[libvirt PATCH 09/13] selinux: introduce meson option for selinux policy install

Daniel P. Berrangé berrange at redhat.com
Fri Aug 6 17:48:06 UTC 2021 

The /etc/os-release file may not even exist on OS and checking specific
OS names / versions in the build rules duplicates conditions that are
set in the RPM.

Instead we just look for existance of the tools we need to build the
policy module. In doing so, we also introduce '-Dselinux_policy'
feature flag to let it be controlled explicitly.

Since some versions will have an SELinux policy that is too old, we also
need to do a feature check for the newest interface(s) that we require.
Currently this is achieved by looking for "systemd_machined_stream_connect".
The "macro-expander" command can be used to check for SELinux policy
interfaces, as it will return empty string for any that don't exist.

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 libvirt.spec.in                  |  7 ++++++
 meson.build                      |  1 +
 meson_options.txt                |  1 +
 src/security/meson.build         | 13 +---------
 src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
 5 files changed, 46 insertions(+), 19 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index bb693b58bf..d86cca7930 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1113,6 +1113,12 @@ exit 1
     %define arg_remote_mode -Dremote_default_mode=legacy
 %endif
 
+%if %{with_selinux_policy}
+    %define arg_selinux_policy -Dselinux_policy=enabled
+%else
+    %define arg_selinux_policy -Dselinux_policy=disabled
+%endif
+
 %define when  %(date +"%%F-%%T")
 %define where %(hostname)
 %define who   %{?packager}%{!?packager:Unknown}
@@ -1165,6 +1171,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
            %{?arg_netcf} \
            -Dselinux=enabled \
            %{?arg_selinux_mount} \
+           %{?arg_selinux_policy} \
            -Dapparmor=disabled \
            -Dapparmor_profiles=disabled \
            -Dsecdriver_apparmor=disabled \
diff --git a/meson.build b/meson.build
index e25dc17fc8..6ea47fa0d7 100644
--- a/meson.build
+++ b/meson.build
@@ -2302,6 +2302,7 @@ summary(storagedriver_summary, section: 'Storage Drivers', bool_yn: true)
 
 secdriver_summary = {
   'SELinux': conf.has('WITH_SECDRIVER_SELINUX'),
+  'sVirt policy': selinux_policy,
   'AppArmor': conf.has('WITH_SECDRIVER_APPARMOR'),
 }
 summary(secdriver_summary, section: 'Security Drivers', bool_yn: true)
diff --git a/meson_options.txt b/meson_options.txt
index 7287cf1222..5537758f56 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -39,6 +39,7 @@ option('sanlock', type: 'feature', value: 'auto', description: 'sanlock support'
 option('sasl', type: 'feature', value: 'auto', description: 'sasl support')
 option('selinux', type: 'feature', value: 'auto', description: 'selinux support')
 option('selinux_mount', type: 'string', value: '', description: 'set SELinux mount point')
+option('selinux_policy', type: 'feature', value: 'auto', description: 'selinux sVirt policy')
 option('selinux_policy_includes', type: 'string', value: '/usr/share/selinux/devel/include', description: 'SELinux policy include directory')
 option('udev', type: 'feature', value: 'auto', description: 'udev support')
 option('wireshark_dissector', type: 'feature', value: 'auto', description: 'wireshark support')
diff --git a/src/security/meson.build b/src/security/meson.build
index ac360fa37a..b08c4df1cf 100644
--- a/src/security/meson.build
+++ b/src/security/meson.build
@@ -56,15 +56,4 @@ if conf.has('WITH_APPARMOR_PROFILES')
   subdir('apparmor')
 endif
 
-os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
-os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
-if (os_version.length() == 2)
-  os_version = os_version[1]
-else
-  os_version = 0
-endif
-
-if ((os_release.contains('fedora') and os_version.version_compare('>33')) or
-    (os_release.contains('rhel') and os_version.version_compare('>8')))
-  subdir('selinux')
-endif
+subdir('selinux')
diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
index dda8730141..af5a5e38cb 100644
--- a/src/security/selinux/meson.build
+++ b/src/security/selinux/meson.build
@@ -1,10 +1,39 @@
-semod_prog = find_program('semodule_package')
-checkmod_prog = find_program('checkmodule')
-bzip2_prog = find_program('bzip2')
+selinux_policy_opt = get_option('selinux_policy')
+selinux_policy = false
+if not selinux_policy_opt.disabled()
+  semod_prog = find_program('semodule_package', required: selinux_policy_opt)
+  checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
+  macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
+  bzip2_prog = find_program('bzip2')
+  selinux_policy_includes = get_option('selinux_policy_includes')
 
-selinux_policy_includes = get_option('selinux_policy_includes')
+  if semod_prog.found() and checkmod_prog.found() and \
+     bzip2_prog.found() and macroexpander_prog.found()
+    selinux_policy = true
+  else
+    if selinux_policy_opt.enabled()
+      error('selinux policy requested but required build tools are missing')
+    endif
+  endif
 
-install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
+  if selinux_policy
+    data = run_command(macroexpander_prog,
+                       'systemd_machined_stream_connect').stdout()
+    if data == ''
+      if selinux_policy_opt.enabled()
+        error('selinux policy version is too old, ' +
+              'missing "systemd_machined_stream_connect"')
+      endif
 
-subdir('mcs')
-subdir('mls')
+      selinux_policy = false
+    endif
+  endif
+
+  if selinux_policy
+    install_data('virt.if',
+                 install_dir : 'share/selinux/devel/include/distributed')
+
+    subdir('mcs')
+    subdir('mls')
+  endif
+endif
-- 
2.31.1

More information about the libvir-list mailing list