From: Daan De Meyer
Date: Fri, 12 Jan 2024 09:15:53 +0000 (+0100)
Subject: Improve SELinux binary policy selection
X-Git-Tag: v20.1~4^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3cc5079198f116f87e072aeebefd7978b711e30;p=thirdparty%2Fmkosi.git
Improve SELinux binary policy selection
Let's deal with the possibility that there might be more than one policy in the binary policy directory. Let's also make sure that we consider other files in the directory that might not be policies.
---
diff --git a/mkosi/config.py b/mkosi/config.py
index b06bc0aa8..81d290eec 100644
--- a/mkosi/config.py
+++ b/mkosi/config.py
@@ -19,6 +19,7 @@ import platform
 import re
 import shlex
 import shutil
+import string
 import subprocess
 import tempfile
 import textwrap
@@ -3605,13 +3606,15 @@ def want_selinux_relabel(config: Config, root: Path, fatal: bool = True) -> Opti
 binpolicydir = root / "etc/selinux" / policy / "policy"
- try:
- # The policy file is named policy.XX where XX is the policy version that indicates what features are
- # available. It's not expected for there to be more than one file in this directory.
- binpolicy = next(binpolicydir.glob("*"))
- except StopIteration:
+ # The policy file is named policy.XX where XX is the policy version that indicates what features are
+ # available. We check for string.digits instead of using isdecimal() as the latter checks for more than just
+ # digits.
+ policies = [p for p in binpolicydir.glob("*") if p.suffix and all(c in string.digits for c in p.suffix[1:])]
+ if not policies:
 if fatal and config.selinux_relabel == ConfigFeature.enabled:
 die(f"SELinux relabel is requested but SELinux binary policy not found in {binpolicydir}")
 return None
+ binpolicy = sorted(policies, key=lambda p: GenericVersion(p.name), reverse=True)[0]
+
 return policy, fc, binpolicy
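Review bot: The new `policies` filter in want_selinux_relabel only checks that the suffix is all digits, so any entry in binpolicydir with a numeric extension (for example a leftover `policy.bak.33` or `notes.99`) is accepted even though the comment says the file is named policy.XX. Because the winner is then chosen by `GenericVersion(p.name)` over the whole file name, such an entry may be returned as the binary policy ahead of the real one; how GenericVersion orders names with different stems is not visible in this hunk. I would pin the stem as well by adding `p.stem == "policy" and` in front of `p.suffix and all(...)` in the comprehension. With that in place, `max(policies, key=lambda p: GenericVersion(p.name))` would say the same thing as `sorted(..., reverse=True)[0]` more directly. The function starts above the hunk, so how the returned path is consumed is not shown here.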