Base selinux - bootstrapping PKGBUILDs

[tqre]

Here are the base and base-devel meta packages modified for SELinux support. The base-selinux meta package allows for bootstrapping from ArchISO with pacstrap /mnt base-selinux. The base-devel -group has been also recreated as a meta package, as tools like sudo and openssh are compiled with SELinux support. I have only included the refpolicy-arch package for now to keep it as small as possible.

I have also added few lines to build_and_install_all.sh -script for these meta-packages to get built, which is the script I use within my build pipeline.

It only makes sense to have these packages if a public repository is available that serves them, so I have been maintaining one. I have added note of this to main README, and will make step-by-step instructions to ArchWiki at some point.

So far it's been working as intended, although I haven't done extensive testing. I have succesfully installed on VM's and bare-metal machines, and my spare laptop runs Arch with SELinux support installed and kept up-to-date using these packages for over a month now.

Improvements and thoughts are most welcome.

[fishilico]

This looks good, thanks :) I stumbled open an open namcap bug while analyzing the PKGBUILD files because they do not define source (https://bugs.archlinux.org/task/65042), but this is indeed a bug in namcap, not in the files.

I pushed base-selinux and base-devel-selinux to the AUR. I can give you co-maintainer rights on these packages if you indicate your AUR account name.

I updated this repository to use the AUR packages with git subtree, like the other packages, and also pushed your modification in the README.md.

For build_and_install_all.sh I have some comments before accepting your changes:

• Why do you need -d ("nodeps") option for base-selinux and base-devel-selinux? If there is a reason, it should be documented as a comment in the script.
• Why only build the package (no -i in makepkg), instead of building and installing it like the other packages?

If you update this Pull Request by rebasing and changing build_and_install_all.sh, I could merge it.

[tqre]

Happy to hear this :)

I can give you co-maintainer rights on these packages if you indicate your AUR account name.

I'm tqre in the AUR aswell.

Why do you need -d ("nodeps") option for base-selinux and base-devel-selinux? If there is a reason, it should be documented as a comment in the script.

The meta-packages are essentially only lists of packages to install in the same spirit as base package is in the core repository. But you have a good point, as the packages actually can be built and installed with build_and_install -function. Partly these are test remnants, but the reason for the -d flag's usage is that I did put base-selinux as a dependency to base-devel-selinux.

Why only build the package (no -i in makepkg), instead of building and installing it like the other packages?

So I tested it, and I found the reasoning which I didn't document at the time: installing base-selinux -package results in having both base and base-selinux packages present in the system, and this will most likely result in problems when upgrading the system. I made a bit lengthy comment to the script about this.

Breaking the meta packages' purposes down to understand them, the base-selinux package's intention is to be used on the bootstrapping phase when installing Arch Linux. base-devel is actually a package group in the core, but as it includes sudo I made a meta package that contains all the same packages, the only difference being sudo-selinux.

I'll update the PR with the comments added to the script.

[fishilico]

Thanks for the explainations. They seem reasonable and I agree with them. I am therefore merging this PR.