Message ID | 20251017042419.3307354-1-quic_sasikuma@quicinc.com |
---|---|
State | New |
Series | [meta-selinux] refpolicy_common: Skip HLL module processing for monolithic policy builds |
On 10/17/25 12:24, Sasi Kumar Maddineni (QUIC) via lists.yoctoproject.org wrote: > Avoid processing and copying high-level language (.pp) modules during do_install > when MONOLITHIC=y is set. This prevents build failures due to missing files in > /usr/share/selinux/targeted, which are not generated in monolithic mode. > > Fixes error: > cp: cannot stat '/usr/share/selinux/targeted/*.*': No such file or directory > > Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com> > --- > .../refpolicy/refpolicy_common.inc | 33 ++++++++++--------- > 1 file changed, 17 insertions(+), 16 deletions(-) > > diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc > index fd41f8a..27aac44 100644 > --- a/recipes-security/refpolicy/refpolicy_common.inc > +++ b/recipes-security/refpolicy/refpolicy_common.inc 
> @@ -173,22 +173,23 @@ prepare_policy_store() { > # Get hll type from suffix on base policy module > HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') > HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} > - > - for i in ${POL_SRC}/*.${HLL_TYPE}; do > - MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//") > - MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME} > - mkdir -p ${MOD_DIR} > - echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext > - if ! bzip2 -t $i >/dev/null 2>&1; then > - ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil > - bzip2 -f $i && mv -f $i.bz2 $i > - else > - bunzip2 --stdout $i | \ > - ${HLL_BIN} | \ > - bzip2 --stdout > ${MOD_DIR}/cil > - fi > - cp $i ${MOD_DIR}/hll > - done > + if [ "${POLICY_MONOLITHIC}" != "y" ]; then Please add this change to refpolicy-minimum_git.bb as well, since the prepare_policy_store() function in that recipe is overwritten. //Yi > + for i in ${POL_SRC}/*.${HLL_TYPE}; do > + MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//") > + MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME} > + mkdir -p ${MOD_DIR} > + echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext > + if ! bzip2 -t $i >/dev/null 2>&1; then > + ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil > + bzip2 -f $i && mv -f $i.bz2 $i > + else > + bunzip2 --stdout $i | \ > + ${HLL_BIN} | \ > + bzip2 --stdout > ${MOD_DIR}/cil > + fi > + cp $i ${MOD_DIR}/hll > + done > + fi > } > > rebuild_policy() {
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index fd41f8a..27aac44 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -173,22 +173,23 @@ prepare_policy_store() { # Get hll type from suffix on base policy module HLL_TYPE=$(echo ${POL_SRC}/base.* | awk -F . '{if (NF>1) {print $NF}}') HLL_BIN=${STAGING_DIR_NATIVE}${prefix}/libexec/selinux/hll/${HLL_TYPE} - - for i in ${POL_SRC}/*.${HLL_TYPE}; do - MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//") - MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME} - mkdir -p ${MOD_DIR} - echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext - if ! bzip2 -t $i >/dev/null 2>&1; then - ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil - bzip2 -f $i && mv -f $i.bz2 $i - else - bunzip2 --stdout $i | \ - ${HLL_BIN} | \ - bzip2 --stdout > ${MOD_DIR}/cil - fi - cp $i ${MOD_DIR}/hll - done + if [ "${POLICY_MONOLITHIC}" != "y" ]; then + for i in ${POL_SRC}/*.${HLL_TYPE}; do + MOD_NAME=$(basename $i | sed "s/\.${HLL_TYPE}$//") + MOD_DIR=${POL_ACTIVE_MODS}/${MOD_NAME} + mkdir -p ${MOD_DIR} + echo -n "${HLL_TYPE}" > ${MOD_DIR}/lang_ext + if ! bzip2 -t $i >/dev/null 2>&1; then + ${HLL_BIN} $i | bzip2 --stdout > ${MOD_DIR}/cil + bzip2 -f $i && mv -f $i.bz2 $i + else + bunzip2 --stdout $i | \ + ${HLL_BIN} | \ + bzip2 --stdout > ${MOD_DIR}/cil + fi + cp $i ${MOD_DIR}/hll + done + fi } rebuild_policy() {
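Review bot: The two assignments at the top of this hunk, `HLL_TYPE=$(echo ${POL_SRC}/base.* | awk ...)` and `HLL_BIN=...`, stay outside the new `if [ "${POLICY_MONOLITHIC}" != "y" ]` guard, so a monolithic build still evaluates the `base.*` glob and derives an HLL_BIN path it never uses. If no `base.*` file exists in that mode, the unmatched glob is echoed literally and HLL_TYPE ends up as `*`. Consider moving both assignments inside the guard, or returning early at the top of prepare_policy_store() on the same POLICY_MONOLITHIC test, which would also avoid re-indenting the whole loop (17 insertions and 16 deletions for a single added condition). Separately, the commit message refers to MONOLITHIC=y and do_install, while the code tests POLICY_MONOLITHIC inside prepare_policy_store(); aligning the wording would make the fix easier to trace.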
Avoid processing and copying high-level language (.pp) modules during do_install
when MONOLITHIC=y is set. This prevents build failures due to missing files in
/usr/share/selinux/targeted, which are not generated in monolithic mode.

Fixes error:
cp: cannot stat '/usr/share/selinux/targeted/*.*': No such file or directory

Signed-off-by: Sasi Kumar Maddineni <quic_sasikuma@quicinc.com>
---
 .../refpolicy/refpolicy_common.inc | 33 ++++++++++---------
 1 file changed, 17 insertions(+), 16 deletions(-)