Re: Error compiling sepgsql in PG9.1

From: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>
To: postgresql Forums <pgsql-general(at)postgresql(dot)org>
Subject: Error compiling sepgsql in PG9.1
Date: 2011-05-20 09:02:57
Message-ID: BANLkTinfUrUJP-GMtcXA9JP8TqQSvHwSFQ@mail.gmail.com
Lists: pgsql-general pgsql-hackers

I had the following error during compile of sepgsql contrib:

root(at)postgresql:~/postgresql-9.1beta1/contrib/sepgsql# make
sed 's,MODULE_PATHNAME,$libdir/sepgsql,g' sepgsql.sql.in >sepgsql.sql
gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith
-Wdeclaration-after-statement -Wendif-labels -Wformat-security
-fno-strict-aliasing -fwrapv -fpic -I. -I. -I../../src/include
-D_GNU_SOURCE -I/usr/include/libxml2 -c -o hooks.o hooks.c
gcc -O2 -Wall -Wmissing-prototypes -Wpointer-arith
-Wdeclaration-after-statement -Wendif-labels -Wformat-security
-fno-strict-aliasing -fwrapv -fpic -I. -I. -I../../src/include
-D_GNU_SOURCE -I/usr/include/libxml2 -c -o selinux.o selinux.c
selinux.c: In function 'sepgsql_compute_avd':
selinux.c:735: warning: implicit declaration of function 'security_deny_unknown'
selinux.c:755: error: 'struct av_decision' has no member named 'flags'
selinux.c:764: warning: implicit declaration of function
'security_compute_av_flags_raw'
selinux.c: In function 'sepgsql_check_perms':
selinux.c:917: error: 'struct av_decision' has no member named 'flags'
selinux.c:917: error: 'SELINUX_AVD_FLAGS_PERMISSIVE' undeclared (first
use in this function)
selinux.c:917: error: (Each undeclared identifier is reported only once
selinux.c:917: error: for each function it appears in.)
make: *** [selinux.o] Error 1

The selinux version is:

root(at)postgresql:~/postgresql-9.1beta1/contrib/sepgsql# dpkg -l | grep seli
ii libselinux1 2.0.55-0ubuntu4
SELinux policy enforcement, run-time librari
ii libselinux1-dev 2.0.55-0ubuntu4
SELinux policy enforcement, development file

--
--
              Emanuel Calvo
              Helpame.com


From: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
To: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>
Cc: postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-20 18:05:00
Message-ID: 1305914700.3057.36.camel@lenovo01-laptop03.gunduz.org

On Fri, 2011-05-20 at 11:02 +0200, Emanuel Calvo wrote:
> I had the following error during compile of sepgsql contrib:

Apparently we need to specify the minimum SELinux version that we can
compile sepgsql against. It builds fine on my Fedora 14 box, where I
have libselinux 2.0.96.

Regards,
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Community: devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org Twitter: http://twitter.com/devrimgunduz


From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>
Cc: postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-21 01:50:11
Message-ID: A9F5079BABDEE646AEBDB6831725762C5560195F45@EUEXCLU01.EU.NEC.COM

As documentation said, it needs libselinux 2.0.93 or higher.
This version supports selabel_lookup(3) for database object classes.

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>



From: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
Cc: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>, postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-21 06:45:57
Message-ID: 1305960357.3057.104.camel@lenovo01-laptop03.gunduz.org

On Sat, 2011-05-21 at 02:50 +0100, Kohei Kaigai wrote:
> As documentation said, it needs libselinux 2.0.93 or higher.
> This version supports selabel_lookup(3) for database object classes.

AFAICS, we are not checking it during configure. It might be worth to
add libselinux version check in the configure phase.
--
Devrim GÜNDÜZ
Principal Systems Engineer @ EnterpriseDB: http://www.enterprisedb.com
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
Community: devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org Twitter: http://twitter.com/devrimgunduz


From: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>
To: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
Cc: Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>, postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-24 11:30:27
Message-ID: BANLkTimYeJYjrQQVYok+kgbJrZ0qsGhLrw@mail.gmail.com

2011/5/21 Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>:
> On Sat, 2011-05-21 at 02:50 +0100, Kohei Kaigai wrote:
>> As documentation said, it needs libselinux 2.0.93 or higher.
>> This version supports selabel_lookup(3) for database object classes.
>
> AFAICS, we are not checking it during configure. It might be worth to
> add libselinux version check in the configure phase.
> --

So it could be added into the configure the check and I think
a patch in the doc could complete this issue. That's right?

--
--
              Emanuel Calvo
              Helpame.com


From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>, Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
Cc: postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-24 11:44:09
Message-ID: A9F5079BABDEE646AEBDB6831725762C55601F0D04@EUEXCLU01.EU.NEC.COM

> 2011/5/21 Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>:
> > On Sat, 2011-05-21 at 02:50 +0100, Kohei Kaigai wrote:
> >> As documentation said, it needs libselinux 2.0.93 or higher.
> >> This version supports selabel_lookup(3) for database object classes.
> >
> > AFAICS, we are not checking it during configure. It might be worth to
> > add libselinux version check in the configure phase.
> > --
>
> So it could be added into the configure the check and I think
> a patch in the doc could complete this issue. That's right?
>
Correct.

Now, configure script checks existence of libselinux using AC_CHECK_LIB(),
but getpeercon(3) has been supported for a long time, thus, an older version
of libselinux can also pass this test.

What I want to check here is an existence of SELABEL_CTX_DB definition in
selinux/label.h header file; supported on 2.0.93 or later.

Do you have any good idea to check existence of a particular definition in
a particular header file.

-- in selinux/label.h
/*
* Available backends.
*/

/* file contexts */
#define SELABEL_CTX_FILE 0
/* media contexts */
#define SELABEL_CTX_MEDIA 1
/* x contexts */
#define SELABEL_CTX_X 2
/* db objects */
#define SELABEL_CTX_DB 3 <-- not exist libselinux older than 2.0.93

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>
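
One way to test for a definition in a particular header, as asked in the message above. This is an added example, not part of the thread or of the PostgreSQL patch: a shell function that runs the same kind of compile test that autoconf's AC_CHECK_DECL performs. The function names `have_decl`, `write_sample_label_h` and `check_sepgsql_headers` are hypothetical, and the sample header is constructed from the defines quoted in the message.

```shell
#!/bin/sh
# Added example (not from the thread): probe a header for a macro the way a
# configure test does, by compiling a small program against it.

# have_decl SYMBOL HEADER [compiler flags...]
# returns 0 if SYMBOL is visible after including HEADER (macro or declaration),
#         1 if it is not, 2 if HEADER itself cannot be included.
have_decl() {
    hd_symbol=$1; hd_header=$2; shift 2
    hd_tmp=$(mktemp -d) || return 2
    printf '#include <%s>\nint main(void) { return 0; }\n' "$hd_header" \
        > "$hd_tmp/hdr.c"
    if ! ${CC:-cc} "$@" -c -o "$hd_tmp/hdr.o" "$hd_tmp/hdr.c" 2>/dev/null; then
        rm -rf "$hd_tmp"; return 2
    fi
    # Using an undeclared identifier is a hard compile error, so this builds
    # only when the macro (or a declaration) exists.
    cat > "$hd_tmp/decl.c" <<EOF
#include <$hd_header>
int main(void)
{
#ifndef $hd_symbol
    (void) $hd_symbol;
#endif
    return 0;
}
EOF
    hd_rc=1
    ${CC:-cc} "$@" -c -o "$hd_tmp/decl.o" "$hd_tmp/decl.c" 2>/dev/null && hd_rc=0
    rm -rf "$hd_tmp"
    return "$hd_rc"
}

# write_sample_label_h DIR yes|no
# Constructed stand-in for selinux/label.h built from the defines quoted in
# the thread; "no" omits SELABEL_CTX_DB, like libselinux older than 2.0.93.
write_sample_label_h() {
    mkdir -p "$1/selinux"
    {
        echo '#define SELABEL_CTX_FILE  0'
        echo '#define SELABEL_CTX_MEDIA 1'
        echo '#define SELABEL_CTX_X     2'
        if [ "$2" = yes ]; then echo '#define SELABEL_CTX_DB    3'; fi
    } > "$1/selinux/label.h"
}

# check_sepgsql_headers [compiler flags...]: the configure-time decision.
check_sepgsql_headers() {
    if have_decl SELABEL_CTX_DB selinux/label.h "$@"; then
        echo "SELABEL_CTX_DB found"
    else
        echo "libselinux version 2.0.93 or newer is required"
        return 1
    fi
}
```

Pass `-I<dir>` to point the probe at a specific header tree; with no flags it tests the system's own selinux/label.h.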



From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>, Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>, Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>
Cc: postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-24 12:20:05
Message-ID: A9F5079BABDEE646AEBDB6831725762C55601F0D24@EUEXCLU01.EU.NEC.COM

I noticed that selinux_sepgsql_context_path(3) was also got merged at libselinux-2.0.83.
So, we could check correctness of library versions using existence of this function.

Does this patch expectedly abort the configure script on older libselinux installation?
I'm not available to setup Ubuntu environment immediately.

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>


Attachment Content-Type Size
sepgsql-fix-config-version.patch application/octet-stream 2.4 KB

From: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>
Cc: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, postgresql Forums <pgsql-general(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-24 14:38:04
Message-ID: BANLkTik5pVcpe=QgHiU5+oOBnDv6sy8i4g@mail.gmail.com

2011/5/24 Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>:
> I noticed that selinux_sepgsql_context_path(3) was also got merged at libselinux-2.0.83.
> So, we could check correctness of library versions using existence of this function.
>
> Does this patch expectedly abort the configure script on older libselinux installation?
> I'm not available to setup Ubuntu environment immediately.
>

I tried to apply your patch, and reject some lines:

ecalvo-laptop(at)dell-desktop:~/postgresql-9.1beta1$ cat configure.rej
--- configure.in
+++ configure.in
@@ -960,7 +960,7 @@

# for contrib/sepgsql
if test "$with_selinux" = yes; then
- AC_CHECK_LIB(selinux, getpeercon_raw, [],
+ AC_CHECK_LIB(selinux, selinux_sepgsql_context_path, [],
[AC_MSG_ERROR([library 'libselinux' is required for
SELinux support])])
fi
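
Review bot: the AC_MSG_ERROR text in the unchanged context lines still reads "library 'libselinux' is required for SELinux support", but with the probe switched to selinux_sepgsql_context_path the check can now fail on a system where libselinux is installed and merely too old. Someone hitting that failure would be told the library is missing. Suggest wording the message around the minimum version the thread cites (2.0.93) so the failure points at an upgrade rather than an install.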

I'm not with CVS version, I'm using beta download. I need to update my CVS
version. At least I will apply these lines manually to test now.

--
--
              Emanuel Calvo
              Helpame.com


From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Cc: Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>, postgresql Forums <pgsql-general(at)postgresql(dot)org>
Subject: Re: Error compiling sepgsql in PG9.1
Date: 2011-05-24 17:30:32
Message-ID: A9F5079BABDEE646AEBDB6831725762C55601F0ECC@EUEXCLU01.EU.NEC.COM

The attached patch enables to abort configure script when we run it with '--with-selinux'
option, but libselinux is older than minimum requirement to SE-PostgreSQL.

As the documentation said, it needs libselinux-2.0.93 at least, because this or later
version support selabel_lookup(3) for database object classes; used to initial labeling.

The current configure script checks existence of libselinux, but no version checks.
(getpeercon_raw(3) has been a supported API for a long term.)
The selinux_sepgsql_context_path(3) is a good watermark of libselinux-2.0.93 instead.

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>


Attachment Content-Type Size
sepgsql-fix-config-version.patch application/octet-stream 2.4 KB

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>
Cc: Devrim GÜNDÜZ <devrim(at)gunduz(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>, Emanuel Calvo <postgres(dot)arg(at)gmail(dot)com>, postgresql Forums <pgsql-general(at)postgresql(dot)org>
Subject: Re: [HACKERS] Error compiling sepgsql in PG9.1
Date: 2011-05-24 18:12:00
Message-ID: BANLkTinK-=7HoiHUuRZQfo-Z-aNX0Yqcsw@mail.gmail.com

2011/5/24 Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>:
> The attached patch enables to abort configure script when we run it with '--with-selinux'
> option, but libselinux is older than minimum requirement to SE-PostgreSQL.
>
> As the documentation said, it needs libselinux-2.0.93 at least, because this or later
> version support selabel_lookup(3) for database object classes; used to initial labeling.
>
> The current configure script checks existence of libselinux, but no version checks.
> (getpeercon_raw(3) has been a supported API for a long term.)
> The selinux_sepgsql_context_path(3) is a good watermark of libselinux-2.0.93 instead.

Looks to me like you need to adjust the wording of the error message.

Maybe "libselinux version 2.0.93 or newer is required", or something like that.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [GENERAL] Error compiling sepgsql in PG9.1
Date: 2011-05-24 19:53:19
Message-ID: 14420.1306266799@sss.pgh.pa.us

Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> 2011/5/24 Kohei Kaigai <Kohei(dot)Kaigai(at)emea(dot)nec(dot)com>:
>> The attached patch enables to abort configure script when we run it with '--with-selinux'
>> option, but libselinux is older than minimum requirement to SE-PostgreSQL.

> Looks to me like you need to adjust the wording of the error message.
> Maybe "libselinux version 2.0.93 or newer is required", or something like that.

Yeah. Applied with that change.

BTW, it's not helpful to include the diff of the generated configure
script in such patches. The committer will run autoconf for himself,
and from a readability standpoint the generated file is quite useless.

regards, tom lane