[PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[Philip Tricca]

This prevents the Xen 'configure' script from using the
checkpolicy binary from the host system if it's installed.
---
 recipes-extended/xen/xen_4.3.0.bb |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-extended/xen/xen_4.3.0.bb b/recipes-extended/xen/xen_4.3.0.bb
index 2e1a29f..5d26000 100644
--- a/recipes-extended/xen/xen_4.3.0.bb
+++ b/recipes-extended/xen/xen_4.3.0.bb
@@ -557,6 +557,9 @@ export CROSS_COMPILE="${TARGET_PREFIX}"
 # overide LDFLAGS to allow xen to build without: "x86_64-oe-linux-ld: unrecognized option '-Wl,-O1'"
 export LDFLAGS=""
 
+# use checkpolicy from  sysroot
+export CHECKPOLICY="${STAGING_DIR_NATIVE}${bindir}/checkpolicy"
+
 do_configure() {
     # fixup qemu-xen-traditional pciutils check hardcoded to test ${includedir}/pci
     sed -i 's/\/usr\/include\/pci/$(STAGING_INCDIR)\/pci/g' ${S}/tools/qemu-xen-traditional/xen-hooks.mak
-- 
1.7.10.4

Re: [PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[Philip Tricca]

Probably should add that I'm not very fond of having the path hard coded
like this. Makes for a dependency on the install location from the
checkpolicy recipe. For the short term this fixes the immediate issue
though. Feedback on the "right way" to reference / find this binary
would be appreciated.

Regards,
- Philip

On 10/04/2013 12:39 PM, Philip Tricca wrote:
> This prevents the Xen 'configure' script from using the
> checkpolicy binary from the host system if it's installed.
> ---
>  recipes-extended/xen/xen_4.3.0.bb |    3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/recipes-extended/xen/xen_4.3.0.bb b/recipes-extended/xen/xen_4.3.0.bb
> index 2e1a29f..5d26000 100644
> --- a/recipes-extended/xen/xen_4.3.0.bb
> +++ b/recipes-extended/xen/xen_4.3.0.bb
> @@ -557,6 +557,9 @@ export CROSS_COMPILE="${TARGET_PREFIX}"
>  # overide LDFLAGS to allow xen to build without: "x86_64-oe-linux-ld: unrecognized option '-Wl,-O1'"
>  export LDFLAGS=""
>  
> +# use checkpolicy from  sysroot
> +export CHECKPOLICY="${STAGING_DIR_NATIVE}${bindir}/checkpolicy"
> +
>  do_configure() {
>      # fixup qemu-xen-traditional pciutils check hardcoded to test ${includedir}/pci
>      sed -i 's/\/usr\/include\/pci/$(STAGING_INCDIR)\/pci/g' ${S}/tools/qemu-xen-traditional/xen-hooks.mak

Re: [PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[David Nyström]

On 10/04/2013 07:23 PM, Philip Tricca wrote:
> Probably should add that I'm not very fond of having the path hard coded
> like this. Makes for a dependency on the install location from the
> checkpolicy recipe. For the short term this fixes the immediate issue
> though. Feedback on the "right way" to reference / find this binary
> would be appreciated.
>
> Regards,
> - Philip

I suppose the correct way would be to patch the configure scripts and 
upstream that patch to Xen. But I have no problems with this, as long as 
chkconfig referenced from native sysroot is in DEPENDS, to avoid build 
race conditions.

Br,
David

Re: [PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[Bruce Ashfield]

On Wed, Oct 9, 2013 at 5:14 AM, David Nyström <david.c.nystrom@gmail.com> wrote:
> On 10/04/2013 07:23 PM, Philip Tricca wrote:
>>
>> Probably should add that I'm not very fond of having the path hard coded
>> like this. Makes for a dependency on the install location from the
>> checkpolicy recipe. For the short term this fixes the immediate issue
>> though. Feedback on the "right way" to reference / find this binary
>> would be appreciated.
>>
>> Regards,
>> - Philip
>
>
> I suppose the correct way would be to patch the configure scripts and
> upstream that patch to Xen. But I have no problems with this, as long as
> chkconfig referenced from native sysroot is in DEPENDS, to avoid build race
> conditions.

Which isn't the case at the moment.So this patch needs a bit more work.

Philip: Are you talking about the selinux checkpolicy here ? I assume you are,
but want to be sure. If you are, not only do we need the package in the
DEPENDS, we need meta-selinux in the README's layer dependency list for
meta-virt.

Bruce

>
> Br,
> David
>
>
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"

Re: [PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[David Nyström]

On Fri 11 Oct 2013 05:21:37 AM CEST, Bruce Ashfield wrote:
> On Wed, Oct 9, 2013 at 5:14 AM, David Nyström <david.c.nystrom@gmail.com> wrote:
>> On 10/04/2013 07:23 PM, Philip Tricca wrote:
>>>
>>> Probably should add that I'm not very fond of having the path hard coded
>>> like this. Makes for a dependency on the install location from the
>>> checkpolicy recipe. For the short term this fixes the immediate issue
>>> though. Feedback on the "right way" to reference / find this binary
>>> would be appreciated.
>>>
>>> Regards,
>>> - Philip
>>
>>
>> I suppose the correct way would be to patch the configure scripts and
>> upstream that patch to Xen. But I have no problems with this, as long as
>> chkconfig referenced from native sysroot is in DEPENDS, to avoid build race
>> conditions.
>
> Which isn't the case at the moment.So this patch needs a bit more work.

I guess its true what they say, "noone can hear you be subtle on the 
internet" :)

> Philip: Are you talking about the selinux checkpolicy here ? I assume you are,
> but want to be sure. If you are, not only do we need the package in the
> DEPENDS, we need meta-selinux in the README's layer dependency list for
> meta-virt.

If so , we should make this dependency optional if selinux is in 
DISTRO_FEATURES.

>
> Bruce
>
>>
>> Br,
>> David
>>
>>
>> _______________________________________________
>> meta-virtualization mailing list
>> meta-virtualization@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/meta-virtualization
>
>
>

Re: [PATCH] Explicitly set CHECKPOLICY path to native sysroot.

[Philip Tricca]

On 10/10/2013 11:21 PM, Bruce Ashfield wrote:
> On Wed, Oct 9, 2013 at 5:14 AM, David Nyström <david.c.nystrom@gmail.com> wrote:
>> On 10/04/2013 07:23 PM, Philip Tricca wrote:
>>>
>>> Probably should add that I'm not very fond of having the path hard coded
>>> like this. Makes for a dependency on the install location from the
>>> checkpolicy recipe. For the short term this fixes the immediate issue
>>> though. Feedback on the "right way" to reference / find this binary
>>> would be appreciated.
>>>
>>> Regards,
>>> - Philip
>>
>>
>> I suppose the correct way would be to patch the configure scripts and
>> upstream that patch to Xen. But I have no problems with this, as long as
>> chkconfig referenced from native sysroot is in DEPENDS, to avoid build race
>> conditions.
> 
> Which isn't the case at the moment.So this patch needs a bit more work.

So even doing this "the right way" by setting the variable and including
checkpolicy in the DEPENDS (using the selinux distro feature) won't fix
the immediate problem: the configure script and Makefile don't work
right so any user with /usr/bin/checkpolicy installed on their build
host will end up with the Xen recipe trying to build the FLASK policy
and it won't compile.

I'll start checking upstream to see if this was fixed recently or if I
have to start from scratch. Good data on how to handle the conditional
dependency though.

> Philip: Are you talking about the selinux checkpolicy here ? I assume you are,
> but want to be sure. If you are, not only do we need the package in the
> DEPENDS, we need meta-selinux in the README's layer dependency list for
> meta-virt.

That's the checkpolicy I'm talking about. The right way to add a
dependency on a new layer w/o forcing that layer on everyone wasn't
initially clear. I'll poke around the DISTRO_FEATURES stuff and com back
with a v2

Thanks,
- Philip