import re
import shlex
import shutil
+import string
import subprocess
import tempfile
import textwrap
binpolicydir = root / "etc/selinux" / policy / "policy"
- try:
- # The policy file is named policy.XX where XX is the policy version that indicates what features are
- # available. It's not expected for there to be more than one file in this directory.
- binpolicy = next(binpolicydir.glob("*"))
- except StopIteration:
+ # The policy file is named policy.XX where XX is the policy version that indicates what features are
+ # available. We check for string.digits instead of using isdecimal() as the latter checks for more than just
+ # digits.
+ policies = [p for p in binpolicydir.glob("*") if p.suffix and all(c in string.digits for c in p.suffix[1:])]
+ if not policies:
if fatal and config.selinux_relabel == ConfigFeature.enabled:
die(f"SELinux relabel is requested but SELinux binary policy not found in {binpolicydir}")
return None
+ binpolicy = sorted(policies, key=lambda p: GenericVersion(p.name), reverse=True)[0]
+
return policy, fc, binpolicy
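Review bot: The filter on the `policies` line still accepts a file named `policy.` (an empty `p.suffix[1:]` makes `all(...)` vacuously True) and any stem at all, since `glob("*")` is not narrowed to `policy.*`, so a stray `foo.1` or a subdirectory in the policy dir would be selected and handed to GenericVersion. Tighten the comprehension to `policies = [p for p in binpolicydir.glob("policy.*") if p.is_file() and p.suffix[1:] and all(c in string.digits for c in p.suffix[1:])]`. Once the suffix is guaranteed to be non-empty ASCII digits, the selection can be `binpolicy = max(policies, key=lambda p: int(p.suffix[1:]))`, which drops the sort-and-index and no longer depends on how GenericVersion parses the full filename. The enclosing function starts outside the hunk.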