On Wed, Mar 10, 2021 at 7:43 AM Nikola Knazekova <nknazeko(a)redhat.com> wrote:
From: Vit Mojzis <vmojzis(a)redhat.com>
Compile the policy using a shell script executed by meson.
Signed-off-by: Vit Mojzis <vmojzis(a)redhat.com>
---
libvirt.spec.in | 12 ------------
meson.build | 12 ++++++++++++
selinux/compile_policy.sh | 39 +++++++++++++++++++++++++++++++++++++++
selinux/meson.build | 23 +++++++++++++++++++++++
4 files changed, 74 insertions(+), 12 deletions(-)
create mode 100755 selinux/compile_policy.sh
create mode 100644 selinux/meson.build
diff --git a/libvirt.spec.in b/libvirt.spec.in
index db08d91043..de664084fa 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1240,14 +1240,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y'
%{_specdir}/%{name}.spec)
%{?arg_login_shell}
%meson_build
-%if 0%{?with_selinux}
-# SELinux policy (originally from selinux-policy-contrib)
-# this policy module will override the production module
-cd selinux
-
-make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
-bzip2 -9 %{modulename}.pp
-%endif
%install
rm -fr %{buildroot}
@@ -1332,10 +1324,6 @@ mv
$RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
%endif
%endif
-%if 0%{?with_selinux}
-install -D -m 0644 selinux/%{modulename}.pp.bz2
%{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
-%endif
-
%check
# Building on slow archs, like emulated s390x in Fedora copr, requires
# raising the test timeout
diff --git a/meson.build b/meson.build
index c81c6ab205..d060e441b5 100644
--- a/meson.build
+++ b/meson.build
@@ -2183,6 +2183,18 @@ endif
subdir('build-aux')
+os_release = run_command('grep', '^ID=',
'/etc/os-release').stdout()
+os_version = run_command('grep', '^VERSION_ID=',
'/etc/os-release').stdout().split('=')
+if (os_version.length() == 2)
+ os_version = os_version[1]
+else
+ os_version = 0
+endif
+
+if ((os_release.contains('fedora') and
os_version.version_compare('>32')) or
+ (os_release.contains('rhel') and
os_version.version_compare('>7')))
+ subdir('selinux')
+endif
# install pkgconfig files
pkgconfig_files = [
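Review bot: The `VERSION_ID=` value read from `/etc/os-release` is used without stripping, so `os_version` still carries the trailing newline that `stdout()` returns and, on distributions that quote the value (`VERSION_ID="8.3"` style), the surrounding quotes; whether `version_compare()` tolerates either is not obvious and should be checked before the `subdir('selinux')` condition is trusted. The fallback `os_version = 0` is an integer while the success path yields a string, so the later `os_version.version_compare(...)` only stays safe as long as the `and` short-circuits on the `contains()` test first. Both `run_command` calls also omit `check:`, so on a host without `/etc/os-release` the greps fail silently and the whole block degrades to "no selinux" without any diagnostic. A minimal tightening is `os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release', check: false).stdout().strip().split('=')` together with a string fallback `os_version = '0'`; a dedicated build option (read via `get_option()`) instead of host-OS sniffing would additionally let cross and container builds decide explicitly.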
diff --git a/selinux/compile_policy.sh b/selinux/compile_policy.sh
new file mode 100755
index 0000000000..02780e4aed
--- /dev/null
+++ b/selinux/compile_policy.sh
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -x
+
+if [[ $# -ne 5 ]] ; then
+ echo "Usage: compile_policy.sh <policy>.te <policy>.if
<policy>.fc <output>.pp <tmpdir>"
+ exit 1
+fi
+
+# checkmodule requires consistent file names
+MODULE_NAME=$(basename -- "$1")
+MODULE_NAME=${MODULE_NAME%.*}
+
+M4PARAM="-D enable_mcs -D distro_redhat -D hide_broken_symptoms -D mls_num_sens=16
-D mls_num_cats=1024 -D mcs_num_cats=1024"
+SHAREDIR="/usr/share/selinux"
+HEADERDIR="$SHAREDIR/devel/include"
+M4SUPPORT=$(echo $HEADERDIR/support/*.spt)
+HEADER_LAYERS=$(find "/usr/share/selinux/devel/include"/* -maxdepth 0 -type d
| grep -v "/usr/share/selinux/devel/include/support")
+HEADER_INTERFACES=""
+for LAYER in $HEADER_LAYERS
+do
+ HEADER_INTERFACES="$HEADER_INTERFACES $(echo $LAYER/*.if)"
+done
+
+# prepare temp folder
+mkdir -p $5
+# remove old trash from the temp folder
+rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"
+# tmp/all_interfaces.conf
+echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4
+echo "divert(-1)" > $5/all_interfaces.conf
+m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4 | sed -e s/dollarsstar/\$\$\*/g
>> $5/all_interfaces.conf
+echo "divert" >> $5/all_interfaces.conf
+# tmp/%.mod
+m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp
+/usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod
+# tmp/%.mod.fc
+m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc
+# %.pp
+/usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod -f $5/$MODULE_NAME.mod.fc
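Review bot: The cleanup line `rm -rf "$5/iferror.m4 $5/all_interfaces.conf $5/$MODULE_NAME.*"` quotes all three paths as a single argument, so rm receives one non-existent name containing literal spaces and `.*`, `-f` hides the error, and nothing is actually removed. Because the script only sets `set -x` and not `set -e`, a failing `checkmodule` does not stop execution, and `semodule_package` can then wrap a stale `$5/$MODULE_NAME.mod` left over from an earlier run into the freshly named `.pp` with a zero exit status from the last command. The shebang is `#!/bin/sh` while the argument check uses the bash-only `[[ $# -ne 5 ]]`; under a POSIX sh that test fails as "command not found" and the usage check is skipped rather than enforced. `set -x` additionally echoes every command, including the long m4 argument lists, into the build log's stderr. The lines below switch to `set -eu`, a POSIX test, a quoted `$5` and separate rm operands (the `m4 ... | sed` pipeline would still need an explicit status check, since `pipefail` is not available in plain sh).
```shell
#!/bin/sh
set -eu

if [ "$#" -ne 5 ] ; then
# … unchanged: usage message and exit 1 …
fi
# … unchanged: MODULE_NAME, M4PARAM, header discovery …

# prepare temp folder
mkdir -p -- "$5"
# remove old trash from the temp folder
rm -rf -- "$5/iferror.m4" "$5/all_interfaces.conf" "$5/$MODULE_NAME".*
# … unchanged: m4 / checkmodule / semodule_package steps (quote "$5" there as well) …
```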
diff --git a/selinux/meson.build b/selinux/meson.build
new file mode 100644
index 0000000000..1c76fd40aa
--- /dev/null
+++ b/selinux/meson.build
@@ -0,0 +1,23 @@
+selinux_sources = [
+ 'virt.te',
+ 'virt.if',
+ 'virt.fc',
+]
+
+compile_policy_prog = find_program('compile_policy.sh')
+
+virt_pp = custom_target('virt.pp',
+ output : 'virt.pp',
+ input : selinux_sources,
+ command : [compile_policy_prog, '@INPUT@', '@OUTPUT@',
'selinux/tmp'],
+ install : false)
+
+bzip2_prog = find_program('bzip2')
+
+bzip = custom_target('virt.pp.bz2',
+ output : 'virt.pp.bz2',
+ input : virt_pp,
+ command : [bzip2_prog, '-c', '-9', '@INPUT@'],
+ capture : true,
+ install : true,
+ install_dir : 'share/selinux/packages/targeted')
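Review bot: The scratch directory handed to the script as the literal `'selinux/tmp'` is a fixed path relative to whatever directory meson runs the custom_target command from (presumably the build root), and meson neither declares nor cleans it, so intermediate `.mod`/`.tmp` files survive `ninja clean` and reconfiguration and can leak into the next build; passing `join_paths(meson.current_build_dir(), 'tmp')` keeps it under the target's own build directory. `install_dir : 'share/selinux/packages/targeted'` hard-codes both the `share` prefix segment and the `targeted` policy type that the spec file previously derived from `%{selinuxtype}`; `join_paths(get_option('datadir'), 'selinux/packages/targeted')` at least honours `--datadir`, and the policy type is a natural candidate for a build option. The `virt.pp` target lists only the three policy sources as `input`, but the script also reads the system policy headers under `/usr/share/selinux/devel/include`, which meson cannot track, so a distro policy update will not trigger a rebuild of the module; a comment on the target stating that limitation would save the next maintainer a puzzled hour.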
--
2.29.2
This smells like a bad idea, because we're not relying on the
framework that SELinux policies are supposed to be built with. I don't
think we should do this.
--
真実はいつも一つ!/ Always, there's only one truth!