Re: [meta-selinux][PATCH] systemd: no need to inherit enable-selinux

[Joe MacDonald <Joe_MacDonald@mentor.com>]

[-- Attachment #1: Type: text/plain, Size: 3563 bytes --]

[RE: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On 17.05.08 (Mon 01:40) Huang, Jie (Jackie) wrote:

> 
> 
> > -----Original Message-----
> > From: Joe MacDonald [mailto:Joe_MacDonald@mentor.com]
> > Sent: Tuesday, May 02, 2017 21:14
> > To: Huang, Jie (Jackie)
> > Cc: yocto@yoctoproject.org
> > Subject: Re: [yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-
> > selinux
> > 
> > [[yocto] [meta-selinux][PATCH] systemd: no need to inherit enable-selinux] On
> > 17.02.22 (Wed 14:44) jackie.huang@windriver.com wrote:
> > 
> > > From: Jackie Huang <jackie.huang@windriver.com>
> > >
> > > The selinux PACKAGECONFIG is properly handled in
> > > the recipe in oe-core, no need to inherit the
> > > enable-selinux bbclass.
> > 
> > That might be true, but other than belt-and-suspenders, what's the
> > harm in this being in the recipe?  I don't necessarily think it's an
> > invalid change but my quick count shows ~44 instances of 'inherit
> > enable-selinux' and 'inherit with-selinux' in meta-selinux, why's this
> > one significant?
> 
> That's because I have a patch to change the PACKAGECONFIG for selinux
> in oe-core to fix a dependency issue:
> 
> -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux"
> +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,initscripts-sushell"
> 
> But it would be overrode by the one in enable-selinux.bbclass:
> $ grep PACKAGECONFIG enable-selinux.bbclass
> PACKAGECONFIG_append = " ${@target_selinux(d)}"
> PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,"
> 
> So I need to remove the inherit here in meta-selinux.

Sorry, this fell between the cracks.

So, let me make sure I understand what you're saying.  This oe-core
commit:

commit 1881c5e0c426a193630e5eed5b629b69ff3741d5
Author: Kai Kang <kai.kang@windriver.com>
Date:   Wed Jul 8 14:26:01 2015 +0800

    systemd: add PACKAGECONFIG selinux
    
    Add PACKAGECONFIG 'selinux' for systemd. debug-shell.service starts
    different shell according whether selinux is enabled.
    
    (From OE-Core rev: 3d1aa27191fe4c21428eaf4ae036acb1496b7df7)
    
    Signed-off-by: Kai Kang <kai.kang@windriver.com>
    Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

conflicts with the --enable/--disable settings in meta-selinux and  you
want to remove the setting in meta-selinux?  Again, I don't specifically
object to this, but I'd like to understand the why of it.  Is there a
valid scenario to include meta-selinux in your project but have selinux
disabled?  If so, I would think the settings in meta-selinux should
still take precedence.  Otherwise, I'm confused why the other 40-ish
cases aren't also covered.  I haven't investigated, but are all the
others in non-oe-core layers, maybe?

Thanks,
-J.

> 
> Thanks,
> Jackie
> 
> > 
> > -J.
> > 
> > >
> > > Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > > ---
> > >  recipes-core/systemd/systemd_%.bbappend | 1 -
> > >  1 file changed, 1 deletion(-)
> > >
> > > diff --git a/recipes-core/systemd/systemd_%.bbappend b/recipes-
> > core/systemd/systemd_%.bbappend
> > > index 8d9029b..f1bdaf8 100644
> > > --- a/recipes-core/systemd/systemd_%.bbappend
> > > +++ b/recipes-core/systemd/systemd_%.bbappend
> > > @@ -1,2 +1 @@
> > >  inherit enable-audit
> > > -inherit enable-selinux
> > > --
> > > 2.8.3
> > >
> > --
> > -Joe MacDonald.
> > :wq

-- 
-Joe MacDonald.
:wq

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 484 bytes --]