On 10/01/2026 03:12, Pádraig Brady wrote:
On 10/01/2026 01:53, Bruno Haible via Gnulib discussion list wrote:Hi Michael,This patch has two problems: 1) It very much looks like it has not been tested. If you submit a patch, by default, we assume that we can trust it because you have tested it. You can, alternatively, submit an untested patch, but then _say_so_, that it is untested.The && and in the wrong place yes, but the patch is reviewable.2) The patch confuses two functionalities: - (a) whether to interface with libselinux, - (b) whether to build the chcon, runcon programs. By the GNU Coding Standards [1], (a) should be triggered by a --with-* configure option; whereas (b) should be triggered by a --enable-* configure option. So, instead of changing the meaning of the --with-selinux / --without-selinux options, what we would need is a patch that enables the build of the chcon, runcon programs conditionally based on some --enable-* option. Bruno [1] https://www.gnu.org/prep/standards/html_node/Configuration.htmlruncon and chcon do link with libselinux on my Fedora system, but yes the stubs don't need libselinux. The idea with the coreutils 9.9 change¹ was to not bother building stub chcon and runcon on systems without libselinux, though you could override that default and force building those utils with the --with-selinux option. I didn't think adding another config variable was warranted for this. Also buildilng of those utils can be controlled directly with the ./configure --enable-install-program=runcon,chcon (and vice versa with --enable-no-install-program=PROG_LIST). We just thought this was better default behavior, but we can revert that change if it's problematic. But yes in testing now without libselinux and --with-selinux the stubs are not built because without Michael's change with_selinux is forced to no, which impacts the coreutils configure logic. I'll think a bit more about all this tomorrow. BTW that `test -d /selinux` should be updated to also check for the "/sys/fs/selinux" dir. cheers, Padraig ¹ https://github.com/coreutils/coreutils/commit/8ba47d09a
I've changed this instead to the following 2 patches. The first fixes this issue by only overriding the with_selinux variable in the default case where neither --with-selinux or --without-selinux is provided. This better aligns with what the user requested, and also seems more consistent since there are no other instances of this in gnulib as indicated by git grep -E 'with_[a-z]*=(yes|no) m4 I tested this in coretuils with and without libselinux, with and without selinux.h, and with various ./configure option combinations. The second patch uses the more modern /sys/fs/selinux path so that we now warn if users are building without selinux devel libs on a system that is in fact running selinux. cheers, Padraig
From 2d8f0bb05cce3c76e81e35b31c0ef3f52171b8aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <[email protected]> Date: Sat, 10 Jan 2026 19:12:41 +0000 Subject: [PATCH 1/2] selinux-h: only override default --with-selinux user setting * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): Only override the default with_selinux user setting, leaving explicit --with-selinux untouched. E.g., coreutils uses --with-selinux to force build the runcon and chcon stubs on systems without libselinux. --- ChangeLog | 8 ++++++++ m4/selinux-selinux-h.m4 | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 3a70f44748..e0cccce475 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2026-01-10 Pádraig Brady <[email protected]> + + selinux-h: only override default --with-selinux user setting + * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): Only override the default + with_selinux user setting, leaving explicit --with-selinux untouched. + E.g., coreutils uses --with-selinux to force build the runcon + and chcon stubs on systems without libselinux. + 2026-01-09 Bruno Haible <[email protected]> announce-gen: Fix instructions for verifying the SHA3-256 checksums. diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4 index 5b93446162..89c3c1582b 100644 --- a/m4/selinux-selinux-h.m4 +++ b/m4/selinux-selinux-h.m4 @@ -92,6 +92,8 @@ AC_DEFUN([gl_LIBSELINUX], AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.]) fi - with_selinux=no + if test "$with_selinux" = maybe; then + with_selinux=no + fi fi ]) -- 2.52.0
From 3dfe3ab6c1f07982d8649fbc21078ddd7f010547 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <[email protected]> Date: Sat, 10 Jan 2026 19:17:54 +0000 Subject: [PATCH 2/2] selinux-h: warning about missing libselinux on modern systems * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): /sys/fs/selinux is generally used since Linux kernel 2.6, so test that also. --- ChangeLog | 6 ++++++ m4/selinux-selinux-h.m4 | 3 ++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e0cccce475..9fdc1b301d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2026-01-10 Pádraig Brady <[email protected]> + + selinux-h: warning about missing libselinux on modern systems + * m4/selinux-selinux-h.m4 (gl_LIBSELINUX): /sys/fs/selinux is generally + used since Linux kernel 2.6, so test that also. + 2026-01-10 Pádraig Brady <[email protected]> selinux-h: only override default --with-selinux user setting diff --git a/m4/selinux-selinux-h.m4 b/m4/selinux-selinux-h.m4 index 89c3c1582b..b3fcd2102e 100644 --- a/m4/selinux-selinux-h.m4 +++ b/m4/selinux-selinux-h.m4 @@ -88,7 +88,8 @@ AC_DEFUN([gl_LIBSELINUX], # Warn if SELinux is found but libselinux is absent; if test "$ac_cv_search_setfilecon" = no; then - if test "$host" = "$build" && test -d /selinux; then + if test "$host" = "$build" \ + && { test -d /sys/fs/selinux || test -d /selinux; }; then AC_MSG_WARN([This system supports SELinux but libselinux is missing.]) AC_MSG_WARN([AC_PACKAGE_NAME will be compiled without SELinux support.]) fi -- 2.52.0
