Message ID | 20200721050115.204181-1-aurelien@aurel32.net |
---|---|
State | New |
Series | makedb: fix build with libselinux >= 3.1 |
On Tue, Jul 21, 2020 at 07:01:16AM +0200, Aurelien Jarno wrote:
> glibc doesn't build with libselinux 3.1 that has been released recently
> due to new deprecations introduced in that version and the fact that
> glibc is built with -Werror by default:
>
> | makedb.c: In function ‘set_file_creation_context’:
> | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
> |   849 |   security_context_t ctx;
> |       |   ^~~~~~~~~~~~~~~~~~
> | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
> |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> |       |   ^~
> | In file included from makedb.c:50:
> | /usr/include/selinux/selinux.h:500:12: note: declared here
> |   500 | extern int matchpathcon(const char *path,
> |       |            ^~~~~~~~~~~~
> | cc1: all warnings being treated as errors

I ran into this a few days ago trying to build master for Fedora rawhide:
I filed this bug, and have a patch that started off quite similarly to
the one you posted. Here's the bug:

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

> This patch is an attempt to fix that. It has only been build tested, as I do
> not have a system nor the knowledge to test that. I have checked that
> the functions used as replacement are available since at least selinux
> 2.0.96, released more than 10 years ago, so we probably do not need any
> version check in the configure script.

Unfortunately, it seems like there is more. nscd build also fails because,
e.g., avc_init was deprecated and needs to be replaced with calls to
avc_open and selinux_set_callback. I'm working on that at the moment.

Have you been building with --disable-build-nscd? That does cause build to
succeed with the patch I have so far (very similar to yours because I've
not fixed nscd/selinux.c yet).

Cheers,
Arjun
On 2020-07-21 11:15, Arjun Shankar wrote:
> On Tue, Jul 21, 2020 at 07:01:16AM +0200, Aurelien Jarno wrote:
> > glibc doesn't build with libselinux 3.1 that has been released recently
> > due to new deprecations introduced in that version and the fact that
> > glibc is built with -Werror by default:
> >
> > | makedb.c: In function ‘set_file_creation_context’:
> > | makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
> > |   849 |   security_context_t ctx;
> > |       |   ^~~~~~~~~~~~~~~~~~
> > | makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
> > |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
> > |       |   ^~
> > | In file included from makedb.c:50:
> > | /usr/include/selinux/selinux.h:500:12: note: declared here
> > |   500 | extern int matchpathcon(const char *path,
> > |       |            ^~~~~~~~~~~~
> > | cc1: all warnings being treated as errors
>
> I ran into this a few days ago trying to build master for Fedora rawhide:
> I filed this bug, and have a patch that started off quite similarly to
> the one you posted. Here's the bug:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=26233
>
> > This patch is an attempt to fix that. It has only been build tested, as I do
> > not have a system nor the knowledge to test that. I have checked that
> > the functions used as replacement are available since at least selinux
> > 2.0.96, released more than 10 years ago, so we probably do not need any
> > version check in the configure script.
>
> Unfortunately, it seems like there is more. nscd build also fails because,
> e.g., avc_init was deprecated and needs to be replaced with calls to
> avc_open and selinux_set_callback. I'm working on that at the moment.
>
> Have you been building with --disable-build-nscd? That does cause build to
> succeed with the patch I have so far (very similar to yours because I've
> not fixed nscd/selinux.c yet).

No, I have found the same issue with nscd/selinux.c, that's just because
I wanted to decide on a strategy before continuing. We need an
additional string in case of SELinux context error, which from what I
understand is forbidden at this stage of the release.

Therefore we might have to use #pragma instead to ignore the warning for
the 2.32 release.

Aurelien
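The #pragma approach Aurelien mentions above, as an added example that is not part of this thread or of glibc: a constructed deprecated function `old_api` stands in for a deprecated libselinux call such as matchpathcon, `new_api` is a placeholder for its replacement, and `call_old_api_silenced` shows how a `#pragma GCC diagnostic push` / `ignored` / `pop` triple suppresses only -Wdeprecated-declarations, and only around that one call, so a -Werror build still fails on deprecated calls elsewhere in the translation unit. All names here are assumptions for illustration.

```c
#include <stdio.h>

/* Constructed stand-in for a deprecated libselinux API such as
   matchpathcon: the attribute makes every call site warn, and a build
   with -Werror (glibc's default) turns that warning into an error.  */
__attribute__ ((deprecated ("Use new_api instead")))
static int
old_api (int x)
{
  return x * 2;
}

/* Placeholder for the replacement API a proper migration would call
   (the selabel_lookup analogue).  */
static int
new_api (int x)
{
  return x * 2;
}

/* Release-branch workaround: keep the deprecated call, but silence only
   -Wdeprecated-declarations and only for this call site.  The push/pop
   pair restores the diagnostic state afterwards, so deprecated calls
   anywhere else in the file still break a -Werror build, which keeps
   the workaround from hiding future deprecations.  */
static int
call_old_api_silenced (int x)
{
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
  int r = old_api (x);
#pragma GCC diagnostic pop
  return r;
}

/* The pragma changes diagnostics only, never behaviour: both paths must
   agree for every input.  */
static int
results_agree (int x)
{
  return call_old_api_silenced (x) == new_api (x);
}

int
main (void)
{
  printf ("old (silenced): %d, new: %d\n",
          call_old_api_silenced (21), new_api (21));
  return results_agree (21) ? 0 : 1;
}
```

Compiling this with `-Werror=deprecated-declarations` succeeds only because of the pragma region; deleting the three `#pragma` lines reproduces the kind of failure shown in the quoted makedb.c build log. Clang honours `#pragma GCC diagnostic` as well, so the same source builds with either compiler.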
* Aurelien Jarno:

> No, I have found the same issue with nscd/selinux.c, that's just because
> I wanted to decide on a strategy before continuing. We need an
> additional string in case of SELinux context error, which from what I
> understand is forbidden at this stage of the release.

Have the strings already been uploaded to the translation project?
I haven't seen a message about that.

Thanks,
Florian
On 7/21/20 9:14 AM, Florian Weimer via Libc-alpha wrote:
> * Aurelien Jarno:
>
>> No, I have found the same issue with nscd/selinux.c, that's just because
>> I wanted to decide on a strategy before continuing. We need an
>> additional string in case of SELinux context error, which from what I
>> understand is forbidden at this stage of the release.
>
> Have the strings already been uploaded to the translation project?
> I haven't seen a message about that.

Not yet. That's my job today.
diff --git a/nss/makedb.c b/nss/makedb.c index 8e389a16837..a5c4b521172 100644 --- a/nss/makedb.c +++ b/nss/makedb.c @@ -47,6 +47,7 @@ /* SELinux support. */ #ifdef HAVE_SELINUX +# include <selinux/label.h> # include <selinux/selinux.h> #endif @@ -846,7 +847,8 @@ set_file_creation_context (const char *outname, mode_t mode) { static int enabled; static int enforcing; - security_context_t ctx; + struct selabel_handle *label_hnd = NULL; + char* ctx; /* Check if SELinux is enabled, and remember. */ if (enabled == 0) @@ -858,9 +860,16 @@ set_file_creation_context (const char *outname, mode_t mode) if (enforcing == 0) enforcing = security_getenforce () ? 1 : -1; + /* Open the file contexts backend. */ + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + if (setfscreatecon (ctx) != 0) + error (enforcing > 0 ? EXIT_FAILURE : 0, 0, + gettext ("cannot initialize SELinux context")); + /* Determine the context which the file should have. */ ctx = NULL; - if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) + if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0 && ctx != NULL) { if (setfscreatecon (ctx) != 0) error (enforcing > 0 ? EXIT_FAILURE : 0, 0, @@ -868,7 +877,11 @@ set_file_creation_context (const char *outname, mode_t mode) outname); freecon (ctx); + selabel_close(label_hnd); } + + /* Close the file contexts backend. */ + selabel_close(label_hnd); } static void
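Review bot: in the `@@ -846,7 +847,8 @@` hunk, `char* ctx;` does not follow the GNU style used throughout makedb.c; write it as `char *ctx;`, matching `struct selabel_handle *label_hnd = NULL;` on the line above it.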
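Review bot: the `selabel_open` failure path in the `@@ -858,9 +860,16 @@` hunk is wrong. When `selabel_open (SELABEL_CTX_FILE, NULL, 0)` returns NULL, the new code does `if (setfscreatecon (ctx) != 0)`, but `ctx` has not been assigned yet (the `ctx = NULL;` line comes after), so an indeterminate pointer is handed to libselinux; it then falls through to `selabel_lookup (label_hnd, ...)` with a NULL handle. The failure branch should report the error and leave the function instead of calling `setfscreatecon`, roughly `error (enforcing > 0 ? EXIT_FAILURE : 0, errno, gettext ("cannot initialize SELinux context")); return;`. Note also that "cannot initialize SELinux context" is a new translatable string, which the discussion above says is not acceptable at this stage of the 2.32 release; either reuse an existing message or use the pragma workaround Aurelien proposes for the release. Style: `selabel_open(` and `selabel_lookup(` need the space before the parenthesis that the surrounding code uses (`setfscreatecon (ctx)`).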
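Review bot: the `@@ -868,7 +877,11 @@` hunk closes the handle twice on the success path: `selabel_close(label_hnd);` is added inside the `if` block right after `freecon (ctx);`, and then again unconditionally after the block under the "Close the file contexts backend" comment. `selabel_close` frees the handle, so the second call is a double free whenever the lookup succeeded. Drop the call inside the block and keep only the unconditional one (written as `selabel_close (label_hnd);` to match the file's style).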