On Tue, Aug 10, 2021 at 05:35:58PM +0100, Daniel P. Berrangé wrote:
> On Tue, Aug 10, 2021 at 11:10:56AM +0200, Pavel Hrdina wrote:
> > On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> > > The /etc/os-release file may not even exist on OS and checking specific
> > > OS names / versions in the build rules duplicates conditions that are
> > > set in the RPM.
> > >
> > > Instead we just look for existance of the tools we need to build the
> > > policy module. In doing so, we also introduce '-Dselinux_policy'
> > > feature flag to let it be controlled explicitly.
> > >
> > > Since some versions will have an SELinux policy that is too old, we also
> > > need to do a feature check for the newest interface(s) that we require.
> > > Currently this is achieved by looking for "systemd_machined_stream_connect".
> > > The "macro-expander" command can be used to check for SELinux policy
> > > interfaces, as it will return empty string for any that don't exist.
> > >
> > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > > ---
> > > libvirt.spec.in | 7 ++++++
> > > meson.build | 1 +
> > > meson_options.txt | 1 +
> > > src/security/meson.build | 13 +---------
> > > src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> > > 5 files changed, 46 insertions(+), 19 deletions(-)
> >
> > [...]
> >
> > > diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> > > index dda8730141..af5a5e38cb 100644
> > > --- a/src/security/selinux/meson.build
> > > +++ b/src/security/selinux/meson.build
> > > @@ -1,10 +1,39 @@
> > > -semod_prog = find_program('semodule_package')
> > > -checkmod_prog = find_program('checkmodule')
> > > -bzip2_prog = find_program('bzip2')
> > > +selinux_policy_opt = get_option('selinux_policy')
> > > +selinux_policy = false
> > > +if not selinux_policy_opt.disabled()
> > > + semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> > > + checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> > > + macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> > > + bzip2_prog = find_program('bzip2')
> >
> > Here we should use `, required: selinux_policy_opt` as well, otherwise
> > missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
> > is `auto`.
>
> I wonder if we should also actally check for 'sed' and 'm4' since the
> script we're calling out to will invoke them too.
Good point, we already check for 'sed' or 'gsed' in
'build-aux/meson.build' so we could move it to the main meson.build
file. I was thinking about skipping check for 'm4' if it's already
dependency of the selinux tools but there should be no harm checking
it as well.
Pavel
Attachment:
signature.asc
Description: PGP signature
