* SETools patch for libselinux-2.3
@ 2014-05-28 17:04 Sven Vermeulen
  2014-06-10  1:22 ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Sven Vermeulen @ 2014-05-28 17:04 UTC (permalink / raw)
  To: selinux

In libselinux-2.3, the interface of the lsetfilecon_raw function has been
changed:

-extern int lsetfilecon_raw(const char *path, security_context_t con);
+extern int lsetfilecon_raw(const char *path, const char * con);

The call to lsetfilecon_raw in setools' secmds/replcon.cc needs to be
updated accordingly, as it otherwise fails during build:

replcon.cc: In function ‘int replcon_lsetfilecon(const char*, security_context_t)’:
replcon.cc:73:25: warning: NULL used in arithmetic [-Wpointer-arith]
replcon.cc:73:25: error: invalid operands of types ‘<unresolved overloaded function type>’ and ‘long int’ to binary ‘operator!=’

The below patch fixes this (but makes the setools version depend on
libselinux-2.3 now).

With thanks to Arfrever Frehtes Taifersar Arahesis for the patch (I worked
around it first by just calling lsetfilecon_raw directly). Something about
weakly linked functions...


Index: secmds/replcon.cc
===================================================================
--- secmds/replcon.cc	(revision 4973)
+++ secmds/replcon.cc	(working copy)
@@ -60,7 +60,7 @@
 	{NULL, 0, NULL, 0}
 };
 
-extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
+extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
 
 /**
  * As that setools must work with older libselinux versions that may
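
Review bot: the `+` declaration at line 60 fixes the second parameter as `const char *` unconditionally, while the comment in the trailing context states that setools must work with older libselinux versions; against a header that still declares `security_context_t con`, the two prototypes no longer agree. Consider selecting the prototype with a preprocessor conditional set at configure time so that both signatures build. If the libselinux-2.3 requirement is kept instead, state it in a comment beside the declaration.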


* Re: SETools patch for libselinux-2.3
  2014-05-28 17:04 SETools patch for libselinux-2.3 Sven Vermeulen
@ 2014-06-10  1:22 ` Christopher J. PeBenito
  2014-06-11 22:26   ` Nicolas Iooss
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2014-06-10  1:22 UTC (permalink / raw)
  To: Sven Vermeulen, selinux

On 5/28/2014 1:04 PM, Sven Vermeulen wrote:
> In libselinux-2.3, the interface of the lsetfilecon_raw function has been
> changed:
> 
> -extern int lsetfilecon_raw(const char *path, security_context_t con);
> +extern int lsetfilecon_raw(const char *path, const char * con);
> 
> The call to lsetfilecon_raw in setools' secmds/replcon.cc needs to be
> updated accordingly, as it otherwise fails during build:
> 
> replcon.cc: In function ‘int replcon_lsetfilecon(const char*, security_context_t)’:
> replcon.cc:73:25: warning: NULL used in arithmetic [-Wpointer-arith]
> replcon.cc:73:25: error: invalid operands of types ‘<unresolved overloaded function type>’ and ‘long int’ to binary ‘operator!=’
> 
> The below patch fixes this (but makes the setools version depend on
> libselinux-2.3 now).
> 
> With thanks to Arfrever Frehtes Taifersar Arahesis for the patch (I worked
> around it first by just calling lsetfilecon_raw directly). Something about
> weakly linked functions...
> 
> 
> Index: secmds/replcon.cc
> ===================================================================
> --- secmds/replcon.cc	(revision 4973)
> +++ secmds/replcon.cc	(working copy)
> @@ -60,7 +60,7 @@
>  	{NULL, 0, NULL, 0}
>  };
>  
> -extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
> +extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));

Unfortunately, this breaks it in the same way if you compile with libselinux < 2.3 with this patch.  The preference would be a patch that allows it to compile with any recent libselinux, rather than requiring libselinux 2.3.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* Re: SETools patch for libselinux-2.3
  2014-06-10  1:22 ` Christopher J. PeBenito
@ 2014-06-11 22:26   ` Nicolas Iooss
  2014-06-12 12:27     ` Stephen Smalley
  2014-06-12 15:42     ` Christopher J. PeBenito
  0 siblings, 2 replies; 5+ messages in thread
From: Nicolas Iooss @ 2014-06-11 22:26 UTC (permalink / raw)
  To: Christopher J. PeBenito, Sven Vermeulen, selinux

2014-06-10 3:22 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 5/28/2014 1:04 PM, Sven Vermeulen wrote:
>> Index: secmds/replcon.cc
>> ===================================================================
>> --- secmds/replcon.cc (revision 4973)
>> +++ secmds/replcon.cc (working copy)
>> @@ -60,7 +60,7 @@
>>       {NULL, 0, NULL, 0}
>>  };
>>
>> -extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
>> +extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
>
> Unfortunately, this breaks it in the same way if you compile with libselinux < 2.3 with this patch.  The preference would be a patch that allows it to compile with any recent libselinux, rather than requiring libselinux 2.3.

When compiling SETools on ArchLinux I got this error message from gcc
(version 4.9.0):

replcon.cc:73:25: error: invalid operands of types '<unresolved
overloaded function type>' and 'long int' to binary 'operator!='
    if (lsetfilecon_raw != NULL)

I've never used weak functions in C libraries so I don't know the
proper fix to support libselinux versions which don't provide
lsetfilecon_raw, but as in ArchLinux only the most recent stable
version of packages is supported, I simply removed all the code
related to the "weak function trick" to make it work [1]. According
to git log, lsetfilecon_raw existed in 2008 [2]. Is it possible to
replace replcon_lsetfilecon with lsetfilecon_raw in SETools or are
there still supported versions of libselinux without lsetfilecon_raw?

By the way, while speaking about patches, a few days ago I wrote an
amazing bugfix for libsemanage [3]. Where should I send this patch? As
selinux@tycho.nsa.gov has been silent about my latest patch [4] I'm
wondering whether it is the right ML to send patches to.

Nicolas

[1] https://github.com/archlinuxhardened/selinux/blob/master/setools/0001-fix-compile-error.patch
[2] https://github.com/fishilico/selinux/blob/13cd4c8960688af11ad23b4c946149015c80d549/libselinux/src/lsetfilecon.c
[3] https://github.com/fishilico/selinux/commit/b9688372828d8f2609afb68160b100bdffd9ead0
[4] http://marc.info/?l=selinux&m=140086882622086&w=2


* Re: SETools patch for libselinux-2.3
  2014-06-11 22:26   ` Nicolas Iooss
@ 2014-06-12 12:27     ` Stephen Smalley
  2014-06-12 15:42     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Stephen Smalley @ 2014-06-12 12:27 UTC (permalink / raw)
  To: Nicolas Iooss, Christopher J. PeBenito, Sven Vermeulen, selinux

On 06/11/2014 06:26 PM, Nicolas Iooss wrote:
> 2014-06-10 3:22 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 5/28/2014 1:04 PM, Sven Vermeulen wrote:
>>> Index: secmds/replcon.cc
>>> ===================================================================
>>> --- secmds/replcon.cc (revision 4973)
>>> +++ secmds/replcon.cc (working copy)
>>> @@ -60,7 +60,7 @@
>>>       {NULL, 0, NULL, 0}
>>>  };
>>>
>>> -extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
>>> +extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
>>
>> Unfortunately, this breaks it in the same way if you compile with libselinux < 2.3 with this patch.  The preference would be a patch that allows it to compile with any recent libselinux, rather than requiring libselinux 2.3.
> 
> When compiling SETools on ArchLinux I got this error message from gcc
> (version 4.9.0):
> 
> replcon.cc:73:25: error: invalid operands of types '<unresolved
> overloaded function type>' and 'long int' to binary 'operator!='
>     if (lsetfilecon_raw != NULL)
> 
> I've never used weak functions in C libraries so I don't know the
> proper fix to support libselinux versions which don't provide
> lsetfilecon_raw, but as in ArchLinux only the most recent stable
> version of packages is supported, I simply removed all the code
> related to the "weak function trick" to make it work [1]. According
> to git log, lsetfilecon_raw existed in 2008 [2]. Is it possible to
> replace replcon_lsetfilecon with lsetfilecon_raw in SETools or are
> there still supported versions of libselinux without lsetfilecon_raw?
> 
> By the way, while speaking about patches, a few days ago I wrote an
> amazing bugfix for libsemanage [3]. Where should I send this patch? As
> selinux@tycho.nsa.gov has been silent about my latest patch [4] I'm
> wondering whether it is the right ML to send patches to.
> 
> Nicolas
> 
> [1] https://github.com/archlinuxhardened/selinux/blob/master/setools/0001-fix-compile-error.patch
> [2] https://github.com/fishilico/selinux/blob/13cd4c8960688af11ad23b4c946149015c80d549/libselinux/src/lsetfilecon.c
> [3] https://github.com/fishilico/selinux/commit/b9688372828d8f2609afb68160b100bdffd9ead0
> [4] http://marc.info/?l=selinux&m=140086882622086&w=2

Yes, it is the right list.  Sorry, applied your libselinux patch to the
#next branch.


* Re: SETools patch for libselinux-2.3
  2014-06-11 22:26   ` Nicolas Iooss
  2014-06-12 12:27     ` Stephen Smalley
@ 2014-06-12 15:42     ` Christopher J. PeBenito
  1 sibling, 0 replies; 5+ messages in thread
From: Christopher J. PeBenito @ 2014-06-12 15:42 UTC (permalink / raw)
  To: Nicolas Iooss, Sven Vermeulen, selinux

On 06/11/2014 06:26 PM, Nicolas Iooss wrote:
> 2014-06-10 3:22 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 5/28/2014 1:04 PM, Sven Vermeulen wrote:
>>> Index: secmds/replcon.cc
>>> ===================================================================
>>> --- secmds/replcon.cc (revision 4973)
>>> +++ secmds/replcon.cc (working copy)
>>> @@ -60,7 +60,7 @@
>>>       {NULL, 0, NULL, 0}
>>>  };
>>>
>>> -extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
>>> +extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
>>
>> Unfortunately, this breaks it in the same way if you compile with libselinux < 2.3 with this patch.  The preference would be a patch that allows it to compile with any recent libselinux, rather than requiring libselinux 2.3.
> 
> When compiling SETools on ArchLinux I got this error message from gcc
> (version 4.9.0):
> 
> replcon.cc:73:25: error: invalid operands of types '<unresolved
> overloaded function type>' and 'long int' to binary 'operator!='
>     if (lsetfilecon_raw != NULL)
> 
> I've never used weak functions in C libraries so I don't know the
> proper fix to support libselinux versions which don't provide
> lsetfilecon_raw, but as in ArchLinux only the most recent stable
> version of packages is supported, I simply removed all the code
> related to the "weak function trick" to make it work [1]. According
> to git log, lsetfilecon_raw existed in 2008 [2]. Is it possible to
> replace replcon_lsetfilecon with lsetfilecon_raw in SETools or are
> there still supported versions of libselinux without lsetfilecon_raw?

Well a weak function just means that the program won't fail to link if lsetfilecon_raw() isn't found.  It's the method we used to support older libselinuxes when the _raw() functions appeared.  I'm not sure if there is a proper C/C++ way to handle the apparent parameter change, otherwise preprocessor #ifdef/#else would be the way.  So if you do #ifdef SECURITY_CONTEXT_T it uses the old version #else it uses the new version, then autoconf would determine if SECURITY_CONTEXT_T needs to be set.  Alternatively it might work to conditionally re-add the security_context_t typedef inside this file.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
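
The weak-declaration check and the `#ifdef SECURITY_CONTEXT_T` prototype selection described in the reply above, as an added example that is not SETools code and not part of any message in this thread. `con_arg_t`, `pick_setter` and `compat_lsetfilecon` are hypothetical names, `SECURITY_CONTEXT_T` is assumed to be set by configure, and the fallback to `lsetfilecon` is this example's own choice.

```c
/* Added illustration; not SETools or libselinux code. Builds stand-alone. */
#include <errno.h>
#include <stddef.h>

/* SECURITY_CONTEXT_T: assumed to be defined by configure when the installed
 * libselinux still uses the pre-2.3 prototype (the macro named in the reply). */
#ifdef SECURITY_CONTEXT_T
typedef char *security_context_t;      /* the pre-2.3 libselinux typedef */
typedef security_context_t con_arg_t;  /* con_arg_t: hypothetical helper */
#else
typedef const char *con_arg_t;
#endif

#ifdef __cplusplus
extern "C" {                            /* the library symbols have C linkage */
#endif
/* Weak: if the library lacks a symbol, linking still succeeds and the
 * function's address compares equal to NULL at run time. */
extern int lsetfilecon_raw(const char *, con_arg_t) __attribute__((weak));
extern int lsetfilecon(const char *, con_arg_t) __attribute__((weak));
#ifdef __cplusplus
}
#endif

enum setter { SETTER_RAW, SETTER_TRANSLATED, SETTER_NONE };

/* Report which setter the linked library actually provides. */
enum setter pick_setter(void)
{
    if (lsetfilecon_raw != NULL)
        return SETTER_RAW;
    if (lsetfilecon != NULL)
        return SETTER_TRANSLATED;
    return SETTER_NONE;
}

/* Set a file context through the best available entry point. */
int compat_lsetfilecon(const char *path, const char *con)
{
    switch (pick_setter()) {
    case SETTER_RAW:
        return lsetfilecon_raw(path, (con_arg_t)con);
    case SETTER_TRANSLATED:
        return lsetfilecon(path, (con_arg_t)con);
    default:
        errno = ENOSYS;                 /* no setter linked in */
        return -1;
    }
}
```

Built without libselinux on the link line, both weak symbols resolve to NULL and the wrapper fails with `ENOSYS`; linked against libselinux, the `_raw` entry point is chosen.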
