[PATCH 3/3] selinux: Remove 'make' dependency

Vit Mojzis vmojzis at redhat.com
Thu Mar 11 11:24:48 UTC 2021


On 3/10/21 7:50 PM, Neal Gompa wrote:
> On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko at redhat.com> wrote:
>> From: Vit Mojzis <vmojzis at redhat.com>
>>
>> Compile the policy using a shell script executed by meson.
>>
>> Signed-off-by: Vit Mojzis <vmojzis at redhat.com>
>> ---
>>   libvirt.spec.in           | 12 ------------
>>   meson.build               | 12 ++++++++++++
>>   selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++
>>   selinux/meson.build       | 23 +++++++++++++++++++++++
>>   4 files changed, 74 insertions(+), 12 deletions(-)
>>   create mode 100755 selinux/compile_policy.sh
>>   create mode 100644 selinux/meson.build
>>
>> diff --git a/libvirt.spec.in b/libvirt.spec.in
>> index db08d91043..de664084fa 100644
>> --- a/libvirt.spec.in
>> +++ b/libvirt.spec.in
>> @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
>>              %{?arg_login_shell}
>>
>>   %meson_build
>> -%if 0%{?with_selinux}
>> -# SELinux policy (originally from selinux-policy-contrib)
>> -# this policy module will override the production module
>> -cd selinux
>> -
>> -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
>> -bzip2 -9 %{modulename}.pp
>> -%endif
>>
>>   %install
>>   rm -fr %{buildroot}
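Review bot: removing this block also removes the only `%if 0%{?with_selinux}` gate on policy compilation, and nothing else in this patch brings back a build-time switch for it; the meson side decides from /etc/os-release instead, so a spec build with `with_selinux` turned off would still compile the module whenever the host distribution matches. Consider exposing a meson feature option for the policy and passing it from the spec's `%meson` invocation so the spec keeps control.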
>> @@ -1332,10 +1324,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
>>       %endif
>>   %endif
>>
>> -%if 0%{?with_selinux}
>> -install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
>> -%endif
>> -
>>   %check
>>   # Building on slow archs, like emulated s390x in Fedora copr, requires
>>   # raising the test timeout
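Review bot: the removed install line substituted `%{selinuxtype}` into the destination path, while the replacement in selinux/meson.build installs into a fixed `share/selinux/packages/targeted`; if the spec still uses `selinuxtype` elsewhere (the `%files` entries and `%post`/`%postun` scriptlets are not in this diff), check that they reference the same directory meson now installs into, otherwise the package will list a path that is no longer produced.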
>> diff --git a/meson.build b/meson.build
>> index c81c6ab205..d060e441b5 100644
>> --- a/meson.build
>> +++ b/meson.build
>> @@ -2183,6 +2183,18 @@ endif
>>
>>   subdir('build-aux')
>>
>> +os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
>> +os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
>> +if (os_version.length() == 2)
>> +  os_version = os_version[1]
>> +else
>> +  os_version = 0
>> +endif
>> +
>> +if ((os_release.contains('fedora') and os_version.version_compare('>32')) or
>> +    (os_release.contains('rhel') and os_version.version_compare('>7')))
>> +  subdir('selinux')
>> +endif
>>
>>   # install pkgconfig files
>>   pkgconfig_files = [
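Review bot: `os_version = 0` assigns an integer, but `version_compare()` is a string method, so the fallback branch fails at configure time instead of skipping the subdir; use `'0'` there (or skip the comparison entirely when the value is absent). The parsed value is also never trimmed: `VERSION_ID="8.3"` keeps its quotes and the newline from grep, so the comparison runs on `"8.3"\n`; apply `.strip()` and `.strip('"')` to `os_version[1]` before comparing. The two `run_command()` calls pass no `check:` argument, so a missing /etc/os-release silently yields empty strings. More generally, probing the host distribution at configure time ties the build to the machine it runs on and breaks cross and container builds; the conventional meson shape is a `feature` option in meson_options.txt, with this distro check at most providing its default.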
>> diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh
>> new file mode 100755
>> index 0000000000..02780e4aed
>> --- /dev/null
>> +++ b/selinux/compile_policy.sh
>> @@ -0,0 +1,39 @@
>> +#!/bin/sh
>> +set -x
>> +
>> +if [[ $# -ne 5 ]] ; then
>> +    echo "Usage: compile_policy.sh <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
>> +    exit 1
>> +fi
>> +
>> +# checkmodule requires consistent file names
>> +MODULE_NAME=$(basename -- "$1")
>> +MODULE_NAME=${MODULE_NAME%.*}
>> +
>> +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024"
>> +SHAREDIR="/usr/share/selinux"
>> +HEADERDIR="$SHAREDIR/devel/include"
>> +M4SUPPORT=$(echo $HEADERDIR/support/*.spt)
>> +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d | grep -v "/usr/share/selinux/devel/include/support")
>> +HEADER_INTERFACES=""
>> +for LAYER in $HEADER_LAYERS
>> +do
>> +    HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)"
>> +done
>> +
>> +# prepare temp folder
>> +mkdir -p $5
>> +# remove old trash from the temp folder
>> +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"
>> +# tmp/all_interfaces.conf
>> +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4
>> +echo "divert(-1)" > $5/all_interfaces.conf
>> +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf
>> +echo "divert" >> $5/all_interfaces.conf
>> +# tmp/%.mod
>> +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp
>> +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod
>> +# tmp/%.mod.fc
>> +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc
>> +# %.pp
>> +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
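Review bot: the script declares `#!/bin/sh` but uses the bash-only `[[ $# -ne 5 ]]` test, so it fails on systems where /bin/sh is dash; use `[ "$#" -ne 5 ]`. The clean-up line `rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"` quotes all three paths into a single argument, so neither the word splitting nor the `*` glob happens and nothing is removed (`-f` hides the error); drop the outer quotes and quote each path separately. There is no `set -e`, so a failing `m4` or `checkmodule` does not stop the script and the exit status meson sees is only that of the final `semodule_package`; add `set -e` and consider dropping the permanent `set -x`, which writes every command to stderr on each build. Finally `$1` to `$5` are unquoted throughout, which breaks on paths containing spaces, and the header directory is hardcoded to /usr/share/selinux/devel rather than derived from `$SHAREDIR`/`$HEADERDIR`, which are defined but then ignored on the `find` line.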
>> diff --git a/selinux/meson.build b/selinux/meson.build
>> new file mode 100644
>> index 0000000000..1c76fd40aa
>> --- /dev/null
>> +++ b/selinux/meson.build
>> @@ -0,0 +1,23 @@
>> +selinux_sources = [
>> +  'virt.te',
>> +  'virt.if',
>> +  'virt.fc',
>> +]
>> +
>> +compile_policy_prog = find_program('compile_policy.sh')
>> +
>> +virt_pp = custom_target('virt.pp',
>> +  output : 'virt.pp',
>> +  input : selinux_sources,
>> +  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
>> +  install : false)
>> +
>> +bzip2_prog = find_program('bzip2')
>> +
>> +bzip = custom_target('virt.pp.bz2',
>> +  output : 'virt.pp.bz2',
>> +  input : virt_pp,
>> +  command : [bzip2_prog, '-c', '-9', '@INPUT@'],
>> +  capture : true,
>> +  install : true,
>> +  install_dir : 'share/selinux/packages/targeted')
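Review bot: `'selinux/tmp'` is an untracked scratch directory relative to the build root; meson provides `@PRIVATE_DIR@` for exactly this and keeps the intermediates under the target's own private directory, so `command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', '@PRIVATE_DIR@']` would be cleaner and survive parallel builds. `install_dir : 'share/selinux/packages/targeted'` hardcodes both `share` (join `get_option('datadir')` with the rest so `--datadir` is honoured) and the `targeted` policy type that the spec previously took from `%{selinuxtype}`. The `.pp` also depends on the interface headers under /usr/share/selinux/devel, which meson cannot see from `input`, so an updated selinux-policy-devel will not trigger a rebuild; a comment on the target noting that is worthwhile.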
>> --
>> 2.29.2
>>
> This smells like a bad idea, because we're not relying on the
> framework that SELinux policies are supposed to be built with. I don't
> think we should do this.

Hi,

not sure what you mean. The shell script is almost a 1 to 1 copy of the 
original Makefile from selinux-policy-devel so it should not cause any 
issues.

If you mean the whole idea of moving the policy from selinux-policy 
packages to libvirt, then this has proven to work with a few other 
projects already (mostly the policies are kept in downstream 
distribution repositories, but e.g. freeipa is maintaining it in 
upstream, similarly to this) and we got quite positive feedback.

Could you please elaborate on what you mean by "the framework that 
SELinux policies are supposed to be built with"?

Thank you.

Vit



