On Tue, Aug 10, 2021 at 11:10:56AM +0200, Pavel Hrdina wrote:
On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> The /etc/os-release file may not even exist on OS and checking specific
> OS names / versions in the build rules duplicates conditions that are
> set in the RPM.
>
> Instead we just look for existence of the tools we need to build the
> policy module. In doing so, we also introduce '-Dselinux_policy'
> feature flag to let it be controlled explicitly.
>
> Since some versions will have an SELinux policy that is too old, we also
> need to do a feature check for the newest interface(s) that we require.
> Currently this is achieved by looking for
> "systemd_machined_stream_connect".
> The "macro-expander" command can be used to check for SELinux policy
> interfaces, as it will return empty string for any that don't exist.
>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> ---
> libvirt.spec.in | 7 ++++++
> meson.build | 1 +
> meson_options.txt | 1 +
> src/security/meson.build | 13 +---------
> src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> 5 files changed, 46 insertions(+), 19 deletions(-)
[...]
> diff --git a/src/security/selinux/meson.build b/src/security/selinux/meson.build
> index dda8730141..af5a5e38cb 100644
> --- a/src/security/selinux/meson.build
> +++ b/src/security/selinux/meson.build
> @@ -1,10 +1,39 @@
> -semod_prog = find_program('semodule_package')
> -checkmod_prog = find_program('checkmodule')
> -bzip2_prog = find_program('bzip2')
> +selinux_policy_opt = get_option('selinux_policy')
> +selinux_policy = false
> +if not selinux_policy_opt.disabled()
> + semod_prog = find_program('semodule_package', required:
selinux_policy_opt)
> + checkmod_prog = find_program('checkmodule', required:
selinux_policy_opt)
> + macroexpander_prog = find_program('macro-expander', required:
selinux_policy_opt)
> + bzip2_prog = find_program('bzip2')
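Review bot: with `required: selinux_policy_opt`, the lookups for `semodule_package`, `checkmodule` and `macro-expander` return a not-found program instead of failing when the option is `auto`, so `selinux_policy` should only change from its initial `false` once `.found()` is true for every one of them. The `bzip2` lookup on the last line has no `required:` argument, so it stays mandatory whenever the option is not disabled, which is inconsistent with the other three.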
Here we should use `, required: selinux_policy_opt` as well, otherwise
missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
is `auto`.
I wonder if we should also actually check for 'sed' and 'm4' since the
script we're calling out to will invoke them too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|