Allow to enable or disable SELinux policy checking #7367
Conversation
According to the online manual of autoconf[1]: Be aware that, like most Autoconf macros, they test a feature of the host machine, and therefore, they die when cross-compiling. This uses the macro AS_IF[2] instead of AC_CHECK_FILE[1] to avoid to die if the file is not found and if cross-compiling. [1]: https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.72/html_node/Files.html [2]: https://www.gnu.org/savannah-checkouts/gnu/autoconf/manual/autoconf-2.72/html_node/Common-Shell-Constructs.html#index-AS_005fIF-1 Fixes: checking for /usr/share/selinux/devel/Makefile... configure: error: cannot check for file existence when cross compiling Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
This produces the output below if SELinux policy is built: build SELinux policy: yes Or the output below if it is not built: build SELinux policy: no Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
|
This is a workaround as the configure script checks for an host-file to detect if the SELinux policy is to be built or not, whatever if doing native-or-cross-compiling. IMO, a What is your opinion? |
gportay
changed the title
|
Thanks. Yes, making an enable option is preferred. We can default to enable but you can disable in your cross-compilation build. |
The file /usr/share/selinux/devel/Makefile is used to guess if the
SELinux is to be built or not.
This adds the option --enable-selinux to enable or disable explicitly
the build of the SELlinux policy without the need to check for the file.
Note: If SELinux is not explicitly enabled or disabled, the configure
script still autoguesses if the SELinux policy is to be built by testing
the file existence.
Tested:
gportay@archlinux ~/src/freeipa $ ./configure --disable-server --with-ipaplatform=base --disable-selinux
(...)
build SELinux policy: no
gportay@archlinux ~/src/freeipa $ ./configure --disable-server --with-ipaplatform=base --enable-selinux
(...)
build SELinux policy: yes
gportay@archlinux ~/src/freeipa $ ls -1 /usr/share/selinux/devel/Makefile
ls: cannot access '/usr/share/selinux/devel/Makefile': No such file or directory
gportay@archlinux ~/src/freeipa $ ./configure --disable-server --with-ipaplatform=base
(...)
build SELinux policy: no
gportay@archlinux ~/src/freeipa $ ls -1 /usr/share/selinux/devel/Makefile
/usr/share/selinux/devel/Makefile
gportay@archlinux ~/src/freeipa $ ./configure --disable-server --with-ipaplatform=base
build SELinux policy: yes
Signed-off-by: Gaël PORTAY <gael.portay@rtone.fr>
|
Hello @abbra, is that the change you requested? ^ |
|
Yes, this looks good. I launched full CI run. |
gportay
changed the title
|
@abbra Thanks! I have a question. Do you mind if I make a change to not create it if SELinux is disabled? (The directory is empty, I guess). It could be conditioned in the top Makefile maybe? |
|
I think it is a side-effect of how automake works with If you want to avoid installing even a directory, then the whole should be put inside the |
That is why I asked, to not break the world. I can tackle that later if you want. |
Dear Maintainers,
I am trying to cross-compile (the client) and the
./configurefails because the host machine does not have the file/usr/share/selinux/devel/Makefileinstalled.Note: It fails because the macro AC_CHECK_FILE dies if the file is not found and if cross-compiling. The
./configuredoes not fail if doing native-compiling.The first patch replaces the use of AC_CHECK_FILE by AS_IF, as in that change in that PR.
The second patch outputs for if the SELinux policy is used or not.
Regards,
Gaël
Fixes: