Re: [meta-selinux][PATCH 1/2] refpolicy: Replace 2.2014120 with release 2.20151208.

[Philip Tricca <flihp@twobit.us>]

On 03/22/2016 12:43 PM, Stephen Smalley wrote:
> On 03/21/2016 12:26 AM, Philip Tricca wrote:
>> This was mostly straight forward. Had to refresh a single patch:
>> poky-policy-fix-new-SELINUXMNT-in-sys.patch
> 
> Can we drop that one?  Doesn't upstream already include rules for the
> change from /selinux to /sys/fs/selinux, since that has been the default
> for Linux 3.0 and later?

I'm trying to make as few changes as possible with this though you're
likely right. These are also marked as specific to Poky and I've been
testing only the minimal oe-selinux.conf. The patches aren't applied
using any logic that looks at the distro so I'm not even sure how
specific they are to poky even.

> Also, refpolicy-update-for_systemd.patch seems suspect, given that
> upstream refpolicy already includes systemd support (but you need to
> build with SYSTEMD=y, which can be done now via POLICY_SYSTEMD=y in your
> local.conf or elsewhere).  The only bit I see in that patch that isn't
> already in refpolicy is
> allow devpts device_t:filesystem associate;
> which ought to be rewritten as
> dev_associate(devpts_t)
> and upstreamed to refpolicy terminal.te if needed.
> 
> I assume that is from creating the /dvv/pts mount point and
> automatically trying to label it according to file_contexts, but the
> type in file_contexts is really for the devpts mount, not the mount point.

Long story short it looks like these patch queues need a scrub. This is
useful information though to get the task started. I'll merge this as it
is and take on the patch scrub on next.

Philip