Re: meta-selinux

[Joe MacDonald <Joe_MacDonald@mentor.com>]

[-- Attachment #1: Type: text/plain, Size: 2455 bytes --]

[Re: [oe] meta-selinux] On 15.02.11 (Wed 09:25) Christopher Larson wrote:

> On Wed, Feb 11, 2015 at 8:53 AM, dpquigl <dpquigl@tycho.nsa.gov> wrote:
> 
> > I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> > by the yocto project. I'm trying to use it with a base openembedded core
> > and its not in sync with oe-core because its based on pokey. This made
> > me think of two questions. 1) Why is this not in OE core since so many
> > packages in core can potentially have SELinux support enabled and 2) if
> > its not supposed to be in core where should turning on SELinux support
> > in a recipe go? For example coreutils can have SELinux support enabled.
> > Currently this is in meta-selinux as a bbappend to the coreutils
> > package. This works out because its always going to be there. However
> > there is also a bbappend for an LXC recipe. LXC isn't in core which
> > means it has a dependency on a layer not in core.
> >
> 
> This is a bug in the layer. It's fairly trivial to construct a layer in
> such a way that you can have per-layer bbappends that are only applied when
> that layer exists. This is likely the approach meta-selinux should take to
> address this implicit dependency upon meta-virtualization.

I agree.  As Philip mentioned, there's been creep in meta-selinux
dependencies that I really would prefer to avoid but I haven't gotten
around to making the dependencies optional and proposing a patch set on
the list yet.  It's something I think we need, though, particularly for
meta-selinux, but I imagine it's not the only layer that could use such
a change.

> That said, I think most folks would be open to PACKAGECONFIGs for selinux
> capability going into the main recipes, as that's not an invasive change,
> nor a patch, but just a tweak in configuration.

I know that's been the case in several places already, and in a lot of
cases I think that's probably the better place to do such things, so
that at least in theory the layer maintainers themselves are aware of
selinux issues, but I try to be a practical sort and since I don't
expect up-stream developers to be maintaining their own policy modules,
I also don't expect layer maintainers to be testing with selinux all
that often.  :-)

FWIW, though, there're plenty of examples in oe-core of SELinux
PACKAGECONFIGs and that works out pretty well for everyone, I think.

-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 501 bytes --]