Paolo Bonzini wrote:
> Compiling a package without SELinux support can be a security
> problem. On some distributions devel packages for libselinux have to
> be downloaded separately, and it can go unnoticed that packages have
> been configured without SELinux support.
>
> The attached patch will warn if it finds libselinux but not
> selinux/selinux.h, or when not cross-compiling if it finds
> /selinux/enforce but not libselinux.
>
> I'd like to include this check in sed 4.2.1 to warn packagers about
> the additional dependency.

Good idea.
That all looks fine, except the comment for your new function,
gl_LIBSELINUX, belongs in the .m4 file, and not just in the log.
For the log, this would then be fine:

  (gl_LIBSELINUX): New function. Extracted from...

> Ok? Should I test /selinux instead of /selinux/enforce?

That would be better, since on a system for which $(getenforce)
reports "Permissive", /selinux/enforce won't exist.
It might be better still simply to see if getenforce can be run.

> 2009-06-27 Paolo Bonzini <bonz...@gnu.org>
>
> * m4/selinux-context-h (gl_HEADERS_SELINUX_CONTEXT_H): Remove
> self-explaining comment.
> * m4/selinux-selinux-h: Update serial.
> (gl_LIBSELINUX): Warn if SELinux is found but libselinux is absent;
> extracted from...
> (gl_HEADERS_SELINUX_SELINUX_H): ... this one. Require gl_LIBSELINUX.
> Add warning for missing development packages here, too.