[libvirt PATCH 09/13] selinux: introduce meson option for selinux policy install

Pavel Hrdina phrdina at redhat.com
Tue Aug 10 09:10:56 UTC 2021


On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> The /etc/os-release file may not even exist on OS and checking specific
> OS names / versions in the build rules duplicates conditions that are
> set in the RPM.
> 
> Instead we just look for existence of the tools we need to build the
> policy module. In doing so, we also introduce '-Dselinux_policy'
> feature flag to let it be controlled explicitly.
> 
> Since some versions will have an SELinux policy that is too old, we also
> need to do a feature check for the newest interface(s) that we require.
> Currently this is achieved by looking for "systemd_machined_stream_connect".
> The "macro-expander" command can be used to check for SELinux policy
> interfaces, as it will return empty string for any that don't exist.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  libvirt.spec.in                  |  7 ++++++
>  meson.build                      |  1 +
>  meson_options.txt                |  1 +
>  src/security/meson.build         | 13 +---------
>  src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
>  5 files changed, 46 insertions(+), 19 deletions(-)

[...]

> diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> index dda8730141..af5a5e38cb 100644
> --- a/src/security/selinux/meson.build
> +++ b/src/security/selinux/meson.build
> @@ -1,10 +1,39 @@
> -semod_prog = find_program('semodule_package')
> -checkmod_prog = find_program('checkmodule')
> -bzip2_prog = find_program('bzip2')
> +selinux_policy_opt = get_option('selinux_policy')
> +selinux_policy = false
> +if not selinux_policy_opt.disabled()
> +  semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> +  checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> +  macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> +  bzip2_prog = find_program('bzip2')

Here we should use `, required: selinux_policy_opt` as well, otherwise
missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
is `auto`.

Pavel

> +  selinux_policy_includes = get_option('selinux_policy_includes')
>  
> -selinux_policy_includes = get_option('selinux_policy_includes')
> +  if semod_prog.found() and checkmod_prog.found() and \
> +     bzip2_prog.found() and macroexpander_prog.found()
> +    selinux_policy = true
> +  else
> +    if selinux_policy_opt.enabled()
> +      error('selinux policy requested but required build tools are missing')
> +    endif
> +  endif
>  
> -install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
> +  if selinux_policy
> +    data = run_command(macroexpander_prog,
> +                       'systemd_machined_stream_connect').stdout()
> +    if data == ''
> +      if selinux_policy_opt.enabled()
> +        error('selinux policy version is too old, ' +
> +              'missing "systemd_machined_stream_connect"')
> +      endif
>  
> -subdir('mcs')
> -subdir('mls')
> +      selinux_policy = false
> +    endif
> +  endif
> +
> +  if selinux_policy
> +    install_data('virt.if',
> +                 install_dir : 'share/selinux/devel/include/distributed')
> +
> +    subdir('mcs')
> +    subdir('mls')
> +  endif
> +endif
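
Review bot: the `run_command(macroexpander_prog, 'systemd_machined_stream_connect').stdout()` check treats any empty output as "interface missing" and never looks at the exit status. A macro-expander that fails for an unrelated reason is therefore indistinguishable from a policy that is too old: under `auto` the policy build is dropped with no trace, and under `enabled` the error blames the policy version. Suggest keeping the result object, checking `returncode()` separately from the output, and comparing `stdout().strip()` against `''` so that stray whitespace does not count as a match. A `message()` on the path that sets `selinux_policy = false` would also make the skipped policy visible in the setup log.
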
> -- 
> 2.31.1
> 