Red Hat Bugzilla – Bug 1284019
libselinux: Move rpm_execcon to separate library
Last modified: 2015-12-10 13:07:26 EST
Would it be possible to move rpm_execcon and its execve call to a separate library? A linker script could preserve link-time compatibility with build environments of dependencies.
Background: We are investigating if it is possible to remove execve call sites from most processes, and that execve inside libselinux is one very prominent supplier of execve, due to rpm_execcon.
I believe we could build libselinux without rpm_execcon completely:
@@ -106,6 +106,7 @@ needed for developing SELinux applications.
# To support building the Python wrapper against multiple Python runtimes
# Define a function, for how to perform a "build" of the python wrapper against
rpm_execcon is marked as deprecated since 2012 and according to rpm's changelog, it doesn't use it any more:
Author: Guillem Jover <email@example.com>
Date: Thu Jan 15 17:01:48 2015 +0100
Use setexecfilecon() from libselinux instead of ad-hoc code
This function was factored out from rpm_execcon() upstream to make it
easier to use by its users, by making it not call execve() directly. It
is now also used by dpkg since 1.17.11.
Preserve the ad-hoc code for now so that it can be compiled against old
I'm fine with removing it completely. I checked, and there is no downstream ABI impact (at least nominally).