Thanks for the clarification. ACK then.
--
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc
irc freenode net: mattock
> I wrote this in the introduction of the patch set.
>
> There are two approaches to detecting dependencies:
>
> 1. Detect all compile time dependences- you detect headers and
> libraries, this is probably the safest way to go, but makes the code
> very complex.
>
> 2. Detect library only - you assume that if library is present, the
> functionality exists, this is what important... no need to check for
> header, most probably this exists as well. This makes the code
> simpler, in the risk of compile failure if header is missing.
>
> In all project I wrote build for (opensc, uswsusp, ntfs3g, ecryptfs)
> we took the 2nd approach, and it is fine.
>
> Alon.
>
> 2012/3/8 Samuli Seppänen <sam...@openvpn.net>:
>> Looks like a cleaner implementation than the earlier one. I take it
>> AC_CHECK_HEADER is not anymore needed to detect selinux.h, but why exactly?
>>
>> Besides that I give this one an ACK.
>>
>> --
>> Samuli Seppänen
>> Community Manager
>> OpenVPN Technologies, Inc
>>
>> irc freenode net: mattock
>>
>>> Signed-off-by: Alon Bar-Lev <alon.bar...@gmail.com>
>>> ---
>>> configure.ac | 35 +++++++++++++++--------------------
>>> src/openvpn/Makefile.am | 1 +
>>> src/openvpn/init.c | 4 ++--
>>> src/openvpn/options.c | 6 +++---
>>> src/openvpn/options.h | 2 +-
>>> src/openvpn/syshead.h | 2 +-
>>> 6 files changed, 23 insertions(+), 27 deletions(-)
>>>
>>> diff --git a/configure.ac b/configure.ac
>>> index 98615c6..2388f17 100644
>>> --- a/configure.ac
>>> +++ b/configure.ac
>>> @@ -215,7 +215,7 @@ AC_ARG_ENABLE(
>>>
>>> AC_ARG_ENABLE(
>>> [selinux],
>>> - [AS_HELP_STRING([--disable-selinux], [disable SELinux support])],
>>> + [AS_HELP_STRING([--enable-selinux], [enable SELinux support])],
>>> ,
>>> [enable_selinux="no"]
>>> )
>>> @@ -619,6 +619,13 @@ AC_CHECK_LIB(
>>> )
>>> AC_SUBST([SOCKETS_LIBS])
>>>
>>> +AC_CHECK_LIB(
>>> + [selinux],
>>> + [setcon],
>>> + [SELINUX_LIBS="-lselinux"]
>>> +)
>>> +AC_SUBST([SELINUX_LIBS])
>>> +
>>> case "${with_mem_check}" in
>>> valgrind)
>>> AC_CHECK_HEADER(
>>> @@ -826,25 +833,6 @@ if test "${enable_crypto}" = "yes"; then
>>> fi
>>> fi
>>>
>>> -dnl
>>> -dnl check for SELinux library and headers
>>> -dnl
>>> -if test "${enable_selinux}" = "yes"; then
>>> - AC_CHECK_HEADER(
>>> - [selinux/selinux.h],
>>> - [AC_CHECK_LIB(
>>> - [selinux],
>>> - [setcon],
>>> - [
>>> - LIBS="${LIBS} -lselinux"
>>> - AC_DEFINE(HAVE_SETCON, 1, [SELinux support])
>>> - ],
>>> - [AC_MSG_RESULT([SELinux library not found.])]
>>> - )],
>>> - [AC_MSG_ERROR([SELinux headers not found.])]
>>> - )
>>> -fi
>>> -
>>> if test -n "${SP_PLATFORM_WINDOWS}"; then
>>> AC_DEFINE_UNQUOTED([PATH_SEPARATOR], ['\\\\'], [Path separator]) #"
>>> AC_DEFINE_UNQUOTED([PATH_SEPARATOR_STR], ["\\\\"], [Path separator])
>>> #"
>>> @@ -896,6 +884,12 @@ else
>>> fi
>>> fi
>>>
>>> +if test "${enable_selinux}" = "yes"; then
>>> + test -z "${SELINUX_LIBS}" && AC_MSG_ERROR([libselinux required but
>>> missing])
>>> + OPTIONAL_SELINUX_LIBS="${SELINUX_LIBS}"
>>> + AC_DEFINE([ENABLE_SELINUX], [1], [SELinux support])
>>> +fi
>>> +
>>> if test "${enable_pedantic}" = "yes"; then
>>> enable_strict="yes"
>>> CFLAGS="${CFLAGS} -ansi -pedantic"
>>> @@ -922,6 +916,7 @@ AC_SUBST([TAP_WIN_MIN_MAJOR])
>>> AC_SUBST([TAP_WIN_MIN_MINOR])
>>>
>>> AC_SUBST([OPTIONAL_DL_LIBS])
>>> +AC_SUBST([OPTIONAL_SELINUX_LIBS])
>>>
>>> AM_CONDITIONAL([WIN32], [test "${WIN32}" = "yes"])
>>>
>>> diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
>>> index 86abd09..a3f8b3a 100644
>>> --- a/src/openvpn/Makefile.am
>>> +++ b/src/openvpn/Makefile.am
>>> @@ -97,6 +97,7 @@ openvpn_SOURCES = \
>>> cryptoapi.h cryptoapi.c
>>> openvpn_LDADD = \
>>> $(SOCKETS_LIBS) \
>>> + $(OPTIONAL_SELINUX_LIBS) \
>>> $(OPTIONAL_DL_LIBS)
>>> if WIN32
>>> openvpn_SOURCES += openvpn_win32_resources.rc
>>> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
>>> index b8f57b2..0c995ff 100644
>>> --- a/src/openvpn/init.c
>>> +++ b/src/openvpn/init.c
>>> @@ -1038,7 +1038,7 @@ do_uid_gid_chroot (struct context *c, bool no_delay)
>>> mstats_open(c->options.memstats_fn);
>>> #endif
>>>
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> /* Apply a SELinux context in order to restrict what OpenVPN can do
>>> * to _only_ what it is supposed to do after initialization is
>>> complete
>>> * (basically just network I/O operations). Doing it after chroot
>>> @@ -2465,7 +2465,7 @@ do_option_warnings (struct context *c)
>>> msg (M_WARN, "WARNING: --ping should normally be used with
>>> --ping-restart or --ping-exit");
>>>
>>> if (o->username || o->groupname || o->chroot_dir
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> || o->selinux_context
>>> #endif
>>> )
>>> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>>> index d7f848e..4e95b83 100644
>>> --- a/src/openvpn/options.c
>>> +++ b/src/openvpn/options.c
>>> @@ -316,7 +316,7 @@ static const char usage_message[] =
>>> "--user user : Set UID to user after initialization.\n"
>>> "--group group : Set GID to group after initialization.\n"
>>> "--chroot dir : Chroot to this directory after initialization.\n"
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> "--setcon context: Apply this SELinux context after initialization.\n"
>>> #endif
>>> "--cd dir : Change to this directory before initialization.\n"
>>> @@ -1477,7 +1477,7 @@ show_settings (const struct options *o)
>>> SHOW_STR (groupname);
>>> SHOW_STR (chroot_dir);
>>> SHOW_STR (cd_dir);
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> SHOW_STR (selinux_context);
>>> #endif
>>> SHOW_STR (writepid);
>>> @@ -4525,7 +4525,7 @@ add_option (struct options *options,
>>> }
>>> options->cd_dir = p[1];
>>> }
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> else if (streq (p[0], "setcon") && p[1])
>>> {
>>> VERIFY_PERMISSION (OPT_P_GENERAL);
>>> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
>>> index 6af4b3a..57b88b7 100644
>>> --- a/src/openvpn/options.h
>>> +++ b/src/openvpn/options.h
>>> @@ -310,7 +310,7 @@ struct options
>>> const char *groupname;
>>> const char *chroot_dir;
>>> const char *cd_dir;
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> char *selinux_context;
>>> #endif
>>> const char *writepid;
>>> diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h
>>> index 1ad81d8..cac4757 100644
>>> --- a/src/openvpn/syshead.h
>>> +++ b/src/openvpn/syshead.h
>>> @@ -176,7 +176,7 @@
>>> #include <sys/epoll.h>
>>> #endif
>>>
>>> -#ifdef HAVE_SETCON
>>> +#ifdef ENABLE_SELINUX
>>> #include <selinux/selinux.h>
>>> #endif
>>>
