From d78ffd653d051948218e8b8ba21a551ad15c2b45 Mon Sep 17 00:00:00 2001 From: Andrea Bolognani Date: Fri, 17 Apr 2020 11:03:14 +0200 Subject: [PATCH] makefile: Make SELinux support configurable SELinux support requires libselinux to be available, but that's not the only factor: for example, Fedora 31 has libselinux but not a version of selinux-policy that knows about Kata containers, so enabling SELinux support by default in that case causes usability issues. Another issue with the current implementation is that, when libselinux is absent, SELinux support will be quietly disabled, which might not be what the user (or packager) intended. To solve both problems, introduce the new FEATURE_SELINUX user variable. This variable takes one of three values: * check (default): keep the current behavior; * yes: enable SELinux support, erroring out if libselinux is not present on the system; * no: disable SELinux support. In the future we might want to formalize support for optional build-time features, but for now this will do. Fixes: #2623 Signed-off-by: Andrea Bolognani --- Makefile | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 377ed94dc5..14a0ea4799 100644 --- a/Makefile +++ b/Makefile @@ -193,6 +193,9 @@ DEFPCIEROOTPORT := 0 # Default cgroup model DEFSANDBOXCGROUPONLY ?= false +# Features +FEATURE_SELINUX ?= check + SED = sed CLI_DIR = cli @@ -452,6 +455,7 @@ USER_VARS += DEFHOTPLUGVFIOONROOTBUS USER_VARS += DEFPCIEROOTPORT USER_VARS += DEFENTROPYSOURCE USER_VARS += DEFSANDBOXCGROUPONLY +USER_VARS += FEATURE_SELINUX USER_VARS += BUILDFLAGS 
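Review bot: The new `FEATURE_SELINUX ?= check` default in the hunk at -193 sits under a bare `# Features` comment, so the three accepted values are documented only in the commit message. Since this knob decides whether a security control is compiled in, I would state the contract next to the default, for example `# SELinux support: check = enable if libselinux is found, yes = require it (build fails otherwise), no = disable`. Because the assignment uses `?=`, a value exported in the build environment also takes effect, which is worth a few words in the same comment for packagers.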
@@ -464,8 +468,22 @@ QUIET_GENERATE = $(Q:@=@echo ' GENERATE '$@;) QUIET_INST = $(Q:@=@echo ' INSTALL '$@;) QUIET_TEST = $(Q:@=@echo ' TEST '$@;) -SELINUXTAG := $(shell ./hack/selinux_tag.sh) -BUILDTAGS := --tags "$(SELINUXTAG)" +BUILDTAGS := + +ifneq ($(FEATURE_SELINUX),no) + SELINUXTAG := $(shell ./hack/selinux_tag.sh) + + ifneq ($(SELINUXTAG),) + override FEATURE_SELINUX = yes + BUILDTAGS += --tags "$(SELINUXTAG)" + else + ifeq ($(FEATURE_SELINUX),yes) + $(error "ERROR: SELinux support requested, but libselinux is not available") + endif + + override FEATURE_SELINUX = no + endif +endif # go build common flags BUILDFLAGS := -buildmode=pie ${BUILDTAGS} @@ -640,6 +658,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit -e "s|@DEFPCIEROOTPORT@|$(DEFPCIEROOTPORT)|g" \ -e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \ -e "s|@DEFSANDBOXCGROUPONLY@|$(DEFSANDBOXCGROUPONLY)|g" \ + -e "s|@FEATURE_SELINUX@|$(FEATURE_SELINUX)|g" \ $< > $@ generate-config: $(CONFIGS) @@ -757,6 +776,9 @@ endif @printf "\tKnown: $(sort $(HYPERVISORS))\n" @printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n" @printf "\n" + @printf "• Features:\n" + @printf "\tSELinux (FEATURE_SELINUX): $(FEATURE_SELINUX)\n" + @printf "\n" @printf "• Summary:\n" @printf "\n" @printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR))
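Review bot: `FEATURE_SELINUX` is never validated in the hunk at -464: the outer test is only `ifneq ($(FEATURE_SELINUX),no)` and the inner one only `ifeq ($(FEATURE_SELINUX),yes)`, so any other spelling (`Yes`, `true`, `1`, `false`, `off`) is handled as `check`. A packager who meant to require SELinux then gets a build without the tag and no error when libselinux is missing, which is the silent downgrade the commit message sets out to remove; one who meant to disable it gets it enabled wherever libselinux is present. Rejecting unknown values ahead of the conditional closes both cases: `ifeq ($(filter check yes no,$(FEATURE_SELINUX)),)` / `$(error FEATURE_SELINUX must be one of: check, yes, no)` / `endif`. Separately, make prints the quotes inside `$(error "...")` literally, so they can be dropped.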
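Review bot: The `-e "s|@FEATURE_SELINUX@|$(FEATURE_SELINUX)|g"` line added to the `$(GENERATED_FILES)` recipe in the hunk at -640 appears to have no consumer in this commit, because the diffstat lists only `Makefile` and no `.in` template gains the placeholder here. Unless a template outside this patch already contains `@FEATURE_SELINUX@`, the resolved yes/no value is not recorded in any generated file, so an installed build cannot be checked for whether SELinux support was compiled in. Either add the placeholder to a generated file that surfaces build settings, or note in a comment such as `# consumed by <template>` where it is used. The recipe starts above the hunk, so the rest of the substitution list is not visible here.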