selinux: insufficient M4 detection with building static binaries
From: Assaf Gordon
Subject: selinux: insufficient M4 detection with building static binaries
Date: Sun, 7 Apr 2019 00:33:57 -0600
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
Hi,
While exploring building coreutils as a static binary
( https://lists.gnu.org/r/coreutils/2019-04/msg00001.html )
I noticed that gnulib's selinux detection is incomplete.
Details:
The m4/selinux-selinux-h.m4 file checks for the 'setfilecon' function like
so: "AC_SEARCH_LIBS([setfilecon], [selinux], ..."
https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/selinux-selinux-h.m4#n56
This function can be linked statically,
but cp, mv and install also use "matchpathcon_init_prefix",
which can't be linked statically (unless selinux was built
for static linking?), and so linking fails.
To reproduce:
--- se-good.c ---
/* link probe in the autoconf style: only the symbol reference matters,
   not the real signature */
extern char setfilecon();
int main(){return setfilecon();}
--- se-bad.c ---
/* same probe for the symbol that cp/mv/install also need */
extern char matchpathcon_init_prefix();
int main(){return matchpathcon_init_prefix();}
$ gcc -o 1 -static se-good.c -lselinux && echo ok
ok
$ gcc -o 1 -static se-bad.c -lselinux
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(regex.o):
In function `regex_writef':
(.text+0x7b): undefined reference to `pcre_fullinfo'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(regex.o):
In function `regex_writef':
(.text+0xef): undefined reference to `pcre_fullinfo'
...
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(load_policy.o):
In function `selinux_mkload_policy':
(.text+0x7cc): undefined reference to `sepol_policy_kern_vers_max'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(load_policy.o):
In function `selinux_mkload_policy':
(.text+0x7d5): undefined reference to `sepol_policy_kern_vers_min'
collect2: error: ld returned 1 exit status
And so when building static binaries, SELinux is detected as available,
but linking cp/mv/install fails with the above errors.
---
I see that coreutils' m4/jm-macros.m4 does contain special
checks for "matchpathcon_init_prefix":
https://git.savannah.gnu.org/cgit/coreutils.git/tree/m4/jm-macros.m4#n51
Perhaps it used to be that "matchpathcon_init_prefix" was optional
when building with selinux?
It seems that now it is required.
---
Tweaking m4/selinux combinations is beyond my comfort zone...
the following hack at least avoids the issue by detecting that
linking with "matchpathcon_init_prefix" fails, thus automatically
disabling SELinux for static builds:
---
diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4
index 8bbbf0535..a35ce6cf0 100644
--- a/m4/selinux-selinux-h.m4
+++ b/m4/selinux-selinux-h.m4
@@ -56,12 +56,13 @@ AC_DEFUN([gl_LIBSELINUX],
AC_SEARCH_LIBS([setfilecon], [selinux],
[test "$ac_cv_search_setfilecon" = "none required" ||
LIB_SELINUX=$ac_cv_search_setfilecon])
+ AC_CHECK_LIB([selinux], [matchpathcon_init_prefix], [], [])
LIBS=$gl_save_LIBS
fi
AC_SUBST([LIB_SELINUX])
# Warn if SELinux is found but libselinux is absent;
- if test "$ac_cv_search_setfilecon" = no; then
+ if test "$ac_cv_search_setfilecon" = no || test
"$ac_cv_lib_selinux_matchpathcon_init_prefix" = no ; then
if test "$host" = "$build" && test -d /selinux; then
AC_MSG_WARN([This system supports SELinux but libselinux is
missing.])
AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux
support.])
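Review bot: the widened condition `|| test "$ac_cv_lib_selinux_matchpathcon_init_prefix" = no` only extends the warning branch; in the lines shown, nothing clears LIB_SELINUX, which AC_SEARCH_LIBS has just set from the successful setfilecon probe, so unless code outside this hunk resets it the substituted LIB_SELINUX still carries -lselinux and the cp/mv/install link would fail exactly as before. Consider adding `LIB_SELINUX=` in that branch next to the warnings, so the result matches the "automatically disabling SELinux" intent. Second, `AC_CHECK_LIB([selinux], [matchpathcon_init_prefix], [], [])` passes an empty action-if-found, which AC_CHECK_LIB treats as absent: it defines HAVE_LIBSELINUX and prepends -lselinux to LIBS. The LIBS change is undone by the following `LIBS=$gl_save_LIBS`, but the define still lands in config.h even when the later branch decides SELinux is unusable; an explicit no-op such as `[:]` avoids that. Finally, the patch as quoted has mail-wrapped lines (the `+ if test ... || test` line and both AC_MSG_WARN lines), so it will not apply without rejoining them.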
---
regards,
- assaf
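As an added example of what a complete link-time probe could look like (this is not gnulib's or coreutils' code, nor the hack above), the macro below links a tiny program against every libselinux function the package needs, with the LIB_SELINUX that AC_SEARCH_LIBS found and the user's LDFLAGS, and drops SELinux support entirely if any probe fails. It assumes it is invoked from gl_LIBSELINUX after LIB_SELINUX is set and that the enclosing macro tracks the result in a with_selinux variable, which the quoted hunk does not show; the function list and the macro name gl_SELINUX_LINK_CHECK are illustrative.

```m4
dnl Added example, not code from gnulib or coreutils: probe each libselinux
dnl function the package actually calls, using the LIB_SELINUX that
dnl AC_SEARCH_LIBS found and the configure-time LDFLAGS (so LDFLAGS=-static
dnl exercises the same link path), and disable SELinux if any probe fails.
dnl Assumes it is invoked from gl_LIBSELINUX after LIB_SELINUX is set and
dnl that the enclosing macro keeps its decision in with_selinux (assumption).
AC_DEFUN([gl_SELINUX_LINK_CHECK],
[
  if test "$with_selinux" != no && test -n "$LIB_SELINUX"; then
    gl_save_LIBS=$LIBS
    LIBS="$LIB_SELINUX $LIBS"
    gl_selinux_link_ok=yes
    dnl Function list is illustrative (assumption); extend it with every
    dnl libselinux entry point the package references.
    m4_foreach_w([gl_func], [setfilecon matchpathcon_init_prefix],
      [AC_CACHE_CHECK([whether gl_func links with $LIB_SELINUX],
         [gl_cv_selinux_link_[]gl_func],
         [AC_LINK_IFELSE([AC_LANG_CALL([], [gl_func])],
            [gl_cv_selinux_link_[]gl_func=yes],
            [gl_cv_selinux_link_[]gl_func=no])])
       if test "$gl_cv_selinux_link_[]gl_func" = no; then
         gl_selinux_link_ok=no
       fi
      ])
    LIBS=$gl_save_LIBS
    if test "$gl_selinux_link_ok" = no; then
      AC_MSG_WARN([libselinux was found, but not every function needed links])
      AC_MSG_WARN([(typical for -static); AC_PACKAGE_NAME will be compiled without SELinux support.])
      LIB_SELINUX=
      with_selinux=no
    fi
  fi
])
```

Call it directly after the existing AC_SEARCH_LIBS / LIBS=$gl_save_LIBS pair in gl_LIBSELINUX. Because AC_LINK_IFELSE links with the same LDFLAGS the rest of the build uses, a tree configured with LDFLAGS=-static sees the same unresolved pcre/sepol references the reproduction shows and falls back to a build without SELinux, while a shared build is unaffected; AC_LANG_CALL generates the same `char f(); return f();` style probe as the se-good.c/se-bad.c files above.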