From patchwork Sun Sep 11 15:30:17 2022
X-Patchwork-Submitter: Carlos O'Donell
X-Patchwork-Id: 1676535
From: Carlos O'Donell
To: libc-alpha@sourceware.org, aurelien@aurel32.net, arjun@redhat.com
Subject: [PATCH v2] makedb: fix build with libselinux >= 3.1 (Bug 26233)
Date: Sun, 11 Sep 2022 11:30:17 -0400
Message-Id: <20220911153017.1880342-1-carlos@redhat.com>

From: Aurelien Jarno

glibc doesn't build with libselinux 3.1 that has been released recently due to new deprecations introduced in that version and the fact that glibc is built with -Werror by default:

| makedb.c: In function ‘set_file_creation_context’:
| makedb.c:849:3: error: ‘security_context_t’ is deprecated [-Werror=deprecated-declarations]
| 849 | security_context_t ctx;
| | ^~~~~~~~~~~~~~~~~~
| makedb.c:863:3: error: ‘matchpathcon’ is deprecated: Use selabel_lookup instead [-Werror=deprecated-declarations]
| 863 | if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
| | ^~
| In file included from makedb.c:50:
| /usr/include/selinux/selinux.h:500:12: note: declared here
| 500 | extern int matchpathcon(const char *path,
| | ^~~~~~~~~~~~
| cc1: all warnings being treated as errors

This patch fixes the makedb half of bug 26233 by moving to the new SELinux APIs and removes the existing compiler pragmas as no longer required. Upstream API usage feedback gathered by Arjun is integrated into this version of the fix.

The built makedb was tested and operates as expected on x86_64 with SELinux in enforcing mode.

No regressions on x86_64 with libselinux 3.3.

Co-authored-by: Arjun Shankar
Co-authored-by: Carlos O'Donell
Reviewed-by: Siddhesh Poyarekar
--- nss/makedb.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/nss/makedb.c b/nss/makedb.c index d3fc1c5af9..bcfa3c7e02 100644 --- a/nss/makedb.c +++ b/nss/makedb.c @@ -47,6 +47,7 @@ /* SELinux support. */ #ifdef HAVE_SELINUX +# include # include #endif
@@ -855,18 +856,13 @@ print_database (int fd) #ifdef HAVE_SELINUX -/* security_context_t and matchpathcon (along with several other symbols) were - marked as deprecated by the SELinux API starting from version 3.1. We use - them here, but should eventually switch to the newer API. */ -DIAG_PUSH_NEEDS_COMMENT -DIAG_IGNORE_NEEDS_COMMENT (10, "-Wdeprecated-declarations"); - static void set_file_creation_context (const char *outname, mode_t mode) { static int enabled; static int enforcing; - security_context_t ctx; + struct selabel_handle *label_hnd = NULL; + char* ctx; /* Check if SELinux is enabled, and remember. */ if (enabled == 0) @@ -878,9 +874,17 @@ set_file_creation_context (const char *outname, mode_t mode) if (enforcing == 0) enforcing = security_getenforce () ? 1 : -1; + /* Open the file contexts backend. */ + label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0); + if (!label_hnd) + { + error (enforcing > 0 ? EXIT_FAILURE : 0, 0, + gettext ("cannot initialize SELinux context")); + return; + } /* Determine the context which the file should have. */ ctx = NULL; - if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL) + if (selabel_lookup(label_hnd, &ctx, outname, S_IFREG | mode) == 0) { if (setfscreatecon (ctx) != 0) error (enforcing > 0 ? EXIT_FAILURE : 0, 0, @@ -889,8 +893,10 @@ set_file_creation_context (const char *outname, mode_t mode) freecon (ctx); } + + /* Close the file contexts backend. */ + selabel_close(label_hnd); } -DIAG_POP_NEEDS_COMMENT static void reset_file_creation_context (void)
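
Review bot: In the @@ -855,18 +856,13 @@ hunk, the new declaration "char* ctx;" attaches the star to the type, while the rest of the function (for example "const char *outname" in the signature) attaches it to the name; please write "char *ctx;". The "= NULL" initializer on label_hnd is also redundant, because the next hunk assigns it from selabel_open before any use.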
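
Review bot: In the @@ -878,9 +874,17 @@ hunk, a non-zero return from selabel_lookup is dropped without any message, so in enforcing mode a lookup that fails for a reason other than a missing entry leaves the output file with the default creation context and nothing is reported. selabel_lookup(3) signals "no matching entry" with errno set to ENOENT; consider reporting any other errno the same way the setfscreatecon failure just below is reported, with error (enforcing > 0 ? EXIT_FAILURE : 0, ...). The old "&& ctx != NULL" guard is dropped here too, which is safe only because freecon (ctx) is reached solely on the success path; a one-line comment stating that would help the next reader.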
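
Review bot: In the @@ -889,8 +893,10 @@ hunk, "selabel_close(label_hnd);" lacks the space before the opening parenthesis that the neighbouring calls use ("freecon (ctx);", "setfscreatecon (ctx)"). The same applies to the selabel_open and selabel_lookup calls added in the previous hunk. Note also that the handle is not closed on the path where setfscreatecon fails and error exits with EXIT_FAILURE; that is harmless at process exit, but worth a comment if the function is ever reused on a non-fatal path.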