[PATCH 3/3] selinux: Remove 'make' dependency

[Andrea Bolognani]

On Thu, 2021-03-11 at 12:33 +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 11, 2021 at 07:29:03AM -0500, Neal Gompa wrote:
> > On Thu, Mar 11, 2021 at 6:35 AM Daniel P. Berrangé <berrange at redhat.com> wrote:
> > > On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
> > > > On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko at redhat.com> wrote:
> > > > > Compile the policy using a shell script executed by meson.
> > > > 
> > > > This smells like a bad idea, because we're not relying on the
> > > > framework that SELinux policies are supposed to be built with. I don't
> > > > think we should do this.
> > > 
> > > The important part is the use of tools for compiling the policy. The way
> > > you glue them into a build system is a app specific, and it makes no sense
> > > to use SELinux provided Makefiles, when our build system is meson.
> > 
> > Let's say I buy that argument (I don't). Even with that argument, this
> > patch is wrong because it makes assumptions about how SELinux policies
> > are structured on-disk. For example, the install directory is wrong,
> > since it should be share/selinux/packages, not
> > share/selinux/packages/targeted. If I were to accept that I might be
> > wrong about the directory in the previous statement, that means that
> > we're still wrong, because we don't have builds for mls and minimal
> > policy targets. Finally, we're missing the policy interface file.
> 
> Well if there are bugs like these, that's what this review is intended
> to catch, and they'll need to be addressed before this can merge.
> 
> > This sounds like you need to work with Meson and selinux-policy
> > upstream to add support for natively building policy modules with
> > Meson itself.
> 
> Sure it would be nice if there was a meson extension that dealt
> with SELinux, but we need to implement something that works with
> the meson releases that exist today.  If meson gains selinux
> support in future may be we can consider it then.

We still need make for syntax-check though, so rewriting the SELinux
bits to Meson doesn't allow us to drop the dependency. And,
considering how complex and widely used the syntax-check logic is, I
don't see that being reimplemented anytime soon.

So perhaps we could file a bug against the SELinux package asking for
native Meson support, hope that it will be implemented by the time we
get around to rewrite syntax-check, and just use make in the
meantime.

-- 
Andrea Bolognani / Red Hat / Virtualization