From: Petr Lautrbach <lautrbach@redhat.com>
To: Alyssa Ross <hi@alyssa.is>, selinux@vger.kernel.org
Subject: Re: [PATCH v3] Support static-only builds - unconditional `-laudit -lbz2` in non-static policycoreutils build
Date: Mon, 23 Jun 2025 14:34:29 +0200
Message-ID: <87bjqebpre.fsf@redhat.com>
In-Reply-To: <20250211211651.1297357-3-hi@alyssa.is>
Alyssa Ross <hi@alyssa.is> writes:
> Sometimes it's useful to have a static-only toolchain. This can be
> due to targeting some weird embedded platform, or it can be because
> it ensures that no dynamic libraries are sneaking into a system that's
> supposed to be 100% static due to non-cooperative build systems. Most
> build systems support static-only builds, e.g. autoconf provides a
> --disable-shared configure option.
>
> selinux's custom make-based build system did not support such an
> option, so here I've added one. Apart from the obvious changes, I had
> to make the utilities that use external libraries link against them
> manually, because that can't be inferred from the static selinux
> libraries. For downstream users of libselinux using pkg-config, this
> shouldn't be a problem, because libselinux.pc already includes the
> Requires.private line that specifies libpcre should be linked against
> as well.
>
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 32ad0201..7acd51dd 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -1,5 +1,10 @@
> SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>
> +PKG_CONFIG ?= pkg-config
> +
> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> +export LIBSELINUX_LDLIBS
> +
> all install relabel clean indent:
> @for subdir in $(SUBDIRS); do \
> (cd $$subdir && $(MAKE) $@) || exit 1; \
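Review bot: LIBSELINUX_LDLIBS is assigned and exported only in this top-level Makefile and has no fallback, so running make directly inside a subdirectory such as policycoreutils/setfiles, or a pkg-config that cannot find libselinux.pc, leaves it empty and silently drops -lselinux from every link line changed below. Consider a default in each subdirectory Makefile such as `LIBSELINUX_LDLIBS ?= -lselinux`, or fail early when the $(shell ...) result is empty. The call also passes only --libs; pkg-config emits Requires.private entries only with --static, so the static-only path needs that flag for the libpcre dependency mentioned in the commit message to reach the link line.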
> diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
> index ad80d500..37c0111b 100644
> --- a/policycoreutils/load_policy/Makefile
> +++ b/policycoreutils/load_policy/Makefile
> @@ -7,7 +7,7 @@ LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
>
> CFLAGS ?= -Werror -Wall -W
> override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lsepol -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol
>
> TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
>
> diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> index 4b8145d3..6e95e79f 100644
> --- a/policycoreutils/newrole/Makefile
> +++ b/policycoreutils/newrole/Makefile
> @@ -25,7 +25,7 @@ VERSION = $(shell cat ../VERSION)
> CFLAGS ?= -Werror -Wall -W
> EXTRA_OBJS =
> override CFLAGS += -DVERSION=\"$(VERSION)\" -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
> ifeq ($(PAMH), y)
> override CFLAGS += -DUSE_PAM
> EXTRA_OBJS += hashtab.o
> diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
> index 619ebc1d..a5002587 100644
> --- a/policycoreutils/run_init/Makefile
> +++ b/policycoreutils/run_init/Makefile
> @@ -11,7 +11,7 @@ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>
> CFLAGS ?= -Werror -Wall -W
> override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
> ifeq ($(PAMH), y)
> override CFLAGS += -DUSE_PAM
> override LDLIBS += -lpam -lpam_misc
> diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
> index 440503a1..daa3e10e 100644
> --- a/policycoreutils/secon/Makefile
> +++ b/policycoreutils/secon/Makefile
> @@ -8,7 +8,7 @@ WARNS=-Werror -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wca
> VERSION = $(shell cat ../VERSION)
> CFLAGS ?= $(WARNS) -O1
> override CFLAGS += -DVERSION=\"$(VERSION)\"
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
> all: secon
>
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 9fbf99d6..3855f95e 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -5,11 +5,12 @@ SBINDIR ?= $(PREFIX)/sbin
> MANDIR = $(PREFIX)/share/man
>
> CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lsepol -lselinux -lsemanage
> +override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
> SEMODULE_OBJS = semodule.o
>
> all: semodule genhomedircon
>
> +semodule: LDLIBS += -laudit -lbz2
This change requires libaudit.so and libbz2.so to be installed
during policycoreutils build. This had not been necessary before this
change.

While it can be changed in the build system, e.g. in Fedora use
BuildRequires in policycoreutils.spec, neither semodule nor setsebool
uses those 2 libraries directly.

I have not tested it yet but the following check could fix it:

# Only the static-only build needs these listed on the link line.
ifeq ($(DISABLE_SHARED),y)
semodule: LDLIBS += -laudit -lbz2
endif

> semodule: $(SEMODULE_OBJS)
>
> genhomedircon:
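Review bot: The target-specific `semodule: LDLIBS += -laudit -lbz2` is unconditional, so a shared build now needs libaudit and libbz2 present at link time although they are listed only to satisfy the static libsemanage. Add them only when DISABLE_SHARED is y, or take libsemanage's flags from pkg-config the way LIBSELINUX_LDLIBS is built, so the dependency list is not hard-coded in this Makefile.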
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> index aebf050c..b0df6d28 100644
> --- a/policycoreutils/sestatus/Makefile
> +++ b/policycoreutils/sestatus/Makefile
> @@ -8,7 +8,7 @@ ETCDIR ?= /etc
>
> CFLAGS ?= -Werror -Wall -W
> override CFLAGS += -D_FILE_OFFSET_BITS=64
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
> all: sestatus
>
> diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
> index 84ffb08b..0b27e934 100644
> --- a/policycoreutils/setfiles/Makefile
> +++ b/policycoreutils/setfiles/Makefile
> @@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
> AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>
> CFLAGS ?= -g -Werror -Wall -W
> -override LDLIBS += -lselinux -lsepol -lpthread
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol -lpthread
>
> ifeq ($(AUDITH), y)
> override CFLAGS += -DUSE_AUDIT
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index fc5b4ff6..12b6315d 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -6,13 +6,14 @@ MANDIR = $(PREFIX)/share/man
> BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
>
> CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lselinux -lsemanage
> +override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
> SETSEBOOL_OBJS = setsebool.o
>
> BASHCOMPLETIONS=setsebool-bash-completion.sh
>
> all: setsebool
>
> +setsebool: LDLIBS += -laudit -lbz2
> setsebool: $(SETSEBOOL_OBJS)
>
> install: all
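Review bot: `setsebool: LDLIBS += -laudit -lbz2` repeats the unconditional addition from semodule/Makefile, so a guard applied to semodule alone still leaves the non-static build of setsebool needing both libraries. Whatever condition or pkg-config lookup is chosen should cover this rule too, ideally through one shared variable exported from policycoreutils/Makefile.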
> diff --git a/policycoreutils/unsetfiles/Makefile b/policycoreutils/unsetfiles/Makefile
> index 9e5edc04..bdc1b9de 100644
> --- a/policycoreutils/unsetfiles/Makefile
> +++ b/policycoreutils/unsetfiles/Makefile
> @@ -3,7 +3,7 @@ SBINDIR ?= $(PREFIX)/sbin
> MANDIR ?= $(PREFIX)/share/man
>
> override CFLAGS += -D_GNU_SOURCE
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
>
> all: unsetfiles
>
> base-commit: 71aec30d068789e856e7cc429b620ae1cfa890f1
> --
> 2.47.0
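
Added example (not part of the original message or of the SELinux tree): a simplified Python model of how pkg-config resolves --libs with and without --static, showing why a static link has to name the private dependencies that a shared link gets for free. The .pc contents, module names and helper functions are constructed assumptions, not the files shipped upstream.

```python
# Simplified model of pkg-config's --libs resolution (not pkg-config itself).
# The .pc texts are constructed for illustration; they are NOT the files
# shipped by the SELinux userspace.
PC_FILES = {
    "libsemanage": "Libs: -lsemanage\nLibs.private: -laudit -lbz2\n"
                   "Requires.private: libselinux libsepol\n",
    "libselinux": "Libs: -lselinux\nRequires.private: libsepol libpcre\n",
    "libsepol": "Libs: -lsepol\n",
    "libpcre": "Libs: -lpcre\n",
}


def parse_pc(text):
    """Return the 'Key: value' fields of a .pc file as lists of words."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.replace(",", " ").split()
    return fields


def libs(module, static=False, _seen=None):
    """Link flags for `module`; private fields count only when static."""
    seen = _seen if _seen is not None else set()
    if module in seen:          # each module contributes its flags once
        return []
    seen.add(module)
    pc = parse_pc(PC_FILES[module])
    flags = list(pc.get("Libs", []))
    deps = list(pc.get("Requires", []))
    if static:
        # A static archive records no dependencies, so they must be spelled out.
        flags += pc.get("Libs.private", [])
        deps += pc.get("Requires.private", [])
    for dep in deps:            # dependents stay ahead of their dependencies
        flags += libs(dep, static, seen)
    return flags


def missing_for_static(module, hardcoded):
    """Flags a static link needs that a hand-written LDLIBS line omits."""
    return [f for f in libs(module, static=True) if f not in hardcoded]
```

Calling missing_for_static("libsemanage", ["-lsepol", "-lselinux", "-lsemanage"]) on the pre-patch semodule link line reports the libraries that only a static build has to add.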
Thread overview: 18+ messages
2025-02-11 21:16 [PATCH v3] Support static-only builds Alyssa Ross
2025-02-11 22:11 ` Daniel Burgener
2025-02-12 9:16 ` Alyssa Ross
2025-02-12 15:11 ` Daniel Burgener
2025-02-12 16:11 ` Daniel Burgener
2025-02-13 11:48 ` Alyssa Ross
2025-03-31 15:38 ` James Carter
2025-04-07 18:04 ` James Carter
2025-06-23 12:34 ` Petr Lautrbach [this message]
2025-06-25 10:41 ` [PATCH 1/2] libsemanage: add missing libaudit private library Alyssa Ross
2025-06-25 10:41 ` [PATCH 2/2] policycoreutils: use pkg-config for libsemanage Alyssa Ross
2025-06-26 16:54 ` James Carter
2025-06-27 15:04 ` Alyssa Ross
2025-06-27 18:07 ` James Carter
2025-06-28 8:37 ` Alyssa Ross
2025-07-01 15:12 ` James Carter
2025-07-01 15:12 ` [PATCH 1/2] libsemanage: add missing libaudit private library James Carter
2025-07-02 17:34 ` James Carter