Re: [libvirt PATCH 09/13] selinux: introduce meson option for selinux policy install

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Aug 10, 2021 at 05:35:58PM +0100, Daniel P. Berrangé wrote:
> On Tue, Aug 10, 2021 at 11:10:56AM +0200, Pavel Hrdina wrote:
> > On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> > > The /etc/os-release file may not even exist on OS and checking specific
> > > OS names / versions in the build rules duplicates conditions that are
> > > set in the RPM.
> > > 
> > > Instead we just look for existance of the tools we need to build the
> > > policy module. In doing so, we also introduce '-Dselinux_policy'
> > > feature flag to let it be controlled explicitly.
> > > 
> > > Since some versions will have an SELinux policy that is too old, we also
> > > need to do a feature check for the newest interface(s) that we require.
> > > Currently this is achieved by looking for "systemd_machined_stream_connect".
> > > The "macro-expander" command can be used to check for SELinux policy
> > > interfaces, as it will return empty string for any that don't exist.
> > > 
> > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > > ---
> > >  libvirt.spec.in                  |  7 ++++++
> > >  meson.build                      |  1 +
> > >  meson_options.txt                |  1 +
> > >  src/security/meson.build         | 13 +---------
> > >  src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> > >  5 files changed, 46 insertions(+), 19 deletions(-)
> > 
> > [...]
> > 
> > > diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> > > index dda8730141..af5a5e38cb 100644
> > > --- a/src/security/selinux/meson.build
> > > +++ b/src/security/selinux/meson.build
> > > @@ -1,10 +1,39 @@
> > > -semod_prog = find_program('semodule_package')
> > > -checkmod_prog = find_program('checkmodule')
> > > -bzip2_prog = find_program('bzip2')
> > > +selinux_policy_opt = get_option('selinux_policy')
> > > +selinux_policy = false
> > > +if not selinux_policy_opt.disabled()
> > > +  semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> > > +  checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> > > +  macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> > > +  bzip2_prog = find_program('bzip2')
> > 
> > Here we should use `, required: selinux_policy_opt` as well, otherwise
> > missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
> > is `auto`.
> 
> I wonder if we should also actally check for 'sed' and 'm4' since the
> script we're calling out to will invoke them too.

Good point, we already check for 'sed' or 'gsed' in
'build-aux/meson.build' so we could move it to the main meson.build
file. I was thinking about skipping check for 'm4' if it's already
dependency of the selinux tools but there should be no harm checking
it as well.

Pavel

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux