[Bug nss/26233] New: matchpathcon and security_context_t are deprecated by libselinux API

[Bug nss/26233] New: matchpathcon and security_context_t are deprecated by libselinux API

[arjun.is at lostca dot se]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

            Bug ID: 26233
           Summary: matchpathcon and security_context_t are deprecated by
                    libselinux API
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: nss
          Assignee: unassigned at sourceware dot org
          Reporter: arjun.is at lostca dot se
  Target Milestone: ---

Found this while building master into a Fedora Rawhide package:

matchpathcon was deprecated:
https://github.com/SELinuxProject/selinux/commit/c7020954caea

security_context_t was removed from usage:
https://github.com/SELinuxProject/selinux/commit/9eb9c9327563
then deprecated:
https://github.com/SELinuxProject/selinux/commit/7a124ca27581

These are used in nss and nscd and the uses now need to be replaced.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[arjun.is at lostca dot se]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

Arjun Shankar <arjun.is at lostca dot se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|unassigned at sourceware dot org   |arjun.is at lostca dot se

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[jsegitz at suse dot de]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

jsegitz at suse dot de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsegitz at suse dot de

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security-
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[glaubitz at physik dot fu-berlin.de]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

John Paul Adrian Glaubitz <glaubitz at physik dot fu-berlin.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |glaubitz at physik dot fu-berlin.d
                   |                            |e

--- Comment #1 from John Paul Adrian Glaubitz <glaubitz at physik dot fu-berlin.de> ---
This actually makes the build fail on m68k when building with -Werror:

makedb.c: In function 'set_file_creation_context':
makedb.c:849:3: error: 'security_context_t' is deprecated
[-Werror=deprecated-declarations]
  849 |   security_context_t ctx;
      |   ^~~~~~~~~~~~~~~~~~
makedb.c:863:3: error: 'matchpathcon' is deprecated: Use selabel_lookup instead
[-Werror=deprecated-declarations]
  863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx != NULL)
      |   ^~
In file included from makedb.c:50:
/usr/include/selinux/selinux.h:500:12: note: declared here
  500 | extern int matchpathcon(const char *path,
      |            ^~~~~~~~~~~~
cc1: all warnings being treated as errors

See:
https://buildd.debian.org/status/fetch.php?pkg=glibc&arch=m68k&ver=2.31-1&stamp=1595330718&raw=0

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[glaubitz at physik dot fu-berlin.de]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

John Paul Adrian Glaubitz <glaubitz at physik dot fu-berlin.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aurelien at aurel32 dot net,
                   |                            |schwab@linux-m68k.org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|schwab@linux-m68k.org       |

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[arjun.is at lostca dot se]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

--- Comment #2 from Arjun Shankar <arjun.is at lostca dot se> ---
> This actually makes the build fail on m68k when building with -Werror:

Right. It already failed when building glibc for Fedora rawhide as well. There
is one additional problem area: nscd/selinux.c also uses some deprecated
symbols.

As of now, it appears that for 2.32, we will end up disabling these via a
compiler pragma to disable the warning, and work on porting to newer API once
2.32 is released.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[arjun.is at lostca dot se]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

--- Comment #3 from Arjun Shankar <arjun.is at lostca dot se> ---
The warnings due to these deprecated symbols have been suppressed leading up to
2.32:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=04726be814c6

This doesn't fix the actual bug but will let us build glibc-2.32 with -Werror
on systems with libselinux >= 3.1.

We should port to the new API before 2.33. There should be some ideas in this
selinux development mailing list tread:
https://lore.kernel.org/selinux/39f23208-c9df-c16d-6513-49b3fd234fc7@redhat.com/T/#t

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Carlos O'Donell <carlos@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f278835f594740f5913001430641cf1da4878670

commit f278835f594740f5913001430641cf1da4878670
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Sep 11 11:30:17 2022 -0400

    makedb: fix build with libselinux >= 3.1 (Bug 26233)

    glibc doesn't build with libselinux 3.1 that has been released recently
    due to new deprecations introduced in that version and the fact that
    glibc is built with -Werror by default:

    | makedb.c: In function âset_file_creation_contextâ:
    | makedb.c:849:3: error: âsecurity_context_tâ is deprecated
[-Werror=deprecated-declarations]
    |   849 |   security_context_t ctx;
    |       |   ^~~~~~~~~~~~~~~~~~
    | makedb.c:863:3: error: âmatchpathconâ is deprecated: Use
selabel_lookup instead [-Werror=deprecated-declarations]
    |   863 |   if (matchpathcon (outname, S_IFREG | mode, &ctx) == 0 && ctx !=
NULL)
    |       |   ^~
    | In file included from makedb.c:50:
    | /usr/include/selinux/selinux.h:500:12: note: declared here
    |   500 | extern int matchpathcon(const char *path,
    |       |            ^~~~~~~~~~~~
    | cc1: all warnings being treated as errors

    This patch fixes the makedb half of bug 26233 by moving to the new
    SELinux APIs and removes the existing compiler pragmas as no longer
    required. Upstream API usage feedback gathered by Arjun is integrated
    into this version of the fix.

    The built makedb was tested and operates as expected on x86_64 with
    SELinu in enforcing mode.

    No regressions on x86_64 with libselinux 3.3.

    Co-authored-by: Arjun Shankar <arjun@redhat.com>
    Co-authored-by: Carlos O'Donell <carlos@redhat.com>
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug nss/26233] matchpathcon and security_context_t are deprecated by libselinux API

[carlos at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=26233

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #5 from Carlos O'Donell <carlos at redhat dot com> ---
The makedb half of this bug is now fixed.

The nscd side of the fixes still need to be made.

-- 
You are receiving this mail because:
You are on the CC list for the bug.