Re: [PATCH 4/4] libsemanage: Bump libsemanage.so version

[Dominick Grift <dominick.grift@defensec.nl>]

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Wed, Oct 7, 2020 at 5:50 AM Petr Lautrbach <plautrba@redhat.com> wrote:
>> Thanks, I'll prepare another patchset with improved commit messages.
>>
>> In the mean time I'm looking into removing deprecated symbols from libsepol as it's
>> supposed to be required only by selinux components. So far I've found that
>> deprecated sepol_check_context() is used in chkcon utility. As Fedora doesn't ship
>> this tool I incline to remove it from libsepol as well.
>
> Looks like it is also used by setfiles and sefcontext_compile at
> least.  Might have been copied into external packages as well, e.g.
> busybox.  So that one might need to stay.  The reason it was
> deprecated was because it predated the introduction of the use of
> sepol handles and relied on global state set previously via
> sepol_set_policydb_from_file(), so I think the idea was to convert
> over to using sepol_context_check() instead (but this requires a much
> longer sequence of calls, ala h = sepol_handle_create();
> sepol_policy_file_create(&pf); sepol_policy_file_set_fp(pf, fp);
> sepol_policy_file_set_handle(pf, h); sepol_policydb_create(&policydb);
> sepol_policydb_read(policydb, pf); sepol_context_from_string(h,
> string, &ctx); sepol_context_check(h, policydb, ctx);).  Probably not
> worth the trouble now.

BTW Busybox urgently could use some modernization. It might not even
work fully anymore with recent kernels. For example its a user space
object manager (for the passwd class) and it does not use
selinux_check_access()

Theres also just generally a lot old stuff that has been improved since

It still works on Linux 5.4 (I use it with OpenWrt) but compiling it
floods the screen with "deprecation notices". Most notably for
selinux_context_t

If and once OpenWrt moves to Linux 5.9 (new LTS) some functionality may
no longer work

>
>> And there's also
>>
>> /* Deprecated */
>> struct sepol_handle sepol_compat_handle = {
>>         .msg_callback = sepol_msg_default_handler,
>>         .msg_callback_arg = NULL,
>> };
>>
>> void sepol_debug(int on)
>> {
>>         sepol_compat_handle.msg_callback = (on) ?
>>             sepol_msg_default_handler : NULL;
>> }
>>
>> /* End deprecated */
>>
>> which is used on few places internally.
>>
>>
>> Later I'll check whether sssd uses any on deprecated libsemanage symbol and
>> decide what to do.
>
> The main ones in libsepol that I was referencing were the ones in
> libsepol/src/deprecated_funcs.c.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift