5:35 a.m.
On Wed, Mar 10, 2021 at 01:50:43PM -0500, Neal Gompa wrote:
On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova
<nknazeko(a)redhat.com> wrote:
>
> From: Vit Mojzis <vmojzis(a)redhat.com>
>
> Compile the policy using a shell script executed by meson.
>
> Signed-off-by: Vit Mojzis <vmojzis(a)redhat.com>
> ---
> libvirt.spec.in | 12 ------------
> meson.build | 12 ++++++++++++
> selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++
> selinux/meson.build | 23 +++++++++++++++++++++++
> 4 files changed, 74 insertions(+), 12 deletions(-)
> create mode 100755 selinux/compile_policy.sh
> create mode 100644 selinux/meson.build
>
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index db08d91043..de664084fa 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y'
%{_specdir}/%{name}.spec)
> %{?arg_login_shell}
>
> %meson_build
> -%if 0%{?with_selinux}
> -# SELinux policy (originally from selinux-policy-contrib)
> -# this policy module will override the production module
> -cd selinux
> -
> -make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
> -bzip2 -9 %{modulename}.pp
> -%endif
>
> %install
> rm -fr %{buildroot}
> @@ -1332,10 +1324,6 @@ mv
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
> %endif
> %endif
>
> -%if 0%{?with_selinux}
> -install -D -m 0644 selinux/%{modulename}.pp.bz2
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
> -%endif
> -
> %check
> # Building on slow archs, like emulated s390x in Fedora copr, requires
> # raising the test timeout
> diff --git a/meson.build b/meson.build
> index c81c6ab205..d060e441b5 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -2183,6 +2183,18 @@ endif
>
> subdir('build-aux')
>
> +os_release = run_command('grep', '^ID=',
'/etc/os-release').stdout()
> +os_version = run_command('grep', '^VERSION_ID=',
'/etc/os-release').stdout().split('=')
> +if (os_version.length() == 2)
> + os_version = os_version[1]
> +else
> + os_version = 0
> +endif
> +
> +if ((os_release.contains('fedora') and
os_version.version_compare('>32')) or
> + (os_release.contains('rhel') and
os_version.version_compare('>7')))
> + subdir('selinux')
> +endif
>
> # install pkgconfig files
> pkgconfig_files = [
> diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh
> new file mode 100755
> index 0000000000..02780e4aed
> --- /dev/null
> +++ b/selinux/compile_policy.sh
> @@ -0,0 +1,39 @@
> +#!/bin/sh
> +set -x
> +
> +if [[ $# -ne 5 ]] ; then
> + echo "Usage: compile_policy.sh <policy>.te <policy>.if
<policy>.fc <output>.pp <tmpdir>"
> + exit 1
> +fi
> +
> +# checkmodule requires consistent file names
> +MODULE_NAME=$(basename -- "$1")
> +MODULE_NAME=${MODULE_NAME%.*}
> +
> +M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D
mls_num_sens=16 -D mls_num_cats=1024 -D mcs_num_cats=1024"
> +SHAREDIR="/usr/share/selinux"
> +HEADERDIR="$SHAREDIR/devel/include"
> +M4SUPPORT=$(echo $HEADERDIR/support/*.spt)
> +HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0
-type d | grep -v "/usr/share/selinux/devel/include/support")
> +HEADER_INTERFACES=""
> +for LAYER in $HEADER_LAYERS
> +do
> + HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)"
> +done
> +
> +# prepare temp folder
> +mkdir -p $5
> +# remove old trash from the temp folder
> +rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"
> +# tmp/all_interfaces.conf
> +echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4
> +echo "divert(-1)" > $5/all_interfaces.conf
> +m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g
>> $5/all_interfaces.conf
> +echo "divert" >> $5/all_interfaces.conf
> +# tmp/%.mod
> +m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp
> +/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod
> +# tmp/%.mod.fc
> +m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc
> +# %.pp
> +/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
Can you change this to use Python, since our strategy is to eliminate
use of all scripting languages other than Python 3:
https://libvirt.org/strategy.html
> diff --git a/selinux/meson.build b/selinux/meson.build
> new file mode 100644
> index 0000000000..1c76fd40aa
> --- /dev/null
> +++ b/selinux/meson.build
> @@ -0,0 +1,23 @@
> +selinux_sources = [
> + 'virt.te',
> + 'virt.if',
> + 'virt.fc',
> +]
> +
> +compile_policy_prog = find_program('compile_policy.sh')
> +
> +virt_pp = custom_target('virt.pp',
> + output : 'virt.pp',
> + input : selinux_sources,
> + command : [compile_policy_prog, '@INPUT@', '@OUTPUT@',
'selinux/tmp'],
> + install : false)
> +
> +bzip2_prog = find_program('bzip2')
> +
> +bzip = custom_target('virt.pp.bz2',
> + output : 'virt.pp.bz2',
> + input : virt_pp,
> + command : [bzip2_prog, '-c', '-9', '@INPUT@'],
> + capture : true,
> + install : true,
> + install_dir : 'share/selinux/packages/targeted')
> --
> 2.29.2
>
This smells like a bad idea, because we're not relying on the
framework that SELinux policies are supposed to be built with. I don't
think we should do this.
The important part is the use of tools for compiling the policy. The way
you glue them into a build system is a app specific, and it makes no sense
to use SELinux provided Makefiles, when our build system is meson.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|