SELinux Archive on lore.kernel.org
From: Stephen Smalley <sds@tycho.nsa.gov>
To: Petr Lautrbach <plautrba@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Fri, 17 Jan 2020 13:24:14 -0500
Message-ID: <5d7eb243-1dbe-9c54-9cf6-b3e7cdfba7c7@tycho.nsa.gov> (raw)
In-Reply-To: <pjdd0biq95r.fsf@redhat.com>

On 1/17/20 12:34 PM, Petr Lautrbach wrote:
> 
> Petr Lautrbach <plautrba@redhat.com> writes:
> 
>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>
>>> The flask.h and av_permissions.h header files were deprecated and
>>> all selinux userspace references to them were removed in
>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>>> back in 2014 and included in the 20150202 / 2.4 release.
>>> All userspace object managers should have been updated
>>> to use the dynamic class/perm mapping support since that time.
>>> Remove these headers finally to ensure that no users remain and
>>> that no future uses are ever introduced.
>>
>> I've patched libselinux and I'm building all packages which require
>> libselinux-devel [1] in Fedora. I'm in the middle of the package list and so far there
>> are only 3 packages which fail to build without flask.h or
>> av_permissions.h - libuser (the particular file wasn't updated since
>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>> results, but I don't think there will be any blocker.
>>
>> [1] https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/
>>
> 
> So the complete list of Fedora packages dependent on selinux/flask.h is:
> 
> xinetd
> usermode
> sed
> pam
> oddjob
> libuser
> ipsec-tools
> 
> Problems are usually in tests or in Fedora specific patches. I'll start
> to work on fixes with affected maintainers.

Great, thank you.  Hopefully the other patch for libsepol/checkpolicy to
prune its copy of flask.h of all SECCLASS_* definitions and take it
private to libsepol won't break anything.  With those two changes, we
should be free of any lingering uses of hardcoded class and permission
definitions.  Then all we need is for dbus-daemon to either set up a
POLICYLOAD callback and refresh its mapping at that time or switch over
to looking up the class and permissions each time as per the guidance in
the updated libselinux man pages (per my third patch) and userspace
should be safe for class or permission changes.
