From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: Nicolas Iooss <nicolas.iooss@m4x.org>,
Sven Vermeulen <sven.vermeulen@siphos.be>,
selinux <selinux@tycho.nsa.gov>
Subject: Re: SETools patch for libselinux-2.3
Date: Thu, 12 Jun 2014 11:42:33 -0400 [thread overview]
Message-ID: <5399CA69.7070901@tresys.com> (raw)
In-Reply-To: <CAJfZ7==jjeVo-g82L9=VOv92QF6=akK+5e+-VVmsf+wdvWR-yQ@mail.gmail.com>
On 06/11/2014 06:26 PM, Nicolas Iooss wrote:
> 2014-06-10 3:22 GMT+02:00 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 5/28/2014 1:04 PM, Sven Vermeulen wrote:
>>> Index: secmds/replcon.cc
>>> ===================================================================
>>> --- secmds/replcon.cc (revision 4973)
>>> +++ secmds/replcon.cc (working copy)
>>> @@ -60,7 +60,7 @@
>>> {NULL, 0, NULL, 0}
>>> };
>>>
>>> -extern int lsetfilecon_raw(const char *, security_context_t) __attribute__ ((weak));
>>> +extern int lsetfilecon_raw(const char *, const char *) __attribute__ ((weak));
>>
>> Unfortunately, this breaks it in the same way if you compile with libselinux < 2.3 with this patch. The preference would be a patch that allows it to compile with any recent libselinux, rather than requiring libselinux 2.3.
>
> When compiling SETools on ArchLinux I got this error message from gcc
> (version 4.9.0):
>
> replcon.cc:73:25: error: invalid operands of types '<unresolved
> overloaded function type>' and 'long int' to binary 'operator!='
> if (lsetfilecon_raw != NULL)
>
> I've never used weak functions in C libraries so I don't know the
> proper fix to support libselinux versions which don't provide
> lsetfilecon_raw, but as in ArchLinux only the most recent stable
> version of packages is supported, I simply removed all the code
> related to the "weak function trick" to make it works [1]. According
> to git log, lsetfilecon_raw existed in 2008 [2]. Is it possible to
> replace replcon_lsetfilecon with lsetfilecon_raw in SETools or are
> there still supported versions of libselinux without lsetfilecon_raw?
Well a weak function just means that the program won't fail to link if lsetfilecon_raw() isn't found. It's the method we used to support older libselinuxes when the _raw() functions appeared. I'm not sure if there is a proper C/C++ way to handle the apparent parameter change, otherwise preprocessor #ifdef/#else would be the way. So if you do #ifdef SECURITY_CONTEXT_T it uses the old version #else it uses the new version, then autoconf would determine if SECURITY_CONTEXT_T needs to be set. Alternatively it might work to conditionally re-add the security_context_t typedef inside this file.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
prev parent reply other threads:[~2014-06-12 15:41 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-28 17:04 SETools patch for libselinux-2.3 Sven Vermeulen
2014-06-10 1:22 ` Christopher J. PeBenito
2014-06-11 22:26 ` Nicolas Iooss
2014-06-12 12:27 ` Stephen Smalley
2014-06-12 15:42 ` Christopher J. PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5399CA69.7070901@tresys.com \
--to=cpebenito@tresys.com \
--cc=nicolas.iooss@m4x.org \
--cc=selinux@tycho.nsa.gov \
--cc=sven.vermeulen@siphos.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.