To: "bug-gnulib@gnu.org List"
From: Assaf Gordon
Subject: selinux: insufficient M4 detection with building static binaries
Message-ID: <753bc8ec-0bcc-7872-3549-e2ce4d413819@gmail.com>
Date: Sun, 7 Apr 2019 00:33:57 -0600
List-Id: Gnulib discussion list

Hi,

While exploring building coreutils as a static binary
( https://lists.gnu.org/r/coreutils/2019-04/msg00001.html )
I noticed that gnulib's selinux detection is incomplete.

Details:
The m4/selinux-selinux.m4 file checks for the 'setfilecon' function like so:
"AC_SEARCH_LIBS([setfilecon], [selinux], ..."
https://git.savannah.gnu.org/cgit/gnulib.git/tree/m4/selinux-selinux-h.m4#n56

This function can be linked statically,
but cp, mv and install also use "matchpathcon_init_prefix",
which can't be linked statically (unless selinux was built for static
linking?), and so linking fails.

To reproduce:

--- se-good.c ---
extern char setfilecon();
int main(){return setfilecon();}

--- se-bad.c ---
extern char matchpathcon_init_prefix();
int main(){return matchpathcon_init_prefix();}

$ gcc -o 1 -static se-good.c -lselinux && echo ok
ok
$ gcc -o 1 -static se-bad.c -lselinux
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(regex.o): In function `regex_writef':
(.text+0x7b): undefined reference to `pcre_fullinfo'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(regex.o): In function `regex_writef':
(.text+0xef): undefined reference to `pcre_fullinfo'
...
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(load_policy.o): In function `selinux_mkload_policy':
(.text+0x7cc): undefined reference to `sepol_policy_kern_vers_max'
/usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libselinux.a(load_policy.o): In function `selinux_mkload_policy':
(.text+0x7d5): undefined reference to `sepol_policy_kern_vers_min'
collect2: error: ld returned 1 exit status

And so when building static binaries, SELinux is detected as available,
but linking cp/mv/install fails with the above errors.

---

I see that coreutils' m4/jm-macros.m4 does contain special checks for
"matchpathcon_init_prefix":
https://git.savannah.gnu.org/cgit/coreutils.git/tree/m4/jm-macros.m4#n51

Perhaps it used to be that "matchpathcon_init_prefix" was optional when
building with selinux? It seems that now it is required.

---

tweaking m4/selinux combinations is beyond my comfort zone...
the following hack at least avoids the issue by detecting that linking
with "matchpathcon_init_prefix" fails, thus automatically disabling
SELinux for static builds:

---
diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4 index 8bbbf0535..a35ce6cf0 100644 --- a/m4/selinux-selinux-h.m4 +++ b/m4/selinux-selinux-h.m4 @@ -56,12 +56,13 @@ AC_DEFUN([gl_LIBSELINUX], AC_SEARCH_LIBS([setfilecon], [selinux], [test "$ac_cv_search_setfilecon" = "none required" || LIB_SELINUX=$ac_cv_search_setfilecon]) + AC_CHECK_LIB([selinux], [matchpathcon_init_prefix], [], []) LIBS=$gl_save_LIBS fi AC_SUBST([LIB_SELINUX]) # Warn if SELinux is found but libselinux is absent; - if test "$ac_cv_search_setfilecon" = no; then + if test "$ac_cv_search_setfilecon" = no || test "$ac_cv_lib_selinux_matchpathcon_init_prefix" = no ; then if test "$host" = "$build" && test -d /selinux; then AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.])
---

regards,
 - assaf
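
Review bot: The added AC_CHECK_LIB([selinux], [matchpathcon_init_prefix], [], []) passes an empty action-if-found, which autoconf treats as "not specified", so the default action runs: it prepends -lselinux to LIBS and defines HAVE_LIBSELINUX. The LIBS change is undone by the LIBS=$gl_save_LIBS line that follows, but the define stays; passing [:] as the third argument keeps the check a pure probe that only sets ac_cv_lib_selinux_matchpathcon_init_prefix. In the rewritten "if test" line, the new failure case reuses the warning "This system supports SELinux but libselinux is missing.", which is misleading when libselinux.a is present and only matchpathcon_init_prefix fails to link statically, so a separate message for that case would help whoever reads the configure log. The warning is also still gated on test "$host" = "$build" && test -d /selinux, so a static build on a host without /selinux would drop SELinux support silently. Finally, LIB_SELINUX is set from the setfilecon search in the lines above and nothing visible in this hunk clears it when the second check fails; it is worth confirming that the rest of the "if" body does so, otherwise -lselinux is still handed to the link step of a build that is meant to go without SELinux.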