Re: [PATCH] libselinux: remove flask.h and av_permissions.h

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Petr Lautrbach <plautrba@redhat.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Tue, 21 Jan 2020 14:34:56 -0500	[thread overview]
Message-ID: <8ae1bcf5-4728-8b88-d403-25081936fc7c@tycho.nsa.gov> (raw)
In-Reply-To: <pjd5zh4r4i2.fsf@redhat.com>

On 1/21/20 2:31 PM, Petr Lautrbach wrote:
> 
> Petr Lautrbach <plautrba@redhat.com> writes:
> 
>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>
>>> On 1/17/20 1:24 PM, Stephen Smalley wrote:
>>>> On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>>>>>
>>>>> Petr Lautrbach <plautrba@redhat.com> writes:
>>>>>
>>>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>>>
>>>>>>> The flask.h and av_permissions.h header files were deprecated and
>>>>>>> all selinux userspace references to them were removed in
>>>>>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>>>>>>> back in 2014 and included in the 20150202 / 2.4 release.
>>>>>>> All userspace object managers should have been updated
>>>>>>> to use the dynamic class/perm mapping support since that time.
>>>>>>> Remove these headers finally to ensure that no users remain and
>>>>>>> that no future uses are ever introduced.
>>>>>>
>>>>>> I've patched libselinux and I'm building all packages which requires
>>>>>> libselinux-devel [1] in Fedora. I'm in the middle of package list and so far
>>>>>> there
>>>>>> are only 3 packages which fails to build without flask.h or
>>>>>> av_permission.h - libuser (the particular file wasn't updated since
>>>>>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>>>>>> results, but I don't think there will be some blocker.
>>>>>>
>>>>>> [1]
>>>>>> https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/
>>>>>>
>>>>>>
>>>>>
>>>>> So the complete list of Fedora packages dependent on selinux/flask.h is:
>>>>>
>>>>> xinetd
>>>>> usermode
>>>>> sed
>>>>> pam
>>>>> oddjob
>>>>> libuser
>>>>> ipsec-tools
>>>>>
>>>>> Problems are usually in tests or in Fedora specific patches. I'll start
>>>>> to work on fixes with affected maintainers.
>>>>
>>>> Great, thank you.  Hopefully the other patch for libsepol,checkpolicy to prune
>>>> its copy of flask.h of all SECCLASS_* definitions and take it private to
>>>> libsepol won't break anything.  With those two changes, we should be free of
>>>> any lingering uses of hardcoded class and permission definitions.  Then all we
>>>> need is for dbus-daemon to either set up a POLICYLOAD callback and re-fresh
>>>> its mapping at that time or switch over to looking up the class and
>>>> permissions each time as per the guidance in the updated libselinux man pages
>>>> (per my third patch) and userspace should be safe for class or permission
>>>> changes.
>>>
>>> Just wanted to check: you acked my patch so I assume it is ok to merge now even
>>> before the above packages are all updated but wanted to confirm.
>>
>> It's ok to merge it. It's better as a reference when it's merged, and pushed.
>>
>> I just wasn't sure if it's nor related to your other patches, but I
>> haven't time to check them yet..
> 
> And note that I have checked only Fedora (RHEL). OTOH if it's a problem
> in other distribution, selinux/flask.h can be patched into a distro package.

Ok, I've merged this patch now on selinux/master along with the man page 
patch.  I'll wait a bit on the libsepol,checkpolicy patch for removing 
its copy of {flask.h,av_permissions.h} to see if there are any comments 
on it.