[PATCH v2 2/4] [DO NOT MERGE] Install selinux-policy-devel in test environment

[PATCH v2 2/4] [DO NOT MERGE] Install selinux-policy-devel in test environment

[Vit Mojzis]

Temporary commit for testing purposes.
The change needs to be done in
https://gitlab.com/libvirt/libvirt-ci/-/blob/master/guests/lcitool/lcitool/ansible/vars/projects/libvirt.yml

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 ci/containers/ci-centos-8.Dockerfile                     | 1 +
 ci/containers/ci-centos-stream.Dockerfile                | 1 +
 ci/containers/ci-fedora-32.Dockerfile                    | 1 +
 ci/containers/ci-fedora-33.Dockerfile                    | 1 +
 ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile | 1 +
 ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile | 1 +
 ci/containers/ci-fedora-rawhide.Dockerfile               | 1 +
 7 files changed, 7 insertions(+)

diff --git a/ci/containers/ci-centos-8.Dockerfile b/ci/containers/ci-centos-8.Dockerfile
index e600598329..7d6cbafe6b 100644
--- a/ci/containers/ci-centos-8.Dockerfile
+++ b/ci/containers/ci-centos-8.Dockerfile
@@ -84,6 +84,7 @@ RUN dnf update -y && \
         rpm-build \
         sanlock-devel \
         scrub \
+        selinux-policy-devel \
         systemtap-sdt-devel \
         wireshark-devel \
         xfsprogs-devel \
diff --git a/ci/containers/ci-centos-stream.Dockerfile b/ci/containers/ci-centos-stream.Dockerfile
index 2b51eccc8d..b4d02f4148 100644
--- a/ci/containers/ci-centos-stream.Dockerfile
+++ b/ci/containers/ci-centos-stream.Dockerfile
@@ -86,6 +86,7 @@ RUN dnf install -y centos-release-stream && \
         rpm-build \
         sanlock-devel \
         scrub \
+        selinux-policy-devel \
         systemtap-sdt-devel \
         wireshark-devel \
         xfsprogs-devel \
diff --git a/ci/containers/ci-fedora-32.Dockerfile b/ci/containers/ci-fedora-32.Dockerfile
index 71d391b7bd..3b9d98c83f 100644
--- a/ci/containers/ci-fedora-32.Dockerfile
+++ b/ci/containers/ci-fedora-32.Dockerfile
@@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \
         rpm-build \
         sanlock-devel \
         scrub \
+        selinux-policy-devel \
         sheepdog \
         systemtap-sdt-devel \
         wireshark-devel \
diff --git a/ci/containers/ci-fedora-33.Dockerfile b/ci/containers/ci-fedora-33.Dockerfile
index 5fb30380b0..c8b4dcca34 100644
--- a/ci/containers/ci-fedora-33.Dockerfile
+++ b/ci/containers/ci-fedora-33.Dockerfile
@@ -89,6 +89,7 @@ exec "$@"' > /usr/bin/nosync && \
         rpm-build \
         sanlock-devel \
         scrub \
+        selinux-policy-devel \
         sheepdog \
         systemtap-sdt-devel \
         wireshark-devel \
diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
index c718778acb..55825c9753 100644
--- a/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide-cross-mingw32.Dockerfile
@@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \
         rpcgen \
         rpm-build \
         scrub \
+        selinux-policy-devel \
         sheepdog \
         zfs-fuse && \
     nosync dnf autoremove -y && \
diff --git a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
index 6058d0c0b2..69159a7e3c 100644
--- a/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide-cross-mingw64.Dockerfile
@@ -55,6 +55,7 @@ exec "$@"' > /usr/bin/nosync && \
         rpcgen \
         rpm-build \
         scrub \
+        selinux-policy-devel \
         sheepdog \
         zfs-fuse && \
     nosync dnf autoremove -y && \
diff --git a/ci/containers/ci-fedora-rawhide.Dockerfile b/ci/containers/ci-fedora-rawhide.Dockerfile
index 027e8a7c41..edd9c34c46 100644
--- a/ci/containers/ci-fedora-rawhide.Dockerfile
+++ b/ci/containers/ci-fedora-rawhide.Dockerfile
@@ -90,6 +90,7 @@ exec "$@"' > /usr/bin/nosync && \
         rpm-build \
         sanlock-devel \
         scrub \
+        selinux-policy-devel \
         sheepdog \
         systemtap-sdt-devel \
         wireshark-devel \
-- 
2.30.2

[PATCH v2 3/4] selinux: Remove 'make' dependency

[Vit Mojzis]

Compile the policy using a script executed by meson.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Changes:
* Rewrite policy compilation script in python

 libvirt.spec.in           |  12 ----
 meson.build               |  12 ++++
 selinux/compile_policy.py | 128 ++++++++++++++++++++++++++++++++++++++
 selinux/meson.build       |  23 +++++++
 4 files changed, 163 insertions(+), 12 deletions(-)
 create mode 100755 selinux/compile_policy.py
 create mode 100644 selinux/meson.build

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 9cbdb2c513..1b807ec324 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1239,14 +1239,6 @@ export SOURCE_DATE_EPOCH=$(stat --printf='%Y' %{_specdir}/%{name}.spec)
            %{?arg_login_shell}
 
 %meson_build
-%if 0%{?with_selinux}
-# SELinux policy (originally from selinux-policy-contrib)
-# this policy module will override the production module
-cd selinux
-
-make -f %{_datadir}/selinux/devel/Makefile %{modulename}.pp
-bzip2 -9 %{modulename}.pp
-%endif
 
 %install
 rm -fr %{buildroot}
@@ -1331,10 +1323,6 @@ mv $RPM_BUILD_ROOT%{_datadir}/systemtap/tapset/libvirt_qemu_probes.stp \
     %endif
 %endif
 
-%if 0%{?with_selinux}
-install -D -m 0644 selinux/%{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
-%endif
-
 %check
 # Building on slow archs, like emulated s390x in Fedora copr, requires
 # raising the test timeout
diff --git a/meson.build b/meson.build
index 69a7b4c88e..884d3a490d 100644
--- a/meson.build
+++ b/meson.build
@@ -2182,6 +2182,18 @@ endif
 
 subdir('build-aux')
 
+os_release = run_command('grep', '^ID=', '/etc/os-release').stdout()
+os_version = run_command('grep', '^VERSION_ID=', '/etc/os-release').stdout().split('=')
+if (os_version.length() == 2)
+  os_version = os_version[1]
+else
+  os_version = 0
+endif
+
+if ((os_release.contains('fedora') and os_version.version_compare('>33')) or
+    (os_release.contains('rhel') and os_version.version_compare('>8')))
+  subdir('selinux')
+endif
 
 # install pkgconfig files
 pkgconfig_files = [
diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
new file mode 100755
index 0000000000..2de26f21c7
--- /dev/null
+++ b/selinux/compile_policy.py
@@ -0,0 +1,128 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2021 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+
+# This script is based on selinux-policy Makefile
+# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/support/Makefile.devel
+
+import subprocess
+import sys
+import os
+import glob
+
+if len(sys.argv) != 6:
+    print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
+          % sys.argv[0], file=sys.stderr)
+    exit(os.EX_USAGE)
+
+module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
+
+m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
+           "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
+           "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
+
+SHAREDIR = "/usr/share/selinux"
+HEADERDIR = os.path.join(SHAREDIR, "devel/include")
+
+m4support = sorted(glob.glob("{}/support/*.spt".format(HEADERDIR)))
+header_layers = glob.glob("{}/*/".format(HEADERDIR))
+header_layers = sorted([x for x in header_layers
+                        if os.path.join(HEADERDIR, "support") not in x])
+
+header_interfaces = []
+for layer in header_layers:
+    header_interfaces.extend(glob.glob("{}/*.if".format(layer)))
+header_interfaces.sort()
+
+# prepare temp folder
+try:
+    os.makedirs(sys.argv[5])
+except Exception:
+    pass
+
+# remove old trash from the temp folder
+for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
+    try:
+        os.remove(os.path.join(sys.argv[5], name))
+    except Exception:
+        pass
+
+# tmp/all_interfaces.conf
+# echo "ifdef(\`__if_error',\`m4exit(1)')" > $5/iferror.m4
+with open(os.path.join(sys.argv[5], "iferror.m4"), "w") as file:
+    file.write("ifdef(`__if_error',`m4exit(1)')\n")
+
+# echo "divert(-1)" > $5/all_interfaces.conf
+with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "w") as int_file:
+    int_file.write("divert(-1)\n")
+
+# m4 $M4SUPPORT $HEADER_INTERFACES $2 $5/iferror.m4
+#   | sed -e s/dollarsstar/\$\$\*/g >> $5/all_interfaces.conf
+subprocess.run(r"m4 {} | sed -e s/dollarsstar/\$\$\*/g >> {}".format(
+               " ".join([*m4support, *header_interfaces, sys.argv[2],
+                         os.path.join(sys.argv[5], "iferror.m4")]),
+               os.path.join(sys.argv[5], "all_interfaces.conf")),
+               shell=True, check=True)
+
+# doesn't work properly without "shell=True"
+#    m4_process = Popen(["m4", *m4support, *header_interfaces, sys.argv[2],
+#                        os.path.join(sys.argv[5], "iferror.m4")],
+#                       stdout=PIPE, stderr=PIPE)
+#    sed_process = Popen(["sed", "-e", "s/dollarsstar/\$\$\*/g"],
+#                        stdin=m4_process.stdout, stdout=int_file)
+#    outs, errs = m4_process.communicate()
+
+# echo "divert" >> $5/all_interfaces.conf
+with open(os.path.join(sys.argv[5], "all_interfaces.conf"), "a") as file:
+    file.write("divert\n")
+
+# tmp/%.mod
+# m4 $M4PARAM -s $M4SUPPORT $5/all_interfaces.conf $1 > $5/$MODULE_NAME.tmp
+with open(os.path.join(sys.argv[5], "{}.tmp".format(module_name)),
+          "w") as tmp_file:
+    subprocess.run(["m4", *m4param, "-s", *m4support,
+                    os.path.join(sys.argv[5], "all_interfaces.conf"),
+                    sys.argv[1]], stdout=tmp_file, check=True)
+
+# /usr/bin/checkmodule -M -m $5/$MODULE_NAME.tmp -o $5/$MODULE_NAME.mod
+subprocess.run(["/usr/bin/checkmodule",
+                "-M",
+                "-m",
+                os.path.join(sys.argv[5], "{}.tmp".format(module_name)),
+                "-o",
+                os.path.join(sys.argv[5], "{}.mod".format(module_name))],
+               check=True)
+
+
+# tmp/%.mod.fc
+# m4 $M4PARAM $M4SUPPORT $3 > $5/$MODULE_NAME.mod.fc
+with open(os.path.join(sys.argv[5],
+                       "{}.mod.fc".format(module_name)), "w") as mod_fc_file:
+    subprocess.run(["m4", *m4param, *m4support, sys.argv[3]],
+                   stdout=mod_fc_file, check=True)
+
+# %.pp
+# /usr/bin/semodule_package -o $4 -m $5/$MODULE_NAME.mod
+#   -f $5/$MODULE_NAME.mod.fc
+subprocess.run(["/usr/bin/semodule_package",
+                "-o",
+                sys.argv[4],
+                "-m",
+                os.path.join(sys.argv[5], "{}.mod".format(module_name)),
+                "-f",
+                os.path.join(sys.argv[5], "{}.mod.fc".format(module_name))],
+               check=True)
diff --git a/selinux/meson.build b/selinux/meson.build
new file mode 100644
index 0000000000..2737e60519
--- /dev/null
+++ b/selinux/meson.build
@@ -0,0 +1,23 @@
+selinux_sources = [
+  'virt.te',
+  'virt.if',
+  'virt.fc',
+]
+
+compile_policy_prog = find_program('compile_policy.py')
+
+virt_pp = custom_target('virt.pp',
+  output : 'virt.pp',
+  input : selinux_sources,
+  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
+  install : false)
+
+bzip2_prog = find_program('bzip2')
+
+bzip = custom_target('virt.pp.bz2',
+  output : 'virt.pp.bz2',
+  input : virt_pp,
+  command : [bzip2_prog, '-c', '-9', '@INPUT@'],
+  capture : true,
+  install : true,
+  install_dir : 'share/selinux/packages/')
-- 
2.30.2

[PATCH v2 4/4] selinux: add "mls" binary version of the policy

[Vit Mojzis]

Compile the module also for use with "mls" systems and allow
installation to systems with any selinux type (targeted, mls and
minimum).

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 libvirt.spec.in           | 53 +++++++++++++++++++++++++++++++++------
 selinux/compile_policy.py | 21 ++++++++++------
 selinux/meson.build       | 11 +++++---
 selinux/mls/meson.build   | 20 +++++++++++++++
 4 files changed, 87 insertions(+), 18 deletions(-)
 create mode 100644 selinux/mls/meson.build

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 1b807ec324..9efbd2e6db 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -5,9 +5,8 @@
 # or versions, but no effort will be made to ensure that going forward.
 
 %if 0%{?fedora} > 33 || 0%{?rhel} > 8
-	%global with_selinux 1
-	%global selinuxtype targeted
-	%global modulename virt
+    %global with_selinux 1
+    %global modulename virt
 %endif
 
 %define min_rhel 7
@@ -1535,18 +1534,57 @@ exit 0
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
 %pre selinux
-%selinux_relabel_pre -s %{selinuxtype}
+if [ -e /etc/selinux/config ]; then
+    . /etc/selinux/config
+    %selinux_relabel_pre -s ${SELINUXTYPE}
+fi
 
 %post selinux
-%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+# only policy reload is needed - module installation is managed by triggers
+/usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
 
 %postun selinux
 if [ $1 -eq 0 ]; then
-    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
 fi
 
 %posttrans selinux
-%selinux_relabel_post -s %{selinuxtype}
+if [ -e /etc/selinux/config ]; then
+    . /etc/selinux/config
+    %selinux_relabel_post -s ${SELINUXTYPE}
+fi
+
+# install the policy module to corresponding policy store if
+# selinux-policy-{targeted|mls|minimum} package is installed on the system
+%triggerin -n %{name}-selinux -- selinux-policy-targeted
+/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+
+%triggerin -n %{name}-selinux -- selinux-policy-minimum
+/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
+# libvirt module is installed by default, but disabled -- enable it
+/usr/sbin/semodule -n -s minimum -e %{modulename} || :
+
+%triggerin -n %{name}-selinux -- selinux-policy-mls
+/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || :
+
+# remove the policy module from corresponding module store if
+# libvirt-selinux or selinux-policy-* was removed from the system,
+# but not when either package gets updated
+%triggerun -n %{name}-selinux -- selinux-policy-targeted
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then
+    /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || :
+fi
+
+%triggerun -n %{name}-selinux -- selinux-policy-minimum
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then
+    /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || :
+    /usr/sbin/semodule -n -d %{modulename} || :
+fi
+
+%triggerun -n %{name}-selinux -- selinux-policy-mls
+if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then
+    /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || :
+fi
 %endif
 
 %files
@@ -2018,6 +2056,7 @@ fi
 %if 0%{?with_selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{modulename}.pp.*
+%{_datadir}/selinux/packages/mls/%{modulename}.pp.*
 %ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
 %ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
 %ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
index 2de26f21c7..7a703dbb3d 100755
--- a/selinux/compile_policy.py
+++ b/selinux/compile_policy.py
@@ -24,16 +24,21 @@ import sys
 import os
 import glob
 
-if len(sys.argv) != 6:
-    print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
-          % sys.argv[0], file=sys.stderr)
+if len(sys.argv) != 7:
+    print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
+           " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr)
     exit(os.EX_USAGE)
 
 module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
 
-m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
-           "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
-           "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
+m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms",
+           "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024",
+           "-D", "mcs_num_cats=1024"]
+
+if sys.argv[6] == "mls":
+    m4param = ["-D", "enable_mls"] + m4param
+else:
+    m4param = ["-D", "enable_mcs"] + m4param
 
 SHAREDIR = "/usr/share/selinux"
 HEADERDIR = os.path.join(SHAREDIR, "devel/include")
@@ -55,7 +60,9 @@ except Exception:
     pass
 
 # remove old trash from the temp folder
-for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
+tmpfiles = ["{}.{}".format(module_name, ext)
+            for ext in ["mod", "mod.fc", "tmp"]]
+for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles:
     try:
         os.remove(os.path.join(sys.argv[5], name))
     except Exception:
diff --git a/selinux/meson.build b/selinux/meson.build
index 2737e60519..305cf59e72 100644
--- a/selinux/meson.build
+++ b/selinux/meson.build
@@ -4,15 +4,16 @@ selinux_sources = [
   'virt.fc',
 ]
 
-compile_policy_prog = find_program('compile_policy.py')
+set_variable('compile_policy_prog', find_program('compile_policy.py'))
 
+# targeted/minimum policy module
 virt_pp = custom_target('virt.pp',
   output : 'virt.pp',
   input : selinux_sources,
-  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
+  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'],
   install : false)
 
-bzip2_prog = find_program('bzip2')
+set_variable('bzip2_prog', find_program('bzip2'))
 
 bzip = custom_target('virt.pp.bz2',
   output : 'virt.pp.bz2',
@@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2',
   command : [bzip2_prog, '-c', '-9', '@INPUT@'],
   capture : true,
   install : true,
-  install_dir : 'share/selinux/packages/')
+  install_dir : 'share/selinux/packages')
+
+subdir('mls')
diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build
new file mode 100644
index 0000000000..20bab41fea
--- /dev/null
+++ b/selinux/mls/meson.build
@@ -0,0 +1,20 @@
+selinux_sources = [
+  '../virt.te',
+  '../virt.if',
+  '../virt.fc',
+]
+
+# MLS policy module
+virt_pp_mls = custom_target('virt.pp',
+  output : 'virt.pp',
+  input : selinux_sources,
+  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'],
+  install : false)
+
+bzip_mls = custom_target('virt.pp.bz2',
+  output : 'virt.pp.bz2',
+  input : virt_pp_mls,
+  command : [bzip2_prog, '-c', '-9', '@INPUT@'],
+  capture : true,
+  install : true,
+  install_dir : 'share/selinux/packages/mls')
-- 
2.30.2

Re: [PATCH v2 4/4] selinux: add "mls" binary version of the policy

[Vit Mojzis]

Please disregad these patches, they where intended for a different ML.
Sorry for the noise.

On 4/7/21 12:12 PM, Vit Mojzis wrote:
> Compile the module also for use with "mls" systems and allow
> installation to systems with any selinux type (targeted, mls and
> minimum).
> 
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
>   libvirt.spec.in           | 53 +++++++++++++++++++++++++++++++++------
>   selinux/compile_policy.py | 21 ++++++++++------
>   selinux/meson.build       | 11 +++++---
>   selinux/mls/meson.build   | 20 +++++++++++++++
>   4 files changed, 87 insertions(+), 18 deletions(-)
>   create mode 100644 selinux/mls/meson.build
> 
> diff --git a/libvirt.spec.in b/libvirt.spec.in
> index 1b807ec324..9efbd2e6db 100644
> --- a/libvirt.spec.in
> +++ b/libvirt.spec.in
> @@ -5,9 +5,8 @@
>   # or versions, but no effort will be made to ensure that going forward.
>   
>   %if 0%{?fedora} > 33 || 0%{?rhel} > 8
> -	%global with_selinux 1
> -	%global selinuxtype targeted
> -	%global modulename virt
> +    %global with_selinux 1
> +    %global modulename virt
>   %endif
>   
>   %define min_rhel 7
> @@ -1535,18 +1534,57 @@ exit 0
>   # SELinux contexts are saved so that only affected files can be
>   # relabeled after the policy module installation
>   %pre selinux
> -%selinux_relabel_pre -s %{selinuxtype}
> +if [ -e /etc/selinux/config ]; then
> +    . /etc/selinux/config
> +    %selinux_relabel_pre -s ${SELINUXTYPE}
> +fi
>   
>   %post selinux
> -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
> +# only policy reload is needed - module installation is managed by triggers
> +/usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
>   
>   %postun selinux
>   if [ $1 -eq 0 ]; then
> -    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
> +    /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
>   fi
>   
>   %posttrans selinux
> -%selinux_relabel_post -s %{selinuxtype}
> +if [ -e /etc/selinux/config ]; then
> +    . /etc/selinux/config
> +    %selinux_relabel_post -s ${SELINUXTYPE}
> +fi
> +
> +# install the policy module to corresponding policy store if
> +# selinux-policy-{targeted|mls|minimum} package is installed on the system
> +%triggerin -n %{name}-selinux -- selinux-policy-targeted
> +/usr/sbin/semodule -n -s targeted -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
> +
> +%triggerin -n %{name}-selinux -- selinux-policy-minimum
> +/usr/sbin/semodule -n -s minimum -X 200 -i %{_datadir}/selinux/packages/%{modulename}.pp.bz2 || :
> +# libvirt module is installed by default, but disabled -- enable it
> +/usr/sbin/semodule -n -s minimum -e %{modulename} || :
> +
> +%triggerin -n %{name}-selinux -- selinux-policy-mls
> +/usr/sbin/semodule -n -s mls -X 200 -i %{_datadir}/selinux/packages/mls/%{modulename}.pp.bz2 || :
> +
> +# remove the policy module from corresponding module store if
> +# libvirt-selinux or selinux-policy-* was removed from the system,
> +# but not when either package gets updated
> +%triggerun -n %{name}-selinux -- selinux-policy-targeted
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s targeted -X 200 -r %{modulename} || :
> +fi
> +
> +%triggerun -n %{name}-selinux -- selinux-policy-minimum
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s minimum -X 200 -r %{modulename} || :
> +    /usr/sbin/semodule -n -d %{modulename} || :
> +fi
> +
> +%triggerun -n %{name}-selinux -- selinux-policy-mls
> +if ([ $1 -eq 0 ] || [ $2 -eq 0 ]) && [ -e %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename} ]; then
> +    /usr/sbin/semodule -n -s mls -X 200 -r %{modulename} || :
> +fi
>   %endif
>   
>   %files
> @@ -2018,6 +2056,7 @@ fi
>   %if 0%{?with_selinux}
>   %files selinux
>   %{_datadir}/selinux/packages/%{modulename}.pp.*
> +%{_datadir}/selinux/packages/mls/%{modulename}.pp.*
>   %ghost %{_sharedstatedir}/selinux/targeted/active/modules/200/%{modulename}
>   %ghost %{_sharedstatedir}/selinux/minimum/active/modules/200/%{modulename}
>   %ghost %{_sharedstatedir}/selinux/mls/active/modules/200/%{modulename}
> diff --git a/selinux/compile_policy.py b/selinux/compile_policy.py
> index 2de26f21c7..7a703dbb3d 100755
> --- a/selinux/compile_policy.py
> +++ b/selinux/compile_policy.py
> @@ -24,16 +24,21 @@ import sys
>   import os
>   import glob
>   
> -if len(sys.argv) != 6:
> -    print("Usage: %s <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
> -          % sys.argv[0], file=sys.stderr)
> +if len(sys.argv) != 7:
> +    print(("Usage: {} <policy>.te <policy>.if <policy>.fc <output>.pp <tmpdir>"
> +           " <type (mls/mcs)>").format(sys.argv[0]), file=sys.stderr)
>       exit(os.EX_USAGE)
>   
>   module_name = os.path.splitext(os.path.basename(sys.argv[1]))[0]
>   
> -m4param = ["-D", "enable_mcs", "-D", "distro_redhat", "-D",
> -           "hide_broken_symptoms", "-D", "mls_num_sens=16", "-D",
> -           "mls_num_cats=1024", "-D", "mcs_num_cats=1024"]
> +m4param = ["-D", "distro_redhat", "-D", "hide_broken_symptoms",
> +           "-D", "mls_num_sens=16", "-D", "mls_num_cats=1024",
> +           "-D", "mcs_num_cats=1024"]
> +
> +if sys.argv[6] == "mls":
> +    m4param = ["-D", "enable_mls"] + m4param
> +else:
> +    m4param = ["-D", "enable_mcs"] + m4param
>   
>   SHAREDIR = "/usr/share/selinux"
>   HEADERDIR = os.path.join(SHAREDIR, "devel/include")
> @@ -55,7 +60,9 @@ except Exception:
>       pass
>   
>   # remove old trash from the temp folder
> -for name in ["iferror.m4" "all_interfaces.conf" "{}.*".format(module_name)]:
> +tmpfiles = ["{}.{}".format(module_name, ext)
> +            for ext in ["mod", "mod.fc", "tmp"]]
> +for name in ["iferror.m4", "all_interfaces.conf"] + tmpfiles:
>       try:
>           os.remove(os.path.join(sys.argv[5], name))
>       except Exception:
> diff --git a/selinux/meson.build b/selinux/meson.build
> index 2737e60519..305cf59e72 100644
> --- a/selinux/meson.build
> +++ b/selinux/meson.build
> @@ -4,15 +4,16 @@ selinux_sources = [
>     'virt.fc',
>   ]
>   
> -compile_policy_prog = find_program('compile_policy.py')
> +set_variable('compile_policy_prog', find_program('compile_policy.py'))
>   
> +# targeted/minimum policy module
>   virt_pp = custom_target('virt.pp',
>     output : 'virt.pp',
>     input : selinux_sources,
> -  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp'],
> +  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/tmp', 'mcs'],
>     install : false)
>   
> -bzip2_prog = find_program('bzip2')
> +set_variable('bzip2_prog', find_program('bzip2'))
>   
>   bzip = custom_target('virt.pp.bz2',
>     output : 'virt.pp.bz2',
> @@ -20,4 +21,6 @@ bzip = custom_target('virt.pp.bz2',
>     command : [bzip2_prog, '-c', '-9', '@INPUT@'],
>     capture : true,
>     install : true,
> -  install_dir : 'share/selinux/packages/')
> +  install_dir : 'share/selinux/packages')
> +
> +subdir('mls')
> diff --git a/selinux/mls/meson.build b/selinux/mls/meson.build
> new file mode 100644
> index 0000000000..20bab41fea
> --- /dev/null
> +++ b/selinux/mls/meson.build
> @@ -0,0 +1,20 @@
> +selinux_sources = [
> +  '../virt.te',
> +  '../virt.if',
> +  '../virt.fc',
> +]
> +
> +# MLS policy module
> +virt_pp_mls = custom_target('virt.pp',
> +  output : 'virt.pp',
> +  input : selinux_sources,
> +  command : [compile_policy_prog, '@INPUT@', '@OUTPUT@', 'selinux/mls/tmp', 'mls'],
> +  install : false)
> +
> +bzip_mls = custom_target('virt.pp.bz2',
> +  output : 'virt.pp.bz2',
> +  input : virt_pp_mls,
> +  command : [bzip2_prog, '-c', '-9', '@INPUT@'],
> +  capture : true,
> +  install : true,
> +  install_dir : 'share/selinux/packages/mls')
>