SELinux Archive on
 help / color / Atom feed
From: Stephen Smalley <>
To: Petr Lautrbach <>,
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Tue, 21 Jan 2020 14:00:01 -0500
Message-ID: <> (raw)
In-Reply-To: <>

On 1/17/20 1:24 PM, Stephen Smalley wrote:
> On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>> Petr Lautrbach <> writes:
>>> Stephen Smalley <> writes:
>>>> The flask.h and av_permissions.h header files were deprecated and
>>>> all selinux userspace references to them were removed in
>>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and 
>>>> av_permissions.h.")
>>>> back in 2014 and included in the 20150202 / 2.4 release.
>>>> All userspace object managers should have been updated
>>>> to use the dynamic class/perm mapping support since that time.
>>>> Remove these headers finally to ensure that no users remain and
>>>> that no future uses are ever introduced.
>>> I've patched libselinux and I'm building all packages which requires
>>> libselinux-devel [1] in Fedora. I'm in the middle of package list and 
>>> so far there
>>> are only 3 packages which fails to build without flask.h or
>>> av_permission.h - libuser (the particular file wasn't updated since
>>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>>> results, but I don't think there will be some blocker.
>>> [1] 
>> So the complete list of Fedora packages dependent on selinux/flask.h is:
>> xinetd
>> usermode
>> sed
>> pam
>> oddjob
>> libuser
>> ipsec-tools
>> Problems are usually in tests or in Fedora specific patches. I'll start
>> to work on fixes with affected maintainers.
> Great, thank you.  Hopefully the other patch for libsepol,checkpolicy to 
> prune its copy of flask.h of all SECCLASS_* definitions and take it 
> private to libsepol won't break anything.  With those two changes, we 
> should be free of any lingering uses of hardcoded class and permission 
> definitions.  Then all we need is for dbus-daemon to either set up a 
> POLICYLOAD callback and re-fresh its mapping at that time or switch over 
> to looking up the class and permissions each time as per the guidance in 
> the updated libselinux man pages (per my third patch) and userspace 
> should be safe for class or permission changes.

Just wanted to check: you acked my patch so I assume it is ok to merge 
now even before the above packages are all updated but wanted to confirm.

  reply index

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-15 15:55 Stephen Smalley
2020-01-16 19:52 ` Petr Lautrbach
2020-01-17 17:34   ` Petr Lautrbach
2020-01-17 18:24     ` Stephen Smalley
2020-01-21 19:00       ` Stephen Smalley [this message]
2020-01-21 19:26         ` Petr Lautrbach
2020-01-21 19:31           ` Petr Lautrbach
2020-01-21 19:34             ` Stephen Smalley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on

Archives are clonable:
	git clone --mirror selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ \
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone