From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Vit Mojzis
Subject: [libvirt PATCH 09/13] selinux: introduce meson option for selinux policy install
Date: Fri, 6 Aug 2021 18:48:06 +0100
Message-Id: <20210806174810.3730064-10-berrange@redhat.com>
In-Reply-To: <20210806174810.3730064-1-berrange@redhat.com>
References: <20210806174810.3730064-1-berrange@redhat.com>
List-Id: Development discussions about the libvirt library & tools

The /etc/os-release file may not even exist on the OS, and checking specific OS names / versions in the build rules duplicates conditions that are set in the RPM. Instead we just look for the existence of the tools we need to build the policy module. In doing so, we also introduce a '-Dselinux_policy' feature flag to let it be controlled explicitly.

Since some versions will have an SELinux policy that is too old, we also need to do a feature check for the newest interface(s) that we require. Currently this is achieved by looking for "systemd_machined_stream_connect". The "macro-expander" command can be used to check for SELinux policy interfaces, as it will return an empty string for any that don't exist.
Signed-off-by: Daniel P. Berrang=C3=A9 --- libvirt.spec.in | 7 ++++++ meson.build | 1 + meson_options.txt | 1 + src/security/meson.build | 13 +--------- src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------ 5 files changed, 46 insertions(+), 19 deletions(-) diff --git a/libvirt.spec.in b/libvirt.spec.in index bb693b58bf..d86cca7930 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -1113,6 +1113,12 @@ exit 1 %define arg_remote_mode -Dremote_default_mode=3Dlegacy %endif =20 +%if %{with_selinux_policy} + %define arg_selinux_policy -Dselinux_policy=3Denabled +%else + %define arg_selinux_policy -Dselinux_policy=3Ddisabled +%endif + %define when %(date +"%%F-%%T") %define where %(hostname) %define who %{?packager}%{!?packager:Unknown} @@ -1165,6 +1171,7 @@ export SOURCE_DATE_EPOCH=3D$(stat --printf=3D'%Y' %{_= specdir}/%{name}.spec) %{?arg_netcf} \ -Dselinux=3Denabled \ %{?arg_selinux_mount} \ + %{?arg_selinux_policy} \ -Dapparmor=3Ddisabled \ -Dapparmor_profiles=3Ddisabled \ -Dsecdriver_apparmor=3Ddisabled \ diff --git a/meson.build b/meson.build index e25dc17fc8..6ea47fa0d7 100644 --- a/meson.build +++ b/meson.build @@ -2302,6 +2302,7 @@ summary(storagedriver_summary, section: 'Storage Driv= ers', bool_yn: true) =20 secdriver_summary =3D { 'SELinux': conf.has('WITH_SECDRIVER_SELINUX'), + 'sVirt policy': selinux_policy, 'AppArmor': conf.has('WITH_SECDRIVER_APPARMOR'), } summary(secdriver_summary, section: 'Security Drivers', bool_yn: true) diff --git a/meson_options.txt b/meson_options.txt index 7287cf1222..5537758f56 100644 --- a/meson_options.txt +++ b/meson_options.txt 
@@ -39,6 +39,7 @@ option('sanlock', type: 'feature', value: 'auto', descrip= tion: 'sanlock support' option('sasl', type: 'feature', value: 'auto', description: 'sasl support') option('selinux', type: 'feature', value: 'auto', description: 'selinux su= pport') option('selinux_mount', type: 'string', value: '', description: 'set SELin= ux mount point') +option('selinux_policy', type: 'feature', value: 'auto', description: 'sel= inux sVirt policy') option('selinux_policy_includes', type: 'string', value: '/usr/share/selin= ux/devel/include', description: 'SELinux policy include directory') option('udev', type: 'feature', value: 'auto', description: 'udev support') option('wireshark_dissector', type: 'feature', value: 'auto', description:= 'wireshark support') diff --git a/src/security/meson.build b/src/security/meson.build index ac360fa37a..b08c4df1cf 100644 --- a/src/security/meson.build +++ b/src/security/meson.build @@ -56,15 +56,4 @@ if conf.has('WITH_APPARMOR_PROFILES') subdir('apparmor') endif =20 -os_release =3D run_command('grep', '^ID=3D', '/etc/os-release').stdout() -os_version =3D run_command('grep', '^VERSION_ID=3D', '/etc/os-release').st= dout().split('=3D') -if (os_version.length() =3D=3D 2) - os_version =3D os_version[1] -else - os_version =3D 0 -endif - -if ((os_release.contains('fedora') and os_version.version_compare('>33')) = or - (os_release.contains('rhel') and os_version.version_compare('>8'))) - subdir('selinux') -endif +subdir('selinux') diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.= build index dda8730141..af5a5e38cb 100644 --- a/src/security/selinux/meson.build +++ b/src/security/selinux/meson.build 
@@ -1,10 +1,39 @@ -semod_prog =3D find_program('semodule_package') -checkmod_prog =3D find_program('checkmodule') -bzip2_prog =3D find_program('bzip2') +selinux_policy_opt =3D get_option('selinux_policy') +selinux_policy =3D false +if not selinux_policy_opt.disabled() + semod_prog =3D find_program('semodule_package', required: selinux_policy= _opt) + checkmod_prog =3D find_program('checkmodule', required: selinux_policy_o= pt) + macroexpander_prog =3D find_program('macro-expander', required: selinux_= policy_opt) + bzip2_prog =3D find_program('bzip2') + selinux_policy_includes =3D get_option('selinux_policy_includes') =20 -selinux_policy_includes =3D get_option('selinux_policy_includes') + if semod_prog.found() and checkmod_prog.found() and \ + bzip2_prog.found() and macroexpander_prog.found() + selinux_policy =3D true + else + if selinux_policy_opt.enabled() + error('selinux policy requested but required build tools are missing= ') + endif + endif =20 -install_data('virt.if', install_dir : 'share/selinux/devel/include/distrib= uted') + if selinux_policy + data =3D run_command(macroexpander_prog, + 'systemd_machined_stream_connect').stdout() + if data =3D=3D '' + if selinux_policy_opt.enabled() + error('selinux policy version is too old, ' + + 'missing "systemd_machined_stream_connect"') + endif =20 -subdir('mcs') -subdir('mls') + selinux_policy =3D false + endif + endif + + if selinux_policy + install_data('virt.if', + install_dir : 'share/selinux/devel/include/distributed') + + subdir('mcs') + subdir('mls') + endif +endif --=20 2.31.1
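Review bot: in the libvirt.spec.in hunk, `%if %{with_selinux_policy}` relies on a `with_selinux_policy` macro that nothing in this patch defines; an undefined macro inside `%if` is left unexpanded and breaks the conditional at rpmbuild time, so the `%define with_selinux_policy 0`/`1` switch (next to the other `with_*` switches) has to land in an earlier patch of this series or in this one. The two `-Dselinux_policy=enabled`/`disabled` lines and the `%{?arg_selinux_policy} \` insertion into the configure call mirror how `arg_remote_mode` is handled just above and look right.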
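Review bot: the new `'sVirt policy': selinux_policy,` entry in the top-level meson.build summary reads a variable that is only ever assigned inside src/security/selinux/meson.build; if that directory is not walked on some configuration, meson aborts at `summary()` with an unknown-variable error rather than printing "no". Seeding `selinux_policy = false` in the top-level meson.build before the src/security subdir is entered makes the summary line safe on every path.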
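Review bot: the meson_options.txt description `'selinux sVirt policy'` does not say what the feature does; since the other options in the file describe an effect ("sanlock support", "set SELinux mount point"), something like 'build and install the SELinux sVirt policy module' would tell a packager what toggling it changes.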
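Review bot: in src/security/selinux/meson.build, `bzip2_prog = find_program('bzip2')` is the one lookup without `required: selinux_policy_opt`, so with the option at its default 'auto' a host lacking bzip2 aborts configure outright instead of falling through to the `bzip2_prog.found()` test and disabling the policy build; pass `required: selinux_policy_opt` there as well. Second, `run_command(macroexpander_prog, 'systemd_machined_stream_connect').stdout()` only inspects stdout, so a macro-expander that exits non-zero (missing policy devel files, wrong include directory) also yields an empty string and is then reported as 'selinux policy version is too old', which points the packager at the wrong cause; check `.returncode()` and show `.stderr()` before concluding the interface is absent. Finally, on the 'auto' path both the missing-tools branch and the empty-expansion branch silently set `selinux_policy = false`; a `message()` saying which tool or interface was missing would save a round trip, since the summary only prints "no".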
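The commit message describes the technique the patch relies on: probe for the policy build tools, then ask macro-expander for a required interface and treat an empty expansion as "policy too old". The following is an added example, not libvirt's code and not part of this patch: a stand-alone POSIX shell pre-flight check a packager can run on a build host before configuring. It generalises the single systemd_machined_stream_connect probe to any list of interface names, and it separates "interface absent" from "macro-expander could not be run", which the meson logic does not. It assumes only what the commit message states about macro-expander (expansion on stdout, nothing for an unknown interface); the MACRO_EXPANDER override variable, the function names and the sample interface list are this example's own conventions.

```shell
#!/bin/sh
# Added example (not libvirt's code): pre-flight check for building the
# sVirt SELinux policy module, mirroring the meson logic in the patch.
#
# Assumptions (this example's own, not libvirt's or SELinux's):
#  - macro-expander prints an interface's expansion on stdout and prints
#    nothing for an interface the installed policy does not define;
#  - MACRO_EXPANDER, if set, names the macro-expander binary to use.

# Return 0 if every tool the policy build needs is on PATH, 1 otherwise.
# The first missing tool is reported on stderr.
check_policy_tools() {
    for tool in semodule_package checkmodule macro-expander bzip2; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing build tool: $tool" >&2
            return 1
        fi
    done
    return 0
}

# Probe one interface name ($1) through macro-expander.
#   0: interface exists (non-empty expansion)
#   1: macro-expander ran but printed nothing (interface unknown, policy too old)
#   2: macro-expander could not be run or exited non-zero (tool problem)
# Keeping 1 and 2 apart avoids reporting a broken tool as an old policy.
check_policy_interface() {
    iface=$1
    expander=${MACRO_EXPANDER:-macro-expander}
    if ! out=$("$expander" "$iface" 2>/dev/null); then
        return 2
    fi
    [ -n "$out" ] || return 1
    return 0
}

# Check a whitespace-separated list of interface names ($1).
# Returns the number of interfaces the policy lacks (0 = new enough),
# or 255 if macro-expander itself failed for any of them.
check_required_interfaces() {
    missing=0
    for iface in $1; do
        rc=0
        check_policy_interface "$iface" || rc=$?
        case $rc in
            0) ;;
            1) echo "policy too old: missing interface $iface" >&2
               missing=$((missing + 1)) ;;
            *) echo "cannot run macro-expander for $iface" >&2
               return 255 ;;
        esac
    done
    return $missing
}
```

Typical use after sourcing the file: `check_policy_tools && check_required_interfaces "systemd_machined_stream_connect"`, extending the quoted list as newer interfaces become required; a non-zero result with a "policy too old" line means `-Dselinux_policy=enabled` would fail on that host, while "cannot run macro-expander" means the policy devel package itself needs attention first.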