[Rpm-maint] [PATCH 3/6] Use selabel interfaces instead of matchpathcon

[Panu Matilainen]

On Wed, 14 Jul 2010, Steve Lawrence wrote:

> This replaces the old matchpathcon interfaces with the new selabel
> interfaces for relabeling files, storing an selabel handle in the
> transaction set.
>
> With this change, also comes an added distinction between --nocontexts
> being specified and a failure to read the load file contexts.
> Previously, there was no distinction, and both cases used the
> RPMTRANS_FLAG_NOCONTEXTS flag.
>
> However, with the new policy plugin, it is necessary to make such a
> distinction. This is because matchpathcon_init (now selabel interfaces)
> can fail at the beginning of the transaction, but succeed later after
> new policy is installed. Because of this, we may need to enable/disable
> RPMTRANS_FLAG_NOCONTEXTS multiple times. However, because this flag
> could also mean --nocontexts, we cannot do that. By storing the selabel
> handle in the rpmts, we can easily keep track if the handle has been
> successfully created, rather than overloading RPMTRANS_FLAG_NOCONTEXTS
> with two meanings.

[...]
> diff --git a/lib/rpmts.h b/lib/rpmts.h
> index 9b7c306..5c4840c 100644
> --- a/lib/rpmts.h
> +++ b/lib/rpmts.h
> @@ -397,6 +397,27 @@ void rpmtsSetScriptFd(rpmts ts, FD_t scriptFd);
> int rpmtsSELinuxEnabled(rpmts ts);
>
> /** \ingroup rpmts
> + * Get the selabel handle from the transaction set
> + * @param ts		transaction set
> + * @return		selabel handle, or NULL if it hasn't been initialized yet
> + */
> +struct selabel_handle * rpmtsSELabelHandle(rpmts ts);

NAK. This causes public API to depend on SELinux which is a compile-time 
optional feature. Please use a void pointer, or wrap it behind an 
rpm-specific typedef which can hide missing selinux as necessary, eg 
something like

#ifdef <some suitable selinux define>
typedef struct selable_handle * rpm_sehandle_t;
#else
typedef void * rpm_sehandle_t;
#endif

rpm_sehandle_t rpmtsSELabelHandle(rpmts ts);

 	- Panu -