On Tue, Aug 10, 2021 at 05:35:58PM +0100, Daniel P. Berrangé wrote:
On Tue, Aug 10, 2021 at 11:10:56AM +0200, Pavel Hrdina wrote:
> On Fri, Aug 06, 2021 at 06:48:06PM +0100, Daniel P. Berrangé wrote:
> > The /etc/os-release file may not even exist on the OS and checking specific
> > OS names / versions in the build rules duplicates conditions that are
> > set in the RPM.
> >
> > Instead we just look for existence of the tools we need to build the
> > policy module. In doing so, we also introduce '-Dselinux_policy'
> > feature flag to let it be controlled explicitly.
> >
> > Since some versions will have an SELinux policy that is too old, we also
> > need to do a feature check for the newest interface(s) that we require.
> > Currently this is achieved by looking for "systemd_machined_stream_connect".
> > The "macro-expander" command can be used to check for SELinux policy
> > interfaces, as it will return empty string for any that don't exist.
> >
> > Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> > ---
> > libvirt.spec.in | 7 ++++++
> > meson.build | 1 +
> > meson_options.txt | 1 +
> > src/security/meson.build | 13 +---------
> > src/security/selinux/meson.build | 43 ++++++++++++++++++++++++++------
> > 5 files changed, 46 insertions(+), 19 deletions(-)
>
> [...]
>
> > diff --git a/src/security/selinux/meson.build
b/src/security/selinux/meson.build
> > index dda8730141..af5a5e38cb 100644
> > --- a/src/security/selinux/meson.build
> > +++ b/src/security/selinux/meson.build
> > @@ -1,10 +1,39 @@
> > -semod_prog = find_program('semodule_package')
> > -checkmod_prog = find_program('checkmodule')
> > -bzip2_prog = find_program('bzip2')
> > +selinux_policy_opt = get_option('selinux_policy')
> > +selinux_policy = false
> > +if not selinux_policy_opt.disabled()
> > + semod_prog = find_program('semodule_package', required:
selinux_policy_opt)
> > + checkmod_prog = find_program('checkmodule', required:
selinux_policy_opt)
> > + macroexpander_prog = find_program('macro-expander', required:
selinux_policy_opt)
> > + bzip2_prog = find_program('bzip2')
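
Review bot: the `bzip2` lookup on the last added line is the only `find_program()` call inside the `if not selinux_policy_opt.disabled()` block that has no `required:` argument, so it falls back to Meson's default of required and aborts `meson setup` when bzip2 is missing, even with the feature set to `auto`. Pass `required: selinux_policy_opt` as the three lookups above it do, and have whatever later flips `selinux_policy` from `false` to true test `bzip2_prog.found()` along with the other tools.
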
>
> Here we should use `, required: selinux_policy_opt` as well, otherwise
> missing bzip2 would fail the `meson setup` phase if `selinux_policy_opt`
> is `auto`.

I wonder if we should also actually check for 'sed' and 'm4' since the
script we're calling out to will invoke them too.

Good point, we already check for 'sed' or 'gsed' in
'build-aux/meson.build' so we could move it to the main meson.build
file. I was thinking about skipping the check for 'm4' if it's already
a dependency of the selinux tools, but there should be no harm in
checking it as well.

Pavel