| From | Kenton Groombridge <concord@gentoo.org> |
|---|---|
| Newsgroups | linux.gentoo.dev |
| Subject | Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item |
| Date | 2026-04-08 16:10 +0200 |
| Message-ID | <MHBLr-dCgD-1@gated-at.bofh.it> (permalink) |
| References | <MHmt3-drTN-3@gated-at.bofh.it> <MHolb-dtb6-1@gated-at.bofh.it> <MHx57-dzbl-1@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
On 26/04/08 09:08AM, Rahul Sandhu wrote:
> It's necessary for any policy packages that have _not_ been migrated to EAPI 8.
> Granted, the scope of this problem should be... very limited. This series is
> moving over all the ::gentoo policy packages to EAPI 8, and even ::guru does
> not seem to have any consumers of selinux-policy-2.eclass. So this is _mostly_
> a catch-all for any weird overlays or whatever that have some custom policy
> package.
>
> As for why it's needed, say that a user sets SELINUX_POLICY_TYPES as follows:
>
> SELINUX_POLICY_TYPES="mcs mls"
>
> And let's for the sake of argument say they _don't_ have POLICY_TYPES set and
> in sync with the current value of SELINUX_POLICY_TYPES. This means that, due to
> the profile and EAPI 7 eclass logic, POLICY_TYPES will default to building all
> policy types, so its value can be treated as follows:
>
> POLICY_TYPES="targeted strict mcs mls"
>
> Now, let's say the user attempts to build an EAPI 7 policy package, let's say
> sec-policy/selinux-foo::supercooloverlay. Its dependencies, which will be at a
> _minimum_ sec-policy/selinux-base{,-policy} will not have support for targeted
> and strict as SELINUX_POLICY_TYPES was set to only support mcs and mls above.
>
> As such, sec-policy/selinux-foo will now fail to build.
>
> I do agree the wording is a bit... iffy on this one. Suggestions for rewording
> very much welcome. :)
Thanks for clearing that up. :)
What if we wrote this part to be something like this (factoring in what
sam suggested):
"""
POLICY_TYPES, which used to be an environment variable, is now a USE
expand named SELINUX_POLICY_TYPES. The use of a USE expand variable
fixes some longstanding bugs and allows users to switch policy types
more easily.
While the POLICY_TYPES variable is considered deprecated going forward,
it is necessary to keep it set (and in sync with SELINUX_POLICY_TYPES)
until you are certain that all installed policy packages on your system
have been updated.
Please read on for further instructions.
"""
Continuing below.
>
> >
> >> +
> >> +User Action Required
> >> +====================
> >> +
> >> +Some user intervention may be needed due to changes in selinux-policy-2 eclass
> >> +variable names.
> >> +
> >> +If POLICY_TYPES is set, the SELINUX_POLICY_TYPES USE expand should be set to
> >> +match POLICY_TYPES' contents.
> >> +
> >> +Future Changes
> >> +==============
> >> +
> >> +EAPI 7 policy packages will continue to work in the short term whilst the final
> >> +touches for the migration take place. However, overlays should look to migrate
> >> +to EAPI 8 as soon as possible.
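Review bot: the "User Action Required" section tells users to make SELINUX_POLICY_TYPES match POLICY_TYPES but says neither where to set it nor that POLICY_TYPES must stay set (and in sync) until every installed policy package is on EAPI 8; as the reply earlier in this thread shows, a mismatch between the two values breaks the build of any remaining EAPI 7 policy package against a base policy that no longer provides the requested types. Suggest adding one concrete setting, such as `SELINUX_POLICY_TYPES="mcs"` in make.conf or a package.use entry for sec-policy/*, plus a sentence that POLICY_TYPES may only be removed once no EAPI 7 policy package remains installed. The "Future Changes" paragraph also leaves "the migration" undefined: state that EAPI 7 support in selinux-policy-2.eclass will be dropped after a warning period, that this requires nothing further from users, and that only overlay maintainers need to bump their ebuilds to EAPI 8.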
> >
> > I think we ought to elaborate more here. What migration? Will users have
> > to do even more work to deal with the upcoming changes?
>
>
> Users should not be expected to do more work; this I suppose is more targeted
> at overlay maintainers (and hence might be the wrong place?). Once this is
> merged, the plan for removal is something akin to this:
>
> 1. Add a global scope ewarn for EAPI 7 consumers of selinux-policy-2. This is
> quite noisy to say the least, but it's there to kind of give people a last,
> "final" warning that EAPI 7 is about to go.
> 2. 2-3 weeks, maybe a month after that, drop EAPI 7 support in its entirety.
> Note that this will make POLICY_TYPES being set a bit useless in the end
> as, well, it has no consumers anymore.
I think this is a good plan. I say drop EAPI 7 a month after the news
goes out.
Suggesting more clarified instructions:
"""
FOR USERS
=========
Set SELINUX_POLICY_TYPES in your package.use to match what POLICY_TYPES
is currently set to. Example:
$ echo 'SELINUX_POLICY_TYPES="mcs"' >>/etc/portage/make.conf
OR
$ echo "sec-policy/* SELINUX_POLICY_TYPES: mcs" >/etc/portage/package.use/selinux-policy
DO NOT unset POLICY_TYPES until you are certain that all policy packages
you have installed have been updated to match the new behavior. You can
use this command to find all outdated installed policy packages that
have not been updated yet:
$ eix -C sec-policy --installed --eapi 7 -#
If the above command returns an empty list, then the POLICY_TYPES
variable is safe to remove.
FOR DEVELOPERS
==============
In your SELinux policy packages, bump the EAPI variable to EAPI=8. No
further action is required.
"""
Noting though that the instructions I wrote here indicate you can remove
POLICY_TYPES safely if every package you have is on EAPI 8, however if a
user does this and then decides to install an outdated package, then
there might be problems.
Also, while the command I provided to find outdated packages is using
eix, I would prefer if we could provide one that didn't require that
tool since it's not normally installed by default.
--
Kenton Groombridge
Gentoo Linux Developer, SELinux Project
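The eix-free check Kenton asks for at the end of his message, as an added example that is not part of this thread or of the news item: it reads Portage's installed-package database (VDB) under /var/db/pkg instead of calling eix, and it also reports which POLICY_TYPES entries SELINUX_POLICY_TYPES does not cover, which is the mismatch the quoted scenario describes. The VDB layout and the sample package names and versions are assumptions, and the temp-directory demo at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Portage's VDB keeps one directory per
# installed package at /var/db/pkg/<cat>/<pkg>-<ver>/ whose EAPI file holds the
# package's EAPI. Assumptions: that layout, and that a missing EAPI file means
# EAPI 0 (the PMS default), which is still outdated here.

# List installed sec-policy packages whose EAPI is not 8, one per line as
# "sec-policy/<pkg>-<ver> (EAPI <n>)".  Arg 1: VDB root (default /var/db/pkg).
outdated_policy_pkgs() {
    vdb="${1:-/var/db/pkg}"
    for dir in "$vdb"/sec-policy/*/; do
        [ -d "$dir" ] || continue            # glob matched nothing
        eapi=$(cat "$dir/EAPI" 2>/dev/null | tr -d '[:space:]')
        [ -n "$eapi" ] || eapi=0             # no EAPI file: EAPI 0
        if [ "$eapi" != "8" ]; then
            printf 'sec-policy/%s (EAPI %s)\n' "$(basename "$dir")" "$eapi"
        fi
    done
}

# Print the types listed in POLICY_TYPES that SELINUX_POLICY_TYPES does not
# cover; a leftover EAPI 7 policy package would try to build these against a
# base policy that no longer provides them.  An empty POLICY_TYPES stands for
# all four types, as the quoted reply explains.
# Arg 1: POLICY_TYPES value, arg 2: SELINUX_POLICY_TYPES value.
missing_policy_types() {
    old="${1:-targeted strict mcs mls}"
    new="$2"
    for t in $old; do
        case " $new " in
            *" $t "*) ;;                     # covered
            *) printf '%s\n' "$t" ;;
        esac
    done
}

# Constructed sample VDB: one package already on EAPI 8, one still on EAPI 7.
# Package names and versions are made up for the demo.
demo_vdb=$(mktemp -d)
mkdir -p "$demo_vdb/sec-policy/selinux-base-9.9" "$demo_vdb/sec-policy/selinux-foo-1.0"
echo 8 > "$demo_vdb/sec-policy/selinux-base-9.9/EAPI"
echo 7 > "$demo_vdb/sec-policy/selinux-foo-1.0/EAPI"

outdated_policy_pkgs "$demo_vdb"                          # sec-policy/selinux-foo-1.0 (EAPI 7)
missing_policy_types "targeted strict mcs mls" "mcs mls"  # targeted, strict
rm -rf "$demo_vdb"
```

On a real system run `outdated_policy_pkgs` with no argument; an empty result means POLICY_TYPES can be dropped, subject to the caveat about later installing an outdated package.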