How to properly handle optional parameters in file context?

[ffontaine]

Some parameters such as httpd_nutups_cgi_script_t is defined as optional in nut.te but httpd_nutups_cgi_script_exec_t is unconditionally used in nut.fc resulting in the following build failure when validating file context without services/apache:

Validating targeted file_contexts.
env LD_LIBRARY_PATH="/tmp/instance-1/output-1/host/lib:/tmp/instance-1/output-1/host/usr/lib" /tmp/instance-1/output-1/host/sbin/setfiles -q -c /tmp/instance-1/output-1/target/etc/selinux/targeted/policy/policy.33 file_contexts
libsepol.context_from_record: type httpd_nutups_cgi_script_exec_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:httpd_nutups_cgi_script_exec_t to sid
invalid context system_u:object_r:httpd_nutups_cgi_script_exec_t

This issue is raised in nut but also in all packages that can optionally share content through apache such collectd, cvs, git, etc. What is the proper way of fixing this?

[ghost]

i think it is a subjective topic. we've discussed this issue before. I see generally two options.

1. move the httpd dependent policy to httpd module.
2. create separate modules for the various non-default httpd content policies in this case you;d create a nut_httpd module for the nut httpd specific bits, that will then allow you to exclude the nut_httpd module along with the httpd module.

I like option 2 the best for its flexibility/efficiency, but it is not the prettiest option

[ffontaine]

Thanks for your feedback, as a short term solution, we have added apache module to nut and all the other packages.

[github-actions]

This issue has not had any recent activity. It will be closed in 7 days if it makes no further progress.

[github-actions]

Closing stale PR.