Re: [PATCH] libselinux: remove flask.h and av_permissions.h

From: Petr Lautrbach <plautrba@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Petr Lautrbach <plautrba@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] libselinux: remove flask.h and av_permissions.h
Date: Tue, 21 Jan 2020 20:26:06 +0100	[thread overview]
Message-ID: <pjd7e1kr4q9.fsf@redhat.com> (raw)
In-Reply-To: <3bf86683-05fd-e7fe-8808-5336b49b5932@tycho.nsa.gov>

Stephen Smalley <sds@tycho.nsa.gov> writes:

> On 1/17/20 1:24 PM, Stephen Smalley wrote:
>> On 1/17/20 12:34 PM, Petr Lautrbach wrote:
>>>
>>> Petr Lautrbach <plautrba@redhat.com> writes:
>>>
>>>> Stephen Smalley <sds@tycho.nsa.gov> writes:
>>>>
>>>>> The flask.h and av_permissions.h header files were deprecated and
>>>>> all selinux userspace references to them were removed in
>>>>> commit 76913d8adb61b5 ("Deprecate use of flask.h and av_permissions.h.")
>>>>> back in 2014 and included in the 20150202 / 2.4 release.
>>>>> All userspace object managers should have been updated
>>>>> to use the dynamic class/perm mapping support since that time.
>>>>> Remove these headers finally to ensure that no users remain and
>>>>> that no future uses are ever introduced.
>>>>
>>>> I've patched libselinux and I'm building all packages which requires
>>>> libselinux-devel [1] in Fedora. I'm in the middle of package list and so far
>>>> there
>>>> are only 3 packages which fails to build without flask.h or
>>>> av_permission.h - libuser (the particular file wasn't updated since
>>>> 2012), ipsec-tools and mesa. When it's finished I'll investigate all
>>>> results, but I don't think there will be some blocker.
>>>>
>>>> [1]
>>>> https://copr.fedorainfracloud.org/coprs/plautrba/libselinux-without-flask.h/builds/ 
>>>>
>>>>
>>>
>>> So the complete list of Fedora packages dependent on selinux/flask.h is:
>>>
>>> xinetd
>>> usermode
>>> sed
>>> pam
>>> oddjob
>>> libuser
>>> ipsec-tools
>>>
>>> Problems are usually in tests or in Fedora specific patches. I'll start
>>> to work on fixes with affected maintainers.
>>
>> Great, thank you.  Hopefully the other patch for libsepol,checkpolicy to prune
>> its copy of flask.h of all SECCLASS_* definitions and take it private to
>> libsepol won't break anything.  With those two changes, we should be free of
>> any lingering uses of hardcoded class and permission definitions.  Then all we
>> need is for dbus-daemon to either set up a POLICYLOAD callback and re-fresh
>> its mapping at that time or switch over to looking up the class and
>> permissions each time as per the guidance in the updated libselinux man pages
>> (per my third patch) and userspace should be safe for class or permission
>> changes.
>
> Just wanted to check: you acked my patch so I assume it is ok to merge now even
> before the above packages are all updated but wanted to confirm.

It's ok to merge it. It's better as a reference when it's merged, and pushed.

I just wasn't sure if it's nor related to your other patches, but I
haven't time to check them yet..

-- 
()  ascii ribbon campaign - against html e-mail 
/\  www.asciiribbon.org   - against proprietary attachments