Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

selinux: 2.7 -> 2.8 #56965

Closed
wants to merge 6 commits into from
Closed

selinux: 2.7 -> 2.8 #56965

wants to merge 6 commits into from

Conversation

outergod
Copy link
Contributor

@outergod outergod commented Mar 6, 2019
edited

Motivation for this change

Update checkpolicy, policycoreutils, semodule-utils, libsemanage, libselinux and libsepol to 2.8, required to fix NixOS/nix#2374.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@outergod outergod mentioned this pull request Mar 6, 2019
Closed
@veprbl
Copy link
Member

veprbl commented Mar 6, 2019

Because this is a mass-rebuild this needs to be rebased to staging. Also I think you can close those extra PR's.

@outergod outergod changed the base branch from master to staging March 7, 2019 10:07
@outergod
Copy link
Contributor Author

outergod commented Mar 7, 2019

@veprbl there are six related PRs, #56960 through #56965, would you like me to stuff all of them into one?

@veprbl
Copy link
Member

veprbl commented Mar 7, 2019

If these updates are interdependent and need to be merged together, it would make a lot of sense to review and merge them in a single PR.

@infinisil
Copy link
Member

@e-user I agree with @veprbl, it makes sense for all of them to be in a single PR

This was referenced Mar 10, 2019
Closed
Closed
Closed
Closed
Closed
@outergod outergod changed the title policycoreutils: 2.7 -> 2.8 selinux: 2.7 -> 2.8 Mar 10, 2019
@infinisil
Copy link
Member

Ping @Phreedom

I'm not familiar with SELinux, is there something important we should test before we can merge this?

@veprbl
Copy link
Member

veprbl commented Apr 16, 2019

@GrahamcOfBorg eval
@GrahamcOfBorg build checkpolicy libsemanage libselinux libsepol policycoreutils semodule-utils

@aanderse
Copy link
Member

@veprbl Good to go?

@veprbl
Copy link
Member

veprbl commented Jul 13, 2019

@aanderse I don't know. It used to compile back in April. Since NixOS doesn't have a support for SELinux yet this shouldn't break anything at runtime, in theory.

@GrahamcOfBorg build checkpolicy libsemanage libselinux libsepol policycoreutils semodule-utils

@aanderse
Copy link
Member

aanderse commented Jul 14, 2019
edited

@veprbl In that case I think a merge is in order. Please do so if you agree.

veprbl
veprbl reviewed Jul 14, 2019
View reviewed changes
pkgs/os-specific/linux/libsemanage/default.nix
};

nativeBuildInputs = [ bison flex pkgconfig ];
buildInputs = [ libsepol libselinux bzip2 audit ]
++ optionals enablePython [ swig python ];

preBuild = ''
makeFlagsArray+=("PREFIX=$out")
makeFlagsArray+=("PREFIX=/")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do this? Can this backfire on systems without sandboxing?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The build files where changed in 2.8 so that makeFlagsArray+=("DESTDIR=$out") below is (correctly) prepended to PREFIX, thus with PREFIX=$out you get the same path, twice.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then we should actually set PREFIX=$out and DESTDIR=/. This is because PREFIX is the hardcoded path, DESTDIR is just an offset:
https://github.com/SELinuxProject/selinux/blob/ee8f7a870c625de139aa271eae0c40578488c2f6/libsemanage/src/Makefile#L95

Copy link
Member

@veprbl veprbl Jul 25, 2019
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might as well migrate to use an attribute:

{
  makeFlagsArray = [
    "PREFIX=${placeholder "out"}"
    "PYTHONLIBDIR=lib/${python.libPrefix}/site-packages"
  ];
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc #65718

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, I already did that in libselinux: af9f765#diff-025612052707a295d6f7424b3dba06bc It should be done here as well.

@veprbl veprbl mentioned this pull request Aug 17, 2019
Merged
10 tasks
@lblasc
Copy link
Contributor

lblasc commented Aug 31, 2019

This can be closed, #66748 got merged into staging.

@aanderse aanderse closed this Aug 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@veprbl veprbl veprbl left review comments

@jtojnar jtojnar jtojnar left review comments

@Phreedom Phreedom Awaiting requested review from Phreedom

Assignees
No one assigned
Labels
8.has: package (update) 10.rebuild-darwin: 1-10 10.rebuild-linux: 501+ 10.rebuild-linux: 5001+ 11.by: package-maintainer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@outergod @veprbl @infinisil @aanderse @lblasc @jtojnar @GrahamcOfBorg