Bug 1284019 - libselinux: Move rpm_execcon to separate library
libselinux: Move rpm_execcon to separate library
Product: Fedora
Classification: Fedora
Component: libselinux (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Petr Lautrbach
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2015-11-20 09:57 EST by Florian Weimer
Modified: 2015-12-10 13:07 EST (History)
3 users (show)

See Also:
Fixed In Version: libselinux-2.4-6.fc24
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-12-10 13:07:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Florian Weimer 2015-11-20 09:57:01 EST
Would it be possible to move rpm_execcon and its execve call to a separate library?  A linker script could preserve link-time compatibility with build environments of dependencies.

Background: We are investigating if it is possible to remove execve call sites from most processes, and that execve inside libselinux is one very prominent supplier of execve, due to rpm_execcon.
Comment 1 Petr Lautrbach 2015-11-20 11:46:57 EST
I believe we could build libselinux without rpm_execcon completely:

--- a/libselinux.spec
+++ b/libselinux.spec
@@ -106,6 +106,7 @@ needed for developing SELinux applications.
 export LDFLAGS="%{?__global_ldflags}"
+export DISABLE_RPM="y"
 # To support building the Python wrapper against multiple Python runtimes
 # Define a function, for how to perform a "build" of the python wrapper against

rpm_execcon is marked as deprecated since 2012 and according to rpm's changelog, it doesn't use it any more:

commit 148e82833a384b438547c2d3610e3df4a50cf997
Author: Guillem Jover <guillem@hadrons.org>
Date:   Thu Jan 15 17:01:48 2015 +0100

    Use setexecfilecon() from libselinux instead of ad-hoc code
    This function was factored out from rpm_execcon() upstream to make it
    easier to use by its users, by making it not call execve() directly. It
    is now also used by dpkg since 1.17.11.
    Preserve the ad-hoc code for now so that it can be compiled against old
    libselinux versions.
Comment 2 Florian Weimer 2015-11-20 14:58:55 EST
I'm fine with removing it completely.  I checked, and there is no downstream ABI impact (at least nominally).

Note You need to log in before you can comment on or make changes to this bug.