On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> The /etc/os-release file may not even exist on OS and checking specific
> OS names / versions in the build rules duplicates conditions that are
> set in the RPM.
>
> Instead we just look for existance of the tools we need to build the
> policy module. In doing so, we also introduce '-Dselinux_policy'
> feature flag to let it be controlled explicitly.
>
> Since some versions will have an SELinux policy that is too old, we also
> need to do a feature check for the newest interface(s) that we require.
> Currently this is achieved by looking for "systemd_machined_stream_connect".
> The "macro-expander" command can be used to check for SELinux policy
> interfaces, as it will return empty string for any that don't exist.
>
> Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> ---
> libvirt.spec.in | 7 ++++++
> meson.build | 1 +
> meson_options.txt | 1 +
> src/security/meson.build | 13 +---------
> src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> 5 files changed, 46 insertions(+), 19 deletions(-)
[...]
> diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> index dda8730141..af5a5e38cb 100644
> --- a/src/security/selinux/meson.build
> +++ b/src/security/selinux/meson.build
> @@ -1,10 +1,39 @@
> -semod_prog = find_program('semodule_package')
> -checkmod_prog = find_program('checkmodule')
> -bzip2_prog = find_program('bzip2')
> +selinux_policy_opt = get_option('selinux_policy')
> +selinux_policy = false
> +if not selinux_policy_opt.disabled()
> + semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> + checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> + macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> + bzip2_prog = find_program('bzip2')
Here we should use `, required: selinux_policy_opt` as well, otherwise
missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
is `auto`.
Pavel
> + selinux_policy_includes = get_option('selinux_policy_includes')
>
> -selinux_policy_includes = get_option('selinux_policy_includes')
> + if semod_prog.found() and checkmod_prog.found() and \
> + bzip2_prog.found() and macroexpander_prog.found()
> + selinux_policy = true
> + else
> + if selinux_policy_opt.enabled()
> + error('selinux policy requested but required build tools are missing')
> + endif
> + endif
>
> -install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
> + if selinux_policy
> + data = run_command(macroexpander_prog,
> + 'systemd_machined_stream_connect').stdout()
> + if data == ''
> + if selinux_policy_opt.enabled()
> + error('selinux policy version is too old, ' +
> + 'missing "systemd_machined_stream_connect"')
> + endif
>
> -subdir('mcs')
> -subdir('mls')
> + selinux_policy = false
> + endif
> + endif
> +
> + if selinux_policy
> + install_data('virt.if',
> + install_dir : 'share/selinux/devel/include/distributed')
> +
> + subdir('mcs')
> + subdir('mls')
> + endif
> +endif
> --
> 2.31.1
>
Attachment:
signature.asc
Description: PGP signature
