The /etc/os-release file may not even exist on the OS, and checking specific
OS names / versions in the build rules duplicates conditions that are
set in the RPM.
Instead we just look for existence of the tools we need to build the
policy module. In doing so, we also introduce '-Dselinux_policy'
feature flag to let it be controlled explicitly.
Since some versions will have an SELinux policy that is too old, we also
need to do a feature check for the newest interface(s) that we require.
Currently this is achieved by looking for "systemd_machined_stream_connect".
The "macro-expander" command can be used to check for SELinux policy
interfaces, as it will return empty string for any that don't exist.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
libvirt.spec.in | 7 ++++++
meson.build | 1 +
meson_options.txt | 1 +
src/security/meson.build | 13 +---------
src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
5 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index bb693b58bf..d86cca7930 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1113,6 +1113,12 @@ exit 1
%define arg_remote_mode -Dremote_default_mode=legacy
%endif
+%if %{with_selinux_policy}
+ %define arg_selinux_policy -Dselinux_policy=enabled
+%else
+ %define arg_selinux_policy -Dselinux_policy=disabled
+%endif
+
%define when %(date +"%%F-%%T")
%define where %(hostname)
%define who %{?packager}%{!?packager:Unknown}
@@ -1165,6 +1171,7 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
%{?arg_netcf} \
-Dselinux=enabled \
%{?arg_selinux_mount} \
+ %{?arg_selinux_policy} \
-Dapparmor=disabled \
-Dapparmor_profiles=disabled \
-Dsecdriver_apparmor=disabled \
diff --git a/meson.build b/meson.build
index e25dc17fc8..6ea47fa0d7 100644
--- a/meson.build
+++ b/meson.build
@@ -2302,6 +2302,7 @@ summary(storagedriver_summary, section: 'Storage Drivers', bool_yn: true)
secdriver_summary = {
'SELinux': conf.has('WITH_SECDRIVER_SELINUX'),
+ 'sVirt policy': selinux_policy,
'AppArmor': conf.has('WITH_SECDRIVER_APPARMOR'),
}
summary(secdriver_summary, section: 'Security Drivers', bool_yn: true)
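Review bot: `selinux_policy` is referenced in the new summary entry but, as far as this series shows, it is assigned only inside src/security/selinux/meson.build, so the line depends on that subdir being processed on every configuration. If src/security or the selinux subdir is ever gated (for example on a non-Linux host), this would fail `meson setup` with an undefined variable instead of reporting `no`. Initialising `selinux_policy = false` in the top-level meson.build before the `subdir()` calls, or guarding with `is_variable('selinux_policy') and selinux_policy`, keeps the summary robust regardless of which subdirs ran.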
diff --git a/meson_options.txt b/meson_options.txt
index 7287cf1222..5537758f56 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -39,6 +39,7 @@ option('sanlock', type: 'feature', value: 'auto', description: 'sanlock support'
option('sasl', type: 'feature', value: 'auto', description: 'sasl support')
option('selinux', type: 'feature', value: 'auto', description: 'selinux support')
option('selinux_mount', type: 'string', value: '', description: 'set SELinux mount point')
+option('selinux_policy', type: 'feature', value: 'auto', description: 'selinux sVirt policy')
option('selinux_policy_includes', type: 'string', value: '/usr/share/selinux/devel/include', description: 'SELinux policy include directory')
option('udev', type: 'feature', value: 'auto', description: 'udev support')
option('wireshark_dissector', type: 'feature', value: 'auto', description: 'wireshark support')
diff --git a/src/security/meson.build b/src/security/meson.build
index ac360fa37a..b08c4df1cf 100644
--- a/src/security/meson.build
+++ b/src/security/meson.build
@@ -56,15 +56,4 @@ if conf.has('WITH_APPARMOR_PROFILES')
subdir('apparmor')
endif
-os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
-os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
-if (os_version.length() == 2)
- os_version = os_version[1]
-else
- os_version = 0
-endif
-
-if ((os_release.contains('fedora') and os_version.version_compare('>33')) or
- (os_release.contains('rhel') and os_version.version_compare('>8')))
- subdir('selinux')
-endif
+subdir('selinux')
diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
index dda8730141..af5a5e38cb 100644
--- a/src/security/selinux/meson.build
+++ b/src/security/selinux/meson.build
@@ -1,10 +1,39 @@
-semod_prog = find_program('semodule_package')
-checkmod_prog = find_program('checkmodule')
-bzip2_prog = find_program('bzip2')
+selinux_policy_opt = get_option('selinux_policy')
+selinux_policy = false
+if not selinux_policy_opt.disabled()
+ semod_prog = find_program('semodule_package', required: selinux_policy_opt)
+ checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
+ macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
+ bzip2_prog = find_program('bzip2')
+ selinux_policy_includes = get_option('selinux_policy_includes')
-selinux_policy_includes = get_option('selinux_policy_includes')
+ if semod_prog.found() and checkmod_prog.found() and \
+ bzip2_prog.found() and macroexpander_prog.found()
+ selinux_policy = true
+ else
+ if selinux_policy_opt.enabled()
+ error('selinux policy requested but required build tools are missing')
+ endif
+ endif
-install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
+ if selinux_policy
+ data = run_command(macroexpander_prog,
+ 'systemd_machined_stream_connect').stdout()
+ if data == ''
+ if selinux_policy_opt.enabled()
+ error('selinux policy version is too old, ' +
+ 'missing "systemd_machined_stream_connect"')
+ endif
-subdir('mcs')
-subdir('mls')
+ selinux_policy = false
+ endif
+ endif
+
+ if selinux_policy
+ install_data('virt.if',
+ install_dir : 'share/selinux/devel/include/distributed')
+
+ subdir('mcs')
+ subdir('mls')
+ endif
+endif
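Review bot: The `run_command` probe for `systemd_machined_stream_connect` treats any empty stdout as "policy too old", but with no `check:` argument a non-zero exit from macro-expander (for example when its policy include directory is missing or unreadable) also yields empty output and is then misreported as a version problem. Capture the result and distinguish the two cases: `res = run_command(macroexpander_prog, 'systemd_machined_stream_connect', check: false)` followed by `if res.returncode() != 0 or res.stdout().strip() == ''`, with an error message that names a tool failure separately from the missing interface. Note also that `selinux_policy_includes` is read in this hunk but not passed to the probe; if macro-expander accepts an include directory argument, the probe should be pointed at the same directory the module build uses so the check reflects the policy actually being compiled against.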
--
2.31.1
On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> The /etc/os-release file may not even exist on OS and checking specific
> OS names / versions in the build rules duplicates conditions that are
> set in the RPM.
>
> Instead we just look for existance of the tools we need to build the
> policy module. In doing so, we also introduce '-Dselinux_policy'
> feature flag to let it be controlled explicitly.
>
> Since some versions will have an SELinux policy that is too old, we also
> need to do a feature check for the newest interface(s) that we require.
> Currently this is achieved by looking for "systemd_machined_stream_connect".
> The "macro-expander" command can be used to check for SELinux policy
> interfaces, as it will return empty string for any that don't exist.
>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> libvirt.spec.in | 7 ++++++
> meson.build | 1 +
> meson_options.txt | 1 +
> src/security/meson.build | 13 +---------
> src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> 5 files changed, 46 insertions(+), 19 deletions(-)
[...]
> diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> index dda8730141..af5a5e38cb 100644
> --- a/src/security/selinux/meson.build
> +++ b/src/security/selinux/meson.build
> @@ -1,10 +1,39 @@
> -semod_prog = find_program('semodule_package')
> -checkmod_prog = find_program('checkmodule')
> -bzip2_prog = find_program('bzip2')
> +selinux_policy_opt = get_option('selinux_policy')
> +selinux_policy = false
> +if not selinux_policy_opt.disabled()
> + semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> + checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> + macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> + bzip2_prog = find_program('bzip2')
Here we should use `, required: selinux_policy_opt` as well, otherwise
missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
is `auto`.
Pavel
> + selinux_policy_includes = get_option('selinux_policy_includes')
>
> -selinux_policy_includes = get_option('selinux_policy_includes')
> + if semod_prog.found() and checkmod_prog.found() and \
> + bzip2_prog.found() and macroexpander_prog.found()
> + selinux_policy = true
> + else
> + if selinux_policy_opt.enabled()
> + error('selinux policy requested but required build tools are missing')
> + endif
> + endif
>
> -install_data('virt.if', install_dir : 'share/selinux/devel/include/distributed')
> + if selinux_policy
> + data = run_command(macroexpander_prog,
> + 'systemd_machined_stream_connect').stdout()
> + if data == ''
> + if selinux_policy_opt.enabled()
> + error('selinux policy version is too old, ' +
> + 'missing "systemd_machined_stream_connect"')
> + endif
>
> -subdir('mcs')
> -subdir('mls')
> + selinux_policy = false
> + endif
> + endif
> +
> + if selinux_policy
> + install_data('virt.if',
> + install_dir : 'share/selinux/devel/include/distributed')
> +
> + subdir('mcs')
> + subdir('mls')
> + endif
> +endif
> --
> 2.31.1
>
On Tue, Aug 10, 2021 at 11:10:56AM +0200, Pavel Hrdina wrote:
> On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> > The /etc/os-release file may not even exist on OS and checking specific
> > OS names / versions in the build rules duplicates conditions that are
> > set in the RPM.
> >
> > Instead we just look for existance of the tools we need to build the
> > policy module. In doing so, we also introduce '-Dselinux_policy'
> > feature flag to let it be controlled explicitly.
> >
> > Since some versions will have an SELinux policy that is too old, we also
> > need to do a feature check for the newest interface(s) that we require.
> > Currently this is achieved by looking for "systemd_machined_stream_connect".
> > The "macro-expander" command can be used to check for SELinux policy
> > interfaces, as it will return empty string for any that don't exist.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> > ---
> > libvirt.spec.in | 7 ++++++
> > meson.build | 1 +
> > meson_options.txt | 1 +
> > src/security/meson.build | 13 +---------
> > src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> > 5 files changed, 46 insertions(+), 19 deletions(-)
>
> [...]
>
> > diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> > index dda8730141..af5a5e38cb 100644
> > --- a/src/security/selinux/meson.build
> > +++ b/src/security/selinux/meson.build
> > @@ -1,10 +1,39 @@
> > -semod_prog = find_program('semodule_package')
> > -checkmod_prog = find_program('checkmodule')
> > -bzip2_prog = find_program('bzip2')
> > +selinux_policy_opt = get_option('selinux_policy')
> > +selinux_policy = false
> > +if not selinux_policy_opt.disabled()
> > + semod_prog = find_program('semodule_package', required: selinux_policy_opt)
> > + checkmod_prog = find_program('checkmodule', required: selinux_policy_opt)
> > + macroexpander_prog = find_program('macro-expander', required: selinux_policy_opt)
> > + bzip2_prog = find_program('bzip2')
>
> Here we should use `, required: selinux_policy_opt` as well, otherwise
> missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
> is `auto`.
I wonder if we should also actually check for 'sed' and 'm4' since the
script we're calling out to will invoke them too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|