


Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item

From "Rahul Sandhu" <nvraxn@posteo.uk>
Newsgroups linux.gentoo.dev
Subject Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item
Date 2026-04-08 11:10 +0200
Message-ID <MHx57-dzbl-1@gated-at.bofh.it> (permalink)
References <MHmt3-drTN-3@gated-at.bofh.it> <MHolb-dtb6-1@gated-at.bofh.it>
Organization linux.* mail to news gateway



On Wed Apr 8, 2026 at 12:44 AM BST, Kenton Groombridge wrote:
> On 26/04/07 09:44PM, Rahul Sandhu wrote:
>> +What Changed
>> +============
>> +
>> +The SELinux policy and associated packages have all been bumped to EAPI 8.
>
> ... and are introducing some upcoming breaking changes.
>
>> +
>> +POLICY_TYPES has become the USE expand SELINUX_POLICY_TYPES. As such, it may be
>> +set in package.use now, like any other USE expand. However, it is recommended
>> +to keep POLICY_TYPES both set, if done so previously, and in sync with the USE
>> +expand set for sec-policy/selinux-base.
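Review bot: the recommendation to keep POLICY_TYPES set gives no reason, so a user who only knows the new USE expand cannot tell whether it applies to them. The reply that follows supplies the reason (policy packages still on EAPI 7 default POLICY_TYPES to every policy type and fail to build when sec-policy/selinux-base was built for fewer types), so the news item could state that this matters only for policy packages not yet migrated to EAPI 8, such as those in overlays. "keep POLICY_TYPES both set, if done so previously, and in sync" also reads awkwardly; "keep POLICY_TYPES set (if it was set before) and in sync with the USE expand for sec-policy/selinux-base" is clearer.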
>
> Is keeping both around really necessary? If we are planning to remove
> POLICY_TYPES eventually it would make more sense to just tell users to
> switch to the new behavior right away if they are able.

It's necessary for any policy packages that have _not_ been migrated to EAPI 8.
Granted, the scope of this problem should be... very limited. This series is
moving over all the ::gentoo policy packages to EAPI 8, and even ::guru does
not seem to have any consumers of selinux-policy-2.eclass. So this is _mostly_
a catch-all for any weird overlays or whatever that have some custom policy
package.

As for why it's needed, say that a user sets SELINUX_POLICY_TYPES as follows:

SELINUX_POLICY_TYPES="mcs mls"

And let's for the sake of argument say they _don't_ have POLICY_TYPES set and
in sync with the current value of SELINUX_POLICY_TYPES. This means that, due to
the profile and EAPI 7 eclass logic, POLICY_TYPES will default to building all
policy types, so its value can be treated as follows:

POLICY_TYPES="targeted strict mcs mls"

Now, let's say the user attempts to build an EAPI 7 policy package, let's say
sec-policy/selinux-foo::supercooloverlay. Its dependencies, which will be at a
_minimum_ sec-policy/selinux-base{,-policy} will not have support for targeted
and strict as SELINUX_POLICY_TYPES was set to only support mcs and mls above.

As such, sec-policy/selinux-foo will now fail to build.

I do agree the wording is a bit... iffy on this one. Suggestions for rewording
very much welcome. :)

>
>> +
>> +User Action Required
>> +====================
>> +
>> +Some user intervention may be needed due to changes in selinux-policy-2 eclass
>> +variable names.
>> +
>> +If POLICY_TYPES is set, the SELINUX_POLICY_TYPES USE expand should be set to
>> +match POLICY_TYPES' contents.
>> +
>> +Future Changes
>> +==============
>> +
>> +EAPI 7 policy packages will continue to work in the short term whilst the final
>> +touches for the migration take place. However, overlays should look to migrate
>> +to EAPI 8 as soon as possible.
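Review bot: "Future Changes" refers to "the migration" and its "final touches" without saying what they are or whose work is involved, and "overlays should look to migrate" names the actual audience only indirectly. The reply below states that users need no further action and that the plan is a global-scope ewarn for EAPI 7 consumers of selinux-policy-2.eclass followed by removal of EAPI 7 support a few weeks later; naming overlay maintainers as the audience and giving that sequence would answer the question raised here.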
>
> I think we ought to elaborate more here. What migration? Will users have
> to do even more work to deal with the upcoming changes?

Users should not be expected to do more work; this I suppose is more targeted
at overlay maintainers (and hence might be the wrong place?). Once this is
merged, the plan for removal is something akin to this:

1. Add a global scope ewarn for EAPI 7 consumers of selinux-policy-2. This is
   quite noisy to say the least, but it's there to kind of give people a last,
   "final" warning that EAPI 7 is about to go.
2. 2-3 weeks, maybe a month after that, drop EAPI 7 support in its entirety.
   Note that this will make POLICY_TYPES being set a bit useless in the end
   as, well, it has no consumers anymore.
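The mismatch described in the reply above, as an added example (not code from the news item, from selinux-policy-2.eclass, or from anyone in this thread): a POSIX shell check that compares the value EAPI 7 policy packages would see in POLICY_TYPES with the types enabled through SELINUX_POLICY_TYPES and reports any type the EAPI 8 sec-policy/selinux-base would not provide. It assumes, as the reply states, that an unset POLICY_TYPES is treated as all four policy types, and it takes both values as arguments rather than reading make.conf or package.use (the `check_policy_types`, `missing_policy_types` and `effective_policy_types` names are this example's own).

```shell
#!/bin/sh
# Added example, not part of the news item or the eclass.
# Checks whether POLICY_TYPES (read by EAPI 7 consumers of selinux-policy-2.eclass)
# asks for any policy type that SELINUX_POLICY_TYPES (the USE expand read by the
# EAPI 8 eclass) does not enable for sec-policy/selinux-base.

# Assumption taken from the reply above: an unset POLICY_TYPES behaves as if all
# four policy types were requested.
ALL_POLICY_TYPES="targeted strict mcs mls"

# effective_policy_types POLICY_TYPES_VALUE
# Prints what EAPI 7 consumers will see: the given value, or every type when empty.
effective_policy_types() {
    if [ -z "$1" ]; then
        printf '%s\n' "$ALL_POLICY_TYPES"
    else
        printf '%s\n' "$1"
    fi
}

# missing_policy_types POLICY_TYPES_VALUE SELINUX_POLICY_TYPES_VALUE
# Prints the types an EAPI 7 package would build for but selinux-base will not provide.
missing_policy_types() {
    effective=$(effective_policy_types "$1")
    enabled=" $2 "
    missing=""
    for t in $effective; do
        case "$enabled" in
            *" $t "*) ;;                 # enabled via the USE expand: fine
            *) missing="$missing $t" ;;  # not built by selinux-base: EAPI 7 build would fail
        esac
    done
    printf '%s\n' "${missing# }"
}

# check_policy_types POLICY_TYPES_VALUE SELINUX_POLICY_TYPES_VALUE
# Returns 0 when the two settings are in sync, 1 (with a report) otherwise.
check_policy_types() {
    missing=$(missing_policy_types "$1" "$2")
    if [ -z "$missing" ]; then
        echo "POLICY_TYPES and SELINUX_POLICY_TYPES are in sync"
        return 0
    fi
    echo "EAPI 7 policy packages would need types not enabled in SELINUX_POLICY_TYPES: $missing"
    echo "Either add them to SELINUX_POLICY_TYPES or set POLICY_TYPES=\"$2\" to match"
    return 1
}

# Constructed sample values mirroring the scenario in the reply: the USE expand
# limited to mcs and mls, first with POLICY_TYPES kept in sync, then left unset.
check_policy_types "mcs mls" "mcs mls"
check_policy_types "" "mcs mls" || :
```

With POLICY_TYPES unset the second call reports `targeted strict`, which is exactly the pair of types sec-policy/selinux-foo::supercooloverlay would try to build against a selinux-base that only has mcs and mls.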


Thread

[gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item Rahul Sandhu <nvraxn@posteo.uk> - 2026-04-07 23:50 +0200
  Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item Kenton Groombridge <concord@gentoo.org> - 2026-04-08 01:50 +0200
    Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item "Rahul Sandhu" <nvraxn@posteo.uk> - 2026-04-08 11:10 +0200
      Re: [gentoo-dev] [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item Kenton Groombridge <concord@gentoo.org> - 2026-04-08 16:10 +0200
        [gentoo-dev] [PATCH v2] 2026-04-23-selinux-policy-eapi-8: add news item Rahul Sandhu <nvraxn@posteo.uk> - 2026-04-23 20:40 +0200
          [gentoo-dev] [PATCH v3] 2026-04-23-selinux-policy-eapi-8: add news item Rahul Sandhu <nvraxn@posteo.uk> - 2026-04-24 01:20 +0200
            Re: [gentoo-dev] [PATCH v3] 2026-04-23-selinux-policy-eapi-8: add news item Sam James <sam@gentoo.org> - 2026-04-30 02:40 +0200
            Re: [gentoo-dev] [PATCH v3] 2026-04-23-selinux-policy-eapi-8: add news item Eli Schwartz <eschwartz@gentoo.org> - 2026-04-30 03:10 +0200
  [gentoo-dev] Re: [PATCH] 2026-04-07-selinux-policy-eapi-8: add news item Sam James <sam@gentoo.org> - 2026-04-08 02:40 +0200