ctc-oss · jw3 · Oct 7, 2024 · Sep 16, 2024 · Sep 17, 2024 · Oct 1, 2024
diff --git a/.github/rpm-matrix.json b/.github/rpm-matrix.json
@@ -1,11 +1,20 @@
 {
   "props": [
+    {
+      "platform": "fedora",
+      "dist": "fc42",
+      "spec": "fapolicy-analyzer.spec",
+      "image": "registry.fedoraproject.org/fedora:42",
+      "chroot": "fedora-rawhide-x86_64",
+      "version": "42",
+      "prerelease": true
+    },
     {
       "platform": "fedora",
       "dist": "fc41",
       "spec": "fapolicy-analyzer.spec",
       "image": "registry.fedoraproject.org/fedora:41",
-      "chroot": "fedora-rawhide-x86_64",
+      "chroot": "fedora-41-x86_64",
       "version": "41",
       "prerelease": true
     },

diff --git a/.github/workflows/rpm.yml b/.github/workflows/rpm.yml
@@ -109,8 +109,6 @@ jobs:
 
       - name: Adjust spec
         run: |
-          # disable dev-tools crate
-          sed -i '/tools/d' Cargo.toml
           # generate build deps with cargo2rpm
           cargo2rpm -p Cargo.toml buildrequires | while read line; do
             grep -n "BuildRequires:" fapolicy-analyzer.spec | head -n1 | cut -d: -f1 | xargs -I{} sed -i "{}iBuildRequires: $line" fapolicy-analyzer.spec

diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
@@ -44,7 +44,6 @@ jobs:
         run: |
           mkdir /tmp/tools
           mv target/release/tdb /tmp/tools/tdb
-          mv target/release/rulec /tmp/tools/rulec
           mv target/release/faprofiler /tmp/tools/faprofiler
 
       - name: Archive Tools

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Containerfile b/Containerfile
@@ -1,25 +1,40 @@
-ARG image=registry.fedoraproject.org/fedora:39
-FROM $image AS build-stage
+ARG image=registry.fedoraproject.org/fedora:latest
+FROM $image AS fedorabuild
+ARG version
+ARG spec=fapolicy-analyzer.spec
 
-RUN dnf install -y rpm-build rpmdevtools dnf-plugins-core python3-pip nano
+# rpmbuild tools could be installed in the el stage
+# but caching them here ends up saving time on rebuilds
+RUN dnf install -y mock rpm-build rpmdevtools
 
 RUN useradd -u 10001 -g 0 -d /home/default default
 
 USER 10001
 RUN mkdir -p /tmp/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
 WORKDIR /tmp/rpmbuild
 
-COPY --chown=10001:0 fapolicy-analyzer.spec SPECS/
+COPY --chown=10001:0 $spec SPECS/fapolicy-analyzer.spec
 
 USER root
 RUN dnf -y builddep SPECS/fapolicy-analyzer.spec
 
 USER 10001
 
-COPY --chown=10001:0 fapolicy-analyzer.tar.gz SOURCES/
-COPY --chown=10001:0 vendor-docs.tar.gz       SOURCES/
-COPY --chown=10001:0 scripts/srpm/build.sh    ./build.sh
+COPY --chown=10001:0 fapolicy-analyzer-$version.tar.gz SOURCES/
+COPY --chown=10001:0 vendor-docs-$version.tar.gz       SOURCES/
+COPY --chown=10001:0 scripts/srpm/build.sh             .
 
-RUN spectool -g -C /tmp/rpmbuild/SOURCES/ SPECS/fapolicy-analyzer.spec
+USER root
 
 ENTRYPOINT ["/tmp/rpmbuild/build.sh"]
+
+FROM fedorabuild as elbuild
+ARG version
+
+USER 10001
+
+RUN spectool --list-files SPECS/fapolicy-analyzer.spec | grep pythonhosted | cut -d' ' -f2 | xargs -I{} curl -sLO --output-dir SOURCES {}
+
+COPY --chown=10001:0 vendor-rs-$version.tar.gz         SOURCES/
+
+USER root
diff --git a/Makefile b/Makefile
@@ -23,6 +23,8 @@ GRN=\033[0;32m
 RED=\033[0;31m
 NC=\033[0m # No Color
 
+VERSION ?= $(shell sed -n 's/^Version: *//p' fapolicy-analyzer.spec)
+
 # List the common developer targets
 list:
 	@echo
@@ -139,17 +141,17 @@ build-info:
 
 # Generate Fedora rawhide rpms
 fc-rpm:
-	@echo -e "${GRN}--- Fedora RPM generation...${NC}"
-	make -f .copr/Makefile vendor OS_ID=fedora
-	podman build -t fapolicy-analyzer:39 -f Containerfile .
-	podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:39 /v
+	@echo -e "${GRN}--- Fedora RPM generation v${VERSION}...${NC}"
+	make -f .copr/Makefile vendor OS_ID=fedora VERSION=${VERSION}
+	podman build -t fapolicy-analyzer:build --target fedorabuild --build-arg version=${VERSION} -f Containerfile .
+	podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build fedora-39-x86_64 /v
 
 # Generate RHEL 9 rpms
 el9-rpm:
-	@echo -e "${GRN}--- el9 RPM generation...${NC}"
-	make -f .copr/Makefile vendor OS_ID=rhel DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec
-	podman build -t fapolicy-analyzer:el9 -f scripts/srpm/Containerfile.el9 .
-	podman run --rm -it --network=none -v /tmp:/v fapolicy-analyzer:el9 /v
+	@echo -e "${GRN}--- el9 RPM generation v${VERSION}...${NC}"
+	make -f .copr/Makefile vendor vendor-rs OS_ID=rhel VERSION=${VERSION} DIST=.el9 spec=scripts/srpm/fapolicy-analyzer.el9.spec
+	podman build -t fapolicy-analyzer:build --target elbuild --build-arg version=${VERSION} --build-arg spec=scripts/srpm/fapolicy-analyzer.el9.spec -f Containerfile .
+	podman run --privileged --rm -it -v /tmp:/v fapolicy-analyzer:build rocky+epel-9-x86_64 /v
 
 # Update embedded help documentation
 help-docs:

diff --git a/crates/tools/Cargo.toml b/crates/tools/Cargo.toml
@@ -9,10 +9,6 @@ edition = "2021"
 name = "tdb"
 path = "src/trust_db_util.rs"
 
-[[bin]]
-name = "rulec"
-path = "src/rule_check.rs"
-
 [[bin]]
 name = "faprofiler"
 path = "src/fapolicy_profiler.rs"
@@ -23,7 +19,6 @@ lmdb = "0.8"
 nom = "7.1"
 rayon = "1.5"
 thiserror = "1.0"
-ariadne = "0.1"
 log = "0.4"
 
 fapolicy-analyzer = { path = "../analyzer" }

diff --git a/fapolicy-analyzer.spec b/fapolicy-analyzer.spec
@@ -1,4 +1,6 @@
 %bcond_without check
+%bcond_without cli
+%bcond_without gui
 
 Summary:       File Access Policy Analyzer
 Name:          fapolicy-analyzer
@@ -41,6 +43,22 @@ BuildRequires: audit-libs-devel
 BuildRequires: cargo-rpm-macros
 BuildRequires: python3dist(setuptools-rust)
 
+Requires:      %{name}-cli
+Requires:      %{name}-gui
+
+%description
+Tools to assist with the configuration and management of fapolicyd.
+
+
+%package cli
+Summary:       File Access Policy Analyzer CLI
+
+%description cli
+CLI Tools to assist with the configuration and management of fapolicyd.
+
+%package gui
+Summary:       File Access Policy Analyzer GUI
+
 Requires:      python3
 Requires:      python3-gobject
 Requires:      python3-events
@@ -67,15 +85,22 @@ Requires:      webkit2gtk4.1
 %global module_version  %{lua: v = string.gsub(rpm.expand("%{?version}"), "~dev", ".dev"); \
                                v = string.gsub(v, "~rc",  "rc"); print(v) }
 
-%description
-Tools to assist with the configuration and management of fapolicyd.
+%description gui
+GUI Tools to assist with the configuration and management of fapolicyd.
 
 %prep
 %autosetup -n %{name}
 %cargo_prep
 
-# disable dev-tools crate
+%if %{without cli}
+# disable tools crate
 sed -i '/tools/d' Cargo.toml
+%endif
+
+%if %{without gui}
+# disable pyo3 crate
+sed -i '/pyo3/d' Cargo.toml
+%endif
 
 # extract our doc sourcs
 tar xvzf %{SOURCE1}
@@ -96,6 +121,12 @@ echo "audit" > FEATURES
 %cargo_generate_buildrequires -a
 
 %build
+
+%if %{with cli}
+cargo build --bin tdb --release
+%endif
+
+%if %{with gui}
 # ensure standard Rust compiler flags are set
 export RUSTFLAGS="%{build_rustflags}"
 
@@ -105,8 +136,15 @@ export RUSTFLAGS="%{build_rustflags}"
 
 %{cargo_license_summary}
 %{cargo_license} > LICENSE.dependencies
+%endif
 
 %install
+
+%if %{with cli}
+install -D target/release/tdb %{buildroot}/%{_sbindir}/%{name}-trust
+%endif
+
+%if %{with gui}
 %{py3_install_wheel %{module}-%{module_version}*%{_target_cpu}.whl}
 %{python3} help install --dest %{buildroot}/%{_datadir}/help
 install -D bin/%{name} %{buildroot}/%{_sbindir}/%{name}
@@ -115,14 +153,17 @@ install -D data/config.toml -t %{buildroot}%{_sysconfdir}/%{name}/
 desktop-file-install data/%{name}.desktop
 find locale -name %{name}.mo -exec cp --parents -rv {} %{buildroot}/%{_datadir} \;
 %find_lang %{name} --with-gnome
+%endif
 
 %check
+%if %{with gui}
 desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop
+%endif
 
-%files -n %{name} -f %{name}.lang
-%doc scripts/srpm/README
-%license LICENSE
-%license LICENSE.dependencies
+%files cli
+%attr(755,root,root) %{_sbindir}/%{name}-trust
+
+%files gui
 %{python3_sitearch}/%{module}
 %{python3_sitearch}/%{module}-%{module_version}*
 %attr(755,root,root) %{_sbindir}/%{name}
@@ -131,6 +172,11 @@ desktop-file-validate %{buildroot}/%{_datadir}/applications/%{name}.desktop
 %config(noreplace) %attr(644,root,root) %{_sysconfdir}/%{name}/config.toml
 %ghost %attr(640,root,root) %verify(not md5 size mtime) %{_localstatedir}/log/%{name}/%{name}.log
 
+%files -f %{name}.lang
+%doc scripts/srpm/README
+%license LICENSE
+%license LICENSE.dependencies
+
 %changelog
 * Sun Jul 28 2024 John Wass <[email protected]> 1.4.0-1
 - New release
diff --git a/news/1025.packaging.md b/news/1025.packaging.md
@@ -0,0 +1 @@
+Subpackaged RPM build to support separate CLI and GUI installations.
diff --git a/scripts/srpm/Containerfile.el9 b/scripts/srpm/Containerfile.el9
diff --git a/scripts/srpm/build.sh b/scripts/srpm/build.sh
@@ -18,18 +18,13 @@
 spec_file="fapolicy-analyzer.spec"
 rpmbuild_dir=/tmp/rpmbuild
 
-if [[ "$ONLINE" -eq 1 ]]; then
-  cd ${rpmbuild_dir}/SOURCES
-  spectool -g "../SPECS/$spec_file"
-  cd ${rpmbuild_dir}/SPECS
-  dnf builddep "$spec_file" -y
-fi
-
-cd ${rpmbuild_dir}/SPECS
-rpmbuild -ba "$spec_file" -D "_topdir ${rpmbuild_dir}"
+echo "[build.sh] mock $1"
+mock -r "$1" --init
+mock -r "$1" --resultdir ${rpmbuild_dir} --buildsrpm --sources ${rpmbuild_dir}/SOURCES/ --spec ${rpmbuild_dir}/SPECS/${spec_file}
+mock -r "$1" --resultdir ${rpmbuild_dir} --rebuild ${rpmbuild_dir}/*.src.rpm
 
-if [[ ! -z "$1" ]]; then
-  echo "[build.sh] exporting *rpms to ${1}"
-  cp -v ${rpmbuild_dir}/RPMS/**/*.rpm ${1}
-  cp -v ${rpmbuild_dir}/SRPMS/*.rpm   ${1}
+if [[ -n "$2" ]]; then
+  echo "[build.sh] exporting rpms to ${2}"
+  cp -v ${rpmbuild_dir}/*.rpm ${2}
+  cp -v ${rpmbuild_dir}/*.rpm ${2}
 fi
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Subpackaged RPM build to support separate CLI and GUI installations.