On Thu, 2004-11-04 at 06:04, John Logsdon wrote:
> I specifically *don't* want to use selinux and in particular I don't want
> to depend on libselinux.so.1 that I can't remove.
>
> [root@pan pan]# rpm -e libselinux
> error: Failed dependencies:
>         libselinux.so.1 is needed by (installed) device-mapper-1.00.14-3
>         libselinux.so.1 is needed by (installed) psmisc-21.4-2
>         libselinux.so.1 is needed by (installed) shadow-utils-4.0.3-21
>         libselinux.so.1 is needed by (installed) vim-minimal-6.2.457-1
>         libselinux.so.1 is needed by (installed) findutils-4.1.7-25
>         libselinux.so.1 is needed by (installed) coreutils-5.2.1-7
>         libselinux.so.1 is needed by (installed) lvm2-2.00.15-2
>         libselinux.so.1 is needed by (installed) rpm-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) pam-0.77-40
>         libselinux.so.1 is needed by (installed) policycoreutils-1.11-2
>         libselinux.so.1 is needed by (installed) SysVinit-2.85-25
>         libselinux.so.1 is needed by (installed) util-linux-2.12-18
>         libselinux.so.1 is needed by (installed) prelink-0.3.2-1
>         libselinux.so.1 is needed by (installed) passwd-0.68-8.1
>         libselinux.so.1 is needed by (installed) usermode-1.70-2
>         libselinux.so.1 is needed by (installed) logrotate-3.7-4.1
>         libselinux.so.1 is needed by (installed) star-1.5a25-5
>         libselinux.so.1 is needed by (installed) at-3.1.8-53
>         libselinux.so.1 is needed by (installed) sudo-1.6.7p5-26
>         libselinux.so.1 is needed by (installed) vixie-cron-3.0.1-87
>         libselinux.so.1 is needed by (installed) net-snmp-5.1.1-2
>         libselinux.so.1 is needed by (installed) fam-2.6.10-9
>         libselinux.so.1 is needed by (installed) usermode-gtk-1.70-2
>         libselinux.so.1 is needed by (installed) vim-enhanced-6.2.457-1
>         libselinux.so.1 is needed by (installed) gdm-2.6.0.0-3
>         libselinux.so.1 is needed by (installed) kdelibs-3.2.2-4
>         libselinux.so.1 is needed by (installed) kdebase-3.2.2-4
>         libselinux.so.1 is needed by (installed) kdepim-3.2.2-2
>         libselinux.so.1 is needed by (installed) kdemultimedia-3.2.2-2
>         libselinux.so.1 is needed by (installed) rpm-build-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) rpm-devel-4.3.1-0.3
>         libselinux.so.1 is needed by (installed) kdeutils-3.2.2-3
>         libselinux.so.1 is needed by (installed) kdesdk-3.2.2-2
>         libselinux >= 1.11.3-1 is needed by (installed) SysVinit-2.85-25
>         libselinux is needed by (installed) vixie-cron-3.0.1-87
>
> Would I need to compile all the programs that depend on libselinux against
> another library before removing?  It does seem to me to be against the
> fundamental tenets of security to fork these programs.

You'd have to rewrite the SELinux patches to these programs to use
dlopen() and friends for accessing the libselinux functions and
gracefully handle the case where it is not present (not too hard, as the
SELinux userland patches already have logic for the
!is_selinux_enabled() case to deal with a non-SELinux or
SELinux-disabled kernel). This was suggested on the selinux mailing
list in May by someone looking into Debian SELinux integration. In the
end, I think they concluded it was better to just promote libselinux to
base and required status as with libattr/libacl.

While it would be possible to rewrite the SELinux patches in this manner
(except for statically linked programs, but they seem very rare in
Fedora, even /sbin/init is dynamically linked), it would obviously
require someone to invest the time to do so, and the benefit of doing so
is not clear. I suspect that there are larger libraries on your system
that you would have a hard time removing as well...

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
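
The dlopen() approach described in the reply above, as an added example that is not part of the original message or of the SELinux userland patches: libselinux is loaded at run time, and the program falls back to non-SELinux behaviour when the library or one of its symbols is missing. The selinux_api struct and the selinux_api_load, selinux_active and file_context helpers are hypothetical names; is_selinux_enabled, getfilecon and freecon are the libselinux functions resolved by name.

```c
#include <dlfcn.h>
#include <stdio.h>

struct selinux_api {                 /* hypothetical wrapper type */
    void *handle;
    int (*is_selinux_enabled)(void);
    int (*getfilecon)(const char *path, char **con);
    void (*freecon)(char *con);
};

/* Returns 1 when the library and every needed symbol are present, else 0. */
int selinux_api_load(struct selinux_api *api, const char *soname) {
    const struct selinux_api empty = {0};
    *api = empty;
    api->handle = dlopen(soname, RTLD_NOW | RTLD_LOCAL);
    if (!api->handle)
        return 0;                    /* not installed: run without SELinux */
    api->is_selinux_enabled = (int (*)(void))dlsym(api->handle, "is_selinux_enabled");
    api->getfilecon = (int (*)(const char *, char **))dlsym(api->handle, "getfilecon");
    api->freecon = (void (*)(char *))dlsym(api->handle, "freecon");
    if (api->is_selinux_enabled && api->getfilecon && api->freecon)
        return 1;
    dlclose(api->handle);            /* incomplete library: treat as absent */
    *api = empty;
    return 0;
}

/* The enabled check; it is also false when the library could not be loaded. */
int selinux_active(const struct selinux_api *api) {
    return api->is_selinux_enabled != NULL && api->is_selinux_enabled() > 0;
}

/* Copy path's context into buf; returns 0 on success, -1 if unavailable. */
int file_context(const struct selinux_api *api, const char *path, char *buf, size_t len) {
    char *con = NULL;
    if (!selinux_active(api) || api->getfilecon(path, &con) < 0)
        return -1;
    snprintf(buf, len, "%s", con);
    api->freecon(con);
    return 0;
}

int main(void) {
    struct selinux_api api;
    char ctx[256];
    int ok = selinux_api_load(&api, "libselinux.so.1") &&
             file_context(&api, "/etc/passwd", ctx, sizeof ctx) == 0;
    printf("/etc/passwd %s\n", ok ? ctx : "(no SELinux context)");
    return 0;
}
```

On glibc older than 2.34 this needs to be linked with -ldl.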