[DSE-Dev] Bug#1095018: Root cause and a solution

Andrey Feofilaktov andarpolis at gmail.com
Tue Aug 12 11:20:02 BST 2025


Tags: patch

I am 95% sure I know what is happening and a solution for this. I
think the fix applied to libsemanage is better.

So if one looks at the build log at the time when Ruby shipped both
3.1 and 3.3, one would notice that the line that's responsible for
compiling the wrapper is only referenced for Ruby 3.1, but not for
Ruby 3.3:

cc -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/libselinux-3.8.1=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -fno-semantic-interposition
-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND
-DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -DHAVE_STRLCPY
-DHAVE_REALLOCARRAY -Wno-error -Wno-unused-variable
-Wno-unused-but-set-variable -Wno-unused-parameter -Wno-shadow
-Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
-Wno-deprecated-declarations
-I/usr/include/x86_64-linux-gnu/ruby-3.1.0 -I/usr/include/ruby-3.1.0
-fPIC -DSHARED -c -o ruby3.1_selinuxswig_ruby_wrap.lo
selinuxswig_ruby_wrap.c

The reason I started looking into that line is that when running Ruby
under gdb, I noticed that it pulls references from ruby-3.1 libs and
started investigating how ruby-selinux is built.

So I found that the target in the Makefile does not have a ruby
version-specific name, so it gets re-used.

I don't know which solution is the best here. I would say that
cleaning in between compilations for different versions would be not
so resource-efficient, but bulletproof. However, I went for a simpler
one-liner that just makes the target name ruby-specific in the dumbest
way possible.

After applying the patch and building, we see the line for ruby3.3
appear in the build log:

cc -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2
-Werror=implicit-function-declaration
-ffile-prefix-map=/build/reproducible-path/libselinux-3.8.1=.
-fstack-protector-strong -fstack-clash-protection -Wformat
-Werror=format-security -fcf-protection -fno-semantic-interposition
-Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND
-DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -DHAVE_STRLCPY
-DHAVE_REALLOCARRAY -Wno-error -Wno-unused-variable
-Wno-unused-but-set-variable -Wno-unused-parameter -Wno-shadow
-Wno-uninitialized -Wno-missing-prototypes -Wno-missing-declarations
-Wno-deprecated-declarations
-I/usr/include/x86_64-linux-gnu/ruby-3.3.0 -I/usr/include/ruby-3.3.0
-fPIC -DSHARED -c -o ruby3.3_selinuxswig_ruby_wrap.lo
selinuxswig_ruby_wrap.c

And after installing the new .so, it successfully loads.

While writing this update I looked at
https://codesearch.debian.net/search?q=SWIGRUBYLOBJ&literal=1, and it
seems to suggest that 1) a neighbour package took a much better
approach and 2) that android-platform-external-libselinux would
require the same fix. Keeping the breadcrumbs of the investigation for
whoever needs to debug this again: gdb and debug builds are your
friend (as always).

-- 
Regards,
Andrey
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ruby_selinux.diff
Type: text/x-patch
Size: 794 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/selinux-devel/attachments/20250812/b070f7df/attachment.bin>
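
The build-log comparison made in the message above can be automated. The check below is an added example, not part of the original message or of the libselinux packaging. Its function names and sample log lines are constructed, and it assumes one command per log line with include directories of the form /usr/include/ruby-X.Y.Z, as in the quoted log.

```shell
#!/bin/sh
# Added example (not from the original message): list the Ruby versions for
# which a build log shows no compile of the SWIG wrapper against that
# version's headers. Function names here are hypothetical.

WRAPPER_SRC='selinuxswig_ruby_wrap.c'   # wrapper source named in the log

# wrapper_versions: read a build log on stdin; print each Ruby X.Y whose
# headers were on the include path of a command compiling the wrapper.
wrapper_versions() {
    awk -v src="$WRAPPER_SRC" '
        index($0, src) && / -c / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^-I\/usr\/include\/ruby-[0-9]+\.[0-9]+\.[0-9]+$/) {
                    v = $i
                    sub(/^-I\/usr\/include\/ruby-/, "", v)
                    sub(/\.[0-9]+$/, "", v)      # 3.3.0 -> 3.3
                    print v
                }
        }' | sort -u
}

# missing_wrapper_builds VERSION...: read a build log on stdin; print the
# expected versions that have no wrapper compile. Status 0 if none missing.
missing_wrapper_builds() {
    built=$(wrapper_versions)
    missing=''
    for want in "$@"; do
        printf '%s\n' "$built" | grep -qxF -- "$want" || missing="$missing $want"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# sample_log before|after: constructed log lines with abbreviated flags.
sample_log() {
    for v in 3.1 3.3; do
        # Before the fix, only the first version compiles the wrapper.
        [ "$1" = before ] && [ "$v" != 3.1 ] && continue
        printf 'cc -g -O2 -I../include -I/usr/include/x86_64-linux-gnu/ruby-%s.0 -I/usr/include/ruby-%s.0 -fPIC -DSHARED -c -o ruby%s_selinuxswig_ruby_wrap.lo %s\n' "$v" "$v" "$v" "$WRAPPER_SRC"
    done
    echo 'cc -g -O2 -I../include -fPIC -DSHARED -c -o other.lo other.c'
}

echo "before: missing [$(sample_log before | missing_wrapper_builds 3.1 3.3 || true)]"
echo "after:  missing [$(sample_log after | missing_wrapper_builds 3.1 3.3 || true)]"
```

Against a real log, pipe the file into `missing_wrapper_builds` with the Ruby versions the package is expected to support; a non-zero status means at least one version's binding was linked from an object compiled for another version.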

