makefile: Make SELinux support configurable

SELinux support requires libselinux to be available, but that's not the only factor: for example, Fedora 31 has libselinux but not a version of selinux-policy that knows about Kata containers, so enabling SELinux support by default in that case causes usability issues. Another issue with the current implementation is that, when libselinux is absent, SELinux support will be quietly disabled, which might not be what the user (or packager) intended. To solve both problems, introduce the new FEATURE_SELINUX user variable. This variable takes one of three values: * check (default): keep the current behavior; * yes: enable SELinux support, erroring out if libselinux is not present on the system; * no: disable SELinux support. In the future we might want to formalize support for optional build-time features, but for now this will do. Fixes: #2623 Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2025-04-30 12:44:39 +00:00 · 2020-04-17 11:03:14 +02:00 · 2020-04-17 11:03:14 +02:00 · d78ffd653d
commit d78ffd653d
parent 018348064e
1 changed files with 24 additions and 2 deletions
--- a/26
+++ b/26
@ -193,6 +193,9 @@ DEFPCIEROOTPORT := 0
 # Default cgroup model
 DEFSANDBOXCGROUPONLY ?= false

+# Features
+FEATURE_SELINUX ?= check
+
 SED = sed

 CLI_DIR = cli
@ -452,6 +455,7 @@ USER_VARS += DEFHOTPLUGVFIOONROOTBUS
 USER_VARS += DEFPCIEROOTPORT
 USER_VARS += DEFENTROPYSOURCE
 USER_VARS += DEFSANDBOXCGROUPONLY
+USER_VARS += FEATURE_SELINUX
 USER_VARS += BUILDFLAGS


@ -464,8 +468,22 @@ QUIET_GENERATE = $(Q:@=@echo    '     GENERATE '$@;)
 QUIET_INST     = $(Q:@=@echo    '     INSTALL  '$@;)
 QUIET_TEST     = $(Q:@=@echo    '     TEST     '$@;)

-SELINUXTAG := $(shell ./hack/selinux_tag.sh)
-BUILDTAGS := --tags "$(SELINUXTAG)"
+BUILDTAGS :=
+
+ifneq ($(FEATURE_SELINUX),no)
+    SELINUXTAG := $(shell ./hack/selinux_tag.sh)
+
+    ifneq ($(SELINUXTAG),)
+        override FEATURE_SELINUX = yes
+        BUILDTAGS += --tags "$(SELINUXTAG)"
+    else
+        ifeq ($(FEATURE_SELINUX),yes)
+            $(error "ERROR: SELinux support requested, but libselinux is not available")
+        endif
+
+        override FEATURE_SELINUX = no
+    endif
+endif

 # go build common flags
 BUILDFLAGS := -buildmode=pie ${BUILDTAGS}
@ -640,6 +658,7 @@ $(GENERATED_FILES): %: %.in $(MAKEFILE_LIST) VERSION .git-commit
 		-e "s|@DEFPCIEROOTPORT@|$(DEFPCIEROOTPORT)|g" \
 		-e "s|@DEFENTROPYSOURCE@|$(DEFENTROPYSOURCE)|g" \
 		-e "s|@DEFSANDBOXCGROUPONLY@|$(DEFSANDBOXCGROUPONLY)|g" \
+		-e "s|@FEATURE_SELINUX@|$(FEATURE_SELINUX)|g" \
 		$< > $@

 generate-config: $(CONFIGS)
@ -757,6 +776,9 @@ endif
 	@printf "\tKnown: $(sort $(HYPERVISORS))\n"
 	@printf "\tAvailable for this architecture: $(sort $(KNOWN_HYPERVISORS))\n"
 	@printf "\n"
+	@printf "• Features:\n"
+	@printf "\tSELinux (FEATURE_SELINUX): $(FEATURE_SELINUX)\n"
+	@printf "\n"
 	@printf "• Summary:\n"
 	@printf "\n"
 	@printf "\tdestination install path (DESTDIR) : %s\n" $(abspath $(DESTDIR))