The /etc/os-release file may not even exist on OS and checking specific OS names / versions in the build rules duplicates conditions that are set in the RPM. Instead we just look for existance of the tools we need to build the policy module. In doing so, we also introduce '-Dselinux_policy' feature flag to let it be controlled explicitly. Since some versions will have an SELinux policy that is too old, we also need to do a feature check for the newest interface(s) that we require. Currently this is achieved by looking for "systemd_machined_stream_connect". The "macro-expander" command can be used to check for SELinux policy interfaces, as it will return empty string for any that don't exist.

Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 libvirt.spec.in | 7 ++++++
 meson.build | 1 +
 meson_options.txt | 1 +
 src/security/meson.build | 13 +--------
 src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
 5 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index bb693b58bf..d86cca7930 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1113,6 +1113,12 @@ exit 1
 %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
+%if %{with_selinux_policy}
+ %define arg_selinux_policy -Dselinux_policy=enabled
+%else
+ %define arg_selinux_policy -Dselinux_policy=disabled
+%endif
+
 %define when %(date +"%%F-%%T")
 %define where %(hostname)
 %define who %{?packager}%{!?packager:Unknown}
@@ -1165,6 +1171,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
 %{?arg_netcf} \
 -Dselinux=enabled \
 %{?arg_selinux_mount} \
+ %{?arg_selinux_policy} \
 -Dapparmor=disabled \
 -Dapparmor_profiles=disabled \
 -Dsecdriver_apparmor=disabled \
diff --git a/meson.build b/meson.build
index e25dc17fc8..6ea47fa0d7 100644
--- a/meson.build
+++ b/meson.build
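Review bot: `-Dselinux_policy=enabled` in the first hunk makes meson abort configuration when `semodule_package`, `checkmodule`, `macro-expander` or `bzip2` cannot be found (the `error()` calls in src/security/selinux/meson.build), so the `%{with_selinux_policy}` branch needs matching BuildRequires for those tools; the diffstat shows this patch touches only these seven spec lines, so confirm the BuildRequires are already present rather than implied. The `%if %{with_selinux_policy}` also assumes that macro is always defined earlier in the spec, since an undefined macro leaves the `%if` with an empty expression and rpmbuild rejects the spec. In the second hunk `%{?arg_selinux_policy}` matches the neighbouring lines in form, although both branches define the macro so the `?` guard is never exercised.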
@@ -2302,6 +2302,7 @@ summary(storagedriver_summary, section: 'Storage Drivers', bool_yn: true)
 
 secdriver_summary = {
 'SELinux': conf.has('WITH_SECDRIVER_SELINUX'),
+ 'sVirt policy': selinux_policy,
 'AppArmor': conf.has('WITH_SECDRIVER_APPARMOR'),
 }
 summary(secdriver_summary, section: 'Security Drivers', bool_yn: true)
diff --git a/meson_options.txt b/meson_options.txt
index 7287cf1222..5537758f56 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -39,6 +39,7 @@ option('sanlock', type: 'feature', value: 'auto', description: 'sanlock support'
 option('sasl', type: 'feature', value: 'auto', description: 'sasl support')
 option('selinux', type: 'feature', value: 'auto', description: 'selinux support')
 option('selinux_mount', type: 'string', value: '', description: 'set SELinux mount point')
+option('selinux_policy', type: 'feature', value: 'auto', description: 'selinux sVirt policy')
 option('selinux_policy_includes', type: 'string', value: '/usr/share/selinux/devel/include', description: 'SELinux policy include directory')
 option('udev', type: 'feature', value: 'auto', description: 'udev support')
 option('wireshark_dissector', type: 'feature', value: 'auto', description: 'wireshark support')
diff --git a/src/security/meson.build b/src/security/meson.build
index ac360fa37a..b08c4df1cf 100644
--- a/src/security/meson.build
+++ b/src/security/meson.build
@@ -56,15 +56,4 @@ if conf.has('WITH_APPARMOR_PROFILES')
 subdir('apparmor')
 endif
 
-os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
-os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
-if (os_version.length() == 2)
- os_version = os_version[1]
-else
- os_version = 0
-endif
-
-if ((os_release.contains('fedora') and os_version.version_compare('>33')) or
- (os_release.contains('rhel') and os_version.version_compare('>8')))
- subdir('selinux')
-endif
+subdir('selinux')
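Review bot: The now unconditional `subdir('selinux')` in src/security/meson.build means the policy module is auto-detected and installed purely from tool availability, including for a tree configured with `-Dselinux=disabled` where `WITH_SECDRIVER_SELINUX` is unset and no driver will ever load that policy. Consider letting the `auto` case in src/security/selinux/meson.build follow the driver, e.g. treating `selinux_policy_opt.auto() and not conf.has('WITH_SECDRIVER_SELINUX')` as disabled, or add a comment next to `subdir('selinux')` stating that the module is deliberately built independently of the driver. The summary entry in meson.build reads `selinux_policy`, which is assigned only inside that subdirectory, so it relies on the security subdir always being processed before the summary block; this hunk cannot show whether that holds. The meson_options.txt description `'selinux sVirt policy'` names the thing rather than the action, so `'build and install the SELinux sVirt policy module'` would read better alongside the `selinux_policy_includes` entry.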
diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
index dda8730141..af5a5e38cb 100644
--- a/src/security/selinux/meson.build
+++ b/src/security/selinux/meson.build
@@ -1,10 +1,39 @@
-semod_prog = find_program('semodule_package')
-checkmod_prog = find_program('checkmodule')
-bzip2_prog = find_program('bzip2')
+selinux_policy_opt = get_option('selinux_policy')
+selinux_policy = false
+if not selinux_policy_opt.disabled()
+ semod_prog = find_program('semodule_package', required: selinux_policy_opt)
+ checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
+ macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
+ bzip2_prog = find_program('bzip2')
+ selinux_policy_includes = get_option('selinux_policy_includes')
 
-selinux_policy_includes = get_option('selinux_policy_includes')
+ if semod_prog.found() and checkmod_prog.found() and \
+ bzip2_prog.found() and macroexpander_prog.found()
+ selinux_policy = true
+ else
+ if selinux_policy_opt.enabled()
+ error('selinux policy requested but required build tools are missing')
+ endif
+ endif
 
-install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
+ if selinux_policy
+ data = run_command(macroexpander_prog,
+ 'systemd_machined_stream_connect').stdout()
+ if data == ''
+ if selinux_policy_opt.enabled()
+ error('selinux policy version is too old, ' +
+ 'missing "systemd_machined_stream_connect"')
+ endif
 
-subdir('mcs')
-subdir('mls')
+ selinux_policy = false
+ endif
+ endif
+
+ if selinux_policy
+ install_data('virt.if',
+ install_dir : 'share/selinux/devel/include/distributed')
+
+ subdir('mcs')
+ subdir('mls')
+ endif
+endif
-- 
2.31.1
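Review bot: `bzip2_prog = find_program('bzip2')` is the one lookup in the new block without `required: selinux_policy_opt`, so with the option left at `auto` a missing bzip2 still aborts configuration instead of quietly disabling the policy module, and the later `bzip2_prog.found()` term can never be false; change it to `bzip2_prog = find_program('bzip2', required: selinux_policy_opt)`. The macro-expander probe only looks at stdout, so a non-zero exit (tool present but the policy include tree unusable) also yields an empty string and is reported as "policy version is too old"; keeping the `run_command` result in a variable and testing `result.returncode() != 0 or result.stdout() == ''`, with `result.stderr()` appended to the `error()` text, would make the enabled-mode failure diagnosable. Note also that `selinux_policy_includes` is read here but not passed to the probe, so the interface check runs against macro-expander's default include path rather than the directory the module is later built from; if the tool accepts an include directory it should be given, otherwise a short comment stating that limitation would help the next person who changes the option.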