Re: [PATCH] warn on missing selinux files

From: Jim Meyering
Subject: Re: [PATCH] warn on missing selinux files
Date: Sat, 27 Jun 2009 14:26:00 +0200

Paolo Bonzini wrote:
> Compiling a package without SELinux support can be a security
> problem. On some distributions devel packages for libselinux have to
> be downloaded separately, and it can go unnoticed that packages have
> been configured without SELinux support.
> The attached patch will warn if it finds libselinux but not
> selinux/selinux.h, or when not cross-compiling if it finds
> /selinux/enforce but not libselinux.
> I'd like to include this check in sed 4.2.1 to warn packagers about
> the additional dependency.

Good idea.

That all looks fine, except the comment for your new function,
gl_LIBSELINUX belongs in the .m4 file, and not just in the log.
For the log, this would then be fine:

        (gl_LIBSELINUX): New function.  Extracted from...

> Ok?  Should I test /selinux instead of /selinux/enforce?

That would be better, since on a system for which $(getenforce) reports
"Permissive", /selinux/enforce won't exist.
It might be better still simply to see if getenforce can be run.

> 2009-06-27  Paolo Bonzini  <address@hidden>
>       * m4/selinux-context-h (gl_HEADERS_SELINUX_CONTEXT_H): Remove
>       self-explaining comment.
>       * m4/selinux-selinux-h: Update serial.
>       (gl_LIBSELINUX): Warn if SELinux is found but libselinux is absent;
>       extracted from...
>       (gl_HEADERS_SELINUX_SELINUX_H): ... this one.  Require gl_LIBSELINUX.
>       Add warning for missing development packages here, too.
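The two-sided check the thread describes, written out as a POSIX sh model (an added example, not the m4 code from the patch or from gnulib); every probe location and the getenforce command name are parameters so the logic can be run against constructed directories rather than the real /selinux and system headers:

```shell
# Added example: a sh model of the configure-time check, not the m4 itself.
# All locations are parameters so the logic can be exercised offline.

# SELinux present at runtime?  True if the named getenforce command is on
# PATH (Jim's suggestion) or the selinuxfs mount point directory exists
# (the /selinux test discussed in the thread).
selinux_runtime_present() {
    getenforce=$1
    selinuxfs_dir=$2
    command -v "$getenforce" >/dev/null 2>&1 && return 0
    [ -d "$selinuxfs_dir" ]
}

# Arguments: getenforce command, selinuxfs dir, include dir, lib dir,
# cross-compiling (yes/no).  Returns 0 when the build is consistent and
# 1 after printing the packager-facing warning (what AC_MSG_WARN would do).
selinux_configure_check() {
    getenforce=$1; selinuxfs_dir=$2; include_dir=$3; lib_dir=$4; cross=$5
    have_lib=no
    have_hdr=no
    if [ -e "$lib_dir/libselinux.so" ] || [ -e "$lib_dir/libselinux.a" ]; then
        have_lib=yes
    fi
    if [ -f "$include_dir/selinux/selinux.h" ]; then
        have_hdr=yes
    fi
    # Case 1: the runtime library is installed but the devel package is not.
    if [ "$have_lib" = yes ] && [ "$have_hdr" = no ]; then
        echo "configure: WARNING: libselinux found but selinux/selinux.h is" \
             "missing; install the libselinux development package" >&2
        return 1
    fi
    # Case 2: native build on a host running SELinux, but no libselinux at all.
    # Skipped when cross-compiling: the build host says nothing about the target.
    if [ "$cross" != yes ] && [ "$have_lib" = no ] &&
       selinux_runtime_present "$getenforce" "$selinuxfs_dir"; then
        echo "configure: WARNING: SELinux is enabled on this host but libselinux" \
             "was not found; the built binaries will lack SELinux support" >&2
        return 1
    fi
    return 0
}
```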

