[PATCH v3] Support static-only builds

[PATCH v3] Support static-only builds

[Alyssa Ross]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 11337 bytes --]

Sometimes it's useful to have a static-only toolchain.  This can be
due to targetting some weird embedded platform, or it can be because
it ensures that no dynamic libraries are sneaking into a system that's
supposed to be 100% static due to non-cooperative build systems.  Most
build systems support static-only builds, e.g. autoconf provides a
--disable-shared configure option.

selinux's custom make-based build system did not support such an
option, so here I've added one.  Apart from the obvious changes, I had
to make the utilities that use external libraries link against them
manually, because that can't be inferred from the static selinux
libraries.  For downstream users of libselinux using pkg-config, this
shouldn't be a problem, because libselinux.pc already includes the
Requires.private line that specifies libpcre should be linked against
as well.

Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
Changes since v3:

 • Resolve conflicts.
 • Add selabel_compare to PCRE_USERS.
 • Use pkg-config for libselinux in policycoreutils, so PCRE is linked.

v2: https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is

 libselinux/src/Makefile              | 11 ++++++++---
 libselinux/utils/Makefile            |  8 +++++++-
 libsemanage/src/Makefile             |  9 +++++++--
 libsepol/src/Makefile                | 11 ++++++++---
 policycoreutils/Makefile             |  5 +++++
 policycoreutils/load_policy/Makefile |  2 +-
 policycoreutils/newrole/Makefile     |  2 +-
 policycoreutils/run_init/Makefile    |  2 +-
 policycoreutils/secon/Makefile       |  2 +-
 policycoreutils/semodule/Makefile    |  3 ++-
 policycoreutils/sestatus/Makefile    |  2 +-
 policycoreutils/setfiles/Makefile    |  2 +-
 policycoreutils/setsebool/Makefile   |  3 ++-
 policycoreutils/unsetfiles/Makefile  |  2 +-
 14 files changed, 46 insertions(+), 18 deletions(-)

diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
index 213c7d34..261c22d4 100644
--- a/libselinux/src/Makefile
+++ b/libselinux/src/Makefile
@@ -147,7 +147,10 @@ endif
 
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
 
-all: $(LIBA) $(LIBSO) $(LIBPC)
+all: $(LIBA) $(LIBPC)
+ifneq ($(DISABLE_SHARED),y)
+all: $(LIBSO)
+endif
 
 pywrap: all selinuxswig_python_exception.i
 	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext
@@ -186,11 +189,13 @@ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
 install: all 
 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
-	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
-	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
 	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
 	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
+ifneq ($(DISABLE_SHARED),y)
+	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
+	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
 	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+endif
 
 install-pywrap: pywrap
 	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
index 0d7095b1..6b1dc7c9 100644
--- a/libselinux/utils/Makefile
+++ b/libselinux/utils/Makefile
@@ -53,7 +53,13 @@ else
 TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 endif
 
-sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
+sefcontext_compile: LDLIBS += ../src/libselinux.a -lsepol
+
+PCRE_USERS = matchpathcon sefcontext_compile selabel_compare \
+	selabel_digest selabel_get_digests_all_partial_matches \
+	selabel_lookup selabel_lookup_best_match \
+	selabel_partial_match
+$(PCRE_USERS): LDLIBS += $(PCRE_LDLIBS)
 
 all: $(TARGETS)
 
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index 8dfbd762..7d60b1e9 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -67,7 +67,10 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
 
 SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
 
-all: $(LIBA) $(LIBSO) $(LIBPC)
+all: $(LIBA) $(LIBPC)
+ifneq ($(DISABLE_SHARED),y)
+all: $(LIBSO)
+endif
 
 pywrap: all $(SWIGSO)
 
@@ -137,11 +140,13 @@ swigify: $(SWIGIF)
 install: all
 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
-	install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
 	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
 	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
 	test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION)
+ifneq ($(DISABLE_SHARED),y)
+	install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
 	cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
+endif
 
 install-pywrap: pywrap
 	test -d $(DESTDIR)$(PYTHONLIBDIR) || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)
diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
index 71fa3ed7..a1aed072 100644
--- a/libsepol/src/Makefile
+++ b/libsepol/src/Makefile
@@ -45,7 +45,10 @@ LDFLAGS += -undefined dynamic_lookup
 LN=gln
 endif
 
-all: $(LIBA) $(LIBSO) $(LIBPC)
+all: $(LIBA) $(LIBPC)
+ifneq ($(DISABLE_SHARED),y)
+all: $(LIBSO)
+endif
 
 
 $(LIBA):  $(OBJS)
@@ -87,11 +90,13 @@ endif
 install: all
 	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
 	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
-	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
-	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
 	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
 	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
+ifneq ($(DISABLE_SHARED),y)
+	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
+	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
 	$(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
+endif
 
 relabel:
 	/sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO)
diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
index 32ad0201..7acd51dd 100644
--- a/policycoreutils/Makefile
+++ b/policycoreutils/Makefile
@@ -1,5 +1,10 @@
 SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
 
+PKG_CONFIG ?= pkg-config
+
+LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
+export LIBSELINUX_LDLIBS
+
 all install relabel clean indent:
 	@for subdir in $(SUBDIRS); do \
 		(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
index ad80d500..37c0111b 100644
--- a/policycoreutils/load_policy/Makefile
+++ b/policycoreutils/load_policy/Makefile
@@ -7,7 +7,7 @@ LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
 
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-override LDLIBS += -lsepol -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol
 
 TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
 
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 4b8145d3..6e95e79f 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -25,7 +25,7 @@ VERSION = $(shell cat ../VERSION)
 CFLAGS ?= -Werror -Wall -W
 EXTRA_OBJS =
 override CFLAGS += -DVERSION=\"$(VERSION)\" -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-override LDLIBS += -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS)
 ifeq ($(PAMH), y)
 	override CFLAGS += -DUSE_PAM
 	EXTRA_OBJS += hashtab.o
diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
index 619ebc1d..a5002587 100644
--- a/policycoreutils/run_init/Makefile
+++ b/policycoreutils/run_init/Makefile
@@ -11,7 +11,7 @@ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
 
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-override LDLIBS += -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS)
 ifeq ($(PAMH), y)
 	override CFLAGS += -DUSE_PAM
 	override LDLIBS += -lpam -lpam_misc
diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
index 440503a1..daa3e10e 100644
--- a/policycoreutils/secon/Makefile
+++ b/policycoreutils/secon/Makefile
@@ -8,7 +8,7 @@ WARNS=-Werror -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wca
 VERSION = $(shell cat ../VERSION)
 CFLAGS ?= $(WARNS) -O1
 override CFLAGS += -DVERSION=\"$(VERSION)\"
-override LDLIBS += -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS)
 
 all: secon
 
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 9fbf99d6..3855f95e 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -5,11 +5,12 @@ SBINDIR ?= $(PREFIX)/sbin
 MANDIR = $(PREFIX)/share/man
 
 CFLAGS ?= -Werror -Wall -W
-override LDLIBS += -lsepol -lselinux -lsemanage
+override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
 SEMODULE_OBJS = semodule.o
 
 all: semodule genhomedircon
 
+semodule: LDLIBS += -laudit -lbz2
 semodule: $(SEMODULE_OBJS)
 
 genhomedircon:
diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
index aebf050c..b0df6d28 100644
--- a/policycoreutils/sestatus/Makefile
+++ b/policycoreutils/sestatus/Makefile
@@ -8,7 +8,7 @@ ETCDIR ?= /etc
 
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -D_FILE_OFFSET_BITS=64
-override LDLIBS += -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS)
 
 all: sestatus
 
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index 84ffb08b..0b27e934 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
 AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
 
 CFLAGS ?= -g -Werror -Wall -W
-override LDLIBS += -lselinux -lsepol -lpthread
+override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol -lpthread
 
 ifeq ($(AUDITH), y)
 	override CFLAGS += -DUSE_AUDIT
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
index fc5b4ff6..12b6315d 100644
--- a/policycoreutils/setsebool/Makefile
+++ b/policycoreutils/setsebool/Makefile
@@ -6,13 +6,14 @@ MANDIR = $(PREFIX)/share/man
 BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
 
 CFLAGS ?= -Werror -Wall -W
-override LDLIBS += -lselinux -lsemanage
+override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
 SETSEBOOL_OBJS = setsebool.o
 
 BASHCOMPLETIONS=setsebool-bash-completion.sh 
 
 all: setsebool
 
+setsebool: LDLIBS += -laudit -lbz2
 setsebool: $(SETSEBOOL_OBJS)
 
 install: all
diff --git a/policycoreutils/unsetfiles/Makefile b/policycoreutils/unsetfiles/Makefile
index 9e5edc04..bdc1b9de 100644
--- a/policycoreutils/unsetfiles/Makefile
+++ b/policycoreutils/unsetfiles/Makefile
@@ -3,7 +3,7 @@ SBINDIR ?= $(PREFIX)/sbin
 MANDIR ?= $(PREFIX)/share/man
 
 override CFLAGS += -D_GNU_SOURCE
-override LDLIBS += -lselinux
+override LDLIBS += $(LIBSELINUX_LDLIBS)
 
 
 all: unsetfiles

base-commit: 71aec30d068789e856e7cc429b620ae1cfa890f1
-- 
2.47.0

Re: [PATCH v3] Support static-only builds

[Daniel Burgener]

On 2/11/2025 4:16 PM, Alyssa Ross wrote:
> Sometimes it's useful to have a static-only toolchain.  This can be
> due to targetting some weird embedded platform, or it can be because
> it ensures that no dynamic libraries are sneaking into a system that's
> supposed to be 100% static due to non-cooperative build systems.  Most
> build systems support static-only builds, e.g. autoconf provides a
> --disable-shared configure option.
> 
> selinux's custom make-based build system did not support such an
> option, so here I've added one.  Apart from the obvious changes, I had
> to make the utilities that use external libraries link against them
> manually, because that can't be inferred from the static selinux
> libraries.  For downstream users of libselinux using pkg-config, this
> shouldn't be a problem, because libselinux.pc already includes the
> Requires.private line that specifies libpcre should be linked against
> as well.
> 
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
> Changes since v3:
> 
>   • Resolve conflicts.
>   • Add selabel_compare to PCRE_USERS.
>   • Use pkg-config for libselinux in policycoreutils, so PCRE is linked.
> 
> v2: https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is
> 
>   libselinux/src/Makefile              | 11 ++++++++---
>   libselinux/utils/Makefile            |  8 +++++++-
>   libsemanage/src/Makefile             |  9 +++++++--
>   libsepol/src/Makefile                | 11 ++++++++---
>   policycoreutils/Makefile             |  5 +++++
>   policycoreutils/load_policy/Makefile |  2 +-
>   policycoreutils/newrole/Makefile     |  2 +-
>   policycoreutils/run_init/Makefile    |  2 +-
>   policycoreutils/secon/Makefile       |  2 +-
>   policycoreutils/semodule/Makefile    |  3 ++-
>   policycoreutils/sestatus/Makefile    |  2 +-
>   policycoreutils/setfiles/Makefile    |  2 +-
>   policycoreutils/setsebool/Makefile   |  3 ++-
>   policycoreutils/unsetfiles/Makefile  |  2 +-
>   14 files changed, 46 insertions(+), 18 deletions(-)
> 
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 213c7d34..261c22d4 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -147,7 +147,10 @@ endif
>   
>   SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
>   
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>   
>   pywrap: all selinuxswig_python_exception.i
>   	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext
> @@ -186,11 +189,13 @@ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
>   install: all
>   	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>   	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> -	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>   	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>   	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> +ifneq ($(DISABLE_SHARED),y)
> +	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> +	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>   	ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> +endif
>   
>   install-pywrap: pywrap
>   	CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index 0d7095b1..6b1dc7c9 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -53,7 +53,13 @@ else
>   TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
>   endif
>   
> -sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
> +sefcontext_compile: LDLIBS += ../src/libselinux.a -lsepol
> +
> +PCRE_USERS = matchpathcon sefcontext_compile selabel_compare \
> +	selabel_digest selabel_get_digests_all_partial_matches \
> +	selabel_lookup selabel_lookup_best_match \
> +	selabel_partial_match
> +$(PCRE_USERS): LDLIBS += $(PCRE_LDLIBS)
>   
>   all: $(TARGETS)
>   
> diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
> index 8dfbd762..7d60b1e9 100644
> --- a/libsemanage/src/Makefile
> +++ b/libsemanage/src/Makefile
> @@ -67,7 +67,10 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
>   
>   SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
>   
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>   
>   pywrap: all $(SWIGSO)
>   
> @@ -137,11 +140,13 @@ swigify: $(SWIGIF)
>   install: all
>   	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>   	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -	install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
>   	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>   	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
>   	test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION)
> +ifneq ($(DISABLE_SHARED),y)
> +	install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
>   	cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
> +endif
>   
>   install-pywrap: pywrap
>   	test -d $(DESTDIR)$(PYTHONLIBDIR) || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)
> diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
> index 71fa3ed7..a1aed072 100644
> --- a/libsepol/src/Makefile
> +++ b/libsepol/src/Makefile
> @@ -45,7 +45,10 @@ LDFLAGS += -undefined dynamic_lookup
>   LN=gln
>   endif
>   
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>   
>   
>   $(LIBA):  $(OBJS)
> @@ -87,11 +90,13 @@ endif
>   install: all
>   	test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>   	install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> -	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>   	test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>   	install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> +ifneq ($(DISABLE_SHARED),y)
> +	test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> +	install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>   	$(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> +endif
>   
>   relabel:
>   	/sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO)
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 32ad0201..7acd51dd 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -1,5 +1,10 @@
>   SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>   
> +PKG_CONFIG ?= pkg-config
> +
> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> +export LIBSELINUX_LDLIBS
> +

I think that in the DISABLE_SHARED case, the pkg-config command needs 
--static as well.  I tried your patch, and I get errors that the 
downstream users of libselinux have undefined references to libpcre2, 
and they are being build without -lpcre2-8.  Based on the pkg-config man 
page, it looks like Requires.private libraries are only included if the 
--static flag is passed.

I also see that restorecond is not including -lpcre2-8.  It probably 
needs the same treatment as policycoreutils/*.

Finally, I was unable to get the install-rubywrap and install-pywrap 
targets to build with DISABLE_SHARED=y.  I wasn't able to figure out the 
ultimate issue there.

-Daniel

Re: [PATCH v3] Support static-only builds

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 1649 bytes --]

Daniel Burgener <dburgener@linux.microsoft.com> writes:

> On 2/11/2025 4:16 PM, Alyssa Ross wrote:
>> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>> index 32ad0201..7acd51dd 100644
>> --- a/policycoreutils/Makefile
>> +++ b/policycoreutils/Makefile
>> @@ -1,5 +1,10 @@
>>   SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>>   
>> +PKG_CONFIG ?= pkg-config
>> +
>> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>> +export LIBSELINUX_LDLIBS
>> +
>
> I think that in the DISABLE_SHARED case, the pkg-config command needs 
> --static as well.  I tried your patch, and I get errors that the 
> downstream users of libselinux have undefined references to libpcre2, 
> and they are being build without -lpcre2-8.  Based on the pkg-config man 
> page, it looks like Requires.private libraries are only included if the 
> --static flag is passed.

I think it's generally expected that the user set
PKG_CONFIG="pkg-config --static" when they want static linking.  See
e.g. <https://bugs.freedesktop.org/show_bug.cgi?id=19541#c3>.

> I also see that restorecond is not including -lpcre2-8.  It probably 
> needs the same treatment as policycoreutils/*.

Does it fail to build for you?  It builds DISABLE_SHARED=y for me

> Finally, I was unable to get the install-rubywrap and install-pywrap 
> targets to build with DISABLE_SHARED=y.  I wasn't able to figure out the 
> ultimate issue there.

I think Ruby and Python bindings need to be shared libraries, so it
doesn't make sense to build them with DISABLE_SHARED=y.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH v3] Support static-only builds

[Daniel Burgener]

On 2/12/2025 4:16 AM, Alyssa Ross wrote:
> Daniel Burgener <dburgener@linux.microsoft.com> writes:
> 
>> On 2/11/2025 4:16 PM, Alyssa Ross wrote:
>>> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>>> index 32ad0201..7acd51dd 100644
>>> --- a/policycoreutils/Makefile
>>> +++ b/policycoreutils/Makefile
>>> @@ -1,5 +1,10 @@
>>>    SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>>>    
>>> +PKG_CONFIG ?= pkg-config
>>> +
>>> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>>> +export LIBSELINUX_LDLIBS
>>> +
>>
>> I think that in the DISABLE_SHARED case, the pkg-config command needs
>> --static as well.  I tried your patch, and I get errors that the
>> downstream users of libselinux have undefined references to libpcre2,
>> and they are being build without -lpcre2-8.  Based on the pkg-config man
>> page, it looks like Requires.private libraries are only included if the
>> --static flag is passed.
> 
> I think it's generally expected that the user set
> PKG_CONFIG="pkg-config --static" when they want static linking.  See
> e.g. <https://bugs.freedesktop.org/show_bug.cgi?id=19541#c3>.

Thanks for clarifying.  Yes, this command builds everything for me:

make DESTDIR=~/obj PKG_CONFIG="pkg-config --static" DISABLE_SHARED=y install

However, the binaries still appear dynamically linked when I investigate 
them with the "file" command.  Am I missing some other step?

> 
>> I also see that restorecond is not including -lpcre2-8.  It probably
>> needs the same treatment as policycoreutils/*.
> 
> Does it fail to build for you?  It builds DISABLE_SHARED=y for me

Now that I added PKG_CONFIG="pkg-config --static", restorecond is 
building.  However, as above, it appears dynamically linked.

> 
>> Finally, I was unable to get the install-rubywrap and install-pywrap
>> targets to build with DISABLE_SHARED=y.  I wasn't able to figure out the
>> ultimate issue there.
> 
> I think Ruby and Python bindings need to be shared libraries, so it
> doesn't make sense to build them with DISABLE_SHARED=y.

Fair enough. I think it would be helpful if these caveats could all get 
documented.  I just tried following the README.md instructions and 
adding "DISABLE_SHARED=y", which as mentioned, didn't work.  If 
"DISABLE_SHARED" requires other options to work, it seems like that 
should at a minimum be documented.

-Daniel

Re: [PATCH v3] Support static-only builds

[Daniel Burgener]

On 2/12/2025 10:11 AM, Daniel Burgener wrote:
> On 2/12/2025 4:16 AM, Alyssa Ross wrote:
>> Daniel Burgener <dburgener@linux.microsoft.com> writes:
>>
>>> On 2/11/2025 4:16 PM, Alyssa Ross wrote:
>>>> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>>>> index 32ad0201..7acd51dd 100644
>>>> --- a/policycoreutils/Makefile
>>>> +++ b/policycoreutils/Makefile
>>>> @@ -1,5 +1,10 @@
>>>>    SUBDIRS = setfiles load_policy newrole run_init secon sestatus 
>>>> semodule setsebool scripts po man hll unsetfiles
>>>> +PKG_CONFIG ?= pkg-config
>>>> +
>>>> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>>>> +export LIBSELINUX_LDLIBS
>>>> +
>>>
>>> I think that in the DISABLE_SHARED case, the pkg-config command needs
>>> --static as well.  I tried your patch, and I get errors that the
>>> downstream users of libselinux have undefined references to libpcre2,
>>> and they are being build without -lpcre2-8.  Based on the pkg-config man
>>> page, it looks like Requires.private libraries are only included if the
>>> --static flag is passed.
>>
>> I think it's generally expected that the user set
>> PKG_CONFIG="pkg-config --static" when they want static linking.  See
>> e.g. <https://bugs.freedesktop.org/show_bug.cgi?id=19541#c3>.
> 
> Thanks for clarifying.  Yes, this command builds everything for me:
> 
> make DESTDIR=~/obj PKG_CONFIG="pkg-config --static" DISABLE_SHARED=y 
> install
> 
> However, the binaries still appear dynamically linked when I investigate 
> them with the "file" command.  Am I missing some other step?

It occurs to me that I've possibly misunderstood the point of your 
patch.  This is just about not building the shared libraries, 
independent of whether the binaries are statically linked?

I'm noticing that with the above command, restorecond is still 
dynamically linking with a libselinux.  Since no shared libselinux was 
built, it's linking with the one that happens to be installed on my 
system.  That is different than the policycoreutils/* like newrole for 
example, that was dynamically linked with libselinux without this patch, 
but now is not. That seems like surprising behavior to me.  Is it the 
expected behavior?

-Daniel

> 
>>
>>> I also see that restorecond is not including -lpcre2-8.  It probably
>>> needs the same treatment as policycoreutils/*.
>>
>> Does it fail to build for you?  It builds DISABLE_SHARED=y for me
> 
> Now that I added PKG_CONFIG="pkg-config --static", restorecond is 
> building.  However, as above, it appears dynamically linked.
> 
>>
>>> Finally, I was unable to get the install-rubywrap and install-pywrap
>>> targets to build with DISABLE_SHARED=y.  I wasn't able to figure out the
>>> ultimate issue there.
>>
>> I think Ruby and Python bindings need to be shared libraries, so it
>> doesn't make sense to build them with DISABLE_SHARED=y.
> 
> Fair enough. I think it would be helpful if these caveats could all get 
> documented.  I just tried following the README.md instructions and 
> adding "DISABLE_SHARED=y", which as mentioned, didn't work.  If 
> "DISABLE_SHARED" requires other options to work, it seems like that 
> should at a minimum be documented.
> 
> -Daniel
> 

Re: [PATCH v3] Support static-only builds

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 2474 bytes --]

Daniel Burgener <dburgener@linux.microsoft.com> writes:

> On 2/12/2025 10:11 AM, Daniel Burgener wrote:
>> On 2/12/2025 4:16 AM, Alyssa Ross wrote:
>>> Daniel Burgener <dburgener@linux.microsoft.com> writes:
>>>
>>>> On 2/11/2025 4:16 PM, Alyssa Ross wrote:
>>>>> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>>>>> index 32ad0201..7acd51dd 100644
>>>>> --- a/policycoreutils/Makefile
>>>>> +++ b/policycoreutils/Makefile
>>>>> @@ -1,5 +1,10 @@
>>>>>    SUBDIRS = setfiles load_policy newrole run_init secon sestatus 
>>>>> semodule setsebool scripts po man hll unsetfiles
>>>>> +PKG_CONFIG ?= pkg-config
>>>>> +
>>>>> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>>>>> +export LIBSELINUX_LDLIBS
>>>>> +
>>>>
>>>> I think that in the DISABLE_SHARED case, the pkg-config command needs
>>>> --static as well.  I tried your patch, and I get errors that the
>>>> downstream users of libselinux have undefined references to libpcre2,
>>>> and they are being build without -lpcre2-8.  Based on the pkg-config man
>>>> page, it looks like Requires.private libraries are only included if the
>>>> --static flag is passed.
>>>
>>> I think it's generally expected that the user set
>>> PKG_CONFIG="pkg-config --static" when they want static linking.  See
>>> e.g. <https://bugs.freedesktop.org/show_bug.cgi?id=19541#c3>.
>> 
>> Thanks for clarifying.  Yes, this command builds everything for me:
>> 
>> make DESTDIR=~/obj PKG_CONFIG="pkg-config --static" DISABLE_SHARED=y 
>> install
>> 
>> However, the binaries still appear dynamically linked when I investigate 
>> them with the "file" command.  Am I missing some other step?
>
> It occurs to me that I've possibly misunderstood the point of your 
> patch.  This is just about not building the shared libraries, 
> independent of whether the binaries are statically linked?

Yes.  The purpose of this is to make it possible to build using a
compiler that only supports static linking.  In Nixpkgs, we have a
special mode where a package and all its dependencies can be built
statically, and my intention here is to be able to build packages that
depend on libselinux in that mode.

Would it maybe make more sense if I split this patch up, so one patch
just makes it possible to disable building shared libraries, and another
fixes building using only static libraries?  Originally this patch was
only the former, but then it grew…

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH v3] Support static-only builds

[James Carter]

On Tue, Feb 11, 2025 at 4:20 PM Alyssa Ross <hi@alyssa.is> wrote:
>
> Sometimes it's useful to have a static-only toolchain.  This can be
> due to targetting some weird embedded platform, or it can be because
> it ensures that no dynamic libraries are sneaking into a system that's
> supposed to be 100% static due to non-cooperative build systems.  Most
> build systems support static-only builds, e.g. autoconf provides a
> --disable-shared configure option.
>
> selinux's custom make-based build system did not support such an
> option, so here I've added one.  Apart from the obvious changes, I had
> to make the utilities that use external libraries link against them
> manually, because that can't be inferred from the static selinux
> libraries.  For downstream users of libselinux using pkg-config, this
> shouldn't be a problem, because libselinux.pc already includes the
> Requires.private line that specifies libpcre should be linked against
> as well.
>
> Signed-off-by: Alyssa Ross <hi@alyssa.is>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
> Changes since v3:
>
>  • Resolve conflicts.
>  • Add selabel_compare to PCRE_USERS.
>  • Use pkg-config for libselinux in policycoreutils, so PCRE is linked.
>
> v2: https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is
>
>  libselinux/src/Makefile              | 11 ++++++++---
>  libselinux/utils/Makefile            |  8 +++++++-
>  libsemanage/src/Makefile             |  9 +++++++--
>  libsepol/src/Makefile                | 11 ++++++++---
>  policycoreutils/Makefile             |  5 +++++
>  policycoreutils/load_policy/Makefile |  2 +-
>  policycoreutils/newrole/Makefile     |  2 +-
>  policycoreutils/run_init/Makefile    |  2 +-
>  policycoreutils/secon/Makefile       |  2 +-
>  policycoreutils/semodule/Makefile    |  3 ++-
>  policycoreutils/sestatus/Makefile    |  2 +-
>  policycoreutils/setfiles/Makefile    |  2 +-
>  policycoreutils/setsebool/Makefile   |  3 ++-
>  policycoreutils/unsetfiles/Makefile  |  2 +-
>  14 files changed, 46 insertions(+), 18 deletions(-)
>
> diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> index 213c7d34..261c22d4 100644
> --- a/libselinux/src/Makefile
> +++ b/libselinux/src/Makefile
> @@ -147,7 +147,10 @@ endif
>
>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
>
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>
>  pywrap: all selinuxswig_python_exception.i
>         CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext
> @@ -186,11 +189,13 @@ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
>  install: all
>         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> -       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> +ifneq ($(DISABLE_SHARED),y)
> +       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> +       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>         ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> +endif
>
>  install-pywrap: pywrap
>         CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
> diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> index 0d7095b1..6b1dc7c9 100644
> --- a/libselinux/utils/Makefile
> +++ b/libselinux/utils/Makefile
> @@ -53,7 +53,13 @@ else
>  TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
>  endif
>
> -sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
> +sefcontext_compile: LDLIBS += ../src/libselinux.a -lsepol
> +
> +PCRE_USERS = matchpathcon sefcontext_compile selabel_compare \
> +       selabel_digest selabel_get_digests_all_partial_matches \
> +       selabel_lookup selabel_lookup_best_match \
> +       selabel_partial_match
> +$(PCRE_USERS): LDLIBS += $(PCRE_LDLIBS)
>
>  all: $(TARGETS)
>
> diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
> index 8dfbd762..7d60b1e9 100644
> --- a/libsemanage/src/Makefile
> +++ b/libsemanage/src/Makefile
> @@ -67,7 +67,10 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
>
>  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
>
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>
>  pywrap: all $(SWIGSO)
>
> @@ -137,11 +140,13 @@ swigify: $(SWIGIF)
>  install: all
>         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -       install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
>         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
>         test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION)
> +ifneq ($(DISABLE_SHARED),y)
> +       install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
>         cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
> +endif
>
>  install-pywrap: pywrap
>         test -d $(DESTDIR)$(PYTHONLIBDIR) || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)
> diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
> index 71fa3ed7..a1aed072 100644
> --- a/libsepol/src/Makefile
> +++ b/libsepol/src/Makefile
> @@ -45,7 +45,10 @@ LDFLAGS += -undefined dynamic_lookup
>  LN=gln
>  endif
>
> -all: $(LIBA) $(LIBSO) $(LIBPC)
> +all: $(LIBA) $(LIBPC)
> +ifneq ($(DISABLE_SHARED),y)
> +all: $(LIBSO)
> +endif
>
>
>  $(LIBA):  $(OBJS)
> @@ -87,11 +90,13 @@ endif
>  install: all
>         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
>         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> -       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> -       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
>         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> +ifneq ($(DISABLE_SHARED),y)
> +       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> +       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
>         $(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> +endif
>
>  relabel:
>         /sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO)
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 32ad0201..7acd51dd 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -1,5 +1,10 @@
>  SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>
> +PKG_CONFIG ?= pkg-config
> +
> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> +export LIBSELINUX_LDLIBS
> +
>  all install relabel clean indent:
>         @for subdir in $(SUBDIRS); do \
>                 (cd $$subdir && $(MAKE) $@) || exit 1; \
> diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
> index ad80d500..37c0111b 100644
> --- a/policycoreutils/load_policy/Makefile
> +++ b/policycoreutils/load_policy/Makefile
> @@ -7,7 +7,7 @@ LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
>
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lsepol -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol
>
>  TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
>
> diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> index 4b8145d3..6e95e79f 100644
> --- a/policycoreutils/newrole/Makefile
> +++ b/policycoreutils/newrole/Makefile
> @@ -25,7 +25,7 @@ VERSION = $(shell cat ../VERSION)
>  CFLAGS ?= -Werror -Wall -W
>  EXTRA_OBJS =
>  override CFLAGS += -DVERSION=\"$(VERSION)\" -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  ifeq ($(PAMH), y)
>         override CFLAGS += -DUSE_PAM
>         EXTRA_OBJS += hashtab.o
> diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
> index 619ebc1d..a5002587 100644
> --- a/policycoreutils/run_init/Makefile
> +++ b/policycoreutils/run_init/Makefile
> @@ -11,7 +11,7 @@ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  ifeq ($(PAMH), y)
>         override CFLAGS += -DUSE_PAM
>         override LDLIBS += -lpam -lpam_misc
> diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
> index 440503a1..daa3e10e 100644
> --- a/policycoreutils/secon/Makefile
> +++ b/policycoreutils/secon/Makefile
> @@ -8,7 +8,7 @@ WARNS=-Werror -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wca
>  VERSION = $(shell cat ../VERSION)
>  CFLAGS ?= $(WARNS) -O1
>  override CFLAGS += -DVERSION=\"$(VERSION)\"
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
>  all: secon
>
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 9fbf99d6..3855f95e 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -5,11 +5,12 @@ SBINDIR ?= $(PREFIX)/sbin
>  MANDIR = $(PREFIX)/share/man
>
>  CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lsepol -lselinux -lsemanage
> +override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
>  SEMODULE_OBJS = semodule.o
>
>  all: semodule genhomedircon
>
> +semodule: LDLIBS += -laudit -lbz2
>  semodule: $(SEMODULE_OBJS)
>
>  genhomedircon:
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> index aebf050c..b0df6d28 100644
> --- a/policycoreutils/sestatus/Makefile
> +++ b/policycoreutils/sestatus/Makefile
> @@ -8,7 +8,7 @@ ETCDIR ?= /etc
>
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -D_FILE_OFFSET_BITS=64
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
>  all: sestatus
>
> diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
> index 84ffb08b..0b27e934 100644
> --- a/policycoreutils/setfiles/Makefile
> +++ b/policycoreutils/setfiles/Makefile
> @@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
>  AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>
>  CFLAGS ?= -g -Werror -Wall -W
> -override LDLIBS += -lselinux -lsepol -lpthread
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol -lpthread
>
>  ifeq ($(AUDITH), y)
>         override CFLAGS += -DUSE_AUDIT
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index fc5b4ff6..12b6315d 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -6,13 +6,14 @@ MANDIR = $(PREFIX)/share/man
>  BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
>
>  CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lselinux -lsemanage
> +override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
>  SETSEBOOL_OBJS = setsebool.o
>
>  BASHCOMPLETIONS=setsebool-bash-completion.sh
>
>  all: setsebool
>
> +setsebool: LDLIBS += -laudit -lbz2
>  setsebool: $(SETSEBOOL_OBJS)
>
>  install: all
> diff --git a/policycoreutils/unsetfiles/Makefile b/policycoreutils/unsetfiles/Makefile
> index 9e5edc04..bdc1b9de 100644
> --- a/policycoreutils/unsetfiles/Makefile
> +++ b/policycoreutils/unsetfiles/Makefile
> @@ -3,7 +3,7 @@ SBINDIR ?= $(PREFIX)/sbin
>  MANDIR ?= $(PREFIX)/share/man
>
>  override CFLAGS += -D_GNU_SOURCE
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>
>
>  all: unsetfiles
>
> base-commit: 71aec30d068789e856e7cc429b620ae1cfa890f1
> --
> 2.47.0
>
>

Re: [PATCH v3] Support static-only builds

[James Carter]

On Mon, Mar 31, 2025 at 11:38 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Feb 11, 2025 at 4:20 PM Alyssa Ross <hi@alyssa.is> wrote:
> >
> > Sometimes it's useful to have a static-only toolchain.  This can be
> > due to targetting some weird embedded platform, or it can be because
> > it ensures that no dynamic libraries are sneaking into a system that's
> > supposed to be 100% static due to non-cooperative build systems.  Most
> > build systems support static-only builds, e.g. autoconf provides a
> > --disable-shared configure option.
> >
> > selinux's custom make-based build system did not support such an
> > option, so here I've added one.  Apart from the obvious changes, I had
> > to make the utilities that use external libraries link against them
> > manually, because that can't be inferred from the static selinux
> > libraries.  For downstream users of libselinux using pkg-config, this
> > shouldn't be a problem, because libselinux.pc already includes the
> > Requires.private line that specifies libpcre should be linked against
> > as well.
> >
> > Signed-off-by: Alyssa Ross <hi@alyssa.is>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>

Merged.
Thanks,
Jim

> > ---
> > Changes since v3:
> >
> >  • Resolve conflicts.
> >  • Add selabel_compare to PCRE_USERS.
> >  • Use pkg-config for libselinux in policycoreutils, so PCRE is linked.
> >
> > v2: https://lore.kernel.org/selinux/20211113141616.361640-1-hi@alyssa.is
> >
> >  libselinux/src/Makefile              | 11 ++++++++---
> >  libselinux/utils/Makefile            |  8 +++++++-
> >  libsemanage/src/Makefile             |  9 +++++++--
> >  libsepol/src/Makefile                | 11 ++++++++---
> >  policycoreutils/Makefile             |  5 +++++
> >  policycoreutils/load_policy/Makefile |  2 +-
> >  policycoreutils/newrole/Makefile     |  2 +-
> >  policycoreutils/run_init/Makefile    |  2 +-
> >  policycoreutils/secon/Makefile       |  2 +-
> >  policycoreutils/semodule/Makefile    |  3 ++-
> >  policycoreutils/sestatus/Makefile    |  2 +-
> >  policycoreutils/setfiles/Makefile    |  2 +-
> >  policycoreutils/setsebool/Makefile   |  3 ++-
> >  policycoreutils/unsetfiles/Makefile  |  2 +-
> >  14 files changed, 46 insertions(+), 18 deletions(-)
> >
> > diff --git a/libselinux/src/Makefile b/libselinux/src/Makefile
> > index 213c7d34..261c22d4 100644
> > --- a/libselinux/src/Makefile
> > +++ b/libselinux/src/Makefile
> > @@ -147,7 +147,10 @@ endif
> >
> >  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./ $(DISABLE_FLAGS)
> >
> > -all: $(LIBA) $(LIBSO) $(LIBPC)
> > +all: $(LIBA) $(LIBPC)
> > +ifneq ($(DISABLE_SHARED),y)
> > +all: $(LIBSO)
> > +endif
> >
> >  pywrap: all selinuxswig_python_exception.i
> >         CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) setup.py build_ext
> > @@ -186,11 +189,13 @@ $(SWIGRUBYCOUT): $(SWIGRUBYIF)
> >  install: all
> >         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
> >         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> > -       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> > -       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
> >         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
> >         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> > +ifneq ($(DISABLE_SHARED),y)
> > +       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> > +       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
> >         ln -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> > +endif
> >
> >  install-pywrap: pywrap
> >         CFLAGS="$(CPPFLAGS) $(CFLAGS) $(SWIG_CFLAGS)" $(PYTHON) -m pip install --prefix=$(PREFIX) `test -n "$(DESTDIR)" && echo --root $(DESTDIR) --ignore-installed --no-deps` $(PYTHON_SETUP_ARGS) .
> > diff --git a/libselinux/utils/Makefile b/libselinux/utils/Makefile
> > index 0d7095b1..6b1dc7c9 100644
> > --- a/libselinux/utils/Makefile
> > +++ b/libselinux/utils/Makefile
> > @@ -53,7 +53,13 @@ else
> >  TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
> >  endif
> >
> > -sefcontext_compile: LDLIBS += ../src/libselinux.a $(PCRE_LDLIBS) -lsepol
> > +sefcontext_compile: LDLIBS += ../src/libselinux.a -lsepol
> > +
> > +PCRE_USERS = matchpathcon sefcontext_compile selabel_compare \
> > +       selabel_digest selabel_get_digests_all_partial_matches \
> > +       selabel_lookup selabel_lookup_best_match \
> > +       selabel_partial_match
> > +$(PCRE_USERS): LDLIBS += $(PCRE_LDLIBS)
> >
> >  all: $(TARGETS)
> >
> > diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
> > index 8dfbd762..7d60b1e9 100644
> > --- a/libsemanage/src/Makefile
> > +++ b/libsemanage/src/Makefile
> > @@ -67,7 +67,10 @@ SWIG = swig -Wall -python -o $(SWIGCOUT) -outdir ./
> >
> >  SWIGRUBY = swig -Wall -ruby -o $(SWIGRUBYCOUT) -outdir ./
> >
> > -all: $(LIBA) $(LIBSO) $(LIBPC)
> > +all: $(LIBA) $(LIBPC)
> > +ifneq ($(DISABLE_SHARED),y)
> > +all: $(LIBSO)
> > +endif
> >
> >  pywrap: all $(SWIGSO)
> >
> > @@ -137,11 +140,13 @@ swigify: $(SWIGIF)
> >  install: all
> >         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
> >         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> > -       install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
> >         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
> >         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> >         test -f $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION) || install -m 644 -D semanage.conf $(DESTDIR)$(DEFAULT_SEMANAGE_CONF_LOCATION)
> > +ifneq ($(DISABLE_SHARED),y)
> > +       install -m 755 $(LIBSO) $(DESTDIR)$(LIBDIR)
> >         cd $(DESTDIR)$(LIBDIR) && ln -sf $(LIBSO) $(TARGET)
> > +endif
> >
> >  install-pywrap: pywrap
> >         test -d $(DESTDIR)$(PYTHONLIBDIR) || install -m 755 -d $(DESTDIR)$(PYTHONLIBDIR)
> > diff --git a/libsepol/src/Makefile b/libsepol/src/Makefile
> > index 71fa3ed7..a1aed072 100644
> > --- a/libsepol/src/Makefile
> > +++ b/libsepol/src/Makefile
> > @@ -45,7 +45,10 @@ LDFLAGS += -undefined dynamic_lookup
> >  LN=gln
> >  endif
> >
> > -all: $(LIBA) $(LIBSO) $(LIBPC)
> > +all: $(LIBA) $(LIBPC)
> > +ifneq ($(DISABLE_SHARED),y)
> > +all: $(LIBSO)
> > +endif
> >
> >
> >  $(LIBA):  $(OBJS)
> > @@ -87,11 +90,13 @@ endif
> >  install: all
> >         test -d $(DESTDIR)$(LIBDIR) || install -m 755 -d $(DESTDIR)$(LIBDIR)
> >         install -m 644 $(LIBA) $(DESTDIR)$(LIBDIR)
> > -       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> > -       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
> >         test -d $(DESTDIR)$(LIBDIR)/pkgconfig || install -m 755 -d $(DESTDIR)$(LIBDIR)/pkgconfig
> >         install -m 644 $(LIBPC) $(DESTDIR)$(LIBDIR)/pkgconfig
> > +ifneq ($(DISABLE_SHARED),y)
> > +       test -d $(DESTDIR)$(SHLIBDIR) || install -m 755 -d $(DESTDIR)$(SHLIBDIR)
> > +       install -m 755 $(LIBSO) $(DESTDIR)$(SHLIBDIR)
> >         $(LN) -sf --relative $(DESTDIR)$(SHLIBDIR)/$(LIBSO) $(DESTDIR)$(LIBDIR)/$(TARGET)
> > +endif
> >
> >  relabel:
> >         /sbin/restorecon $(DESTDIR)$(SHLIBDIR)/$(LIBSO)
> > diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> > index 32ad0201..7acd51dd 100644
> > --- a/policycoreutils/Makefile
> > +++ b/policycoreutils/Makefile
> > @@ -1,5 +1,10 @@
> >  SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
> >
> > +PKG_CONFIG ?= pkg-config
> > +
> > +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> > +export LIBSELINUX_LDLIBS
> > +
> >  all install relabel clean indent:
> >         @for subdir in $(SUBDIRS); do \
> >                 (cd $$subdir && $(MAKE) $@) || exit 1; \
> > diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
> > index ad80d500..37c0111b 100644
> > --- a/policycoreutils/load_policy/Makefile
> > +++ b/policycoreutils/load_policy/Makefile
> > @@ -7,7 +7,7 @@ LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
> >
> >  CFLAGS ?= -Werror -Wall -W
> >  override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> > -override LDLIBS += -lsepol -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol
> >
> >  TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
> >
> > diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> > index 4b8145d3..6e95e79f 100644
> > --- a/policycoreutils/newrole/Makefile
> > +++ b/policycoreutils/newrole/Makefile
> > @@ -25,7 +25,7 @@ VERSION = $(shell cat ../VERSION)
> >  CFLAGS ?= -Werror -Wall -W
> >  EXTRA_OBJS =
> >  override CFLAGS += -DVERSION=\"$(VERSION)\" -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> > -override LDLIBS += -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS)
> >  ifeq ($(PAMH), y)
> >         override CFLAGS += -DUSE_PAM
> >         EXTRA_OBJS += hashtab.o
> > diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
> > index 619ebc1d..a5002587 100644
> > --- a/policycoreutils/run_init/Makefile
> > +++ b/policycoreutils/run_init/Makefile
> > @@ -11,7 +11,7 @@ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
> >
> >  CFLAGS ?= -Werror -Wall -W
> >  override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> > -override LDLIBS += -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS)
> >  ifeq ($(PAMH), y)
> >         override CFLAGS += -DUSE_PAM
> >         override LDLIBS += -lpam -lpam_misc
> > diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
> > index 440503a1..daa3e10e 100644
> > --- a/policycoreutils/secon/Makefile
> > +++ b/policycoreutils/secon/Makefile
> > @@ -8,7 +8,7 @@ WARNS=-Werror -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wca
> >  VERSION = $(shell cat ../VERSION)
> >  CFLAGS ?= $(WARNS) -O1
> >  override CFLAGS += -DVERSION=\"$(VERSION)\"
> > -override LDLIBS += -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS)
> >
> >  all: secon
> >
> > diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> > index 9fbf99d6..3855f95e 100644
> > --- a/policycoreutils/semodule/Makefile
> > +++ b/policycoreutils/semodule/Makefile
> > @@ -5,11 +5,12 @@ SBINDIR ?= $(PREFIX)/sbin
> >  MANDIR = $(PREFIX)/share/man
> >
> >  CFLAGS ?= -Werror -Wall -W
> > -override LDLIBS += -lsepol -lselinux -lsemanage
> > +override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
> >  SEMODULE_OBJS = semodule.o
> >
> >  all: semodule genhomedircon
> >
> > +semodule: LDLIBS += -laudit -lbz2
> >  semodule: $(SEMODULE_OBJS)
> >
> >  genhomedircon:
> > diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> > index aebf050c..b0df6d28 100644
> > --- a/policycoreutils/sestatus/Makefile
> > +++ b/policycoreutils/sestatus/Makefile
> > @@ -8,7 +8,7 @@ ETCDIR ?= /etc
> >
> >  CFLAGS ?= -Werror -Wall -W
> >  override CFLAGS += -D_FILE_OFFSET_BITS=64
> > -override LDLIBS += -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS)
> >
> >  all: sestatus
> >
> > diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
> > index 84ffb08b..0b27e934 100644
> > --- a/policycoreutils/setfiles/Makefile
> > +++ b/policycoreutils/setfiles/Makefile
> > @@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
> >  AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
> >
> >  CFLAGS ?= -g -Werror -Wall -W
> > -override LDLIBS += -lselinux -lsepol -lpthread
> > +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol -lpthread
> >
> >  ifeq ($(AUDITH), y)
> >         override CFLAGS += -DUSE_AUDIT
> > diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> > index fc5b4ff6..12b6315d 100644
> > --- a/policycoreutils/setsebool/Makefile
> > +++ b/policycoreutils/setsebool/Makefile
> > @@ -6,13 +6,14 @@ MANDIR = $(PREFIX)/share/man
> >  BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
> >
> >  CFLAGS ?= -Werror -Wall -W
> > -override LDLIBS += -lselinux -lsemanage
> > +override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
> >  SETSEBOOL_OBJS = setsebool.o
> >
> >  BASHCOMPLETIONS=setsebool-bash-completion.sh
> >
> >  all: setsebool
> >
> > +setsebool: LDLIBS += -laudit -lbz2
> >  setsebool: $(SETSEBOOL_OBJS)
> >
> >  install: all
> > diff --git a/policycoreutils/unsetfiles/Makefile b/policycoreutils/unsetfiles/Makefile
> > index 9e5edc04..bdc1b9de 100644
> > --- a/policycoreutils/unsetfiles/Makefile
> > +++ b/policycoreutils/unsetfiles/Makefile
> > @@ -3,7 +3,7 @@ SBINDIR ?= $(PREFIX)/sbin
> >  MANDIR ?= $(PREFIX)/share/man
> >
> >  override CFLAGS += -D_GNU_SOURCE
> > -override LDLIBS += -lselinux
> > +override LDLIBS += $(LIBSELINUX_LDLIBS)
> >
> >
> >  all: unsetfiles
> >
> > base-commit: 71aec30d068789e856e7cc429b620ae1cfa890f1
> > --
> > 2.47.0
> >
> >

Re: [PATCH v3] Support static-only builds - unconditional `-laudit -lbz2` in non-static policycoreutils build

[Petr Lautrbach]

Alyssa Ross <hi@alyssa.is> writes:

> Sometimes it's useful to have a static-only toolchain.  This can be
> due to targetting some weird embedded platform, or it can be because
> it ensures that no dynamic libraries are sneaking into a system that's
> supposed to be 100% static due to non-cooperative build systems.  Most
> build systems support static-only builds, e.g. autoconf provides a
> --disable-shared configure option.
>
> selinux's custom make-based build system did not support such an
> option, so here I've added one.  Apart from the obvious changes, I had
> to make the utilities that use external libraries link against them
> manually, because that can't be inferred from the static selinux
> libraries.  For downstream users of libselinux using pkg-config, this
> shouldn't be a problem, because libselinux.pc already includes the
> Requires.private line that specifies libpcre should be linked against
> as well.
>
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 32ad0201..7acd51dd 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -1,5 +1,10 @@
>  SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setsebool scripts po man hll unsetfiles
>  
> +PKG_CONFIG ?= pkg-config
> +
> +LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> +export LIBSELINUX_LDLIBS
> +
>  all install relabel clean indent:
>  	@for subdir in $(SUBDIRS); do \
>  		(cd $$subdir && $(MAKE) $@) || exit 1; \
> diff --git a/policycoreutils/load_policy/Makefile b/policycoreutils/load_policy/Makefile
> index ad80d500..37c0111b 100644
> --- a/policycoreutils/load_policy/Makefile
> +++ b/policycoreutils/load_policy/Makefile
> @@ -7,7 +7,7 @@ LOCALEDIR ?= $(DESTDIR)$(PREFIX)/share/locale
>  
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += $(LDFLAGS) -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lsepol -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol
>  
>  TARGETS=$(patsubst %.c,%,$(sort $(wildcard *.c)))
>  
> diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
> index 4b8145d3..6e95e79f 100644
> --- a/policycoreutils/newrole/Makefile
> +++ b/policycoreutils/newrole/Makefile
> @@ -25,7 +25,7 @@ VERSION = $(shell cat ../VERSION)
>  CFLAGS ?= -Werror -Wall -W
>  EXTRA_OBJS =
>  override CFLAGS += -DVERSION=\"$(VERSION)\" -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  ifeq ($(PAMH), y)
>  	override CFLAGS += -DUSE_PAM
>  	EXTRA_OBJS += hashtab.o
> diff --git a/policycoreutils/run_init/Makefile b/policycoreutils/run_init/Makefile
> index 619ebc1d..a5002587 100644
> --- a/policycoreutils/run_init/Makefile
> +++ b/policycoreutils/run_init/Makefile
> @@ -11,7 +11,7 @@ AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>  
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  ifeq ($(PAMH), y)
>  	override CFLAGS += -DUSE_PAM
>  	override LDLIBS += -lpam -lpam_misc
> diff --git a/policycoreutils/secon/Makefile b/policycoreutils/secon/Makefile
> index 440503a1..daa3e10e 100644
> --- a/policycoreutils/secon/Makefile
> +++ b/policycoreutils/secon/Makefile
> @@ -8,7 +8,7 @@ WARNS=-Werror -W -Wall -Wundef -Wshadow -Wpointer-arith -Wbad-function-cast -Wca
>  VERSION = $(shell cat ../VERSION)
>  CFLAGS ?= $(WARNS) -O1
>  override CFLAGS += -DVERSION=\"$(VERSION)\"
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  
>  all: secon
>  
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 9fbf99d6..3855f95e 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -5,11 +5,12 @@ SBINDIR ?= $(PREFIX)/sbin
>  MANDIR = $(PREFIX)/share/man
>  
>  CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lsepol -lselinux -lsemanage
> +override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
>  SEMODULE_OBJS = semodule.o
>  
>  all: semodule genhomedircon
>  
> +semodule: LDLIBS += -laudit -lbz2

This change requires libaudit.so and and libbz2.so to be installed
during policycoreutils build. This had not been necessary before this
change.

While it can be changed in build system, e.g. in Fedora use
BuildRequires in policycoreutils.spec, neither semodule nor setseboot
does not use those 2 libraries directly.

I have not tested it yet but the following check could fix it:


ifneq ($(DISABLE_SHARED),y)
      semodule: LDLIBS += -laudit -lbz2
endif



>  semodule: $(SEMODULE_OBJS)
>  
>  genhomedircon:
> diff --git a/policycoreutils/sestatus/Makefile b/policycoreutils/sestatus/Makefile
> index aebf050c..b0df6d28 100644
> --- a/policycoreutils/sestatus/Makefile
> +++ b/policycoreutils/sestatus/Makefile
> @@ -8,7 +8,7 @@ ETCDIR ?= /etc
>  
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -D_FILE_OFFSET_BITS=64
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  
>  all: sestatus
>  
> diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
> index 84ffb08b..0b27e934 100644
> --- a/policycoreutils/setfiles/Makefile
> +++ b/policycoreutils/setfiles/Makefile
> @@ -6,7 +6,7 @@ MANDIR = $(PREFIX)/share/man
>  AUDITH ?= $(shell test -f /usr/include/libaudit.h && echo y)
>  
>  CFLAGS ?= -g -Werror -Wall -W
> -override LDLIBS += -lselinux -lsepol -lpthread
> +override LDLIBS += $(LIBSELINUX_LDLIBS) -lsepol -lpthread
>  
>  ifeq ($(AUDITH), y)
>  	override CFLAGS += -DUSE_AUDIT
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index fc5b4ff6..12b6315d 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -6,13 +6,14 @@ MANDIR = $(PREFIX)/share/man
>  BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
>  
>  CFLAGS ?= -Werror -Wall -W
> -override LDLIBS += -lselinux -lsemanage
> +override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
>  SETSEBOOL_OBJS = setsebool.o
>  
>  BASHCOMPLETIONS=setsebool-bash-completion.sh 
>  
>  all: setsebool
>  
> +setsebool: LDLIBS += -laudit -lbz2
>  setsebool: $(SETSEBOOL_OBJS)
>  
>  install: all
> diff --git a/policycoreutils/unsetfiles/Makefile b/policycoreutils/unsetfiles/Makefile
> index 9e5edc04..bdc1b9de 100644
> --- a/policycoreutils/unsetfiles/Makefile
> +++ b/policycoreutils/unsetfiles/Makefile
> @@ -3,7 +3,7 @@ SBINDIR ?= $(PREFIX)/sbin
>  MANDIR ?= $(PREFIX)/share/man
>  
>  override CFLAGS += -D_GNU_SOURCE
> -override LDLIBS += -lselinux
> +override LDLIBS += $(LIBSELINUX_LDLIBS)
>  
>  
>  all: unsetfiles
>
> base-commit: 71aec30d068789e856e7cc429b620ae1cfa890f1
> -- 
> 2.47.0

[PATCH 1/2] libsemanage: add missing libaudit private library

[Alyssa Ross]

libsemanage always uses libaudit functions, so we need to make sure
that consumers of libsemanage.a know to link against libaudit too.

Fixes: 56d9d20a ("Pull auditing into libsemanage.")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 libsemanage/src/libsemanage.pc.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsemanage/src/libsemanage.pc.in b/libsemanage/src/libsemanage.pc.in
index 303f8069..8b7c55a9 100644
--- a/libsemanage/src/libsemanage.pc.in
+++ b/libsemanage/src/libsemanage.pc.in
@@ -9,5 +9,5 @@ Version: @VERSION@
 URL: https://github.com/selinuxproject/selinux/wiki/Releases
 Requires.private: libselinux libsepol
 Libs: -L${libdir} -lsemanage
-Libs.private: -lbz2
+Libs.private: -laudit -lbz2
 Cflags: -I${includedir}

base-commit: 2304becd8154eeab084a7ef31b29048c0a780e84
-- 
2.49.0

[PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[Alyssa Ross]

libaudit and libbz2 are only required to be in the linker path for
static builds.  For dynamic builds, they'll be discovered through ELF
metadata.  pkg-config knows how to do the right thing in both cases,
so just use it rather than listing libsemanage's dependencies
manually.

Fixes: da6cd3d8 ("Support static-only builds")
Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
Signed-off-by: Alyssa Ross <hi@alyssa.is>
---
 policycoreutils/Makefile           | 3 ++-
 policycoreutils/semodule/Makefile  | 3 +--
 policycoreutils/setsebool/Makefile | 3 +--
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
index 7acd51dd..0f3d62f2 100644
--- a/policycoreutils/Makefile
+++ b/policycoreutils/Makefile
@@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
 PKG_CONFIG ?= pkg-config
 
 LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
-export LIBSELINUX_LDLIBS
+LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
+export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
 
 all install relabel clean indent:
 	@for subdir in $(SUBDIRS); do \
diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
index 7c45831f..018ee2ca 100644
--- a/policycoreutils/semodule/Makefile
+++ b/policycoreutils/semodule/Makefile
@@ -7,12 +7,11 @@ MANDIR = $(PREFIX)/share/man
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
 override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
-override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
+override LDLIBS += $(LIBSEMANAGE_LDLIBS) -lsepol $(LIBSELINUX_LDLIBS)
 SEMODULE_OBJS = semodule.o
 
 all: semodule genhomedircon
 
-semodule: LDLIBS += -laudit -lbz2
 semodule: $(SEMODULE_OBJS)
 
 genhomedircon:
diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
index 1d514846..87494c55 100644
--- a/policycoreutils/setsebool/Makefile
+++ b/policycoreutils/setsebool/Makefile
@@ -8,14 +8,13 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
 CFLAGS ?= -Werror -Wall -W
 override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
 override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
-override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
+override LDLIBS += $(LIBSEMANAGE_LDLIBS) $(LIBSELINUX_LDLIBS)
 SETSEBOOL_OBJS = setsebool.o
 
 BASHCOMPLETIONS=setsebool-bash-completion.sh 
 
 all: setsebool
 
-setsebool: LDLIBS += -laudit -lbz2
 setsebool: $(SETSEBOOL_OBJS)
 
 install: all
-- 
2.49.0

Re: [PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[James Carter]

On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
>
> libaudit and libbz2 are only required to be in the linker path for
> static builds.  For dynamic builds, they'll be discovered through ELF
> metadata.  pkg-config knows how to do the right thing in both cases,
> so just use it rather than listing libsemanage's dependencies
> manually.
>
> Fixes: da6cd3d8 ("Support static-only builds")
> Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> ---
>  policycoreutils/Makefile           | 3 ++-
>  policycoreutils/semodule/Makefile  | 3 +--
>  policycoreutils/setsebool/Makefile | 3 +--
>  3 files changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 7acd51dd..0f3d62f2 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
>  PKG_CONFIG ?= pkg-config
>
>  LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> -export LIBSELINUX_LDLIBS
> +LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
> +export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
>

I think that we actually want something like:
ifeq ($(DISABLE_SHARED),y)
    LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
$(PKG_CONFIG) --libs libselinux --static)
    LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
$(PKG_CONFIG) --libs libsemanage --static)
else
    LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
$(PKG_CONFIG) --libs libselinux)
    LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
$(PKG_CONFIG) --libs libsemanage)
endif

As originally written, it is going to find the installed libselinux.pc
and libsemanage.pc files which are not going to reflect any changes
made to these files in the current build (I noticed this because your
patch does make changes).
Also, I believe that "--static" is needed to generate the right libs
for a static build.

With my changes above, using DISABLE_SHARED=y results in:
LIBSELINUX_LDLIBS = -L/usr/lib -lselinux -lsepol -lpcre2-8
LIBSEMANAGE_LDLIBS = -L/usr/lib -lsemanage -laudit -lbz2 -lselinux
-lpcre2-8 -lsepol

while a normal build results in:
LIBSELINUX_LDLIBS = -L/usr/lib -lselinux
LIBSEMANAGE_LDLIBS = -L/usr/lib -lsemanage

Does this work for everyone?

Thanks,
Jim

>  all install relabel clean indent:
>         @for subdir in $(SUBDIRS); do \
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 7c45831f..018ee2ca 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -7,12 +7,11 @@ MANDIR = $(PREFIX)/share/man
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
>  override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
> -override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
> +override LDLIBS += $(LIBSEMANAGE_LDLIBS) -lsepol $(LIBSELINUX_LDLIBS)
>  SEMODULE_OBJS = semodule.o
>
>  all: semodule genhomedircon
>
> -semodule: LDLIBS += -laudit -lbz2
>  semodule: $(SEMODULE_OBJS)
>
>  genhomedircon:
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index 1d514846..87494c55 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -8,14 +8,13 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
>  override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
> -override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
> +override LDLIBS += $(LIBSEMANAGE_LDLIBS) $(LIBSELINUX_LDLIBS)
>  SETSEBOOL_OBJS = setsebool.o
>
>  BASHCOMPLETIONS=setsebool-bash-completion.sh
>
>  all: setsebool
>
> -setsebool: LDLIBS += -laudit -lbz2
>  setsebool: $(SETSEBOOL_OBJS)
>
>  install: all
> --
> 2.49.0
>

Re: [PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 3068 bytes --]

James Carter <jwcart2@gmail.com> writes:

> On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
>>
>> libaudit and libbz2 are only required to be in the linker path for
>> static builds.  For dynamic builds, they'll be discovered through ELF
>> metadata.  pkg-config knows how to do the right thing in both cases,
>> so just use it rather than listing libsemanage's dependencies
>> manually.
>>
>> Fixes: da6cd3d8 ("Support static-only builds")
>> Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
>> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> ---
>>  policycoreutils/Makefile           | 3 ++-
>>  policycoreutils/semodule/Makefile  | 3 +--
>>  policycoreutils/setsebool/Makefile | 3 +--
>>  3 files changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>> index 7acd51dd..0f3d62f2 100644
>> --- a/policycoreutils/Makefile
>> +++ b/policycoreutils/Makefile
>> @@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
>>  PKG_CONFIG ?= pkg-config
>>
>>  LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>> -export LIBSELINUX_LDLIBS
>> +LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
>> +export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
>>
>
> I think that we actually want something like:
> ifeq ($(DISABLE_SHARED),y)
>     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
> $(PKG_CONFIG) --libs libselinux --static)
>     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
> $(PKG_CONFIG) --libs libsemanage --static)
> else
>     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
> $(PKG_CONFIG) --libs libselinux)
>     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
> $(PKG_CONFIG) --libs libsemanage)
> endif

> As originally written, it is going to find the installed libselinux.pc
> and libsemanage.pc files which are not going to reflect any changes
> made to these files in the current build (I noticed this because your
> patch does make changes).

I see.  It hadn't occurred to me that selinux userspace supported being
built all at once like this; I'd only seen all the components built
individually, which is evidently also what Petr is doing.  Your proposed
solution wouldn't be compatible with different components being
installed to different prefixes, which is how we do it in Nixpkgs, where
every package is installed to a unique prefix.

> Also, I believe that "--static" is needed to generate the right libs
> for a static build.

I /think/ it's generally expected that if you want static builds you set
e.g. PKG_CONFIG="pkg-config --static".  For example, a quick look at the
pkg-config autoconf macros tells me that they don't try to detect
whether to pass it or not, and in Nixpkgs we inject --static for static
builds.  Your proposal would also be a change in the meaning of
DISABLE_SHARED, which until now hasn't changed how anything is built,
just disabled things.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[James Carter]

On Fri, Jun 27, 2025 at 11:04 AM Alyssa Ross <hi@alyssa.is> wrote:
>
> James Carter <jwcart2@gmail.com> writes:
>
> > On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
> >>
> >> libaudit and libbz2 are only required to be in the linker path for
> >> static builds.  For dynamic builds, they'll be discovered through ELF
> >> metadata.  pkg-config knows how to do the right thing in both cases,
> >> so just use it rather than listing libsemanage's dependencies
> >> manually.
> >>
> >> Fixes: da6cd3d8 ("Support static-only builds")
> >> Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
> >> Signed-off-by: Alyssa Ross <hi@alyssa.is>
> >> ---
> >>  policycoreutils/Makefile           | 3 ++-
> >>  policycoreutils/semodule/Makefile  | 3 +--
> >>  policycoreutils/setsebool/Makefile | 3 +--
> >>  3 files changed, 4 insertions(+), 5 deletions(-)
> >>
> >> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> >> index 7acd51dd..0f3d62f2 100644
> >> --- a/policycoreutils/Makefile
> >> +++ b/policycoreutils/Makefile
> >> @@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
> >>  PKG_CONFIG ?= pkg-config
> >>
> >>  LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> >> -export LIBSELINUX_LDLIBS
> >> +LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
> >> +export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
> >>
> >
> > I think that we actually want something like:
> > ifeq ($(DISABLE_SHARED),y)
> >     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
> > $(PKG_CONFIG) --libs libselinux --static)
> >     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
> > $(PKG_CONFIG) --libs libsemanage --static)
> > else
> >     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
> > $(PKG_CONFIG) --libs libselinux)
> >     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
> > $(PKG_CONFIG) --libs libsemanage)
> > endif
>
> > As originally written, it is going to find the installed libselinux.pc
> > and libsemanage.pc files which are not going to reflect any changes
> > made to these files in the current build (I noticed this because your
> > patch does make changes).
>
> I see.  It hadn't occurred to me that selinux userspace supported being
> built all at once like this; I'd only seen all the components built
> individually, which is evidently also what Petr is doing.  Your proposed
> solution wouldn't be compatible with different components being
> installed to different prefixes, which is how we do it in Nixpkgs, where
> every package is installed to a unique prefix.
>

Obviously we want to support building everything separately as well as
everything together.

I think that this should work:
LIBSELINUX_LDLIBS := $(shell
PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libselinux/src" $(PKG_CONFIG)
--libs libselinux)
LIBSEMANAGE_LDLIBS := $(shell
PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libsemanage/src" $(PKG_CONFIG)
--libs libsemanage)

Based on my testing:
1) If PKG_CONFIG_PATH is set, that will be searched first
2) If the pc files are not found, then "../libsemange/src" or
"../libselinux/src" will be searched
3) If the pc files are still not found, then pkg-config will search
using its defaults

This seems like it should work regardless.

BTW, I also tried using PKG_CONFIG_LIBDIR, but if that is set, then
only that directory will be searched.

> > Also, I believe that "--static" is needed to generate the right libs
> > for a static build.
>
> I /think/ it's generally expected that if you want static builds you set
> e.g. PKG_CONFIG="pkg-config --static".  For example, a quick look at the
> pkg-config autoconf macros tells me that they don't try to detect
> whether to pass it or not, and in Nixpkgs we inject --static for static
> builds.  Your proposal would also be a change in the meaning of
> DISABLE_SHARED, which until now hasn't changed how anything is built,
> just disabled things.

I see. I should just set PKG_CONFIG="pkg-config --static" if I want to
build static. That works for me.

Thanks,
Jim

Re: [PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[Alyssa Ross]

[-- Attachment #1: Type: text/plain, Size: 3679 bytes --]

James Carter <jwcart2@gmail.com> writes:

> On Fri, Jun 27, 2025 at 11:04 AM Alyssa Ross <hi@alyssa.is> wrote:
>>
>> James Carter <jwcart2@gmail.com> writes:
>>
>> > On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
>> >>
>> >> libaudit and libbz2 are only required to be in the linker path for
>> >> static builds.  For dynamic builds, they'll be discovered through ELF
>> >> metadata.  pkg-config knows how to do the right thing in both cases,
>> >> so just use it rather than listing libsemanage's dependencies
>> >> manually.
>> >>
>> >> Fixes: da6cd3d8 ("Support static-only builds")
>> >> Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
>> >> Signed-off-by: Alyssa Ross <hi@alyssa.is>
>> >> ---
>> >>  policycoreutils/Makefile           | 3 ++-
>> >>  policycoreutils/semodule/Makefile  | 3 +--
>> >>  policycoreutils/setsebool/Makefile | 3 +--
>> >>  3 files changed, 4 insertions(+), 5 deletions(-)
>> >>
>> >> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
>> >> index 7acd51dd..0f3d62f2 100644
>> >> --- a/policycoreutils/Makefile
>> >> +++ b/policycoreutils/Makefile
>> >> @@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
>> >>  PKG_CONFIG ?= pkg-config
>> >>
>> >>  LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
>> >> -export LIBSELINUX_LDLIBS
>> >> +LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
>> >> +export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
>> >>
>> >
>> > I think that we actually want something like:
>> > ifeq ($(DISABLE_SHARED),y)
>> >     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
>> > $(PKG_CONFIG) --libs libselinux --static)
>> >     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
>> > $(PKG_CONFIG) --libs libsemanage --static)
>> > else
>> >     LIBSELINUX_LDLIBS := $(shell PKG_CONFIG_PATH=../libselinux/src
>> > $(PKG_CONFIG) --libs libselinux)
>> >     LIBSEMANAGE_LDLIBS := $(shell PKG_CONFIG_PATH=../libsemanage/src
>> > $(PKG_CONFIG) --libs libsemanage)
>> > endif
>>
>> > As originally written, it is going to find the installed libselinux.pc
>> > and libsemanage.pc files which are not going to reflect any changes
>> > made to these files in the current build (I noticed this because your
>> > patch does make changes).
>>
>> I see.  It hadn't occurred to me that selinux userspace supported being
>> built all at once like this; I'd only seen all the components built
>> individually, which is evidently also what Petr is doing.  Your proposed
>> solution wouldn't be compatible with different components being
>> installed to different prefixes, which is how we do it in Nixpkgs, where
>> every package is installed to a unique prefix.
>>
>
> Obviously we want to support building everything separately as well as
> everything together.
>
> I think that this should work:
> LIBSELINUX_LDLIBS := $(shell
> PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libselinux/src" $(PKG_CONFIG)
> --libs libselinux)
> LIBSEMANAGE_LDLIBS := $(shell
> PKG_CONFIG_PATH="$(PKG_CONFIG_PATH):../libsemanage/src" $(PKG_CONFIG)
> --libs libsemanage)
>
> Based on my testing:
> 1) If PKG_CONFIG_PATH is set, that will be searched first
> 2) If the pc files are not found, then "../libsemange/src" or
> "../libselinux/src" will be searched
> 3) If the pc files are still not found, then pkg-config will search
> using its defaults
>
> This seems like it should work regardless.
>
> BTW, I also tried using PKG_CONFIG_LIBDIR, but if that is set, then
> only that directory will be searched.

Looks sensible to me.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

Re: [PATCH 1/2] libsemanage: add missing libaudit private library

[James Carter]

On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
>
> libsemanage always uses libaudit functions, so we need to make sure
> that consumers of libsemanage.a know to link against libaudit too.
>
> Fixes: 56d9d20a ("Pull auditing into libsemanage.")
> Signed-off-by: Alyssa Ross <hi@alyssa.is>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libsemanage/src/libsemanage.pc.in | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libsemanage/src/libsemanage.pc.in b/libsemanage/src/libsemanage.pc.in
> index 303f8069..8b7c55a9 100644
> --- a/libsemanage/src/libsemanage.pc.in
> +++ b/libsemanage/src/libsemanage.pc.in
> @@ -9,5 +9,5 @@ Version: @VERSION@
>  URL: https://github.com/selinuxproject/selinux/wiki/Releases
>  Requires.private: libselinux libsepol
>  Libs: -L${libdir} -lsemanage
> -Libs.private: -lbz2
> +Libs.private: -laudit -lbz2
>  Cflags: -I${includedir}
>
> base-commit: 2304becd8154eeab084a7ef31b29048c0a780e84
> --
> 2.49.0
>

Re: [PATCH 2/2] policycoreutils: use pkg-config for libsemanage

[James Carter]

On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
>
> libaudit and libbz2 are only required to be in the linker path for
> static builds.  For dynamic builds, they'll be discovered through ELF
> metadata.  pkg-config knows how to do the right thing in both cases,
> so just use it rather than listing libsemanage's dependencies
> manually.
>
> Fixes: da6cd3d8 ("Support static-only builds")
> Closes: https://lore.kernel.org/r/87bjqebpre.fsf@redhat.com
> Signed-off-by: Alyssa Ross <hi@alyssa.is>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  policycoreutils/Makefile           | 3 ++-
>  policycoreutils/semodule/Makefile  | 3 +--
>  policycoreutils/setsebool/Makefile | 3 +--
>  3 files changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/policycoreutils/Makefile b/policycoreutils/Makefile
> index 7acd51dd..0f3d62f2 100644
> --- a/policycoreutils/Makefile
> +++ b/policycoreutils/Makefile
> @@ -3,7 +3,8 @@ SUBDIRS = setfiles load_policy newrole run_init secon sestatus semodule setseboo
>  PKG_CONFIG ?= pkg-config
>
>  LIBSELINUX_LDLIBS := $(shell $(PKG_CONFIG) --libs libselinux)
> -export LIBSELINUX_LDLIBS
> +LIBSEMANAGE_LDLIBS := $(shell $(PKG_CONFIG) --libs libsemanage)
> +export LIBSELINUX_LDLIBS LIBSEMANAGE_LDLIBS
>
>  all install relabel clean indent:
>         @for subdir in $(SUBDIRS); do \
> diff --git a/policycoreutils/semodule/Makefile b/policycoreutils/semodule/Makefile
> index 7c45831f..018ee2ca 100644
> --- a/policycoreutils/semodule/Makefile
> +++ b/policycoreutils/semodule/Makefile
> @@ -7,12 +7,11 @@ MANDIR = $(PREFIX)/share/man
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
>  override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
> -override LDLIBS += -lsemanage -lsepol $(LIBSELINUX_LDLIBS)
> +override LDLIBS += $(LIBSEMANAGE_LDLIBS) -lsepol $(LIBSELINUX_LDLIBS)
>  SEMODULE_OBJS = semodule.o
>
>  all: semodule genhomedircon
>
> -semodule: LDLIBS += -laudit -lbz2
>  semodule: $(SEMODULE_OBJS)
>
>  genhomedircon:
> diff --git a/policycoreutils/setsebool/Makefile b/policycoreutils/setsebool/Makefile
> index 1d514846..87494c55 100644
> --- a/policycoreutils/setsebool/Makefile
> +++ b/policycoreutils/setsebool/Makefile
> @@ -8,14 +8,13 @@ BASHCOMPLETIONDIR ?= $(PREFIX)/share/bash-completion/completions
>  CFLAGS ?= -Werror -Wall -W
>  override CFLAGS += -I../../libselinux/include -I../../libsemanage/include
>  override LDFLAGS+= -L../../libselinux/src     -L../../libsemanage/src
> -override LDLIBS += -lsemanage $(LIBSELINUX_LDLIBS)
> +override LDLIBS += $(LIBSEMANAGE_LDLIBS) $(LIBSELINUX_LDLIBS)
>  SETSEBOOL_OBJS = setsebool.o
>
>  BASHCOMPLETIONS=setsebool-bash-completion.sh
>
>  all: setsebool
>
> -setsebool: LDLIBS += -laudit -lbz2
>  setsebool: $(SETSEBOOL_OBJS)
>
>  install: all
> --
> 2.49.0
>

Re: [PATCH 1/2] libsemanage: add missing libaudit private library

[James Carter]

On Tue, Jul 1, 2025 at 11:12 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, Jun 25, 2025 at 6:41 AM Alyssa Ross <hi@alyssa.is> wrote:
> >
> > libsemanage always uses libaudit functions, so we need to make sure
> > that consumers of libsemanage.a know to link against libaudit too.
> >
> > Fixes: 56d9d20a ("Pull auditing into libsemanage.")
> > Signed-off-by: Alyssa Ross <hi@alyssa.is>
>
> Acked-by: James Carter <jwcart2@gmail.com>

These two patches have been merged.
Thanks,
Jim

>
> > ---
> >  libsemanage/src/libsemanage.pc.in | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/libsemanage/src/libsemanage.pc.in b/libsemanage/src/libsemanage.pc.in
> > index 303f8069..8b7c55a9 100644
> > --- a/libsemanage/src/libsemanage.pc.in
> > +++ b/libsemanage/src/libsemanage.pc.in
> > @@ -9,5 +9,5 @@ Version: @VERSION@
> >  URL: https://github.com/selinuxproject/selinux/wiki/Releases
> >  Requires.private: libselinux libsepol
> >  Libs: -L${libdir} -lsemanage
> > -Libs.private: -lbz2
> > +Libs.private: -laudit -lbz2
> >  Cflags: -I${includedir}
> >
> > base-commit: 2304becd8154eeab084a7ef31b29048c0a780e84
> > --
> > 2.49.0
> >