From: Stephen Smalley <email@example.com>
To: Petr Lautrbach <firstname.lastname@example.org>, email@example.com
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Fri, 17 Jan 2020 13:24:14 -0500
Message-ID: <firstname.lastname@example.org>
In-Reply-To: <email@example.com>

On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>
> Petr Lautrbach <firstname.lastname@example.org> writes:
>
>> Stephen Smalley <email@example.com> writes:
>>
>>> The flask.h and av_permissions.h header files were deprecated and
>>> all selinux userspace references to them were removed in
>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>>> back in 2014 and included in the 20150202 / 2.4 release.
>>> All userspace object managers should have been updated
>>> to use the dynamic class/perm mapping support since that time.
>>> Remove these headers finally to ensure that no users remain and
>>> that no future uses are ever introduced.
>>
>> I've patched libselinux and I'm building all packages which require
>> libselinux-devel in Fedora. I'm in the middle of the package list and so far there
>> are only 3 packages which fail to build without flask.h or
>> av_permission.h - libuser (the particular file wasn't updated since
>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>> results, but I don't think there will be some blocker.
>>
>>  https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/
>>
>
> So the complete list of Fedora packages dependent on selinux/flask.h is:
>
> xinetd
> usermode
> sed
> pam
> oddjob
> libuser
> ipsec-tools
>
> Problems are usually in tests or in Fedora specific patches. I'll start
> to work on fixes with affected maintainers.

Great, thank you. Hopefully the other patch for libsepol,checkpolicy to prune its copy of flask.h of all SECCLASS_* definitions and take it private to libsepol won't break anything.

With those two changes, we should be free of any lingering uses of hardcoded class and permission definitions. Then all we need is for dbus-daemon to either set up a POLICYLOAD callback and refresh its mapping at that time or switch over to looking up the class and permissions each time as per the guidance in the updated libselinux man pages (per my third patch) and userspace should be safe for class or permission changes.