| Message ID | 20191009220641.24605-4-arnout@mind.be |
|---|---|
| State | Superseded |
| Series | None |
Hello,

On Thu, 10 Oct 2019 00:06:41 +0200
"Arnout Vandecappelle (Essensium/Mind)" <arnout@mind.be> wrote:

> The selinux-python package has two suboptions, audit2allow and sepolgen.
> If neither of them is selected, nothing gets installed, which is not so
> nice. Since audit2allow selects sepolgen, sepolgen will always be
> installed if anything is installed. Therefore, it makes no sense to have
> a separate option for sepolgen.

That does not take into account the fact that our Buildroot package
does not install everything that selinux-python provides.

selinux-python provides:

- audit2allow, a bunch of Python tools that use the sepolgen Python
  module, provided by the same package

- chcat, a standalone Python that uses libselinux + semanage (it seems)

- semanage, a Python tool that uses sepolicy and provides the seobject
  module used by chcat

- sepolgen, a Python module used by audit2allow

- sepolicy, a Python module used by semanage

As you can see, there's much more than audit2allow and sepolgen in this
package, even though those additional things are not installed today.

Therefore, I think it makes sense to keep separate options for the
different components, especially because it maps with the top-level
directories of selinux-python:

$ ls
audit2allow chcat COPYING Makefile semanage sepolgen sepolicy VERSION

Best regards,

Thomas
On 10/10/2019 09:26, Thomas Petazzoni wrote:
> Hello,
>
> On Thu, 10 Oct 2019 00:06:41 +0200
> "Arnout Vandecappelle (Essensium/Mind)" <arnout@mind.be> wrote:
>
>> The selinux-python package has two suboptions, audit2allow and sepolgen.
>> If neither of them is selected, nothing gets installed, which is not so
>> nice. Since audit2allow selects sepolgen, sepolgen will always be
>> installed if anything is installed. Therefore, it makes no sense to have
>> a separate option for sepolgen.
>
> That does not take into account the fact that our Buildroot package
> does not install everything that selinux-python provides.

Yes, I wasn't too sure about this patch. I should have marked it as RFC.

> selinux-python provides:
>
> - audit2allow, a bunch of Python tools that use the sepolgen Python
>   module, provided by the same package
>
> - chcat, a standalone Python that uses libselinux + semanage (it seems)
>
> - semanage, a Python tool that uses sepolicy and provides the seobject
>   module used by chcat
>
> - sepolgen, a Python module used by audit2allow
>
> - sepolicy, a Python module used by semanage
>
> As you can see, there's much more than audit2allow and sepolgen in this
> package, even though those additional things are not installed today.

On the other hand, the way it is now is a bit stupid too...

If we ever add these other options, we could still revert this patch. But
nobody felt the need to add them in the 5 years that selinux exists in
Buildroot...

Maybe we could make sepolgen default y, and perhaps even hide it (but keep
the option). Then there would be no need to revert it in the future (just
add a prompt again and keep the default y).

But anyway, I don't care that much :-) I mainly wanted to remove the
redundant depends in the suboptions.

Regards,
Arnout

> Therefore, I think it makes sense to keep separate options for the
> different components, especially because it maps with the top-level
> directories of selinux-python:
>
> $ ls
> audit2allow chcat COPYING Makefile semanage sepolgen sepolicy VERSION
>
> Best regards,
>
> Thomas
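The alternative Arnout floats above, a prompt-less sepolgen symbol that defaults to y, written out as a Kconfig fragment. This is an added illustration, not part of the patch or the thread; it mirrors the symbol names visible in package/selinux-python/Config.in and assumes the same `if BR2_PACKAGE_SELINUX_PYTHON` wrapper.

```kconfig
# Added illustration (not from the patch or the thread): keep
# BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN as a hidden, default-y symbol
# instead of deleting it.
if BR2_PACKAGE_SELINUX_PYTHON

config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW
	bool "audit2allow"
	depends on !BR2_arc # checkpolicy
	select BR2_PACKAGE_CHECKPOLICY
	select BR2_PACKAGE_SEMODULE_UTILS
	# Redundant once sepolgen defaults to y, but harmless to keep.
	select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
	help
	  Installs audit2allow and audit2why (see the existing entry).

# No prompt string, so the symbol never shows up in menuconfig.
# "default y" enables it whenever the parent package is enabled, so the
# existing "ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y)" block in
# selinux-python.mk and the select in Config.in.legacy stay untouched.
# Adding a prompt back later makes it a user choice again with no new
# legacy entry needed.
config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN
	bool
	default y
	select BR2_PACKAGE_SEMODULE_UTILS
	help
	  Python module used to generate an initial SELinux policy
	  module template. Always installed with selinux-python.

endif
```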
On Thu, 10 Oct 2019 09:56:52 +0200
Arnout Vandecappelle <arnout@mind.be> wrote:

> > As you can see, there's much more than audit2allow and sepolgen in this
> > package, even though those additional things are not installed today.
>
> On the other hand, the way it is now is a bit stupid too...
>
> If we ever add these other options, we could still revert this patch. But
> nobody felt the need to add them in the 5 years that selinux exists in Buildroot...

I discovered how this selinux-python package was organized 2 weeks ago,
while packaging it for OpenWRT. And just like what I did with this 30
patches patch series, which comes from the work I did packaging SELinux
for OpenWRT, it was also on my TODO-list to improve selinux-python in
Buildroot. But as you can imagine, this TODO-list is also filled up with
plenty of other things, so I don't know when I'll get to it.

Thomas
diff --git a/Config.in.legacy b/Config.in.legacy index 4a670f0f0e..feb0a7d819 100644 --- a/Config.in.legacy +++ b/Config.in.legacy @@ -1693,7 +1693,6 @@ config BR2_PACKAGE_SEPOLGEN bool "sepolgen package has been removed" select BR2_LEGACY select BR2_PACKAGE_SELINUX_PYTHON - select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN help Sepolgen is no longer a individual package, but instead has been moved into the selinux-python package by the SELinux diff --git a/package/selinux-python/Config.in b/package/selinux-python/Config.in index 144dc131e1..0ab4ec848d 100644 --- a/package/selinux-python/Config.in +++ b/package/selinux-python/Config.in @@ -7,8 +7,10 @@ config BR2_PACKAGE_SELINUX_PYTHON select BR2_PACKAGE_PYTHON3 if !BR2_PACKAGE_PYTHON help A set of SELinux tools written in python that help with - managing a system with SELinux enabled. If no packages are - selected nothing will actually be built. + managing a system with SELinux enabled. + + The sepolgen program is always installed. It allows to + generate an initial SELinux policy module template. https://github.com/SELinuxProject/selinux/wiki @@ -18,7 +20,6 @@ config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW bool "audit2allow" depends on !BR2_arc # checkpolicy select BR2_PACKAGE_CHECKPOLICY - select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN select BR2_PACKAGE_SEMODULE_UTILS help This module installs two programs: @@ -29,13 +30,6 @@ config BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW audit2why - translates SELinux audit messages into a description of why the access was denied (audit2allow -w) -config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN - bool "sepolgen" - select BR2_PACKAGE_SEMODULE_UTILS - help - This package contains a Python module that allows you to - generate an initial SELinux policy module template. - endif comment "selinux-python packages needs a toolchain w/ wchar, threads, dynamic library" diff --git a/package/selinux-python/selinux-python.mk b/package/selinux-python/selinux-python.mk index 978bee7c88..ebd91d5ab3 100644 
--- a/package/selinux-python/selinux-python.mk +++ b/package/selinux-python/selinux-python.mk @@ -24,15 +24,13 @@ SELINUX_PYTHON_MAKE_OPTS += \ PYTHONLIBDIR="usr/lib/python$(PYTHON_VERSION_MAJOR)" endif +SELINUX_PYTHON_MAKE_DIRS = sepolgen/src/sepolgen + ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_AUDIT2ALLOW),y) SELINUX_PYTHON_DEPENDENCIES += checkpolicy SELINUX_PYTHON_MAKE_DIRS += audit2allow endif -ifeq ($(BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN),y) -SELINUX_PYTHON_MAKE_DIRS += sepolgen/src/sepolgen -endif - define SELINUX_PYTHON_BUILD_CMDS $(foreach d,$(SELINUX_PYTHON_MAKE_DIRS), $(MAKE) -C $(@D)/$(d) $(SELINUX_PYTHON_MAKE_OPTS) \
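Review bot: in the Config.in.legacy hunk, dropping `select BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN` from the BR2_PACKAGE_SEPOLGEN entry is right, but the symbol being removed from package/selinux-python/Config.in gets no legacy entry of its own anywhere in the patch. Buildroot's convention is that a symbol that shipped in a release gets its own Config.in.legacy entry when it is removed, so that a .config still carrying BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN=y triggers the legacy warning; the existing legacy entry selecting that symbol suggests it did ship, so add something like `config BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN` / `bool "selinux-python sepolgen option has been removed"` / `select BR2_LEGACY` with a help line saying sepolgen is now always installed.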
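Review bot: in the first package/selinux-python/Config.in hunk, the added help text `The sepolgen program is always installed. It allows to` / `generate an initial SELinux policy module template.` reads awkwardly ("allows to generate") and calls sepolgen a program, while the removed sepolgen entry's help and the .mk (which builds sepolgen/src/sepolgen) describe it as a Python module. Suggest: `The sepolgen Python module, used to generate an initial SELinux policy module template, is always installed.`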
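Review bot: in the third package/selinux-python/Config.in hunk, the deleted sepolgen block carried `select BR2_PACKAGE_SEMODULE_UTILS`, and nothing in the patch moves that select to the top-level BR2_PACKAGE_SELINUX_PYTHON entry, so a configuration with only BR2_PACKAGE_SELINUX_PYTHON=y now installs sepolgen without the semodule-utils dependency the old option expressed (audit2allow still selects it, but sepolgen is now built unconditionally). Either add `select BR2_PACKAGE_SEMODULE_UTILS` to BR2_PACKAGE_SELINUX_PYTHON or say in the commit message why sepolgen on its own does not need it.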
The selinux-python package has two suboptions, audit2allow and sepolgen.
If neither of them is selected, nothing gets installed, which is not so
nice. Since audit2allow selects sepolgen, sepolgen will always be
installed if anything is installed. Therefore, it makes no sense to have
a separate option for sepolgen.

Remove the BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN and always install
sepolgen. With this, it's more logical to move the unconditional addition
of sepolgen to SELINUX_PYTHON_MAKE_DIRS before audit2allow.

Remove selecting BR2_PACKAGE_SELINUX_PYTHON_SEPOLGEN from the legacy
handling of BR2_PACKAGE_SEPOLGEN. It already selects
BR2_PACKAGE_SELINUX_PYTHON, so sepolgen is implied.

Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 Config.in.legacy                         |  1 -
 package/selinux-python/Config.in         | 14 ++++----------
 package/selinux-python/selinux-python.mk |  6 ++----
 3 files changed, 6 insertions(+), 15 deletions(-)