon_init() is being
> > > deprecated in favor of selabel_open(). That can make sense.
> >
> > They have been deprecated for a long time, Im just investogatingusing the deprecated
> > Annotation to encourage folks to move to the new interfaces and suggest the new
> > Interface in the warning message.
> >
> > >
> > > >From a CLI perspective, the interface of selabel_lookup seems to be
> > > more complex to use that matchpathcon:
> > >
> > > $ matchpathcon /etc/shadow
> > > /etc/shadow system_u:object_r:shadow_t
> > > $ selabel_lookup -b file -k /etc/shadow
> > > Default context: system_u:object_r:shadow_t
> > >
> > > Moreover, looking at selabel_lookup --help, it was not clear that the file for which
> > > I wanted the context needs to be given as a -k option, because the usage line
> > > states "[-f file]" (that means something else).
> > > This increases the difficulty of using selabel_lookup instead of matchpathcon.
> > > Therefore as a SELinux user, I would rather keep matchpathcon program. Would
> > > it be difficult to implement option 2 "update matchpathcon to use selabel_open()
> > > and friends"?
> >
> > I'm leaving the interfaces the same in this series, and we can update matchpathcon later.
> > The only thing I am adding is a deprecated message to stderr for the matchpathcon util,
> > which we can drop.
> >
> > >
> > > That being said, if another option is chosen, I will add "alias
> > > matchpathcon=selabel_lookup -b file -k" to my shell configuration and be good
> > > with it. This would work for me because I never used any option that
> > > matchpathcon provides.
> > >
> > > Anyway, thanks for working on this subject!
> > > Nicolas
>
> I will bring them to merge and correct the commit messages. Thanks!

merged: https://github.com/SELinuxProject/selinux/pull/231
Thanks everyone!