Re: meta-selinux

[Joe MacDonald <Joe_MacDonald@mentor.com>]

[-- Attachment #1: Type: text/plain, Size: 3463 bytes --]

[Re: [oe] meta-selinux] On 15.02.11 (Wed 16:29) Paul Eggleton wrote:

> (Adding yocto@yoctoproject.org to CC since that is where meta-selinux patches 
> tend to go at least)
> 
> On Wednesday 11 February 2015 10:53:03 dpquigl wrote:
> > I'm working on OpenXT and it makes use of the meta-selinux repo hosted
> > by the yocto project. I'm trying to use it with a base openembedded core
> > and its not in sync with oe-core because its based on pokey. 
> 
> To be clear, poky and OE-Core are in lock-step. No patch to core recipes goes 
> into Poky directly, they are applied to OE-Core and then they flow into Poky 
> immediately thereafter (Richard, who does the merging of patches into OE-Core, 
> does the sync to Poky immediately afterwards.)
> 
> What's more likely happening I suspect is that you are on a newer 
> branch/revision of OE-Core/Poky than the meta-selinux maintainers have tested. 
> I can't speak to the maintenance schedule for meta-selinux but maybe others 
> with knowledge there can chime in.

Our master tends to lag behind oe-core's master for a few reasons, but
none of them are really insurmountable.  Certainly the intent is that
meta-selinux/master will build successfully with oe-core/master at any
given time.

> > This made me think of two questions. 1) Why is this not in OE core since so
> > many packages in core can potentially have SELinux support enabled and 2) if
> > its not supposed to be in core where should turning on SELinux support
> > in a recipe go? For example coreutils can have SELinux support enabled.
> > Currently this is in meta-selinux as a bbappend to the coreutils
> > package. This works out because its always going to be there. However
> > there is also a bbappend for an LXC recipe. LXC isn't in core which
> > means it has a dependency on a layer not in core.
> > 
> > Ideally I would put the recipes needed for SELinux support in core and
> > have a distro feature which is checked in the recipes in core for
> > whether or not to add --with-selinux to the build flags. Then LXC could
> > check a core distro feature and enable SELinux if it wants to.
> 
> We have to draw the line somewhere for what to include in OE-Core, and at the 
> moment I guess we have considered SELinux to be outside its scope. Obviously 
> these things get re-evaluated from time to time, and SELinux is a little bit 
> painful for this because of how many recipes it has to touch. Ultimately it 
> depends on how many people in the embedded space want to enable and use 
> SELinux.
> 
> Thoughts from others?

I've been doing SELinux stuff for rather a long time and it's generally
been my experience that there's a set of developers / vendors that
*really* want it and know what they're doing, there's another set that
*really* want nothing to do with it and a group that say they want
SELinux support but then immediately start needing to turn stuff off
because it causes their system to behave too differently.

Taken as a simple maintenance thing, I think it's easier to have SELinux
be part of OE-Core.  Given, though, it's really not possible to divorce
much of SELinux functionality from python on the target, so then I don't
know if it really makes sense for something like that to be part of
oe-core, proper.  I would think no.

> 
> Cheers,
> Paul
> 
> -- 
> 
> Paul Eggleton
> Intel Open Source Technology Centre
-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 501 bytes --]