Would it be possible to move rpm_execcon and its execve call to a separate library? A linker script could preserve link-time compatibility with build environments of dependencies. Background: We are investigating whether it is possible to remove execve call sites from most processes, and the execve inside libselinux is one very prominent supplier of execve, due to rpm_execcon.
I believe we could build libselinux without rpm_execcon completely:

--- a/libselinux.spec +++ b/libselinux.spec @@ -106,6 +106,7 @@ needed for developing SELinux applications. %build export LDFLAGS="%{?__global_ldflags}" +export DISABLE_RPM="y" # To support building the Python wrapper against multiple Python runtimes # Define a function, for how to perform a "build" of the python wrapper against

rpm_execcon is marked as deprecated since 2012 and according to rpm's changelog, it doesn't use it any more:

commit 148e82833a384b438547c2d3610e3df4a50cf997
Author: Guillem Jover <guillem>
Date: Thu Jan 15 17:01:48 2015 +0100

    Use setexecfilecon() from libselinux instead of ad-hoc code

    This function was factored out from rpm_execcon() upstream to make it easier to use by its users, by making it not call execve() directly. It is now also used by dpkg since 1.17.11. Preserve the ad-hoc code for now so that it can be compiled against old libselinux versions.
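Review bot: the added `export DISABLE_RPM="y"` in %build removes an exported symbol (rpm_execcon) from the shared library, so the hunk should come with a check that no dependent package still links against it, rather than relying on the symbol being deprecated; the quoted rpm commit explicitly keeps ad-hoc code "so that it can be compiled against old libselinux versions", so confirm which code path rpm takes when built against a libselinux without rpm_execcon. The export is also only effective if the libselinux Makefile honours DISABLE_RPM, and a bare environment variable in the spec gives no hint why it is there; a one-line comment above it, e.g. `# Build without the deprecated rpm_execcon() and its execve() call`, would make the intent reviewable later.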
I'm fine with removing it completely. I checked, and there is no downstream ABI impact (at least nominally).
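A check for the claim in this thread (that the rebuilt library neither exports rpm_execcon nor imports execve), added here as an example and not part of the original exchange. It inspects `nm -D` output of a shared object; the two sample symbol tables are constructed for illustration, not captured from a real libselinux build, and the assumed "after" state is what a DISABLE_RPM build is expected to look like.

```shell
#!/bin/sh
# Audit a shared object's dynamic symbol table (nm -D output on stdin) for
# the two things this thread is about: an exported rpm_execcon() and an
# undefined (imported) execve().  Prints each offending symbol and returns
# 1 if any is found, 0 if the library is clean.  Works with and without the
# "@VERSION" suffixes newer binutils print.
audit_execve_surface() {
    awk '
        # Undefined symbols have no address column: "U execve@GLIBC_2.2.5"
        $1 == "U" && $2 ~ /^execve(@|$)/ {
            print "imports execve: " $2; bad = 1
        }
        # Exported text symbols: "<addr> T rpm_execcon@@LIBSELINUX_1.0"
        $2 ~ /^[TtWw]$/ && $3 ~ /^rpm_execcon(@|$)/ {
            print "exports rpm_execcon: " $3; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of a libselinux.so.1 that still carries rpm_execcon
# (and therefore an execve import).  Not real output.
SAMPLE_BEFORE='                 U execve@GLIBC_2.2.5
                 U strdup@GLIBC_2.2.5
000000000001a2b0 T rpm_execcon@@LIBSELINUX_1.0
000000000001a100 T setexecfilecon@@LIBSELINUX_1.0'

# Constructed sample of the expected DISABLE_RPM=y result: rpm_execcon and the
# execve import are gone; setexecfilecon stays, so callers run execve themselves.
SAMPLE_AFTER='                 U strdup@GLIBC_2.2.5
000000000001a100 T setexecfilecon@@LIBSELINUX_1.0
000000000000d3e0 T setexeccon@@LIBSELINUX_1.0'

# Wrappers returning the audit's exit status for each sample.
audit_before() { printf '%s\n' "$SAMPLE_BEFORE" | audit_execve_surface; }
audit_after()  { printf '%s\n' "$SAMPLE_AFTER"  | audit_execve_surface; }

# Real use against an installed library (path is an assumption for x86_64 Fedora):
#   nm -D /usr/lib64/libselinux.so.1 | audit_execve_surface
```

Run the same audit over each package that links libselinux (`nm -D` on its binaries, looking for an undefined `rpm_execcon`) to turn the "no downstream ABI impact" statement into something verified rather than nominal.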