bug-gnulib
[PATCH] warn on missing selinux files


From: Paolo Bonzini
Subject: [PATCH] warn on missing selinux files
Date: Sat, 27 Jun 2009 13:01:42 +0200
User-agent: Thunderbird 2.0.0.17 (X11/20081009)

Compiling a package without SELinux support can be a security problem. On some distributions devel packages for libselinux have to be downloaded separately, and it can go unnoticed that packages have been configured without SELinux support.

The attached patch will warn if it finds libselinux but not selinux/selinux.h, or when not cross-compiling if it finds /selinux/enforce but not libselinux.

I'd like to include this check in sed 4.2.1 to warn packagers about the additional dependency.

Ok?  Should I test /selinux instead of /selinux/enforce?

Paolo

2009-06-27  Paolo Bonzini  <address@hidden>

        * m4/selinux-context-h (gl_HEADERS_SELINUX_CONTEXT_H): Remove
        self-explaining comment.
        * m4/selinux-selinux-h: Update serial.
        (gl_LIBSELINUX): Warn if SELinux is found but libselinux is absent;
        extracted from...
        (gl_HEADERS_SELINUX_SELINUX_H): ... this one.  Require gl_LIBSELINUX.
        Add warning for missing development packages here, too.

diff --git a/m4/selinux-context-h.m4 b/m4/selinux-context-h.m4
index 269c152..226b2cf 100644
--- a/m4/selinux-context-h.m4
+++ b/m4/selinux-context-h.m4
@@ -9,7 +9,6 @@
 
 AC_DEFUN([gl_HEADERS_SELINUX_CONTEXT_H],
 [
-  # Check for <selinux/context.h>,
   AC_CHECK_HEADERS([selinux/context.h],
                   [SELINUX_CONTEXT_H=],
                   [SELINUX_CONTEXT_H=selinux/context.h])
diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4
index c6e735c..50479fd 100644
--- a/m4/selinux-selinux-h.m4
+++ b/m4/selinux-selinux-h.m4
@@ -1,4 +1,4 @@
-# serial 2   -*- Autoconf -*-
+# serial 3   -*- Autoconf -*-
 # Copyright (C) 2006, 2007, 2009 Free Software Foundation, Inc.
 # This file is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -9,12 +9,23 @@
 
 AC_DEFUN([gl_HEADERS_SELINUX_SELINUX_H],
 [
-  # Check for <selinux/selinux.h>,
+  AC_REQUIRE([gl_LIBSELINUX])
   AC_CHECK_HEADERS([selinux/selinux.h],
                   [SELINUX_SELINUX_H=],
                   [SELINUX_SELINUX_H=selinux/selinux.h])
   AC_SUBST([SELINUX_SELINUX_H])
 
+  case "$ac_cv_search_setfilecon:$ac_cv_header_selinux_selinux_h" in
+    no:*) # already warned
+      ;;
+    *:no)
+      AC_MSG_WARN([libselinux found but selinux/selinux.h missing.])
+      AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.])
+  esac
+])
+
+AC_DEFUN([gl_LIBSELINUX],
+[
   LIB_SELINUX=
   gl_save_LIBS=$LIBS
   AC_SEARCH_LIBS([setfilecon], [selinux],
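Review bot: The `no:*) # already warned` arm in gl_HEADERS_SELINUX_SELINUX_H is only accurate when gl_LIBSELINUX really did print its warning, and that warning is conditional on `"$host" = "$build"` and on /selinux/enforce existing. When cross-compiling, or when building on a machine where /selinux/enforce is absent, a missing libselinux falls into this arm and the package is configured without SELinux support with no message at all. Either reword the comment so it does not claim a warning was issued, or state explicitly that the silent case is intended. As a style point, the `*:no)` arm has no `;;` before `esac`; that is legal for the final arm but inconsistent with the arm above it.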
@@ -22,4 +33,10 @@ AC_DEFUN([gl_HEADERS_SELINUX_SELINUX_H],
                   LIB_SELINUX=$ac_cv_search_setfilecon])
   AC_SUBST([LIB_SELINUX])
   LIBS=$gl_save_LIBS
+
+  if test "$ac_cv_search_setfilecon" = no &&
+     test "$host" = "$build" && test -f /selinux/enforce; then
+    AC_MSG_WARN([SELinux active but libselinux missing.])
+    AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.])
+  fi
 ])
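Review bot: The cross-compilation guard `test "$host" = "$build"` depends on variables that are set only after AC_CANONICAL_HOST and AC_CANONICAL_BUILD have run, and nothing visible in gl_LIBSELINUX does an AC_REQUIRE for either. If a package has not invoked them, both variables are empty, the comparison succeeds, and /selinux/enforce on the build machine is probed even in a cross build. Testing `"$cross_compiling" != yes`, which Autoconf sets itself, would remove that dependency. The `test -f /selinux/enforce` probe also reflects only the state of the build machine (a chroot or build host without selinuxfs mounted yields no warning), so the message "SELinux active" should be read as "active on this build host"; a short comment above the test saying so would help packagers interpret it.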
