[libvirt] [PATCH v2] build: fix build with libselinux 2.3

Several function signatures changed in libselinux 2.3, now taking a 'const char *' instead of 'security_context_t'. The latter is defined in selinux/selinux.h as typedef char *security_context_t; --- m4/virt-selinux.m4 | 18 ++++++++++++++++++ tests/securityselinuxhelper.c | 16 ++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 index 003c2a8..c299793 100644 --- a/m4/virt-selinux.m4 +++ b/m4/virt-selinux.m4 @@ -28,6 +28,24 @@ AC_DEFUN([LIBVIRT_CHECK_SELINUX],[ [with_selinux_mount=check]) if test "$with_selinux" = "yes"; then + AC_CACHE_CHECK([for selinux setcon parameter type], [gt_cv_setcon_param], + [AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ +#include <selinux/selinux.h> + +int setcon(const security_context_t context) { + return 0; +} + ]], + [[]])], + [gt_cv_setcon_param='security_context'], + [gt_cv_setcon_param='const char*'])]) + if test "$gt_cv_setcon_param" = 'const char*'; then + AC_DEFINE_UNQUOTED([SELINUX_CTX_CHAR_PTR], 1, + [SELinux uses char * for security context]) + fi + AC_MSG_CHECKING([SELinux mount point]) if test "$with_selinux_mount" = "check" || test -z "$with_selinux_mount"; then if test -d /sys/fs/selinux ; then diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c index dbc4c29..af4fae4 100644 --- a/tests/securityselinuxhelper.c +++ b/tests/securityselinuxhelper.c @@ -156,7 +156,11 @@ int getpidcon(pid_t pid, security_context_t *context) return getpidcon_raw(pid, context); } +#ifdef SELINUX_CTX_CHAR_PTR +int setcon_raw(const char *context) +#else int setcon_raw(security_context_t context) +#endif { if (!is_selinux_enabled()) { errno = EINVAL; 
@@ -165,13 +169,21 @@ int setcon_raw(security_context_t context) return setenv("FAKE_SELINUX_CONTEXT", context, 1); } +#ifdef SELINUX_CTX_CHAR_PTR +int setcon(const char *context) +#else int setcon(security_context_t context) +#endif { return setcon_raw(context); } +#ifdef SELINUX_CTX_CHAR_PTR +int setfilecon_raw(const char *path, const char *con) +#else int setfilecon_raw(const char *path, security_context_t con) +#endif { const char *constr = con; if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) { @@ -182,7 +194,11 @@ int setfilecon_raw(const char *path, security_context_t con) constr, strlen(constr), 0); } +#ifdef SELINUX_CTX_CHAR_PTR +int setfilecon(const char *path, const char *con) +#else int setfilecon(const char *path, security_context_t con) +#endif { return setfilecon_raw(path, con); } -- 1.8.4.5
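
Review bot: the probe body inside AC_LANG_PROGRAM in m4/virt-selinux.m4 declares setcon with 'const security_context_t context', and given the typedef quoted in the commit message that is a const pointer to char, not a pointer to const char. The check therefore distinguishes the two libselinux versions only because this definition conflicts with the header's prototype once the header takes 'const char *'. A one-line comment above AC_COMPILE_IFELSE saying so would spare the next reader from working it out. The success-branch value 'security_context' does not name a real type and should read 'security_context_t', since it is what AC_CACHE_CHECK prints in the configure output. AC_DEFINE_UNQUOTED is also not needed here, because the value 1 contains nothing for the shell to expand and plain AC_DEFINE would do.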
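
Review bot: the '#ifdef SELINUX_CTX_CHAR_PTR' / '#else' / '#endif' block is repeated verbatim around setcon_raw, setcon, setfilecon_raw and setfilecon in tests/securityselinuxhelper.c, so every wrapper now carries two prototypes that have to be kept in sync by hand. Selecting the context parameter type once under that guard near the top of the file, and using it in all four definitions, would leave one prototype per function and make a later signature change a single-line edit. The bodies need no change either way: 'const char *constr = con;' in setfilecon_raw and the setenv() call in setcon_raw accept both parameter types.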

Cédric Bosdonnat wrote:
Several function signatures changed in libselinux 2.3, now taking a 'const char *' instead of 'security_context_t'. The latter is defined in selinux/selinux.h as
typedef char *security_context_t; --- m4/virt-selinux.m4 | 18 ++++++++++++++++++ tests/securityselinuxhelper.c | 16 ++++++++++++++++ 2 files changed, 34 insertions(+)
diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 index 003c2a8..c299793 100644 --- a/m4/virt-selinux.m4 +++ b/m4/virt-selinux.m4 @@ -28,6 +28,24 @@ AC_DEFUN([LIBVIRT_CHECK_SELINUX],[ [with_selinux_mount=check])
if test "$with_selinux" = "yes"; then + AC_CACHE_CHECK([for selinux setcon parameter type], [gt_cv_setcon_param], + [AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ +#include <selinux/selinux.h> + +int setcon(const security_context_t context) { + return 0; +} + ]], + [[]])], + [gt_cv_setcon_param='security_context'], + [gt_cv_setcon_param='const char*'])]) + if test "$gt_cv_setcon_param" = 'const char*'; then + AC_DEFINE_UNQUOTED([SELINUX_CTX_CHAR_PTR], 1, + [SELinux uses char * for security context]) + fi +
As Eric suggested, this is much better than the version check. But I'll defer review of this fun code to him :-).
AC_MSG_CHECKING([SELinux mount point]) if test "$with_selinux_mount" = "check" || test -z "$with_selinux_mount"; then if test -d /sys/fs/selinux ; then diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c index dbc4c29..af4fae4 100644 --- a/tests/securityselinuxhelper.c +++ b/tests/securityselinuxhelper.c @@ -156,7 +156,11 @@ int getpidcon(pid_t pid, security_context_t *context) return getpidcon_raw(pid, context); }
+#ifdef SELINUX_CTX_CHAR_PTR +int setcon_raw(const char *context) +#else int setcon_raw(security_context_t context) +#endif
I tried Eric's alternative of defining a VIR_SELINUX_CTX_CONST to either '' or 'const', but couldn't get that to work. Deferring to Eric as well...
Nonetheless, this patch works for me and is a good improvement over V1.
Regards,
Jim
{ if (!is_selinux_enabled()) { errno = EINVAL; @@ -165,13 +169,21 @@ int setcon_raw(security_context_t context) return setenv("FAKE_SELINUX_CONTEXT", context, 1); }
+#ifdef SELINUX_CTX_CHAR_PTR +int setcon(const char *context) +#else int setcon(security_context_t context) +#endif { return setcon_raw(context); }
+#ifdef SELINUX_CTX_CHAR_PTR +int setfilecon_raw(const char *path, const char *con) +#else int setfilecon_raw(const char *path, security_context_t con) +#endif { const char *constr = con; if (STRPREFIX(path, abs_builddir "/securityselinuxlabeldata/nfs/")) { @@ -182,7 +194,11 @@ int setfilecon_raw(const char *path, security_context_t con) constr, strlen(constr), 0); }
+#ifdef SELINUX_CTX_CHAR_PTR +int setfilecon(const char *path, const char *con) +#else int setfilecon(const char *path, security_context_t con) +#endif { return setfilecon_raw(path, con); }

On 05/28/2014 06:44 AM, Cédric Bosdonnat wrote:
Several function signatures changed in libselinux 2.3, now taking a 'const char *' instead of 'security_context_t'. The latter is defined in selinux/selinux.h as
typedef char *security_context_t; --- m4/virt-selinux.m4 | 18 ++++++++++++++++++ tests/securityselinuxhelper.c | 16 ++++++++++++++++ 2 files changed, 34 insertions(+)
diff --git a/m4/virt-selinux.m4 b/m4/virt-selinux.m4 index 003c2a8..c299793 100644 --- a/m4/virt-selinux.m4 +++ b/m4/virt-selinux.m4 @@ -28,6 +28,24 @@ AC_DEFUN([LIBVIRT_CHECK_SELINUX],[ [with_selinux_mount=check])
if test "$with_selinux" = "yes"; then + AC_CACHE_CHECK([for selinux setcon parameter type], [gt_cv_setcon_param], + [AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ +#include <selinux/selinux.h> + +int setcon(const security_context_t context) {
So this tests if we are compatible with the old signature...
+ return 0; +} + ]], + [[]])], + [gt_cv_setcon_param='security_context'],
...if so, we set the param to one value,... Typo - there is no 'security_context'.
+ [gt_cv_setcon_param='const char*'])])
...if not, we assume const char* works instead. I wonder if it is better to check for the new signature, and if it fails assume the old; but unless a third signature ever appears in the future, it probably doesn't matter.
+ if test "$gt_cv_setcon_param" = 'const char*'; then + AC_DEFINE_UNQUOTED([SELINUX_CTX_CHAR_PTR], 1, + [SELinux uses char * for security context])
I'll still like to try and do a slicker macro that is either '' or 'const', because then...
+ fi + AC_MSG_CHECKING([SELinux mount point]) if test "$with_selinux_mount" = "check" || test -z "$with_selinux_mount"; then if test -d /sys/fs/selinux ; then diff --git a/tests/securityselinuxhelper.c b/tests/securityselinuxhelper.c index dbc4c29..af4fae4 100644 --- a/tests/securityselinuxhelper.c +++ b/tests/securityselinuxhelper.c @@ -156,7 +156,11 @@ int getpidcon(pid_t pid, security_context_t *context) return getpidcon_raw(pid, context); }
+#ifdef SELINUX_CTX_CHAR_PTR +int setcon_raw(const char *context) +#else int setcon_raw(security_context_t context) +#endif
...here you would just need:
int setcon_raw(POSSIBLY_CONST char *context)
instead of #ifdefs.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 05/28/2014 11:38 AM, Eric Blake wrote:
On 05/28/2014 06:44 AM, Cédric Bosdonnat wrote:
Several function signatures changed in libselinux 2.3, now taking a 'const char *' instead of 'security_context_t'. The latter is defined in selinux/selinux.h as
typedef char *security_context_t; ---
ACK to your version, after all.
+ [gt_cv_setcon_param='security_context'],
Typo - there is no 'security_context'.
I fixed that, and pushed your version.
I'll still like to try and do a slicker macro that is either '' or 'const', because then...
...here you would just need:
int setcon_raw(POSSIBLY_CONST char *context)
instead of #ifdefs.
My attempts to tweak this weren't panning out quickly enough, and yours definitely fixes a build-breaker, while still working for me with libselinux 2.2. Thanks for stepping in and helping :)
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Eric Blake wrote:
My attempts to tweak this weren't panning out quickly enough, and yours definitely fixes a build-breaker, while still working for me with libselinux 2.2. Thanks for stepping in and helping :)
I managed to get your idea working and sent a cleanup patch.
Regards,
Jim
participants (3): Cédric Bosdonnat, Eric Blake, Jim Fehlig