fix: Gate SELinux to Linux and add cross-platform CI tests (#8795)

naoNao89 · web-flow · commit 02312bfffd6a · 2025-10-05T14:23:59.000+02:00
Gate SELinux functionality to Linux-only and provide stub implementations for chcon/runcon on non-Linux platforms to maintain cross-platform builds. Changes: - Gate all SELinux code with target_os = "linux" checks - Add stub main() for chcon/runcon on non-Linux with user-friendly errors - Add CI job to verify stubs build correctly on macOS and Windows - Update ls to check both selinux feature AND target_os Benefits: - Fixes build failures on macOS/Windows (#8581, #7996, #7695, #6491) - Maintains workspace buildability across all platforms - Provides clear error messages instead of silent failures - Prevents accidental SELinux usage on unsupported platforms CI Testing: - New 'Build/SELinux-Stubs (Non-Linux)' job tests macOS and Windows - Verifies stub binaries are created and compilation succeeds - Validates full workspace builds with stubs present Addresses maintainer feedback in PR #8795
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
@@ -1280,6 +1280,40 @@ jobs:
     - name: Lint with SELinux
       run: lima bash -c "cd work && cargo clippy --all-targets --features 'feat_selinux' -- -D warnings"
 
+  test_selinux_stubs:
+    name: Build/SELinux-Stubs (Non-Linux)
+    needs: [ min_version, deps ]
+    runs-on: ${{ matrix.job.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        job:
+          - { os: macos-latest   , features: feat_os_macos }
+          - { os: windows-latest , features: feat_os_windows }
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
+    - uses: dtolnay/rust-toolchain@stable
+    - uses: Swatinem/rust-cache@v2
+    
+    - name: Build SELinux utilities as stubs
+      run: cargo build -p uu_chcon -p uu_runcon
+        
+    - name: Verify stub binaries exist
+      shell: bash
+      run: |
+        if [ "${{ runner.os }}" = "Windows" ]; then
+          test -f target/debug/chcon.exe || exit 1
+          test -f target/debug/runcon.exe || exit 1
+        else
+          test -f target/debug/chcon || exit 1
+          test -f target/debug/runcon || exit 1
+        fi
+        
+    - name: Verify workspace builds with stubs
+      run: cargo build --features ${{ matrix.job.features }}
+
   benchmarks:
     name: Run benchmarks (CodSpeed)
     runs-on: ubuntu-latest
diff --git a/src/uu/chcon/src/main.rs b/src/uu/chcon/src/main.rs
@@ -1,2 +1,12 @@
-#![cfg(target_os = "linux")]
+// On non-Linux targets, provide a stub main to keep the binary target present
+// and the workspace buildable. Using item-level cfg avoids excluding the crate
+// entirely (via #![cfg(...)]), which can break tooling and cross builds that
+// expect this binary to exist even when it's a no-op off Linux.
+#[cfg(target_os = "linux")]
 uucore::bin!(uu_chcon);
+
+#[cfg(not(target_os = "linux"))]
+fn main() {
+    eprintln!("chcon: SELinux is not supported on this platform");
+    std::process::exit(1);
+}
diff --git a/src/uu/ls/src/ls.rs b/src/uu/ls/src/ls.rs
@@ -1085,11 +1085,11 @@ impl Config {
             time_format_older,
             context,
             selinux_supported: {
-                #[cfg(feature = "selinux")]
+                #[cfg(all(feature = "selinux", target_os = "linux"))]
                 {
                     uucore::selinux::is_selinux_enabled()
                 }
-                #[cfg(not(feature = "selinux"))]
+                #[cfg(not(all(feature = "selinux", target_os = "linux")))]
                 {
                     false
                 }
@@ -3309,7 +3309,7 @@ fn get_security_context<'a>(
     }
 
     if config.selinux_supported {
-        #[cfg(feature = "selinux")]
+        #[cfg(all(feature = "selinux", target_os = "linux"))]
         {
             match selinux::SecurityContext::of_path(path, must_dereference, false) {
                 Err(_r) => {
diff --git a/src/uu/runcon/src/main.rs b/src/uu/runcon/src/main.rs
@@ -1,2 +1,12 @@
-#![cfg(target_os = "linux")]
+// On non-Linux targets, provide a stub main to keep the binary target present
+// and the workspace buildable. Using item-level cfg avoids excluding the crate
+// entirely (via #![cfg(...)]), which can break tooling and cross builds that
+// expect this binary to exist even when it's a no-op off Linux.
+#[cfg(target_os = "linux")]
 uucore::bin!(uu_runcon);
+
+#[cfg(not(target_os = "linux"))]
+fn main() {
+    eprintln!("runcon: SELinux is not supported on this platform");
+    std::process::exit(1);
+}

Original file line number	Diff line number	Diff line change
`@@ -1085,11 +1085,11 @@ impl Config {`
`1085`	`1085`	`time_format_older,`
`1086`	`1086`	`context,`
`1087`	`1087`	`selinux_supported: {`
`1088`		`- #[cfg(feature = "selinux")]`
	`1088`	`+ #[cfg(all(feature = "selinux", target_os = "linux"))]`
`1089`	`1089`	`{`
`1090`	`1090`	`uucore::selinux::is_selinux_enabled()`
`1091`	`1091`	`}`
`1092`		`- #[cfg(not(feature = "selinux"))]`
	`1092`	`+ #[cfg(not(all(feature = "selinux", target_os = "linux")))]`
`1093`	`1093`	`{`
`1094`	`1094`	`false`
`1095`	`1095`	`}`
`@@ -3309,7 +3309,7 @@ fn get_security_context<'a>(`
`3309`	`3309`	`}`
`3310`	`3310`
`3311`	`3311`	`if config.selinux_supported {`
`3312`		`- #[cfg(feature = "selinux")]`
	`3312`	`+ #[cfg(all(feature = "selinux", target_os = "linux"))]`
`3313`	`3313`	`{`
`3314`	`3314`	`match selinux::SecurityContext::of_path(path, must_dereference, false) {`
`3315`	`3315`	`Err(_r) => {`