Bug 1284019

Summary: libselinux: Move rpm_execcon to separate library
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: libselinux
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dwalsh, mgrepl, plautrba
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libselinux-2.4-6.fc24
Doc Type: Enhancement
Last Closed: 2015-12-10 18:07:26 UTC
Type: Bug

Description Florian Weimer 2015-11-20 14:57:01 UTC
Would it be possible to move rpm_execcon and its execve call to a separate library?  A linker script could preserve link-time compatibility with build environments of dependencies.

Background: We are investigating if it is possible to remove execve call sites from most processes, and the execve inside libselinux is one very prominent supplier of execve, due to rpm_execcon.
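A sketch of the linker-script approach proposed in the description, added here as an illustration and not taken from libselinux or its packaging. The split library name `libselinux-rpm.so.1` and the `/usr/lib64` paths are assumptions.

```ld
/* Installed by the -devel package as /usr/lib64/libselinux.so, replacing
 * the usual development symlink with a GNU ld linker script (the same
 * mechanism glibc uses for libc.so).
 *
 * Existing builds keep passing -lselinux unchanged:
 *   - libselinux.so.1 is always linked and no longer contains
 *     rpm_execcon() or its execve() call.
 *   - libselinux-rpm.so.1 (hypothetical name) holds rpm_execcon().
 *     AS_NEEDED records a DT_NEEDED entry for it only in binaries
 *     that actually reference a symbol it defines.
 */
INPUT ( /usr/lib64/libselinux.so.1 AS_NEEDED ( /usr/lib64/libselinux-rpm.so.1 ) )
```

This only covers link time: binaries that were already linked against libselinux.so.1 and call rpm_execcon() would need to be rebuilt, because the runtime library itself would no longer export the symbol.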

Comment 1 Petr Lautrbach 2015-11-20 16:46:57 UTC
I believe we could build libselinux without rpm_execcon completely:

--- a/libselinux.spec
+++ b/libselinux.spec
@@ -106,6 +106,7 @@ needed for developing SELinux applications.
 
 %build
 export LDFLAGS="%{?__global_ldflags}"
+export DISABLE_RPM="y"
 
 # To support building the Python wrapper against multiple Python runtimes
 # Define a function, for how to perform a "build" of the python wrapper against
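Review bot: the added `export DISABLE_RPM="y"` line in %build carries no comment saying that it drops rpm_execcon (and its execve call) from the built library, so the reason for the flag is not recoverable from the spec alone; a one-line comment above it and a %changelog entry would cover that. Because each spec section runs as its own shell script, the export is only in effect for %build; if %install also invokes make, the variable should be set there as well so both steps see the same configuration. Since this removes an exported symbol, it is also worth confirming before the build lands that no package in the distribution still links against rpm_execcon.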



rpm_execcon has been marked as deprecated since 2012, and according to rpm's changelog, it doesn't use it any more:

commit 148e82833a384b438547c2d3610e3df4a50cf997
Author: Guillem Jover <guillem>
Date:   Thu Jan 15 17:01:48 2015 +0100

    Use setexecfilecon() from libselinux instead of ad-hoc code
    
    This function was factored out from rpm_execcon() upstream to make it
    easier to use by its users, by making it not call execve() directly. It
    is now also used by dpkg since 1.17.11.
    
    Preserve the ad-hoc code for now so that it can be compiled against old
    libselinux versions.

Comment 2 Florian Weimer 2015-11-20 19:58:55 UTC
I'm fine with removing it completely.  I checked, and there is no downstream ABI impact (at least nominally).