SELinux Archive on lore.kernel.org
 help / color / Atom feed
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Petr Lautrbach <plautrba@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Tue, 21 Jan 2020 14:00:01 -0500
Message-ID: <3bf86683-05fd-e7fe-8808-5336b49b5932@tycho.nsa.gov> (raw)
In-Reply-To: <5d7eb243-1dbe-9c54-9cf6-b3e7cdfba7c7@tycho.nsa.gov>

On 1/17/20 1:24 PM, Stephen Smalley wrote:
> On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>>
>> Petr Lautrbach <plautrba@redhat.com> writes:
>>
>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>
>>>> The flask.h and av_permissions.h header files were deprecated and
>>>> all selinux userspace references to them were removed in
>>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and 
>>>> av_permissions.h.")
>>>> back in 2014 and included in the 20150202 / 2.4 release.
>>>> All userspace object managers should have been updated
>>>> to use the dynamic class/perm mapping support since that time.
>>>> Remove these headers finally to ensure that no users remain and
>>>> that no future uses are ever introduced.
>>>
>>> I've patched libselinux and I'm building all packages which requires
>>> libselinux-devel [1] in Fedora. I'm in the middle of package list and 
>>> so far there
>>> are only 3 packages which fails to build without flask.h or
>>> av_permission.h - libuser (the particular file wasn't updated since
>>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>>> results, but I don't think there will be some blocker.
>>>
>>> [1] 
>>> https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/ 
>>>
>>>
>>
>> So the complete list of Fedora packages dependent on selinux/flask.h is:
>>
>> xinetd
>> usermode
>> sed
>> pam
>> oddjob
>> libuser
>> ipsec-tools
>>
>> Problems are usually in tests or in Fedora specific patches. I'll start
>> to work on fixes with affected maintainers.
> 
> Great, thank you.  Hopefully the other patch for libsepol,checkpolicy to 
> prune its copy of flask.h of all SECCLASS_* definitions and take it 
> private to libsepol won't break anything.  With those two changes, we 
> should be free of any lingering uses of hardcoded class and permission 
> definitions.  Then all we need is for dbus-daemon to either set up a 
> POLICYLOAD callback and re-fresh its mapping at that time or switch over 
> to looking up the class and permissions each time as per the guidance in 
> the updated libselinux man pages (per my third patch) and userspace 
> should be safe for class or permission changes.

Just wanted to check: you acked my patch so I assume it is ok to merge 
now even before the above packages are all updated but wanted to confirm.

  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-15 15:55 Stephen Smalley
2020-01-16 19:52 ` Petr Lautrbach
2020-01-17 17:34   ` Petr Lautrbach
2020-01-17 18:24     ` Stephen Smalley
2020-01-21 19:00       ` Stephen Smalley [this message]
2020-01-21 19:26         ` Petr Lautrbach
2020-01-21 19:31           ` Petr Lautrbach
2020-01-21 19:34             ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3bf86683-05fd-e7fe-8808-5336b49b5932@tycho.nsa.gov \
    --to=sds@tycho.nsa.gov \
    --cc=plautrba@redhat.com \
    --cc=selinux@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git