Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

init: optionally load the system SELinux policy #400

Open
wants to merge 69 commits into
base: master
Choose a base branch
from
Open

init: optionally load the system SELinux policy #400

Show file tree
Hide file tree
Changes from 11 commits
Commits
Show all changes
69 commits
Select commit Hold shift + click to select a range
69d80f4
init: optionally load the system SELinux policy
WavyEbuilder Oct 15, 2024
0a5f876
mark selinux_transition as static
WavyEbuilder Oct 19, 2024
c465b81
BUILD_MESON: add selinux option documentation
WavyEbuilder Oct 19, 2024
6063686
init: selinux: add --disable-selinux
WavyEbuilder Oct 19, 2024
57b94a2
doc: manpages: mention --disable-selinux flag
WavyEbuilder Oct 19, 2024
6910b6d
init: selinux: fix header guards
WavyEbuilder Oct 19, 2024
67c3d8b
build: docs: add SUPPORT_SELINUX info
WavyEbuilder Oct 23, 2024
55b82d8
init: rename --disable-selinux option to --disable-selinux-policy
WavyEbuilder Oct 23, 2024
15e2f6e
selinux: add explanatory comments for selinux related functions
WavyEbuilder Oct 26, 2024
ca63b57
configure: update help text for selinux options
WavyEbuilder Oct 26, 2024
159ffac
printVersion: add selinux information to output
WavyEbuilder Oct 26, 2024
0e959a7
selinux: update comments
WavyEbuilder Oct 27, 2024
a40f43a
meson.build: clean up selinux related options
WavyEbuilder Oct 27, 2024
7d88201
meson.build: rename libselinux dependency to libselinux_dep
WavyEbuilder Oct 27, 2024
157a78a
meson: refractor mconfig logic for selinux
WavyEbuilder Oct 27, 2024
01640d8
configure: update --enable-selinux help text
WavyEbuilder Oct 31, 2024
a8ecd7d
doc: manpages: update --disable-selinux flag to --disable-selinux-policy
WavyEbuilder Oct 31, 2024
10c8198
dinit.cc: fix line wrapping for comments per CODE-STYLE
WavyEbuilder Oct 31, 2024
e4b5b3e
dinit.cc: selinux_transition: clarify comment regarding the log
WavyEbuilder Oct 31, 2024
02b93a8
selinux_transition: clean up comment per CODE-STYLE
WavyEbuilder Nov 2, 2024
66be73d
selinux_transition: log error and return early for permissive
WavyEbuilder Nov 2, 2024
e06e054
selinux_transition: check that getcon_raw(3) doesn't return nullptr
WavyEbuilder Nov 8, 2024
4bf712a
selinux_transition: clarify kernel context in comment
WavyEbuilder Nov 8, 2024
eadc90c
selinux_transition: be more specific in comment
WavyEbuilder Nov 8, 2024
86a9f0c
selinux_transition: fix line wrapping for comments
WavyEbuilder Nov 8, 2024
8737eef
selinux_transition: correct check for getcon_raw(3) return value
WavyEbuilder Nov 11, 2024
f093426
selinux_transition: don't exit if we are unable to transition
WavyEbuilder Nov 11, 2024
e40b38e
selinux_transition: always error exit if we fail to load the policy
WavyEbuilder Nov 11, 2024
a6af309
selinux_transition: update comments to reflect the current control flow
WavyEbuilder Nov 11, 2024
25eb167
selinux_transition: fix grammar in comment
WavyEbuilder Nov 11, 2024
d90b013
selinux_transition: improve wording for comment
WavyEbuilder Nov 11, 2024
1f2f7cf
selinux_transition: document the mounting of /sys
WavyEbuilder Nov 11, 2024
ab15586
selinux_transition: reformat if statement per CODE-STYLE
WavyEbuilder Nov 11, 2024
90b789b
selinux_transition: clarify policy choice for inital domain in comment
WavyEbuilder Nov 11, 2024
c0cef53
selinux_transition: reword comment about pitfalls of getcon_raw(3)
WavyEbuilder Dec 18, 2024
2a6af9d
selinux_transition: cleanroom rewrite of getcon_raw(3) comment
WavyEbuilder Dec 18, 2024
ef2c41f
selinux_transition: use correct variable naming in comments
WavyEbuilder Dec 18, 2024
8f1ac95
selinux_transition: add attribution to getcon_raw(3) comment
WavyEbuilder Dec 18, 2024
64ec986
selinux: new documentation
WavyEbuilder Dec 18, 2024
266cc8c
selinux: correct flowchart in documentation
WavyEbuilder Dec 18, 2024
cec70a6
selinux_transition: fix formatting by placing opening { on a new line
WavyEbuilder Dec 18, 2024
4774421
selinux: document flag to disable policy loading
WavyEbuilder Dec 18, 2024
38fdef4
selinux: document mounting of /sys
WavyEbuilder Dec 18, 2024
b7ef63a
Merge branch 'master' into master
WavyEbuilder Dec 18, 2024
7d5ac36
meson.build: fix dependencies for libselinux_dep
WavyEbuilder Dec 18, 2024
c502a07
dinit.cc: add missing #endif directive for SUPPORT_SELINUX #ifdef
WavyEbuilder Dec 18, 2024
6f3f5cd
meson.build: remove old cgroup-related changes
WavyEbuilder Dec 18, 2024
4a5d7c1
meson.build: force SUPPORT_SELINUX mconfig variable for support-selinux
WavyEbuilder Dec 18, 2024
350fed8
configure: remove deprecated arguments
WavyEbuilder Dec 18, 2024
376c1cc
configure: fix to align with current upstream/master
WavyEbuilder Dec 18, 2024
5d143f4
feature_count: bump on SUPPORT_SELINUX
WavyEbuilder Dec 18, 2024
cc8bcb7
selinux_transition: add base for mounting /proc
WavyEbuilder Dec 18, 2024
653ecf4
selinux_transition: don't use type inference for errno_str
WavyEbuilder Dec 18, 2024
46ac998
selinux_transition: remove TODO for relabeling /proc
WavyEbuilder Jan 10, 2025
1a79e2f
doc: add SELinux related support to manpages
WavyEbuilder Jan 10, 2025
46331bf
doc: update SELinux flowchart to include mounting of /proc
WavyEbuilder Jan 10, 2025
26c1855
configure: sync to latest in davmac314/dinit
WavyEbuilder Jan 10, 2025
c2cf2f9
dinit: fix formatting in manpages
WavyEbuilder Jan 17, 2025
f360aff
manpages: fix typo
WavyEbuilder Jan 17, 2025
9260c20
docs: SELinux: refer to Dinit the project with a capital D
WavyEbuilder Jan 31, 2025
0f114a6
docs: SELinux: link to SELinux notebook
WavyEbuilder Jan 31, 2025
c5b6aae
docs: SELinux: link to build documentation
WavyEbuilder Jan 31, 2025
6be8175
selinux_transition: update comment wording to note relevant manpage
WavyEbuilder Jan 31, 2025
a3062d7
selinux_transition: mention SELinux in log output
WavyEbuilder Jan 31, 2025
3b674b3
selinux_transition: fix formatting
WavyEbuilder Jan 31, 2025
7e52501
selinux_transition: only bail early if enforcing mode requested
WavyEbuilder Jan 31, 2025
ed2a166
selinux_transition: stop attempting to create /proc if it doesn't exist
WavyEbuilder Feb 1, 2025
7a843a0
selinux_transition: clarify mounting behaviour in comment
WavyEbuilder Feb 1, 2025
622790e
[EXPERIMENTAL] dinit: use the log for selinux error messages
WavyEbuilder Feb 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions BUILD
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -178,6 +178,9 @@ DEFAULT_STOP_TIMEOUT=XXX
this, its process group is sent a SIGKILL signal which should cause it to terminate immediately.
The default if unspecified is 10 seconds. (The value can be overridden for individual services
via the service description).
SUPPORT_SELINUX=1|0
Whether to build support for SELinux awareness in dinit, such as loading the system SELinux policy
at boot.
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved


Running the test suite
Expand Down
4 changes: 4 additions & 0 deletions BUILD_MESON
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,10 @@ Custom options:
build-shutdown : Whether to build the shutdown/reboot/halt utilities.
Available values : enabled, disabled, auto
Default value : auto

support-selinux : Enable SELinux support.
Available values : enabled, disabled, auto
Default value : auto


Running the test suite
Expand Down
1 change: 1 addition & 0 deletions CONTRIBUTORS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,3 +16,4 @@ The following people (in alphabetical order) have contributed:
* Oliver Amann - Code, testing, documentation
* Locria Cyber - Code, documentation
* q66 - Code, testing, documentation.
* Rahul Sandhu - Code
3 changes: 2 additions & 1 deletion build/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
DEFAULT_STOP_TIMEOUT=$(DEFAULT_STOP_TIMEOUT) \
$(if $(SUPPORT_CGROUPS),SUPPORT_CGROUPS=$(SUPPORT_CGROUPS),) \
$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) \
$(if $(SUPPORT_SELINUX),SUPPORT_SELINUX=$(SUPPORT_SELINUX),) > includes/mconfig.h

clean:
rm -f includes/mconfig.h
Expand Down
1 change: 1 addition & 0 deletions build/mconfig.mesontemplate
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
#mesondefine USE_UTMPX
#mesondefine USE_INITGROUPS
#mesondefine SUPPORT_CGROUPS
#mesondefine SUPPORT_SELINUX
#mesondefine DEFAULT_AUTO_RESTART
#mesondefine DEFAULT_START_TIMEOUT
#mesondefine DEFAULT_STOP_TIMEOUT
Expand Down
3 changes: 3 additions & 0 deletions build/tools/mconfig-gen.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,9 @@ int main(int argc, char **argv)
if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
}
if (vars.find("SUPPORT_SELINUX") != vars.end()) {
cout << "#define SUPPORT_SELINUX " << vars["SUPPORT_SELINUX"] << "\n";
}

cout << "\n// Constants\n";
cout << "\nconstexpr static char DINIT_VERSION[] = " << stringify(vars["VERSION"]) << ";\n";
Expand Down
10 changes: 10 additions & 0 deletions configure
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,8 @@ Optional options:
--disable-utmpx Disable manipulating the utmp/utmpx database via the related POSIX functions
--enable-initgroups Enable initialization of supplementary groups for run-as [Enabled]
--disable-initgroups Disable initialization of supplementary groups for run-as
--enable-selinux Enable SELinux support [Only avilable on Linux based systems with SELinux support]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As was mentioned:

Defaults for the options are specified in brackets.

Now it is:

[Only avilable on Linux based systems with SELinux support]

That is not specifying the default, it's just a statement of availability.

Also "avilable" has a typo.

--disable-selinux Disable SELinux support
--enable-auto-restart Enable auto-restart for services by default [Deprecated]
--disable-auto-restart Disable auto-restart for services by default [Deprecated]
--default-start-timeout=sec Default start-timeout for services [60]
Expand Down Expand Up @@ -210,6 +212,7 @@ for var in PREFIX \
SUPPORT_CGROUPS \
USE_UTMPX \
USE_INITGROUPS \
SUPPORT_SELINUX \
SYSCONTROLSOCKET \
STRIPOPTS
do
Expand Down Expand Up @@ -243,6 +246,8 @@ for arg in "$@"; do
--disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
--enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
--disable-initgroups|--enable-initgroups=no) USE_INITGROUPS=0 ;;
--enable-selinux|--enable-selinux=yes) SUPPORT_SELINUX=1 ;;
--disable-selinux|--enable-selinux=no) SUPPORT_SELINUX=0 ;;
--enable-auto-restart|--enable-auto-restart=yes) DEFAULT_AUTO_RESTART=ALWAYS ;; # Deprecated
--disable-auto-restart|--enable-auto-restart=no) DEFAULT_AUTO_RESTART=NEVER ;; # Deprecated
--enable-strip|--enable-strip=yes) STRIPOPTS="-s" ;;
Expand Down Expand Up @@ -275,6 +280,7 @@ done
: "${DEFAULT_START_TIMEOUT:="60"}"
: "${DEFAULT_STOP_TIMEOUT:="10"}"
: "${USE_INITGROUPS:="1"}"
: "${SUPPORT_SELINUX:="0"}"
if [ "$PLATFORM" = "Linux" ]; then
: "${BUILD_SHUTDOWN:="yes"}"
: "${SUPPORT_CGROUPS:="1"}"
Expand Down Expand Up @@ -380,6 +386,9 @@ fi
if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$PLATFORM" = FreeBSD ]; then
try_ld_argument LDFLAGS_BASE -lrt
fi
if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$SUPPORT_SELINUX" = "1" ]; then
try_ld_argument LDFLAGS_BASE -lselinux
fi
if [ "$AUTO_TEST_LDFLAGS_BASE" = true ]; then
TEST_LDFLAGS_BASE="\$(LDFLAGS_BASE)"
established_TEST_LDFLAGS="$LDFLAGS_BASE"
Expand Down Expand Up @@ -467,6 +476,7 @@ STRIPOPTS=$STRIPOPTS
# Feature settings
SUPPORT_CGROUPS=$SUPPORT_CGROUPS
USE_INITGROUPS=$USE_INITGROUPS
SUPPORT_SELINUX=$SUPPORT_SELINUX

# Optional settings
SHUTDOWN_PREFIX=${SHUTDOWN_PREFIX:-}
Expand Down
4 changes: 4 additions & 0 deletions doc/manpages/dinit.8.m4
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,10 @@ If service description settings contain relative cgroup paths, they will be reso
this path.
This option is only available if \fBdinit\fR is built with cgroups support.
.TP
\fB\-\-disable\-selinux\fR
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The option was changed to --disable-selinux-policy, you need to update the documentation to match.

Disable loading of the system SELinux policy.
This option is only available if \fBdinit\fR is built with SELinux support.
.TP
\fB\-\-help\fR
Display brief help text and then exit.
.TP
Expand Down
2 changes: 2 additions & 0 deletions meson.build
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ man_pages = get_option('man-pages')
support_cgroups = get_option('support-cgroups')
use_utmpx = get_option('use-utmpx')
use_initgroups = get_option('use-initgroups')
libselinux = dependency('libselinux', version : '>= 2.1.9', required : get_option('selinux'))
mobin-2008 marked this conversation as resolved.
Show resolved Hide resolved
default_auto_restart = get_option('default-auto-restart')
default_start_timeout = get_option('default-start-timeout').to_string()
default_stop_timeout = get_option('default-stop-timeout').to_string()
Expand Down Expand Up @@ -65,6 +66,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
mconfig_data.set10('USE_INITGROUPS', use_initgroups)
mconfig_data.set10('SUPPORT_SELINUX', libselinux.found())
if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
mconfig_data.set('SUPPORT_CGROUPS', '1')
endif
Expand Down
6 changes: 6 additions & 0 deletions meson_options.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,3 +91,9 @@ option(
value : 'auto',
description : 'Building shutdown/reboot/soft-reboot/halt or not.'
)
option(
'selinux',
type : 'feature',
value : 'auto',
description : 'SELinux support'
)
109 changes: 109 additions & 0 deletions src/dinit.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,12 @@

#include "mconfig.h"

#if SUPPORT_SELINUX
#include <selinux/avc.h>
#include <selinux/label.h>
#include <selinux/selinux.h>
#endif

/*
* When running as the system init process, Dinit processes the following signals:
*
Expand Down Expand Up @@ -210,6 +216,10 @@ struct options {

// list of services to start
std::list<const char *> services_to_start;

#ifdef SUPPORT_SELINUX
bool load_selinux_policy = true;
#endif
};

// Process a command line argument (and possibly its follow-up value)
Expand Down Expand Up @@ -365,6 +375,11 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
}
}
#endif
#ifdef SUPPORT_SELINUX
else if (strcmp(argv[i], "--disable-selinux-policy") == 0) {
opts.load_selinux_policy = false;
}
#endif
else if (strcmp(argv[i], "--service") == 0 || strcmp(argv[i], "-t") == 0) {
if (++i < argc && argv[i][0] != '\0') {
services_to_start.push_back(argv[i]);
Expand Down Expand Up @@ -399,6 +414,9 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
" --cgroup-path <path>, -b <path>\n"
" cgroup base path (for resolving relative paths)\n"
#endif
#ifdef SUPPORT_SELINUX
" --disable-selinux-policy don't load the system SELinux policy\n"
#endif
" --log-file <file>, -l <file> log to the specified file\n"
" --quiet, -q disable output to standard output\n"
" <service-name>, --service <service-name>, -t <service-name>\n"
Expand Down Expand Up @@ -453,6 +471,89 @@ static int process_commandline_arg(char **argv, int argc, int &i, options &opts)
return 0;
}

#if SUPPORT_SELINUX
// Load the system SELinux policy and transition ourselves to it.
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
// First, load the policy with selinux_init_load_policy(3). We don't
// need to worry about the enforcing=0 kernel cmdline option or parsing
// /etc/selinux/config, selinux_init_load_policy(3) will handle all cases
// for us.
//
// This should be done as early as possible. We want to transition the init
// system to the domain specified by the policy as early as possible for security
// reasons. On top of this, we need to ensure we don't have open fd's lying about
// before we transition, as they'll get stuck effectively having the old context
// dinit initally started with before loading the policy.
//
// We take a parameter, const char *exe, which is argv[0], i.e. the path that
// we are invoked with, to calculate our new security context to tranition
// into.
//
// If we fail to load the system SELinux policy, return false, otherwise,
// return true.
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
static bool selinux_transition(const char *exe) {
davmac314 marked this conversation as resolved.
Show resolved Hide resolved
// Let's use std::cerr instead of the log for logging messages here.
// If we output anything, we return failure, which indicates dinit should
// terminate before the log is initalised and flushed.
davmac314 marked this conversation as resolved.
Show resolved Hide resolved
using std::cerr;
using std::endl;

davmac314 marked this conversation as resolved.
Show resolved Hide resolved
char *current_context = nullptr;
char *file_context = nullptr;
security_class_t security_class;
char *new_context = nullptr;

if (is_selinux_enabled() == 1) {
return true;
}

int enforce = 0;
if (selinux_init_load_policy(&enforce) != 0) {
if (enforce > 0) {
cerr << "Failed to load SELinux policy." << endl;
return false;
}
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
}

bool ret = true;
if (getcon_raw(&current_context) < 0) {
ret = false;
cerr << "Failed to get current context: " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (getfilecon_raw(exe, &file_context) < 0) {
ret = false;
cerr << "Failed to get file context for " << exe << ": " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

security_class = string_to_security_class("process");
if (security_class == 0) {
ret = false;
cerr << "Failed to get security class for process" << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (security_compute_create_raw(current_context, file_context, security_class, &new_context) < 0) {
ret = false;
cerr << "Failed to compute create context: " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

if (setcon_raw(new_context) < 0) {
ret = false;
cerr << "Failed to set transition context to " << new_context << ": " << strerror(errno) << endl;
WavyEbuilder marked this conversation as resolved.
Show resolved Hide resolved
goto cleanup;
}

cleanup:
if (current_context) freecon(current_context);
if (file_context) freecon(file_context);
if (new_context) freecon(new_context);
return ret;
}
#endif

// Main entry point
int dinit_main(int argc, char **argv)
{
Expand Down Expand Up @@ -486,6 +587,11 @@ int dinit_main(int argc, char **argv)
}
}

#if SUPPORT_SELINUX
// error exit if we are PID 1 and fail to load the selinux policy and transition
if (am_system_mgr && am_system_init && opts.load_selinux_policy && !selinux_transition(argv[0])) return 1;
davmac314 marked this conversation as resolved.
Show resolved Hide resolved
#endif

if (am_system_mgr) {
// setup STDIN, STDOUT, STDERR so that we can use them
int onefd = open("/dev/console", O_RDONLY, 0);
Expand Down Expand Up @@ -1207,6 +1313,9 @@ static void printVersion()
#endif
#if USE_INITGROUPS
" supplemental-groups"
#endif
#if SUPPORT_SELINUX
" selinux"
#endif
"\n";
}
Expand Down
9 changes: 8 additions & 1 deletion src/meson.build
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@ dinit_source_files = [
'dinit-env.cc',
'settings.cc'
]
dinit_dependencies = []

if libselinux.found()
dinit_dependencies += libselinux
endif


## src/'s Defines
shutdown_built = false
Expand All @@ -40,7 +46,8 @@ endif
executable(
'dinit',
dinit_source_files,
kwargs: misc_args
kwargs: misc_args,
dependencies: dinit_dependencies
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a simple [libselinux] instead of a variable, because we don't many dependencies right now.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no harm having a variable if it makes things clearer - putting [libselinux] here makes it seem like the library is always a dependency. Does this actually work correctly if libselinux isn't found? (I guess it does because the CI build passed). Anyway I guess it can stay as is it now is.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually. Build output shows:

Run-time dependency libselinux found: NO (tried pkgconfig and cmake)

... why is libselinux considered a "run-time dependency"? Is it because of this? Then I think it needs to be changed back.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

libselinux is a "run-time dependency" in the sense that it is being searched for in order to use it when compiling installable executables.

It would be a

Build-time dependency libselinux found: NO

if it was searched for using dependency('libselinux', native: true) and its purpose was during a cross-compile to compile native executables that required libselinux and could be used as e.g. code generator programs.

Copy link

@eli-schwartz eli-schwartz Oct 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no harm having a variable if it makes things clearer - putting [libselinux] here makes it seem like the library is always a dependency. Does this actually work correctly if libselinux isn't found? (I guess it does because the CI build passed). Anyway I guess it can stay as is it now is.

Dependencies can be looked up only optionally, in this case:

libselinux_dep = dependency('libselinux', version : '>= 2.1.9', required : support_selinux)

it will only be looked up when the "support-selinux={enabled|disabled|auto}" build option permits it. (In the enabled case, the configuration will fatally error out when libselinux is not found -- it is required, so you cannot proceed without it. The default is "auto" and the CI build doesn't have a selinux system so it configures without selinux. In the "disabled" case, even if libselinux is installed and available, meson ignores it because you disabled support and will return "Dependency libselinux skipped: feature support-selinux disabled".) The return value can be checked to see if it was indeed found -- and either way, you can use it anywhere a dependency is a valid parameter type.

  • If libselinux was found, it expands to the correct compile/link arguments for libselinux.
  • If libselinux was NOT found, it expands to nothing, and is a no-op.

So it is always safe to pass it even if it isn't used, greatly reducing the amount of control flow necessary for converting build configuration intents into compilation commands.

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@eli-schwartz

libselinux is a "run-time dependency" in the sense that it is being searched for in order to use it when compiling installable executables.

I think maybe I understand what you are saying, but it seems very much at odds with what I would normally think of as a run-time vs build-time dependency. To me a dependency that is used when compiling the final executable(s), or at any stage in the lead-up to that, is a build-time dependency; i.e. a build-time dependency is something that is required when the application is built, and a run-time dependency is required when the application is run.

Anyway, I guess that means this is fine as is, and that the "run-time" message is correct as far as meson is concerned - thanks for clarifying.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a bit of weird wording -- I certainly didn't choose it lol. :)

I went and looked up where it was introduced in the git history -- @Ericson2314 introduced it in mesonbuild/meson@07777e1 as part of a refactor that shouldn't actually have affected this at all and I do not know why! Before that commit, it would list "Dependency libselinux found: NO" except in a cross build, when it would say "Cross dependency libselinux found: NO".

)
executable(
'dinitctl',
Expand Down