selinux lib removal

Stephen Smalley sds at epoch.ncsc.mil
Thu Nov 4 14:07:12 UTC 2004


On Thu, 2004-11-04 at 06:04, John Logsdon wrote:
> I specifically *don't* want to use selinux and in particular I don't want
> to depend on libselinux.so.1 that I can't remove.
> 
> [root at pan pan]# rpm -e libselinux
> error: Failed dependencies:
>         libselinux.so.1 is needed by (installed) device-mapper-1.00.14-3
>         libselinux.so.1 is needed by (installed) psmisc-21.4-2
>         libselinux.so.1 is needed by (installed) shadow-utils-4.0.3-21
>         libselinux.so.1 is needed by (installed) vim-minimal-6.2.457-1
>         libselinux.so.1 is needed by (installed) findutils-4.1.7-25
>         libselinux.so.1 is needed by (installed) coreutils-5.2.1-7
>         libselinux.so.1 is needed by (installed) lvm2-2.00.15-2
>         libselinux.so.1 is needed by (installed) rpm-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) pam-0.77-40
>         libselinux.so.1 is needed by (installed) policycoreutils-1.11-2
>         libselinux.so.1 is needed by (installed) SysVinit-2.85-25
>         libselinux.so.1 is needed by (installed) util-linux-2.12-18
>         libselinux.so.1 is needed by (installed) prelink-0.3.2-1
>         libselinux.so.1 is needed by (installed) passwd-0.68-8.1
>         libselinux.so.1 is needed by (installed) usermode-1.70-2
>         libselinux.so.1 is needed by (installed) logrotate-3.7-4.1
>         libselinux.so.1 is needed by (installed) star-1.5a25-5
>         libselinux.so.1 is needed by (installed) at-3.1.8-53
>         libselinux.so.1 is needed by (installed) sudo-1.6.7p5-26
>         libselinux.so.1 is needed by (installed) vixie-cron-3.0.1-87
>         libselinux.so.1 is needed by (installed) net-snmp-5.1.1-2
>         libselinux.so.1 is needed by (installed) fam-2.6.10-9
>         libselinux.so.1 is needed by (installed) usermode-gtk-1.70-2
>         libselinux.so.1 is needed by (installed) vim-enhanced-6.2.457-1
>         libselinux.so.1 is needed by (installed) gdm-2.6.0.0-3
>         libselinux.so.1 is needed by (installed) kdelibs-3.2.2-4
>         libselinux.so.1 is needed by (installed) kdebase-3.2.2-4
>         libselinux.so.1 is needed by (installed) kdepim-3.2.2-2
>         libselinux.so.1 is needed by (installed) kdemultimedia-3.2.2-2
>         libselinux.so.1 is needed by (installed) rpm-build-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) rpm-devel-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) kdeutils-3.2.2-3
>         libselinux.so.1 is needed by (installed) kdesdk-3.2.2-2
>         libselinux >= 1.11.3-1 is needed by (installed) SysVinit-2.85-25
>         libselinux is needed by (installed) vixie-cron-3.0.1-87
> 
> Would I need to compile all the programs that depend on libselinux against
> another library before removing?  It does seem to me to be against the
> fundamental tenets of security to fork these programs.

You'd have to rewrite the SELinux patches to these programs to use
dlopen() and friends for accessing the libselinux functions and
gracefully handle the case where it is not present (not too hard, as the
SELinux userland patches already have logic for the
!is_selinux_enabled() case to deal with a non-SELinux or
SELinux-disabled kernel).  This was suggested on the selinux mailing
list in May by someone looking into Debian SELinux integration.  In the
end, I think they concluded it was better to just promote libselinux to
base and required status as with libattr/libacl.

While it would be possible to rewrite the SELinux patches in this manner
(except for statically linked programs, but they seem very rare in
Fedora, even /sbin/init is dynamically linked), it would obviously
require someone to invest the time to do so, and the benefit of doing so
is not clear.  I suspect that there are larger libraries on your system
that you would have a hard time removing as well...

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
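The dlopen() rewrite the reply describes, as an added example that is not code from libselinux or from any package in the dependency list above: a shim that loads libselinux.so.1 at run time, resolves the real entry points is_selinux_enabled(), getcon() and freecon(), and, when the library is missing, reports "SELinux disabled" so the program takes the !is_selinux_enabled() branch it already has. The selinux_shim_* names and the library path are assumptions.

```c
/* Constructed example of the dlopen() shim the reply describes; not code from
 * libselinux or any package listed above. selinux_shim_* names are hypothetical. */
#include <dlfcn.h>
#include <stddef.h>
/* Pointer types matching the real libselinux prototypes. */
typedef int (*is_selinux_enabled_fn)(void);
typedef int (*getcon_fn)(char **con);
typedef void (*freecon_fn)(char *con);
static void *selinux_handle;
static is_selinux_enabled_fn p_is_selinux_enabled;
static getcon_fn p_getcon;
static freecon_fn p_freecon;

/* 1 if 'path' loaded and every symbol resolved; 0 means "no libselinux", and the
 * caller then takes the branch it already has for !is_selinux_enabled(). */
int selinux_shim_load(const char *path)
{
    selinux_handle = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (selinux_handle == NULL)
        return 0;
    p_is_selinux_enabled = (is_selinux_enabled_fn)dlsym(selinux_handle, "is_selinux_enabled");
    p_getcon = (getcon_fn)dlsym(selinux_handle, "getcon");
    p_freecon = (freecon_fn)dlsym(selinux_handle, "freecon");
    if (p_is_selinux_enabled == NULL || p_getcon == NULL || p_freecon == NULL) {
        dlclose(selinux_handle); /* incomplete library: treat it as absent */
        selinux_handle = NULL;
        p_is_selinux_enabled = NULL; p_getcon = NULL; p_freecon = NULL;
        return 0;
    }
    return 1;
}

/* Absent library: SELinux is treated as disabled, like a non-SELinux kernel. */
int selinux_shim_enabled(void)
{
    return p_is_selinux_enabled != NULL && p_is_selinux_enabled() > 0;
}

/* -1 with *con = NULL when unavailable; otherwise libselinux's own getcon() result. */
int selinux_shim_getcon(char **con)
{
    *con = NULL;
    return selinux_shim_enabled() ? p_getcon(con) : -1;
}

/* Release a context obtained from selinux_shim_getcon(). */
void selinux_shim_freecon(char *con)
{
    if (p_freecon != NULL && con != NULL)
        p_freecon(con);
}
```

Link with -ldl on glibc older than 2.34; as the reply notes, a statically linked program cannot take this route at all.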