Re: [PATCH] Fix includes for userspace tools and libraries (and possible security issue)

[Guido Trentalancia <guido@trentalancia.com>]

On Tue, 2011-09-13 at 15:25 -0400, Stephen Smalley wrote:
> On Tue, 2011-09-13 at 21:18 +0200, Guido Trentalancia wrote:
> > Hello again.
> > 
> > The security risk associated with the linkage of an old libsepol.a
> > static library is low due to the fact that the tools are usually built
> > from each component separately after all the libraries have been
> > previously built and installed.
> > 
> > On Tue, 2011-09-13 at 14:48 -0400, Stephen Smalley wrote:
> > > On Tue, 2011-09-13 at 20:33 +0200, Guido Trentalancia wrote:
> > > > No, it doesn't currently ! If you want to try reproducing it, then you
> > > > should do so on a system which hasn't got it already installed (or make
> > > > sure you get temporarily rid of
> > > > $(PREFIX)/include/{selinux,sepol,semanage} and
> > > > $(LIBDIR)/lib{selinux,sepol,semanage}.* first).
> > > 
> > > I know it is presently broken, but not sure exactly when/who broke it.
> > > However, as a working example:
> > > $ git clean -fdx
> > > $ rm -rf ~/out
> > > $ git checkout master@{"16 months ago"}
> > > $ make DESTDIR=~/out
> > > 
> > > works just fine for me.
> > 
> > ...
> > make -C src 
> > make[2]: Entering directory
> > `/usr/src/selinux-userspace/git/selinux-13092011-16monthsago/libselinux/src'
> > cc -Werror -Wall -W -Wundef -Wshadow -Wmissing-noreturn
> > -Wmissing-format-attribute -I../include -I/opt/out/usr/include
> > -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64   -c -o load_policy.o load_policy.c
> > load_policy.c:14:25: fatal error: sepol/sepol.h: No such file or
> > directory
> > compilation terminated.
> > make[2]: *** [load_policy.o] Error 1
> > make[2]: Leaving directory
> > `/usr/src/selinux-userspace/git/selinux-13092011-16monthsago/libselinux/src'
> > make[1]: *** [all] Error 2
> > make[1]: Leaving directory
> > `/usr/src/selinux-userspace/git/selinux-13092011-16monthsago/libselinux'
> > make: *** [all] Error 1
> > 
> > The above is what I get. And there is probably more behind that...
> > 
> > The problem is due to the fact that before "make install" is issued,
> > nothing usually exists under DESTDIR whatever DESTDIR is.
> > 
> > So includes from DESTDIR are getting included but unfortunately they are
> > not there (yet). Until you have temporarily removed DESTDIR, you won't
> > be able to reproduce it.
> 
> I did remove it - look again at my message and see the rm -rf ~/out.
> I also removed the system headers and libraries via yum.  Here we go
> again:
> $ ls ~/out
> ls: cannot access /home/sds/out: No such file or directory
> $ ls /usr/include/selinux
> ls: cannot access /usr/include/selinux: No such file or directory
> $ ls /usr/include/sepol
> ls: cannot access /usr/include/sepol: No such file or directory
> $ make DESTDIR=~/out > out
> <completes successfully>
> $ ls ~/out/lib/
> libselinux.so.1  libsepol.so.1
> $ ls ~/out/usr/include/
> selinux  semanage  sepol
> $ ls ~/out/usr/lib
> libselinux.a   libsemanage.a   libsemanage.so.1  libsepol.so  python2.7
> libselinux.so  libsemanage.so  libsepol.a        pkgconfig
> 
> See, from nothing to a complete build.  I can't explain it any more
> clearly, so I'm stopping this thread here.

Black magic ?

It is particularly strange that "make" automatically implies "make
install" (it should never be like that as it would be equivalent to
performing an installation without the user explicitly requiring it).

However in my specific case (above quoted logs), I bet git did not
properly go back in time so I was actually working on current git.

How about the semanage.conf(5) manual page ?

Regards,

Guido


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.